From 43802f178e22dd3674adcd2264b58635edc6fde7 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 20 Jul 2021 15:55:53 +0200 Subject: [PATCH 001/108] bootstrap: Install krb5-workstation on Fedora based distros Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit e0fa3e359f16b26122d49ad79372e3923f5ded77) --- .gitlab-ci-main.yml | 2 +- bootstrap/config.py | 2 +- bootstrap/generated-dists/centos7/bootstrap.sh | 1 + bootstrap/generated-dists/centos7/packages.yml | 1 + bootstrap/generated-dists/centos8/bootstrap.sh | 1 + bootstrap/generated-dists/centos8/packages.yml | 1 + bootstrap/generated-dists/fedora33/bootstrap.sh | 1 + bootstrap/generated-dists/fedora33/packages.yml | 1 + bootstrap/generated-dists/fedora34/bootstrap.sh | 1 + bootstrap/generated-dists/fedora34/packages.yml | 1 + bootstrap/generated-dists/opensuse151/bootstrap.sh | 1 + bootstrap/generated-dists/opensuse151/packages.yml | 1 + bootstrap/generated-dists/opensuse152/bootstrap.sh | 1 + bootstrap/generated-dists/opensuse152/packages.yml | 1 + bootstrap/sha1sum.txt | 2 +- 15 files changed, 15 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 0979c007dc6..8bcedfc5d6a 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -42,7 +42,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: fa3eeb92fb5447524a057a4c377e6960dff626ce + SAMBA_CI_CONTAINER_TAG: 11d550c08430787a5b0eb8dc847977ffffe12bbe # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. diff --git a/bootstrap/config.py b/bootstrap/config.py index b5d04d4e371..b02ce4cf566 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -116,7 +116,7 @@ PKGS = [ ('bind9utils', 'bind-utils'), ('dnsutils', ''), ('xsltproc', 'libxslt'), - ('krb5-user', ''), + ('krb5-user', 'krb5-workstation'), ('krb5-config', ''), ('krb5-kdc', 'krb5-server'), ('apt-utils', 'yum-utils'), diff --git a/bootstrap/generated-dists/centos7/bootstrap.sh b/bootstrap/generated-dists/centos7/bootstrap.sh index 00dd22b891f..36913f40b44 100755 --- a/bootstrap/generated-dists/centos7/bootstrap.sh +++ b/bootstrap/generated-dists/centos7/bootstrap.sh @@ -45,6 +45,7 @@ yum install -y \ keyutils-libs-devel \ krb5-devel \ krb5-server \ + krb5-workstation \ lcov \ libacl-devel \ libarchive-devel \ diff --git a/bootstrap/generated-dists/centos7/packages.yml b/bootstrap/generated-dists/centos7/packages.yml index 3f5e8331b40..4da3d61441f 100644 --- a/bootstrap/generated-dists/centos7/packages.yml +++ b/bootstrap/generated-dists/centos7/packages.yml @@ -31,6 +31,7 @@ packages: - keyutils-libs-devel - krb5-devel - krb5-server + - krb5-workstation - lcov - libacl-devel - libarchive-devel diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8/bootstrap.sh index a3079982dda..60cf3937cf7 100755 --- a/bootstrap/generated-dists/centos8/bootstrap.sh +++ b/bootstrap/generated-dists/centos8/bootstrap.sh @@ -54,6 +54,7 @@ yum install -y \ keyutils-libs-devel \ krb5-devel \ krb5-server \ + krb5-workstation \ libacl-devel \ libarchive-devel \ libattr-devel \ diff --git a/bootstrap/generated-dists/centos8/packages.yml b/bootstrap/generated-dists/centos8/packages.yml index 2994e81640a..f5d0ac5ffe6 100644 --- a/bootstrap/generated-dists/centos8/packages.yml +++ b/bootstrap/generated-dists/centos8/packages.yml @@ -34,6 +34,7 @@ packages: - keyutils-libs-devel - krb5-devel - krb5-server + - krb5-workstation - libacl-devel - libarchive-devel - libattr-devel diff --git a/bootstrap/generated-dists/fedora33/bootstrap.sh b/bootstrap/generated-dists/fedora33/bootstrap.sh index 106bd09ede8..22b968e9ae2 100755 --- a/bootstrap/generated-dists/fedora33/bootstrap.sh +++ b/bootstrap/generated-dists/fedora33/bootstrap.sh @@ -45,6 +45,7 @@ dnf install -y \ keyutils-libs-devel \ krb5-devel \ krb5-server \ + krb5-workstation \ lcov \ libacl-devel \ libarchive-devel \ diff --git a/bootstrap/generated-dists/fedora33/packages.yml b/bootstrap/generated-dists/fedora33/packages.yml index 9fa48ad4502..7c61da3c53a 100644 --- a/bootstrap/generated-dists/fedora33/packages.yml +++ b/bootstrap/generated-dists/fedora33/packages.yml @@ -34,6 +34,7 @@ packages: - keyutils-libs-devel - krb5-devel - krb5-server + - krb5-workstation - lcov - libacl-devel - libarchive-devel diff --git a/bootstrap/generated-dists/fedora34/bootstrap.sh b/bootstrap/generated-dists/fedora34/bootstrap.sh index 6686ab19250..d5fea5c008a 100755 --- a/bootstrap/generated-dists/fedora34/bootstrap.sh +++ b/bootstrap/generated-dists/fedora34/bootstrap.sh @@ -45,6 +45,7 @@ dnf install -y \ keyutils-libs-devel \ krb5-devel \ krb5-server \ + krb5-workstation \ lcov \ libacl-devel \ libarchive-devel \ diff --git a/bootstrap/generated-dists/fedora34/packages.yml b/bootstrap/generated-dists/fedora34/packages.yml index 1e488823dda..db12fdb5486 100644 --- a/bootstrap/generated-dists/fedora34/packages.yml +++ b/bootstrap/generated-dists/fedora34/packages.yml @@ -34,6 +34,7 @@ packages: - keyutils-libs-devel - krb5-devel - krb5-server + - krb5-workstation - lcov - libacl-devel - libarchive-devel diff --git a/bootstrap/generated-dists/opensuse151/bootstrap.sh b/bootstrap/generated-dists/opensuse151/bootstrap.sh index 2271e2ea8b2..e4771284f4d 100755 --- a/bootstrap/generated-dists/opensuse151/bootstrap.sh +++ b/bootstrap/generated-dists/opensuse151/bootstrap.sh @@ -40,6 +40,7 @@ zypper --non-interactive install \ hostname \ htop \ keyutils-devel \ + krb5-client \ krb5-devel \ krb5-server \ lcov \ diff --git a/bootstrap/generated-dists/opensuse151/packages.yml b/bootstrap/generated-dists/opensuse151/packages.yml index 5710c60bd8b..d465252e26b 100644 --- a/bootstrap/generated-dists/opensuse151/packages.yml +++ b/bootstrap/generated-dists/opensuse151/packages.yml @@ -28,6 +28,7 @@ packages: - hostname - htop - keyutils-devel + - krb5-client - krb5-devel - krb5-server - lcov diff --git a/bootstrap/generated-dists/opensuse152/bootstrap.sh b/bootstrap/generated-dists/opensuse152/bootstrap.sh index ae766095a4d..bdfb121b345 100755 --- a/bootstrap/generated-dists/opensuse152/bootstrap.sh +++ b/bootstrap/generated-dists/opensuse152/bootstrap.sh @@ -40,6 +40,7 @@ zypper --non-interactive install \ hostname \ htop \ keyutils-devel \ + krb5-client \ krb5-devel \ krb5-server \ lcov \ diff --git a/bootstrap/generated-dists/opensuse152/packages.yml b/bootstrap/generated-dists/opensuse152/packages.yml index 6bc1a137ca7..75a37074791 100644 --- a/bootstrap/generated-dists/opensuse152/packages.yml +++ b/bootstrap/generated-dists/opensuse152/packages.yml @@ -28,6 +28,7 @@ packages: - hostname - htop - keyutils-devel + - krb5-client - krb5-devel - krb5-server - lcov diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index e198e6b80ae..0e70f1937b9 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -fa3eeb92fb5447524a057a4c377e6960dff626ce +11d550c08430787a5b0eb8dc847977ffffe12bbe -- 2.25.1 From 2497c79a4d4c655edab19eaa78a708193039d404 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 21 Jul 2021 09:17:31 +0200 Subject: [PATCH 002/108] python:waf: Correctly check for python-dateutil Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit e51e9d014598241e1cb8b525cce9e9c6b9e4e98f) --- python/wscript | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/python/wscript b/python/wscript index b33200e41d9..9815e816d35 100644 --- a/python/wscript +++ b/python/wscript @@ -5,7 +5,6 @@ from waflib import Options, Errors # work out what python external libraries we need to be successful selftest_pkgs = { - 'iso8601': 'python3-iso8601', 'cryptography': 'python3-cryptography', 'pyasn1': 'python3-pyasn1' } @@ -16,12 +15,14 @@ ad_dc_pkgs = { } -def find_third_party_module(conf, module, package): +def find_third_party_module(conf, module, package, required=True): conf.COMPOUND_START("Checking for system installation of Python module %s" % module) try: __import__(module) except ImportError: conf.COMPOUND_END(False) + if not required: + return False raise Errors.WafError("""\ Unable to find Python module '%s'. Please install the system package: %s'. """ % (module, package)) @@ -29,6 +30,8 @@ def find_third_party_module(conf, module, package): # Installed on the system conf.COMPOUND_END("system") + return True + def configure(conf): if conf.env.disable_python: @@ -73,6 +76,20 @@ def configure(conf): for module, package in selftest_pkgs.items(): find_third_party_module(conf, module, package) + # Prefer dateutil.parser which is much more widely used. + if not find_third_party_module(conf, + 'dateutil.parser', + 'python3-dateutilis', + required=False): + if not find_third_party_module(conf, + 'iso8601', + 'python3-iso8601', + required=False): + raise Errors.WafError("Could not find Python package " + "'python3-dateutils' nor " + "'python3-iso8601'. Please install " + "one of the packages.") + if not Options.options.without_ad_dc: for module, package in ad_dc_pkgs.items(): find_third_party_module(conf, module, package) @@ -117,5 +134,5 @@ def build(bld): bld.SAMBA_SCRIPT('samba_python_files', pattern='samba/**/*.py', installdir='python') - + bld.INSTALL_WILDCARD('${PYTHONARCHDIR}', 'samba/**/*.py', flat=False) -- 2.25.1 From 4966b5da27ea2bd0b6ce04dd71dbed804fde712a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 21 Jul 2021 09:32:42 +0200 Subject: [PATCH 003/108] bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Wed Jul 21 12:18:30 UTC 2021 on sn-devel-184 (cherry picked from commit ee9dfff617ad21d81369d7ef2ea35d7caab82fec) --- .gitlab-ci-main.yml | 2 +- bootstrap/config.py | 3 +++ bootstrap/generated-dists/fedora33/bootstrap.sh | 2 +- bootstrap/generated-dists/fedora33/packages.yml | 2 +- bootstrap/generated-dists/fedora34/bootstrap.sh | 2 +- bootstrap/generated-dists/fedora34/packages.yml | 2 +- bootstrap/generated-dists/opensuse152/bootstrap.sh | 2 +- bootstrap/generated-dists/opensuse152/packages.yml | 2 +- bootstrap/sha1sum.txt | 2 +- 9 files changed, 11 insertions(+), 8 deletions(-) diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 8bcedfc5d6a..657b28e274f 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -42,7 +42,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 11d550c08430787a5b0eb8dc847977ffffe12bbe + SAMBA_CI_CONTAINER_TAG: b5333a93306e20ba549f5fac3c6c74e0b103c1d6 # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. diff --git a/bootstrap/config.py b/bootstrap/config.py index b02ce4cf566..821ce3d5cc2 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -485,6 +485,7 @@ RPM_DISTS = { 'lsb-release': 'redhat-lsb', 'libsemanage-python': 'python3-libsemanage', 'policycoreutils-python': 'python3-policycoreutils', + 'python3-iso8601': 'python3-dateutil', } }, 'fedora34': { @@ -496,6 +497,7 @@ RPM_DISTS = { 'libsemanage-python': 'python3-libsemanage', 'policycoreutils-python': 'python3-policycoreutils', 'perl-FindBin': '', + 'python3-iso8601': 'python3-dateutil', 'libtracker-sparql-2.0-dev': '', # only tracker 3.x is available } }, @@ -552,6 +554,7 @@ RPM_DISTS = { 'perl-interpreter': '', 'perl-FindBin': '', 'procps-ng': 'procps', + 'python3-iso8601': 'python3-python-dateutil', 'python3-dns': 'python3-dnspython', 'python3-markdown': 'python3-Markdown', 'quota-devel': '', diff --git a/bootstrap/generated-dists/fedora33/bootstrap.sh b/bootstrap/generated-dists/fedora33/bootstrap.sh index 22b968e9ae2..52e199f6b88 100755 --- a/bootstrap/generated-dists/fedora33/bootstrap.sh +++ b/bootstrap/generated-dists/fedora33/bootstrap.sh @@ -87,10 +87,10 @@ dnf install -y \ psmisc \ python3 \ python3-cryptography \ + python3-dateutil \ python3-devel \ python3-dns \ python3-gpg \ - python3-iso8601 \ python3-libsemanage \ python3-markdown \ python3-policycoreutils \ diff --git a/bootstrap/generated-dists/fedora33/packages.yml b/bootstrap/generated-dists/fedora33/packages.yml index 7c61da3c53a..d9cbfbd80db 100644 --- a/bootstrap/generated-dists/fedora33/packages.yml +++ b/bootstrap/generated-dists/fedora33/packages.yml @@ -76,10 +76,10 @@ packages: - psmisc - python3 - python3-cryptography + - python3-dateutil - python3-devel - python3-dns - python3-gpg - - python3-iso8601 - python3-libsemanage - python3-markdown - python3-policycoreutils diff --git a/bootstrap/generated-dists/fedora34/bootstrap.sh b/bootstrap/generated-dists/fedora34/bootstrap.sh index d5fea5c008a..de5a9670601 100755 --- a/bootstrap/generated-dists/fedora34/bootstrap.sh +++ b/bootstrap/generated-dists/fedora34/bootstrap.sh @@ -86,10 +86,10 @@ dnf install -y \ psmisc \ python3 \ python3-cryptography \ + python3-dateutil \ python3-devel \ python3-dns \ python3-gpg \ - python3-iso8601 \ python3-libsemanage \ python3-markdown \ python3-policycoreutils \ diff --git a/bootstrap/generated-dists/fedora34/packages.yml b/bootstrap/generated-dists/fedora34/packages.yml index db12fdb5486..749f30dfc0e 100644 --- a/bootstrap/generated-dists/fedora34/packages.yml +++ b/bootstrap/generated-dists/fedora34/packages.yml @@ -75,10 +75,10 @@ packages: - psmisc - python3 - python3-cryptography + - python3-dateutil - python3-devel - python3-dns - python3-gpg - - python3-iso8601 - python3-libsemanage - python3-markdown - python3-policycoreutils diff --git a/bootstrap/generated-dists/opensuse152/bootstrap.sh b/bootstrap/generated-dists/opensuse152/bootstrap.sh index bdfb121b345..534ff66896f 100755 --- a/bootstrap/generated-dists/opensuse152/bootstrap.sh +++ b/bootstrap/generated-dists/opensuse152/bootstrap.sh @@ -88,8 +88,8 @@ zypper --non-interactive install \ python3-devel \ python3-dnspython \ python3-gpg \ - python3-iso8601 \ python3-pyasn1 \ + python3-python-dateutil \ python3-setproctitle \ readline-devel \ rng-tools \ diff --git a/bootstrap/generated-dists/opensuse152/packages.yml b/bootstrap/generated-dists/opensuse152/packages.yml index 75a37074791..05b3779a2fd 100644 --- a/bootstrap/generated-dists/opensuse152/packages.yml +++ b/bootstrap/generated-dists/opensuse152/packages.yml @@ -76,8 +76,8 @@ packages: - python3-devel - python3-dnspython - python3-gpg - - python3-iso8601 - python3-pyasn1 + - python3-python-dateutil - python3-setproctitle - readline-devel - rng-tools diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index 0e70f1937b9..e7de92cc504 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -11d550c08430787a5b0eb8dc847977ffffe12bbe +b5333a93306e20ba549f5fac3c6c74e0b103c1d6 -- 2.25.1 From 8e76935975efeaefdec7805cff05b235607a9b24 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 27 Jul 2021 08:50:54 +0200 Subject: [PATCH 004/108] selftest: Re-format long lines in selftesthelpers.py Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 18976a9568b23759060377d09304e9d7badb143a) --- selftest/selftesthelpers.py | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py index 3358374cbca..d24d4487f71 100644 --- a/selftest/selftesthelpers.py +++ b/selftest/selftesthelpers.py @@ -1,4 +1,5 @@ -#!/usr/bin/python +#!/usr/bin/env python3 +# # This script generates a list of testsuites that should be run as part of # the Samba 4 test suite. @@ -24,7 +25,8 @@ import sys def srcdir(): - return os.path.normpath(os.getenv("SRCDIR", os.path.join(os.path.dirname(os.path.abspath(__file__)), ".."))) + alternate_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "..") + return os.path.normpath(os.getenv("SRCDIR", alternate_path)) def source4dir(): @@ -90,7 +92,8 @@ def add_prefix(prefix, env, support_list=False): listopt = "$LISTOPT " else: listopt = "" - return "%s %s/selftest/filter-subunit %s--fail-on-empty --prefix=\"%s.\" --suffix=\"(%s)\"" % (python, srcdir(), listopt, prefix, env) + return ("%s %s/selftest/filter-subunit %s--fail-on-empty --prefix=\"%s.\" --suffix=\"(%s)\"" % + (python, srcdir(), listopt, prefix, env)) def plantestsuite_loadlist(name, env, cmdline): @@ -108,7 +111,9 @@ def plantestsuite_loadlist(name, env, cmdline): raise AssertionError("loadlist test %s does not support not --list" % name) if "$LOADLIST" not in cmdline: raise AssertionError("loadlist test %s does not support --load-list" % name) - print(("%s | %s" % (cmdline.replace("$LOADLIST", ""), add_prefix(name, env, support_list))).replace("$LISTOPT", "--list ")) + print(("%s | %s" % + (cmdline.replace("$LOADLIST", ""), + add_prefix(name, env, support_list))).replace("$LISTOPT", "--list ")) print(cmdline.replace("$LISTOPT", "") + " 2>&1 " + " | " + add_prefix(name, env, False)) @@ -163,7 +168,10 @@ bbdir = os.path.join(srcdir(), "testprogs/blackbox") configuration = "--configfile=$SMB_CONF_PATH" smbtorture4 = binpath("smbtorture") -smbtorture4_testsuite_list = subprocess.Popen([smbtorture4, "--list-suites"], stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate("")[0].decode('utf8').splitlines() +smbtorture4_testsuite_list = subprocess.Popen( + [smbtorture4, "--list-suites"], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE).communicate("")[0].decode('utf8').splitlines() smbtorture4_options = [ configuration, -- 2.25.1 From b328e732d43946ed24c8011034c56c8f68f5d11a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 27 Jul 2021 13:25:59 +0200 Subject: [PATCH 005/108] selftest: Add support for setting ENV variables in plansmbtorture4testsuite() Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 3db299e586fd9464b6e1b145f29b10c8ae325d3a) --- selftest/selftesthelpers.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py index d24d4487f71..524026248d9 100644 --- a/selftest/selftesthelpers.py +++ b/selftest/selftesthelpers.py @@ -182,13 +182,14 @@ smbtorture4_options = [ ] + get_env_torture_options() -def plansmbtorture4testsuite(name, env, options, target, modname=None): +def plansmbtorture4testsuite(name, env, options, target, environ={}, modname=None): if modname is None: modname = "samba4.%s" % name if isinstance(options, list): options = " ".join(options) options = " ".join(smbtorture4_options + ["--target=%s" % target]) + " " + options - cmdline = "%s $LISTOPT $LOADLIST %s %s" % (valgrindify(smbtorture4), options, name) + cmdline = ["%s=%s" % item for item in environ.items()] + cmdline += "%s $LISTOPT $LOADLIST %s %s" % (valgrindify(smbtorture4), options, name) plantestsuite_loadlist(modname, env, cmdline) -- 2.25.1 From 6d5473c117ee2371c6988a4349b23a93d61d287a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 27 Jul 2021 13:45:03 +0200 Subject: [PATCH 006/108] selftest: Add support for setting ENV variables in plantestsuite() Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 48289b6964d28e153fec885aceca02c6a9b436ef) --- selftest/selftesthelpers.py | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py index 524026248d9..542737dbd10 100644 --- a/selftest/selftesthelpers.py +++ b/selftest/selftesthelpers.py @@ -66,7 +66,7 @@ def valgrindify(cmdline): return valgrind + " " + cmdline -def plantestsuite(name, env, cmdline): +def plantestsuite(name, env, cmd, environ={}): """Plan a test suite. :param name: Testsuite name @@ -80,8 +80,18 @@ def plantestsuite(name, env, cmdline): fullname = "%s(%s)" % (name, env) print(fullname) print(env) - if isinstance(cmdline, list): - cmdline = " ".join(cmdline) + + cmdline = "" + if environ: + environ = dict(environ) + cmdline_env = ["%s=%s" % item for item in environ.items()] + cmdline = " ".join(cmdline_env) + " " + + if isinstance(cmd, list): + cmdline += " ".join(cmd) + else: + cmdline += cmd + if "$LISTOPT" in cmdline: raise AssertionError("test %s supports --list, but not --load-list" % name) print(cmdline + " 2>&1 " + " | " + add_prefix(name, env)) @@ -182,14 +192,17 @@ smbtorture4_options = [ ] + get_env_torture_options() -def plansmbtorture4testsuite(name, env, options, target, environ={}, modname=None): +def plansmbtorture4testsuite(name, env, options, target, modname=None, environ={}): if modname is None: modname = "samba4.%s" % name if isinstance(options, list): options = " ".join(options) options = " ".join(smbtorture4_options + ["--target=%s" % target]) + " " + options - cmdline = ["%s=%s" % item for item in environ.items()] - cmdline += "%s $LISTOPT $LOADLIST %s %s" % (valgrindify(smbtorture4), options, name) + cmdline = "" + if environ: + environ = dict(environ) + cmdline = ["%s=%s" % item for item in environ.items()] + cmdline += " %s $LISTOPT $LOADLIST %s %s" % (valgrindify(smbtorture4), options, name) plantestsuite_loadlist(modname, env, cmdline) -- 2.25.1 From 5db3b2517823cf8400a8ce92d6d1cc67ce3c6949 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 19 Jul 2021 17:29:39 +1200 Subject: [PATCH 007/108] pygensec: Fix memory leaks Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 814df05f8c10e9d82e6082d42ece1df569db4385) --- source4/auth/gensec/pygensec.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c index 490fcbecd58..f1f845a4663 100644 --- a/source4/auth/gensec/pygensec.c +++ b/source4/auth/gensec/pygensec.c @@ -310,9 +310,13 @@ static PyObject *py_gensec_session_info(PyObject *self, return NULL; } mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + return PyErr_NoMemory(); + } status = gensec_session_info(security, mem_ctx, &info); if (NT_STATUS_IS_ERR(status)) { + talloc_free(mem_ctx); PyErr_SetNTSTATUS(status); return NULL; } @@ -337,6 +341,9 @@ static PyObject *py_gensec_session_key(PyObject *self, return NULL; } mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + return PyErr_NoMemory(); + } status = gensec_session_key(security, mem_ctx, &session_key); if (!NT_STATUS_IS_OK(status)) { @@ -466,7 +473,12 @@ static PyObject *py_gensec_update(PyObject *self, PyObject *args) return NULL; mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + return PyErr_NoMemory(); + } + if (!PyBytes_Check(py_in)) { + talloc_free(mem_ctx); PyErr_Format(PyExc_TypeError, "bytes expected"); return NULL; } @@ -510,8 +522,12 @@ static PyObject *py_gensec_wrap(PyObject *self, PyObject *args) return NULL; mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + return PyErr_NoMemory(); + } if (!PyBytes_Check(py_in)) { + talloc_free(mem_ctx); PyErr_Format(PyExc_TypeError, "bytes expected"); return NULL; } @@ -545,8 +561,12 @@ static PyObject *py_gensec_unwrap(PyObject *self, PyObject *args) return NULL; mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + return PyErr_NoMemory(); + } if (!PyBytes_Check(py_in)) { + talloc_free(mem_ctx); PyErr_Format(PyExc_TypeError, "bytes expected"); return NULL; } @@ -599,6 +619,9 @@ static PyObject *py_gensec_sign_packet(PyObject *self, PyObject *args) pdu.length = pdu_length; mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + return PyErr_NoMemory(); + } status = gensec_sign_packet(security, mem_ctx, data.data, data.length, -- 2.25.1 From e54220d768884e75fcc100f386b4a8c37c9d2ce1 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 20 Jul 2021 10:48:41 +1200 Subject: [PATCH 008/108] pygensec: Don't modify Python bytes objects gensec_update() and gensec_unwrap() can both modify their input buffers (for example, during the inplace RRC operation on GSSAPI tokens). However, buffers obtained from Python bytes objects must not be modified in any way. Create a copy of the input buffer so the original isn't modified. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 6818d204897d0b7946dcfbedf79cd53fb9b3f159) --- source4/auth/gensec/gensec_gssapi.c | 4 ++++ source4/auth/gensec/pygensec.c | 36 ++++++++++++++++++++++------- 2 files changed, 32 insertions(+), 8 deletions(-) diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 9adc477a15c..e33c78462e2 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1168,6 +1168,10 @@ static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security, } } + /* + * FIXME: input_message_buffer is marked const, but gss_unwrap() may + * modify it (see calls to rrc_rotate() in _gssapi_unwrap_cfx()). + */ maj_stat = gss_unwrap(&min_stat, gensec_gssapi_state->gssapi_context, &input_token, diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c index f1f845a4663..dd63fa58348 100644 --- a/source4/auth/gensec/pygensec.c +++ b/source4/auth/gensec/pygensec.c @@ -468,6 +468,9 @@ static PyObject *py_gensec_update(PyObject *self, PyObject *args) PyObject *py_bytes, *result, *py_in; struct gensec_security *security = pytalloc_get_type(self, struct gensec_security); PyObject *finished_processing; + char *data = NULL; + Py_ssize_t len; + int err; if (!PyArg_ParseTuple(args, "O", &py_in)) return NULL; @@ -477,14 +480,21 @@ static PyObject *py_gensec_update(PyObject *self, PyObject *args) return PyErr_NoMemory(); } - if (!PyBytes_Check(py_in)) { + err = PyBytes_AsStringAndSize(py_in, &data, &len); + if (err) { talloc_free(mem_ctx); - PyErr_Format(PyExc_TypeError, "bytes expected"); return NULL; } - in.data = (uint8_t *)PyBytes_AsString(py_in); - in.length = PyBytes_Size(py_in); + /* + * Make a copy of the input buffer, as gensec_update may modify its + * input argument. + */ + in = data_blob_talloc(mem_ctx, data, len); + if (!in.data) { + talloc_free(mem_ctx); + return PyErr_NoMemory(); + } status = gensec_update(security, mem_ctx, in, &out); @@ -556,6 +566,9 @@ static PyObject *py_gensec_unwrap(PyObject *self, PyObject *args) DATA_BLOB in, out; PyObject *ret, *py_in; struct gensec_security *security = pytalloc_get_type(self, struct gensec_security); + char *data = NULL; + Py_ssize_t len; + int err; if (!PyArg_ParseTuple(args, "O", &py_in)) return NULL; @@ -565,14 +578,21 @@ static PyObject *py_gensec_unwrap(PyObject *self, PyObject *args) return PyErr_NoMemory(); } - if (!PyBytes_Check(py_in)) { + err = PyBytes_AsStringAndSize(py_in, &data, &len); + if (err) { talloc_free(mem_ctx); - PyErr_Format(PyExc_TypeError, "bytes expected"); return NULL; } - in.data = (uint8_t *)PyBytes_AsString(py_in); - in.length = PyBytes_Size(py_in); + /* + * Make a copy of the input buffer, as gensec_unwrap may modify its + * input argument. + */ + in = data_blob_talloc(mem_ctx, data, len); + if (!in.data) { + talloc_free(mem_ctx); + return PyErr_NoMemory(); + } status = gensec_unwrap(security, mem_ctx, &in, &out); -- 2.25.1 From cc7fdce307126f6378e75feb143d85d280dd8396 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 26 Jul 2021 17:15:23 +1200 Subject: [PATCH 009/108] tests/krb5: Fix ms_kile_client_principal_lookup_test errors Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 4797ced89095155c01e44727cf8b66ee4fb39710) --- .../krb5/ms_kile_client_principal_lookup_tests.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py index e9d251e72f6..1598959a18c 100755 --- a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py @@ -395,7 +395,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): # Check the contents of the pac, and the ticket ticket = rep['ticket'] enc_part = self.decode_service_ticket(mc, ticket) - self.check_pac(enc_part['authorization-data'], dn, uc, user_name) + self.check_pac(samdb, + enc_part['authorization-data'], dn, uc, user_name) # check the crealm and cname cname = enc_part['cname'] self.assertEqual(NT_PRINCIPAL, cname['name-type']) @@ -497,7 +498,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): ticket = rep['ticket'] enc_part = self.decode_service_ticket(mc, ticket) self.check_pac( - enc_part['authorization-data'], dn, uc, upn, upn=upn) + samdb, enc_part['authorization-data'], dn, uc, upn, upn=upn) # check the crealm and cname cname = enc_part['cname'] crealm = enc_part['crealm'] @@ -560,7 +561,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): ticket = rep['ticket'] enc_part = self.decode_service_ticket(mc, ticket) self.check_pac( - enc_part['authorization-data'], dn, uc, ename, upn=ename) + samdb, enc_part['authorization-data'], dn, uc, ename, upn=ename) # check the crealm and cname cname = enc_part['cname'] crealm = enc_part['crealm'] @@ -624,7 +625,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): ticket = rep['ticket'] enc_part = self.decode_service_ticket(mc, ticket) self.check_pac( - enc_part['authorization-data'], dn, mc, ename, upn=uname) + samdb, enc_part['authorization-data'], dn, mc, ename, upn=uname) # check the crealm and cname cname = enc_part['cname'] crealm = enc_part['crealm'] @@ -771,7 +772,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): ticket = rep['ticket'] enc_part = self.decode_service_ticket(mc, ticket) self.check_pac( - enc_part['authorization-data'], dn, uc, uname, upn=uname) + samdb, enc_part['authorization-data'], dn, uc, uname, upn=uname) # check the crealm and cname cname = enc_part['cname'] self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) -- 2.25.1 From 53f27e570462105a0f3ef4236d71d3443507c4d6 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 22 Jul 2021 16:26:17 +1200 Subject: [PATCH 010/108] tests/krb5: Fix comment typo Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 9eb4c4b7b1c2e8d124456e6a57262dc9c02d67d4) --- python/samba/tests/krb5/raw_testcase.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index b9bc08d1fa9..9c090e4d005 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -864,7 +864,7 @@ class RawKerberosTest(TestCaseInTempDir): # The value on the wire should never be 0 self.assertNotEqual(v, 0) # unspecified_kvno means we don't know the kvno, - # but want to enforce its presense + # but want to enforce its presence if value is not self.unspecified_kvno: value = int(value) self.assertNotEqual(value, 0) -- 2.25.1 From ec49567859f12e4b2886f7532c136051539be4dc Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 6 Jul 2021 10:17:52 +1200 Subject: [PATCH 011/108] tests/krb5: Fix method name typo Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 7013a8edd1f628b8659f0836f3b37ccf13156ae2) --- python/samba/tests/krb5/kdc_base_test.py | 4 ++-- python/samba/tests/krb5/kdc_tgs_tests.py | 6 +++--- .../ms_kile_client_principal_lookup_tests.py | 20 +++++++++---------- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 0f5238a3de9..4bd856b217e 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -444,7 +444,7 @@ class KDCBaseTest(RawKerberosTest): return enc_part - def check_pre_authenication(self, rep): + def check_pre_authentication(self, rep): """ Check that the kdc response was pre-authentication required """ self.check_error_rep(rep, KDC_ERR_PREAUTH_REQUIRED) @@ -794,7 +794,7 @@ class KDCBaseTest(RawKerberosTest): names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(user_credentials, rep) diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index 0c757bd5e5f..25a1f5f3ed8 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -63,7 +63,7 @@ class KdcTgsTests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(uc, rep) @@ -113,7 +113,7 @@ class KdcTgsTests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(uc, rep) @@ -154,7 +154,7 @@ class KdcTgsTests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(uc, rep) diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py index 1598959a18c..e42b643b357 100755 --- a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py @@ -106,7 +106,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(uc, rep) @@ -165,7 +165,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(mc, rep) @@ -227,7 +227,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(uc, rep) @@ -365,7 +365,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(uc, rep) @@ -433,7 +433,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(uc, rep) @@ -472,7 +472,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(uc, rep) @@ -535,7 +535,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(uc, rep) @@ -599,7 +599,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(mc, rep) @@ -741,7 +741,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(uc, rep) @@ -810,7 +810,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) - self.check_pre_authenication(rep) + self.check_pre_authentication(rep) # Do the next AS-REQ padata = self.get_pa_data(uc, rep) -- 2.25.1 From 7a7143efcf8f9ccb9587cb3322dc406b406c1e22 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 2 Aug 2021 17:00:09 +1200 Subject: [PATCH 012/108] tests/krb5: formatting Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit df6623363a7ec1a13af48a09e1d29fa8784e825c) --- python/samba/tests/krb5/as_req_tests.py | 20 +- python/samba/tests/krb5/kdc_base_test.py | 22 +- python/samba/tests/krb5/raw_testcase.py | 323 +++++++++++++---------- 3 files changed, 209 insertions(+), 156 deletions(-) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 10e7b603609..09cfc9e1fc8 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -82,16 +82,16 @@ class AsReqKerberosTests(KDCBaseTest): return initial_padata, req_body kdc_exchange_dict = self.as_exchange_dict( - expected_crealm=expected_crealm, - expected_cname=expected_cname, - expected_srealm=expected_srealm, - expected_sname=expected_sname, - generate_padata_fn=_generate_padata_copy, - check_error_fn=self.generic_check_as_error, - check_rep_fn=self.generic_check_kdc_rep, - expected_error_mode=expected_error_mode, - client_as_etypes=client_as_etypes, - expected_salt=expected_salt) + expected_crealm=expected_crealm, + expected_cname=expected_cname, + expected_srealm=expected_srealm, + expected_sname=expected_sname, + generate_padata_fn=_generate_padata_copy, + check_error_fn=self.generic_check_as_error, + check_rep_fn=self.generic_check_kdc_rep, + expected_error_mode=expected_error_mode, + client_as_etypes=client_as_etypes, + expected_salt=expected_salt) rep = self._generic_kdc_exchange(kdc_exchange_dict, kdc_options=str(initial_kdc_options), diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 4bd856b217e..c23c71e1d74 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -21,10 +21,7 @@ import os from datetime import datetime, timezone import tempfile import binascii -import struct -sys.path.insert(0, "bin/python") -os.environ["PYTHONUNBUFFERED"] = "1" from collections import namedtuple import ldb from ldb import SCOPE_BASE @@ -66,6 +63,9 @@ from samba.tests.krb5.rfc4120_constants import ( PADATA_ETYPE_INFO2, ) +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + global_asn1_print = False global_hexdump = False @@ -114,9 +114,9 @@ class KDCBaseTest(RawKerberosTest): session = system_session() type(self)._ldb = SamDB(url="ldap://%s" % self.host, - session_info=session, - credentials=creds, - lp=lp) + session_info=session, + credentials=creds, + lp=lp) return self._ldb @@ -337,6 +337,7 @@ class KDCBaseTest(RawKerberosTest): require_strongest_key=False): if require_strongest_key: self.assertTrue(require_keys) + def download_krbtgt_creds(): samdb = self.get_samdb() @@ -742,15 +743,16 @@ class KDCBaseTest(RawKerberosTest): .replace(tzinfo=timezone.utc).timestamp()) # Account for clock skew of up to five minutes. - self.assertLess(cred.authtime - 5*60, + self.assertLess(cred.authtime - 5 * 60, datetime.now(timezone.utc).timestamp(), "Ticket not yet valid - clocks may be out of sync.") - self.assertLess(cred.starttime - 5*60, + self.assertLess(cred.starttime - 5 * 60, datetime.now(timezone.utc).timestamp(), "Ticket not yet valid - clocks may be out of sync.") - self.assertGreater(cred.endtime - 60*60, + self.assertGreater(cred.endtime - 60 * 60, datetime.now(timezone.utc).timestamp(), - "Ticket already expired/about to expire - clocks may be out of sync.") + "Ticket already expired/about to expire - " + "clocks may be out of sync.") cred.renew_till = cred.endtime cred.is_skey = 0 diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 9c090e4d005..de9c25751d2 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -24,11 +24,19 @@ import datetime import random import binascii import itertools +from pyasn1.codec.der.decoder import decode as pyasn1_der_decode +from pyasn1.codec.der.encoder import encode as pyasn1_der_encode +from pyasn1.codec.native.decoder import decode as pyasn1_native_decode +from pyasn1.codec.native.encoder import encode as pyasn1_native_encode + +from pyasn1.codec.ber.encoder import BitStringEncoder -import samba.tests from samba.credentials import Credentials -from samba.tests import TestCaseInTempDir from samba.dcerpc import security + +import samba.tests +from samba.tests import TestCaseInTempDir + import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( KDC_ERR_ETYPE_NOSUPP, @@ -53,13 +61,6 @@ from samba.tests.krb5.rfc4120_constants import ( ) import samba.tests.krb5.kcrypto as kcrypto -from pyasn1.codec.der.decoder import decode as pyasn1_der_decode -from pyasn1.codec.der.encoder import encode as pyasn1_der_encode -from pyasn1.codec.native.decoder import decode as pyasn1_native_decode -from pyasn1.codec.native.encoder import encode as pyasn1_native_encode - -from pyasn1.codec.ber.encoder import BitStringEncoder as BitStringEncoder - def BitStringEncoder_encodeValue32( self, value, asn1Spec, encodeFun, **options): @@ -217,6 +218,7 @@ class Krb5EncryptionKey(object): } return EncryptionKey_obj + class KerberosCredentials(Credentials): def __init__(self): super(KerberosCredentials, self).__init__() @@ -293,6 +295,7 @@ class KerberosCredentials(Credentials): def get_forced_salt(self): return self.forced_salt + class KerberosTicketCreds(object): def __init__(self, ticket, session_key, crealm=None, cname=None, @@ -311,14 +314,15 @@ class KerberosTicketCreds(object): self.encpart_private = encpart_private return + class RawKerberosTest(TestCaseInTempDir): """A raw Kerberos Test case.""" etypes_to_test = ( - { "value": -1111, "name": "dummy", }, - { "value": kcrypto.Enctype.AES256, "name": "aes128", }, - { "value": kcrypto.Enctype.AES128, "name": "aes256", }, - { "value": kcrypto.Enctype.RC4, "name": "rc4", }, + {"value": -1111, "name": "dummy", }, + {"value": kcrypto.Enctype.AES256, "name": "aes128", }, + {"value": kcrypto.Enctype.AES128, "name": "aes256", }, + {"value": kcrypto.Enctype.RC4, "name": "rc4", }, ) setup_etype_test_permutations_done = False @@ -332,7 +336,7 @@ class RawKerberosTest(TestCaseInTempDir): num_idxs = len(cls.etypes_to_test) permutations = [] - for num in range(1, num_idxs+1): + for num in range(1, num_idxs + 1): chunk = list(itertools.permutations(range(num_idxs), num)) for e in chunk: el = list(e) @@ -349,7 +353,7 @@ class RawKerberosTest(TestCaseInTempDir): name += "_%s" % n etypes += (cls.etypes_to_test[idx]["value"],) - r = { "name": name, "etypes": etypes, } + r = {"name": name, "etypes": etypes, } res.append(r) cls.etype_test_permutations = res @@ -386,7 +390,8 @@ class RawKerberosTest(TestCaseInTempDir): self.do_asn1_print = False self.do_hexdump = False - strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', allow_missing=True) + strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', + allow_missing=True) if strict_checking is None: strict_checking = '1' self.strict_checking = bool(int(strict_checking)) @@ -440,8 +445,9 @@ class RawKerberosTest(TestCaseInTempDir): val = None if prefix is not None: allow_missing_prefix = allow_missing or fallback_default - val = samba.tests.env_get_var_value('%s_%s' % (prefix, varname), - allow_missing=allow_missing_prefix) + val = samba.tests.env_get_var_value( + '%s_%s' % (prefix, varname), + allow_missing=allow_missing_prefix) else: fallback_default = True if val is None and fallback_default: @@ -506,7 +512,8 @@ class RawKerberosTest(TestCaseInTempDir): if aes256_key is not None: c.set_forced_key(kcrypto.Enctype.AES256, aes256_key) aes128_key = self.env_get_var('AES128_KEY_HEX', prefix, - fallback_default=False, allow_missing=True) + fallback_default=False, + allow_missing=True) if aes128_key is not None: c.set_forced_key(kcrypto.Enctype.AES128, aes128_key) rc4_key = self.env_get_var('RC4_KEY_HEX', prefix, @@ -536,11 +543,12 @@ class RawKerberosTest(TestCaseInTempDir): env_err = None try: # Try to obtain them from the environment - creds = self._get_krb5_creds_from_env(prefix, - default_username=default_username, - allow_missing_password=allow_missing_password, - allow_missing_keys=allow_missing_keys, - require_strongest_key=require_strongest_key) + creds = self._get_krb5_creds_from_env( + prefix, + default_username=default_username, + allow_missing_password=allow_missing_password, + allow_missing_keys=allow_missing_keys, + require_strongest_key=require_strongest_key) except Exception as err: # An error occurred, so save it for later env_err = err @@ -886,8 +894,8 @@ class RawKerberosTest(TestCaseInTempDir): return s def get_Nonce(self): - nonce_min=0x7f000000 - nonce_max=0x7fffffff + nonce_min = 0x7f000000 + nonce_max = 0x7fffffff v = random.randint(nonce_min, nonce_max) return v @@ -936,15 +944,20 @@ class RawKerberosTest(TestCaseInTempDir): if etype == kcrypto.Enctype.RC4: nthash = creds.get_nt_hash() self.assertIsNotNone(nthash, msg=fail_msg) - return self.SessionKey_create(etype=etype, contents=nthash, kvno=kvno) + return self.SessionKey_create(etype=etype, + contents=nthash, + kvno=kvno) password = creds.get_password() self.assertIsNotNone(password, msg=fail_msg) salt = creds.get_forced_salt() if salt is None: salt = bytes("%s%s" % (creds.get_realm(), creds.get_username()), - encoding='utf-8') - return self.PasswordKey_create(etype=etype, pwd=password, salt=salt, kvno=kvno) + encoding='utf-8') + return self.PasswordKey_create(etype=etype, + pwd=password, + salt=salt, + kvno=kvno) def RandomKey(self, etype): e = kcrypto._get_enctype_profile(etype) @@ -1020,10 +1033,12 @@ class RawKerberosTest(TestCaseInTempDir): return PA_ENC_TS_ENC_obj def KERB_PA_PAC_REQUEST_create(self, include_pac, pa_data_create=True): - #KERB-PA-PAC-REQUEST ::= SEQUENCE { - # include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC. - # --If FALSE, and PAC present, remove PAC - #} + # KERB-PA-PAC-REQUEST ::= SEQUENCE { + # include-pac[0] BOOLEAN --If TRUE, and no pac present, + # -- include PAC. + # --If FALSE, and PAC present, + # -- remove PAC. + # } KERB_PA_PAC_REQUEST_obj = { 'include-pac': include_pac, } @@ -1031,7 +1046,7 @@ class RawKerberosTest(TestCaseInTempDir): return KERB_PA_PAC_REQUEST_obj pa_pac = self.der_encode(KERB_PA_PAC_REQUEST_obj, asn1Spec=krb5_asn1.KERB_PA_PAC_REQUEST()) - pa_data = self.PA_DATA_create(128, pa_pac) # PA-PAC-REQUEST + pa_data = self.PA_DATA_create(128, pa_pac) # PA-PAC-REQUEST return pa_data def KDC_REQ_BODY_create(self, @@ -1327,11 +1342,14 @@ class RawKerberosTest(TestCaseInTempDir): EncAuthorizationData=EncAuthorizationData, EncAuthorizationData_key=EncAuthorizationData_key, additional_tickets=additional_tickets) - req_body_blob = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), + req_body_blob = self.der_encode(req_body, + asn1Spec=krb5_asn1.KDC_REQ_BODY(), asn1_print=asn1_print, hexdump=hexdump) - req_body_checksum = self.Checksum_create( - ticket_session_key, 6, req_body_blob, ctype=body_checksum_type) + req_body_checksum = self.Checksum_create(ticket_session_key, + 6, + req_body_blob, + ctype=body_checksum_type) subkey_obj = None if authenticator_subkey is not None: @@ -1390,7 +1408,10 @@ class RawKerberosTest(TestCaseInTempDir): cksum_data += n.encode() cksum_data += realm.encode() cksum_data += "Kerberos".encode() - cksum = self.Checksum_create(tgt_session_key, 17, cksum_data, ctype) + cksum = self.Checksum_create(tgt_session_key, + 17, + cksum_data, + ctype) PA_S4U2Self_obj = { 'name': name, @@ -1403,20 +1424,20 @@ class RawKerberosTest(TestCaseInTempDir): return self.PA_DATA_create(129, pa_s4u2self) def _generic_kdc_exchange(self, - kdc_exchange_dict, # required - kdc_options=None, # required - cname=None, # optional - realm=None, # required - sname=None, # optional - from_time=None, # optional - till_time=None, # required - renew_time=None, # optional - nonce=None, # required - etypes=None, # required - addresses=None, # optional - EncAuthorizationData=None, # optional - EncAuthorizationData_key=None, # optional - additional_tickets=None): # optional + kdc_exchange_dict, # required + kdc_options=None, # required + cname=None, # optional + realm=None, # required + sname=None, # optional + from_time=None, # optional + till_time=None, # required + renew_time=None, # optional + nonce=None, # required + etypes=None, # required + addresses=None, # optional + EncAuthorizationData=None, # optional + EncAuthorizationData_key=None, # optional + additional_tickets=None): # optional check_error_fn = kdc_exchange_dict['check_error_fn'] check_rep_fn = kdc_exchange_dict['check_rep_fn'] @@ -1431,19 +1452,20 @@ class RawKerberosTest(TestCaseInTempDir): if nonce is None: nonce = self.get_Nonce() - req_body = self.KDC_REQ_BODY_create(kdc_options=kdc_options, - cname=cname, - realm=realm, - sname=sname, - from_time=from_time, - till_time=till_time, - renew_time=renew_time, - nonce=nonce, - etypes=etypes, - addresses=addresses, - EncAuthorizationData=EncAuthorizationData, - EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets) + req_body = self.KDC_REQ_BODY_create( + kdc_options=kdc_options, + cname=cname, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets) if generate_padata_fn is not None: # This can alter req_body... padata, req_body = generate_padata_fn(kdc_exchange_dict, @@ -1455,10 +1477,10 @@ class RawKerberosTest(TestCaseInTempDir): kdc_exchange_dict['req_padata'] = padata kdc_exchange_dict['req_body'] = req_body - req_obj,req_decoded = self.KDC_REQ_create(msg_type=req_msg_type, - padata=padata, - req_body=req_body, - asn1Spec=req_asn1Spec()) + req_obj, req_decoded = self.KDC_REQ_create(msg_type=req_msg_type, + padata=padata, + req_body=req_body, + asn1Spec=req_asn1Spec()) rep = self.send_recv_transaction(req_decoded) self.assertIsNotNone(rep) @@ -1571,7 +1593,7 @@ class RawKerberosTest(TestCaseInTempDir): rep_encpart_asn1Spec = kdc_exchange_dict['rep_encpart_asn1Spec'] msg_type = kdc_exchange_dict['rep_msg_type'] - self.assertElementEqual(rep, 'msg-type', msg_type) # AS-REP | TGS-REP + self.assertElementEqual(rep, 'msg-type', msg_type) # AS-REP | TGS-REP padata = self.getElementValue(rep, 'padata') self.assertElementEqualUTF8(rep, 'crealm', expected_crealm) self.assertElementEqualPrincipal(rep, 'cname', expected_cname) @@ -1579,22 +1601,23 @@ class RawKerberosTest(TestCaseInTempDir): ticket = self.getElementValue(rep, 'ticket') ticket_encpart = None ticket_cipher = None - if ticket is not None: # Never None, but gives indentation + if ticket is not None: # Never None, but gives indentation self.assertElementPresent(ticket, 'tkt-vno') self.assertElementEqualUTF8(ticket, 'realm', expected_srealm) self.assertElementEqualPrincipal(ticket, 'sname', expected_sname) self.assertElementPresent(ticket, 'enc-part') ticket_encpart = self.getElementValue(ticket, 'enc-part') - if ticket_encpart is not None: # Never None, but gives indentation + if ticket_encpart is not None: # Never None, but gives indentation self.assertElementPresent(ticket_encpart, 'etype') # 'unspecified' means present, with any value != 0 - self.assertElementKVNO(ticket_encpart, 'kvno', self.unspecified_kvno) + self.assertElementKVNO(ticket_encpart, 'kvno', + self.unspecified_kvno) self.assertElementPresent(ticket_encpart, 'cipher') ticket_cipher = self.getElementValue(ticket_encpart, 'cipher') self.assertElementPresent(rep, 'enc-part') encpart = self.getElementValue(rep, 'enc-part') encpart_cipher = None - if encpart is not None: # Never None, but gives indentation + if encpart is not None: # Never None, but gives indentation self.assertElementPresent(encpart, 'etype') self.assertElementKVNO(ticket_encpart, 'kvno', 'autodetect') self.assertElementPresent(encpart, 'cipher') @@ -1602,24 +1625,35 @@ class RawKerberosTest(TestCaseInTempDir): encpart_decryption_key = None if check_padata_fn is not None: - # See if get the decryption key from the preauth phase - encpart_decryption_key,encpart_decryption_usage = \ - check_padata_fn(kdc_exchange_dict, callback_dict, - rep, padata) + # See if we can get the decryption key from the preauth phase + encpart_decryption_key, encpart_decryption_usage = ( + check_padata_fn(kdc_exchange_dict, callback_dict, + rep, padata)) ticket_private = None if ticket_decryption_key is not None: - self.assertElementEqual(ticket_encpart, 'etype', ticket_decryption_key.etype) - self.assertElementKVNO(ticket_encpart, 'kvno', ticket_decryption_key.kvno) - ticket_decpart = ticket_decryption_key.decrypt(KU_TICKET, ticket_cipher) - ticket_private = self.der_decode(ticket_decpart, asn1Spec=krb5_asn1.EncTicketPart()) + self.assertElementEqual(ticket_encpart, 'etype', + ticket_decryption_key.etype) + self.assertElementKVNO(ticket_encpart, 'kvno', + ticket_decryption_key.kvno) + ticket_decpart = ticket_decryption_key.decrypt(KU_TICKET, + ticket_cipher) + ticket_private = self.der_decode( + ticket_decpart, + asn1Spec=krb5_asn1.EncTicketPart()) encpart_private = None if encpart_decryption_key is not None: - self.assertElementEqual(encpart, 'etype', encpart_decryption_key.etype) - self.assertElementKVNO(encpart, 'kvno', encpart_decryption_key.kvno) - rep_decpart = encpart_decryption_key.decrypt(encpart_decryption_usage, encpart_cipher) - encpart_private = self.der_decode(rep_decpart, asn1Spec=rep_encpart_asn1Spec()) + self.assertElementEqual(encpart, 'etype', + encpart_decryption_key.etype) + self.assertElementKVNO(encpart, 'kvno', + encpart_decryption_key.kvno) + rep_decpart = encpart_decryption_key.decrypt( + encpart_decryption_usage, + encpart_cipher) + encpart_private = self.der_decode( + rep_decpart, + asn1Spec=rep_encpart_asn1Spec()) if check_kdc_private_fn is not None: check_kdc_private_fn(kdc_exchange_dict, callback_dict, @@ -1647,12 +1681,14 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementPresent(ticket_private, 'flags') self.assertElementPresent(ticket_private, 'key') ticket_key = self.getElementValue(ticket_private, 'key') - if ticket_key is not None: # Never None, but gives indentation + if ticket_key is not None: # Never None, but gives indentation self.assertElementPresent(ticket_key, 'keytype') self.assertElementPresent(ticket_key, 'keyvalue') ticket_session_key = self.EncryptionKey_import(ticket_key) - self.assertElementEqualUTF8(ticket_private, 'crealm', expected_crealm) - self.assertElementEqualPrincipal(ticket_private, 'cname', expected_cname) + self.assertElementEqualUTF8(ticket_private, 'crealm', + expected_crealm) + self.assertElementEqualPrincipal(ticket_private, 'cname', + expected_cname) self.assertElementPresent(ticket_private, 'transited') self.assertElementPresent(ticket_private, 'authtime') if self.strict_checking: @@ -1666,39 +1702,45 @@ class RawKerberosTest(TestCaseInTempDir): if encpart_private is not None: self.assertElementPresent(encpart_private, 'key') encpart_key = self.getElementValue(encpart_private, 'key') - if encpart_key is not None: # Never None, but gives indentation + if encpart_key is not None: # Never None, but gives indentation self.assertElementPresent(encpart_key, 'keytype') self.assertElementPresent(encpart_key, 'keyvalue') encpart_session_key = self.EncryptionKey_import(encpart_key) self.assertElementPresent(encpart_private, 'last-req') self.assertElementPresent(encpart_private, 'nonce') - # TODO self.assertElementPresent(encpart_private, 'key-expiration') + # TODO self.assertElementPresent(encpart_private, + # 'key-expiration') self.assertElementPresent(encpart_private, 'flags') self.assertElementPresent(encpart_private, 'authtime') if self.strict_checking: self.assertElementPresent(encpart_private, 'starttime') self.assertElementPresent(encpart_private, 'endtime') # TODO self.assertElementPresent(encpart_private, 'renew-till') - self.assertElementEqualUTF8(encpart_private, 'srealm', expected_srealm) - self.assertElementEqualPrincipal(encpart_private, 'sname', expected_sname) + self.assertElementEqualUTF8(encpart_private, 'srealm', + expected_srealm) + self.assertElementEqualPrincipal(encpart_private, 'sname', + expected_sname) # TODO self.assertElementMissing(encpart_private, 'caddr') if ticket_session_key is not None and encpart_session_key is not None: - self.assertEqual(ticket_session_key.etype, encpart_session_key.etype) - self.assertEqual(ticket_session_key.key.contents, encpart_session_key.key.contents) + self.assertEqual(ticket_session_key.etype, + encpart_session_key.etype) + self.assertEqual(ticket_session_key.key.contents, + encpart_session_key.key.contents) if encpart_session_key is not None: session_key = encpart_session_key else: session_key = ticket_session_key - ticket_creds = KerberosTicketCreds(ticket, - session_key, - crealm=expected_crealm, - cname=expected_cname, - srealm=expected_srealm, - sname=expected_sname, - decryption_key=ticket_decryption_key, - ticket_private=ticket_private, - encpart_private=encpart_private) + ticket_creds = KerberosTicketCreds( + ticket, + session_key, + crealm=expected_crealm, + cname=expected_cname, + srealm=expected_srealm, + sname=expected_sname, + decryption_key=ticket_decryption_key, + ticket_private=ticket_private, + encpart_private=encpart_private) kdc_exchange_dict['rep_ticket_creds'] = ticket_creds return @@ -1728,11 +1770,11 @@ class RawKerberosTest(TestCaseInTempDir): if kcrypto.Enctype.RC4 in proposed_etypes: expect_etype_info = True for etype in proposed_etypes: - if etype in (kcrypto.Enctype.AES256,kcrypto.Enctype.AES128): + if etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128): expect_etype_info = False if etype not in client_as_etypes: continue - if etype in (kcrypto.Enctype.AES256,kcrypto.Enctype.AES128): + if etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128): if etype > expected_aes_type: expected_aes_type = etype if etype in (kcrypto.Enctype.RC4,): @@ -1779,14 +1821,17 @@ class RawKerberosTest(TestCaseInTempDir): if self.strict_checking: self.assertIsNotNone(edata) if edata is not None: - rep_padata = self.der_decode(edata, asn1Spec=krb5_asn1.METHOD_DATA()) + rep_padata = self.der_decode(edata, + asn1Spec=krb5_asn1.METHOD_DATA()) self.assertGreater(len(rep_padata), 0) else: rep_padata = [] if self.strict_checking: for i in range(0, len(expected_patypes)): - self.assertElementEqual(rep_padata[i], 'padata-type', expected_patypes[i]) + self.assertElementEqual(rep_padata[i], + 'padata-type', + expected_patypes[i]) self.assertEqual(len(rep_padata), len(expected_patypes)) etype_info2 = None @@ -1799,11 +1844,13 @@ class RawKerberosTest(TestCaseInTempDir): pavalue = self.getElementValue(pa, 'padata-value') if patype == PADATA_ETYPE_INFO2: self.assertIsNone(etype_info2) - etype_info2 = self.der_decode(pavalue, asn1Spec=krb5_asn1.ETYPE_INFO2()) + etype_info2 = self.der_decode(pavalue, + asn1Spec=krb5_asn1.ETYPE_INFO2()) continue if patype == PADATA_ETYPE_INFO: self.assertIsNone(etype_info) - etype_info = self.der_decode(pavalue, asn1Spec=krb5_asn1.ETYPE_INFO()) + etype_info = self.der_decode(pavalue, + asn1Spec=krb5_asn1.ETYPE_INFO()) continue if patype == PADATA_ENC_TIMESTAMP: self.assertIsNone(enc_timestamp) @@ -1881,7 +1928,8 @@ class RawKerberosTest(TestCaseInTempDir): authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] body_checksum_type = kdc_exchange_dict['body_checksum_type'] - req_body_blob = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY()) + req_body_blob = self.der_encode(req_body, + asn1Spec=krb5_asn1.KDC_REQ_BODY()) req_body_checksum = self.Checksum_create(tgt.session_key, KU_TGS_REQ_AUTH_CKSUM, @@ -1893,15 +1941,18 @@ class RawKerberosTest(TestCaseInTempDir): subkey_obj = authenticator_subkey.export_obj() seq_number = random.randint(0, 0xfffffffe) (ctime, cusec) = self.get_KerberosTimeWithUsec() - authenticator_obj = self.Authenticator_create(crealm=tgt.crealm, - cname=tgt.cname, - cksum=req_body_checksum, - cusec=cusec, - ctime=ctime, - subkey=subkey_obj, - seq_number=seq_number, - authorization_data=None) - authenticator_blob = self.der_encode(authenticator_obj, asn1Spec=krb5_asn1.Authenticator()) + authenticator_obj = self.Authenticator_create( + crealm=tgt.crealm, + cname=tgt.cname, + cksum=req_body_checksum, + cusec=cusec, + ctime=ctime, + subkey=subkey_obj, + seq_number=seq_number, + authorization_data=None) + authenticator_blob = self.der_encode( + authenticator_obj, + asn1Spec=krb5_asn1.Authenticator()) authenticator = self.EncryptedData_create(tgt.session_key, KU_TGS_REQ_AUTH, @@ -1909,8 +1960,8 @@ class RawKerberosTest(TestCaseInTempDir): ap_options = krb5_asn1.APOptions('0') ap_req_obj = self.AP_REQ_create(ap_options=str(ap_options), - ticket=tgt.ticket, - authenticator=authenticator) + ticket=tgt.ticket, + authenticator=authenticator) ap_req = self.der_encode(ap_req_obj, asn1Spec=krb5_asn1.AP_REQ()) pa_tgs_req = self.PA_DATA_create(PADATA_KDC_REQ, ap_req) padata = [pa_tgs_req] @@ -1964,19 +2015,19 @@ class RawKerberosTest(TestCaseInTempDir): return preauth_key, as_rep_usage kdc_exchange_dict = self.as_exchange_dict( - expected_crealm=expected_crealm, - expected_cname=expected_cname, - expected_srealm=expected_srealm, - expected_sname=expected_sname, - ticket_decryption_key=ticket_decryption_key, - generate_padata_fn=_generate_padata_copy, - check_error_fn=self.generic_check_as_error, - check_rep_fn=self.generic_check_kdc_rep, - check_padata_fn=_check_padata_preauth_key, - check_kdc_private_fn=self.generic_check_kdc_private, - expected_error_mode=expected_error_mode, - client_as_etypes=client_as_etypes, - expected_salt=expected_salt) + expected_crealm=expected_crealm, + expected_cname=expected_cname, + expected_srealm=expected_srealm, + expected_sname=expected_sname, + ticket_decryption_key=ticket_decryption_key, + generate_padata_fn=_generate_padata_copy, + check_error_fn=self.generic_check_as_error, + check_rep_fn=self.generic_check_kdc_rep, + check_padata_fn=_check_padata_preauth_key, + check_kdc_private_fn=self.generic_check_kdc_private, + expected_error_mode=expected_error_mode, + client_as_etypes=client_as_etypes, + expected_salt=expected_salt) rep = self._generic_kdc_exchange(kdc_exchange_dict, kdc_options=str(kdc_options), @@ -1986,7 +2037,7 @@ class RawKerberosTest(TestCaseInTempDir): till_time=till, etypes=etypes) - if expected_error_mode == 0: # AS-REP + if expected_error_mode == 0: # AS-REP return rep return kdc_exchange_dict['preauth_etype_info2'] -- 2.25.1 From 7cf42b62969fa2c9dced1d666dca650d91175545 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 2 Aug 2021 17:01:39 +1200 Subject: [PATCH 013/108] tests/krb5: Remove unneeded statements A return statement is redundant as the last statement in a method, as methods will otherwise return None. Also, code blocks consisting of a single 'pass' statement can be safely omitted. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1320ac0f91a9b0fc8156840ec498059ee10b5a2d) --- python/samba/tests/krb5/as_req_tests.py | 2 - python/samba/tests/krb5/raw_testcase.py | 99 +++++++++---------------- 2 files changed, 33 insertions(+), 68 deletions(-) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 09cfc9e1fc8..106c7489e9c 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -46,7 +46,6 @@ class AsReqKerberosTests(KDCBaseTest): tname = "%s_pac_%s" % (name, pac) targs = (idx, pac) cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs) - return def setUp(self): super(AsReqKerberosTests, self).setUp() @@ -197,7 +196,6 @@ class AsReqKerberosTests(KDCBaseTest): preauth_key=preauth_key, ticket_decryption_key=krbtgt_decryption_key) self.assertIsNotNone(as_rep) - return if __name__ == "__main__": global_asn1_print = True diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index de9c25751d2..34eae177882 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -195,7 +195,6 @@ class Krb5EncryptionKey(object): self.etype = key.enctype self.ctype = EncTypeChecksum[self.etype] self.kvno = kvno - return def encrypt(self, usage, plaintext): ciphertext = kcrypto.encrypt(self.key, usage, plaintext) @@ -235,19 +234,15 @@ class KerberosCredentials(Credentials): self.forced_keys = {} self.forced_salt = None - return def set_as_supported_enctypes(self, value): self.as_supported_enctypes = int(value) - return def set_tgs_supported_enctypes(self, value): self.tgs_supported_enctypes = int(value) - return def set_ap_supported_enctypes(self, value): self.ap_supported_enctypes = int(value) - return def _get_krb5_etypes(self, supported_enctypes): etypes = () @@ -290,7 +285,6 @@ class KerberosCredentials(Credentials): def set_forced_salt(self, salt): self.forced_salt = bytes(salt) - return def get_forced_salt(self): return self.forced_salt @@ -312,7 +306,6 @@ class KerberosTicketCreds(object): self.decryption_key = decryption_key self.ticket_private = ticket_private self.encpart_private = encpart_private - return class RawKerberosTest(TestCaseInTempDir): @@ -358,7 +351,6 @@ class RawKerberosTest(TestCaseInTempDir): cls.etype_test_permutations = res cls.setup_etype_test_permutations_done = True - return @classmethod def etype_test_permutation_name_idx(cls): @@ -427,17 +419,12 @@ class RawKerberosTest(TestCaseInTempDir): except IOError: self.s.close() raise - except Exception: - raise - finally: - pass def connect(self): self.assertNotConnected() self._connect_tcp() if self.do_hexdump: sys.stderr.write("connected[%s]\n" % self.host) - return def env_get_var(self, varname, prefix, fallback_default=True, @@ -704,8 +691,6 @@ class RawKerberosTest(TestCaseInTempDir): except IOError as e: self._disconnect("send_pdu: %s" % e) raise - finally: - pass def recv_raw(self, num_recv=0xffff, hexdump=None, timeout=None): rep_pdu = None @@ -721,57 +706,51 @@ class RawKerberosTest(TestCaseInTempDir): except socket.timeout: self.s.settimeout(10) sys.stderr.write("recv_raw: TIMEOUT\n") - pass except socket.error as e: self._disconnect("recv_raw: %s" % e) raise except IOError as e: self._disconnect("recv_raw: %s" % e) raise - finally: - pass return rep_pdu def recv_pdu_raw(self, asn1_print=None, hexdump=None, timeout=None): rep_pdu = None rep = None - try: + raw_pdu = self.recv_raw( + num_recv=4, hexdump=hexdump, timeout=timeout) + if raw_pdu is None: + return (None, None) + header = struct.unpack(">I", raw_pdu[0:4]) + k5_len = header[0] + if k5_len == 0: + return (None, "") + missing = k5_len + rep_pdu = b'' + while missing > 0: raw_pdu = self.recv_raw( - num_recv=4, hexdump=hexdump, timeout=timeout) - if raw_pdu is None: - return (None, None) - header = struct.unpack(">I", raw_pdu[0:4]) - k5_len = header[0] - if k5_len == 0: - return (None, "") - missing = k5_len - rep_pdu = b'' - while missing > 0: - raw_pdu = self.recv_raw( - num_recv=missing, hexdump=hexdump, timeout=timeout) - self.assertGreaterEqual(len(raw_pdu), 1) - rep_pdu += raw_pdu - missing = k5_len - len(rep_pdu) - k5_raw = self.der_decode( - rep_pdu, - asn1Spec=None, - native_encode=False, - asn1_print=False, - hexdump=False) - pvno = k5_raw['field-0'] - self.assertEqual(pvno, 5) - msg_type = k5_raw['field-1'] - self.assertIn(msg_type, [11, 13, 30]) - if msg_type == 11: - asn1Spec = krb5_asn1.AS_REP() - elif msg_type == 13: - asn1Spec = krb5_asn1.TGS_REP() - elif msg_type == 30: - asn1Spec = krb5_asn1.KRB_ERROR() - rep = self.der_decode(rep_pdu, asn1Spec=asn1Spec, - asn1_print=asn1_print, hexdump=False) - finally: - pass + num_recv=missing, hexdump=hexdump, timeout=timeout) + self.assertGreaterEqual(len(raw_pdu), 1) + rep_pdu += raw_pdu + missing = k5_len - len(rep_pdu) + k5_raw = self.der_decode( + rep_pdu, + asn1Spec=None, + native_encode=False, + asn1_print=False, + hexdump=False) + pvno = k5_raw['field-0'] + self.assertEqual(pvno, 5) + msg_type = k5_raw['field-1'] + self.assertIn(msg_type, [11, 13, 30]) + if msg_type == 11: + asn1Spec = krb5_asn1.AS_REP() + elif msg_type == 13: + asn1Spec = krb5_asn1.TGS_REP() + elif msg_type == 30: + asn1Spec = krb5_asn1.KRB_ERROR() + rep = self.der_decode(rep_pdu, asn1Spec=asn1Spec, + asn1_print=asn1_print, hexdump=False) return (rep, rep_pdu) def recv_pdu(self, asn1_print=None, hexdump=None, timeout=None): @@ -782,11 +761,9 @@ class RawKerberosTest(TestCaseInTempDir): def assertIsConnected(self): self.assertIsNotNone(self.s, msg="Not connected") - return def assertNotConnected(self): self.assertIsNone(self.s, msg="Is connected") - return def send_recv_transaction( self, @@ -807,11 +784,9 @@ class RawKerberosTest(TestCaseInTempDir): def assertNoValue(self, value): self.assertTrue(value.isNoValue) - return def assertHasValue(self, value): self.assertIsNotNone(value) - return def getElementValue(self, obj, elem): v = None @@ -824,24 +799,20 @@ class RawKerberosTest(TestCaseInTempDir): def assertElementMissing(self, obj, elem): v = self.getElementValue(obj, elem) self.assertIsNone(v) - return def assertElementPresent(self, obj, elem): v = self.getElementValue(obj, elem) self.assertIsNotNone(v) - return def assertElementEqual(self, obj, elem, value): v = self.getElementValue(obj, elem) self.assertIsNotNone(v) self.assertEqual(v, value) - return def assertElementEqualUTF8(self, obj, elem, value): v = self.getElementValue(obj, elem) self.assertIsNotNone(v) self.assertEqual(v, bytes(value, 'utf8')) - return def assertPrincipalEqual(self, princ1, princ2): self.assertEqual(princ1['name-type'], princ2['name-type']) @@ -854,14 +825,12 @@ class RawKerberosTest(TestCaseInTempDir): princ1['name-string'][idx], princ2['name-string'][idx], msg="princ1=%s != princ2=%s" % (princ1, princ2)) - return def assertElementEqualPrincipal(self, obj, elem, value): v = self.getElementValue(obj, elem) self.assertIsNotNone(v) v = pyasn1_native_decode(v, asn1Spec=krb5_asn1.PrincipalName()) self.assertPrincipalEqual(v, value) - return def assertElementKVNO(self, obj, elem, value): v = self.getElementValue(obj, elem) @@ -879,7 +848,6 @@ class RawKerberosTest(TestCaseInTempDir): self.assertEqual(v, value) else: self.assertIsNone(v) - return def get_KerberosTimeWithUsec(self, epoch=None, offset=None): if epoch is None: @@ -1743,7 +1711,6 @@ class RawKerberosTest(TestCaseInTempDir): encpart_private=encpart_private) kdc_exchange_dict['rep_ticket_creds'] = ticket_creds - return def generic_check_as_error(self, kdc_exchange_dict, -- 2.25.1 From 91be57c63bcb7e07fc88a40b816eae112838bf6c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 2 Aug 2021 17:10:32 +1200 Subject: [PATCH 014/108] tests/krb5: Use more compact dict lookup Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 38b3a361819c716adb773fb3b4507c28d7d26c0d) --- python/samba/tests/krb5/kdc_base_test.py | 5 +---- python/samba/tests/krb5/raw_testcase.py | 18 ++++-------------- 2 files changed, 5 insertions(+), 18 deletions(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index c23c71e1d74..79efc68254e 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -722,10 +722,7 @@ class KDCBaseTest(RawKerberosTest): ticket_data = self.der_encode(ticket, asn1Spec=krb5_asn1.Ticket()) authtime = enc_part['authtime'] - try: - starttime = enc_part['starttime'] - except KeyError: - starttime = authtime + starttime = enc_part.get('starttime', authtime) endtime = enc_part['endtime'] cred = krb5ccache.CREDENTIAL() diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 34eae177882..15bbd9ec999 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -279,9 +279,7 @@ class KerberosCredentials(Credentials): def get_forced_key(self, etype): etype = int(etype) - if etype in self.forced_keys: - return self.forced_keys[etype] - return None + return self.forced_keys.get(etype, None) def set_forced_salt(self, salt): self.forced_salt = bytes(salt) @@ -789,12 +787,7 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNotNone(value) def getElementValue(self, obj, elem): - v = None - try: - v = obj[elem] - except KeyError: - pass - return v + return obj.get(elem, None) def assertElementMissing(self, obj, elem): v = self.getElementValue(obj, elem) @@ -879,11 +872,8 @@ class RawKerberosTest(TestCaseInTempDir): def PasswordKey_from_etype_info2(self, creds, etype_info2, kvno=None): e = etype_info2['etype'] - salt = None - try: - salt = etype_info2['salt'] - except Exception: - pass + + salt = etype_info2.get('salt', None) if e == kcrypto.Enctype.RC4: nthash = creds.get_nt_hash() -- 2.25.1 From e65c58e1b0c13354e219f05d2393e74b3c26fa5b Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 3 Aug 2021 15:03:00 +1200 Subject: [PATCH 015/108] tests/krb5: Simplify Python syntax Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 41c3e410344280d691e5a21fa5240ef52e71bd2d) --- python/samba/tests/krb5/raw_testcase.py | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 15bbd9ec999..31731a6547c 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -184,7 +184,7 @@ krb5_asn1.KerbErrorDataType.prettyPrint =\ Integer_NamedValues_prettyPrint -class Krb5EncryptionKey(object): +class Krb5EncryptionKey: def __init__(self, key, kvno): EncTypeChecksum = { kcrypto.Enctype.AES256: kcrypto.Cksumtype.SHA1_AES256, @@ -288,7 +288,7 @@ class KerberosCredentials(Credentials): return self.forced_salt -class KerberosTicketCreds(object): +class KerberosTicketCreds: def __init__(self, ticket, session_key, crealm=None, cname=None, srealm=None, sname=None, @@ -956,7 +956,7 @@ class RawKerberosTest(TestCaseInTempDir): return Checksum_obj @classmethod - def PrincipalName_create(self, name_type, names): + def PrincipalName_create(cls, name_type, names): # PrincipalName ::= SEQUENCE { # name-type [0] Int32, # name-string [1] SEQUENCE OF KerberosString @@ -1785,10 +1785,8 @@ class RawKerberosTest(TestCaseInTempDir): rep_padata = [] if self.strict_checking: - for i in range(0, len(expected_patypes)): - self.assertElementEqual(rep_padata[i], - 'padata-type', - expected_patypes[i]) + for i, patype in enumerate(expected_patypes): + self.assertElementEqual(rep_padata[i], 'padata-type', patype) self.assertEqual(len(rep_padata), len(expected_patypes)) etype_info2 = None -- 2.25.1 From b045821d61753deb77d9434944ae694c5036899e Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 13:49:27 +1200 Subject: [PATCH 016/108] tests/krb5: Remove magic constants Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit a2b183c179e74634438c85a4b35518836ba59e47) --- python/samba/tests/krb5/raw_testcase.py | 30 +++++++++++--------- python/samba/tests/krb5/rfc4120_constants.py | 7 +++++ 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 31731a6547c..dfa6a71467a 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -41,12 +41,14 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( KDC_ERR_ETYPE_NOSUPP, KDC_ERR_PREAUTH_REQUIRED, + KRB_AP_REQ, KRB_AS_REP, KRB_AS_REQ, KRB_ERROR, KRB_TGS_REP, KRB_TGS_REQ, KU_AS_REP_ENC_PART, + KU_NON_KERB_CKSUM_SALT, KU_TGS_REP_ENC_PART_SESSION, KU_TGS_REP_ENC_PART_SUB_KEY, KU_TGS_REQ_AUTH, @@ -55,7 +57,9 @@ from samba.tests.krb5.rfc4120_constants import ( PADATA_ENC_TIMESTAMP, PADATA_ETYPE_INFO, PADATA_ETYPE_INFO2, + PADATA_FOR_USER, PADATA_KDC_REQ, + PADATA_PAC_REQUEST, PADATA_PK_AS_REQ, PADATA_PK_AS_REP_19 ) @@ -740,12 +744,12 @@ class RawKerberosTest(TestCaseInTempDir): pvno = k5_raw['field-0'] self.assertEqual(pvno, 5) msg_type = k5_raw['field-1'] - self.assertIn(msg_type, [11, 13, 30]) - if msg_type == 11: + self.assertIn(msg_type, [KRB_AS_REP, KRB_TGS_REP, KRB_ERROR]) + if msg_type == KRB_AS_REP: asn1Spec = krb5_asn1.AS_REP() - elif msg_type == 13: + elif msg_type == KRB_TGS_REP: asn1Spec = krb5_asn1.TGS_REP() - elif msg_type == 30: + elif msg_type == KRB_ERROR: asn1Spec = krb5_asn1.KRB_ERROR() rep = self.der_decode(rep_pdu, asn1Spec=asn1Spec, asn1_print=asn1_print, hexdump=False) @@ -1004,7 +1008,7 @@ class RawKerberosTest(TestCaseInTempDir): return KERB_PA_PAC_REQUEST_obj pa_pac = self.der_encode(KERB_PA_PAC_REQUEST_obj, asn1Spec=krb5_asn1.KERB_PA_PAC_REQUEST()) - pa_data = self.PA_DATA_create(128, pa_pac) # PA-PAC-REQUEST + pa_data = self.PA_DATA_create(PADATA_PAC_REQUEST, pa_pac) return pa_data def KDC_REQ_BODY_create(self, @@ -1172,7 +1176,7 @@ class RawKerberosTest(TestCaseInTempDir): asn1_print=asn1_print, hexdump=hexdump) obj, decoded = self.KDC_REQ_create( - msg_type=10, + msg_type=KRB_AS_REQ, padata=padata, req_body=KDC_REQ_BODY_obj, asn1Spec=krb5_asn1.AS_REQ(), @@ -1192,7 +1196,7 @@ class RawKerberosTest(TestCaseInTempDir): # } AP_REQ_obj = { 'pvno': 5, - 'msg-type': 14, + 'msg-type': KRB_AP_REQ, 'ap-options': ap_options, 'ticket': ticket, 'authenticator': authenticator, @@ -1305,7 +1309,7 @@ class RawKerberosTest(TestCaseInTempDir): asn1_print=asn1_print, hexdump=hexdump) req_body_checksum = self.Checksum_create(ticket_session_key, - 6, + KU_TGS_REQ_AUTH_CKSUM, req_body_blob, ctype=body_checksum_type) @@ -1329,7 +1333,7 @@ class RawKerberosTest(TestCaseInTempDir): hexdump=hexdump) authenticator = self.EncryptedData_create( - ticket_session_key, 7, authenticator) + ticket_session_key, KU_TGS_REQ_AUTH, authenticator) ap_options = krb5_asn1.APOptions('0') ap_req = self.AP_REQ_create(ap_options=str(ap_options), @@ -1337,14 +1341,14 @@ class RawKerberosTest(TestCaseInTempDir): authenticator=authenticator) ap_req = self.der_encode(ap_req, asn1Spec=krb5_asn1.AP_REQ(), asn1_print=asn1_print, hexdump=hexdump) - pa_tgs_req = self.PA_DATA_create(1, ap_req) + pa_tgs_req = self.PA_DATA_create(PADATA_KDC_REQ, ap_req) if padata is not None: padata.append(pa_tgs_req) else: padata = [pa_tgs_req] obj, decoded = self.KDC_REQ_create( - msg_type=12, + msg_type=KRB_TGS_REQ, padata=padata, req_body=req_body, asn1Spec=krb5_asn1.TGS_REQ(), @@ -1367,7 +1371,7 @@ class RawKerberosTest(TestCaseInTempDir): cksum_data += realm.encode() cksum_data += "Kerberos".encode() cksum = self.Checksum_create(tgt_session_key, - 17, + KU_NON_KERB_CKSUM_SALT, cksum_data, ctype) @@ -1379,7 +1383,7 @@ class RawKerberosTest(TestCaseInTempDir): } pa_s4u2self = self.der_encode( PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) - return self.PA_DATA_create(129, pa_s4u2self) + return self.PA_DATA_create(PADATA_FOR_USER, pa_s4u2self) def _generic_kdc_exchange(self, kdc_exchange_dict, # required diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index a4c5e079b66..adcc93e1d6b 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -27,6 +27,7 @@ ARCFOUR_HMAC_MD5 = int( # Message types KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) +KRB_AP_REQ = int(krb5_asn1.MessageTypeValues('krb-ap-req')) KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) KRB_AS_REQ = int(krb5_asn1.MessageTypeValues('krb-as-req')) KRB_TGS_REP = int(krb5_asn1.MessageTypeValues('krb-tgs-rep')) @@ -39,8 +40,12 @@ PADATA_ETYPE_INFO = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO')) PADATA_ETYPE_INFO2 = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2')) +PADATA_FOR_USER = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-FOR-USER')) PADATA_KDC_REQ = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-KDC-REQ')) +PADATA_PAC_REQUEST = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-PA-PAC-REQUEST')) PADATA_PK_AS_REQ = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REQ')) PADATA_PK_AS_REP_19 = int( @@ -125,3 +130,5 @@ KU_KRB_CRED = 14 KU_KRB_SAFE_CKSUM = 15 ''' KRB-SAFE cksum, keyed with a key chosen by the application (section 5.6.1) ''' +KU_NON_KERB_SALT = 16 +KU_NON_KERB_CKSUM_SALT = 17 -- 2.25.1 From 9dd363ab564dc0088f2498bd21e5b40b25e0b70e Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 26 Jul 2021 17:14:08 +1200 Subject: [PATCH 017/108] tests/krb5: Fix including enc-authorization-data Remove the EncAuthorizationData parameters from AS_REQ_create(), since it should only be present in the TGS-REQ form. Also, fix a call to EncryptedData_create() to supply the key usage when creating enc-authorization-data. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 67ff72395cec2e5170c0ebae8db416a1f226df72) --- .../tests/krb5/as_canonicalization_tests.py | 4 --- .../samba/tests/krb5/compatability_tests.py | 4 --- python/samba/tests/krb5/kdc_base_test.py | 2 -- python/samba/tests/krb5/kdc_tests.py | 2 -- python/samba/tests/krb5/raw_testcase.py | 31 +++++++++++++------ python/samba/tests/krb5/s4u_tests.py | 4 --- python/samba/tests/krb5/simple_tests.py | 4 --- python/samba/tests/krb5/xrealm_tests.py | 4 --- 8 files changed, 21 insertions(+), 34 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index abb3f96a1e6..29d8cf418f5 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -257,8 +257,6 @@ class KerberosASCanonicalizationTests(KDCBaseTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) @@ -314,8 +312,6 @@ class KerberosASCanonicalizationTests(KDCBaseTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index 5a1ef02ef80..cd67549212a 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py @@ -147,8 +147,6 @@ class SimpleKerberosTests(RawKerberosTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) @@ -209,8 +207,6 @@ class SimpleKerberosTests(RawKerberosTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 79efc68254e..7874562d32d 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -390,8 +390,6 @@ class KDCBaseTest(RawKerberosTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) return rep diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py index c7c53953a86..930edd0a63e 100755 --- a/python/samba/tests/krb5/kdc_tests.py +++ b/python/samba/tests/krb5/kdc_tests.py @@ -79,8 +79,6 @@ class KdcTests(RawKerberosTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) return rep diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index dfa6a71467a..f39656d5e03 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -53,6 +53,8 @@ from samba.tests.krb5.rfc4120_constants import ( KU_TGS_REP_ENC_PART_SUB_KEY, KU_TGS_REQ_AUTH, KU_TGS_REQ_AUTH_CKSUM, + KU_TGS_REQ_AUTH_DAT_SESSION, + KU_TGS_REQ_AUTH_DAT_SUBKEY, KU_TICKET, PADATA_ENC_TIMESTAMP, PADATA_ETYPE_INFO, @@ -1022,9 +1024,10 @@ class RawKerberosTest(TestCaseInTempDir): nonce, etypes, addresses, + additional_tickets, EncAuthorizationData, EncAuthorizationData_key, - additional_tickets, + EncAuthorizationData_usage, asn1_print=None, hexdump=None): # KDC-REQ-BODY ::= SEQUENCE { @@ -1054,8 +1057,9 @@ class RawKerberosTest(TestCaseInTempDir): asn1Spec=krb5_asn1.AuthorizationData(), asn1_print=asn1_print, hexdump=hexdump) - enc_ad = self.EncryptedData_create( - EncAuthorizationData_key, enc_ad_plain) + enc_ad = self.EncryptedData_create(EncAuthorizationData_key, + EncAuthorizationData_usage, + enc_ad_plain) else: enc_ad = None KDC_REQ_BODY_obj = { @@ -1123,8 +1127,6 @@ class RawKerberosTest(TestCaseInTempDir): nonce, # required etypes, # required addresses, # optional - EncAuthorizationData, - EncAuthorizationData_key, additional_tickets, native_decoded_only=True, asn1_print=None, @@ -1170,9 +1172,10 @@ class RawKerberosTest(TestCaseInTempDir): nonce, etypes, addresses, - EncAuthorizationData, - EncAuthorizationData_key, additional_tickets, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + EncAuthorizationData_usage=None, asn1_print=asn1_print, hexdump=hexdump) obj, decoded = self.KDC_REQ_create( @@ -1290,6 +1293,11 @@ class RawKerberosTest(TestCaseInTempDir): # -- NOTE: not empty # } + if authenticator_subkey is not None: + EncAuthorizationData_usage = KU_TGS_REQ_AUTH_DAT_SUBKEY + else: + EncAuthorizationData_usage = KU_TGS_REQ_AUTH_DAT_SESSION + req_body = self.KDC_REQ_BODY_create( kdc_options=kdc_options, cname=None, @@ -1301,9 +1309,10 @@ class RawKerberosTest(TestCaseInTempDir): nonce=nonce, etypes=etypes, addresses=addresses, + additional_tickets=additional_tickets, EncAuthorizationData=EncAuthorizationData, EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets) + EncAuthorizationData_usage=EncAuthorizationData_usage) req_body_blob = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), asn1_print=asn1_print, hexdump=hexdump) @@ -1397,9 +1406,10 @@ class RawKerberosTest(TestCaseInTempDir): nonce=None, # required etypes=None, # required addresses=None, # optional + additional_tickets=None, # optional EncAuthorizationData=None, # optional EncAuthorizationData_key=None, # optional - additional_tickets=None): # optional + EncAuthorizationData_usage=None): # optional check_error_fn = kdc_exchange_dict['check_error_fn'] check_rep_fn = kdc_exchange_dict['check_rep_fn'] @@ -1425,9 +1435,10 @@ class RawKerberosTest(TestCaseInTempDir): nonce=nonce, etypes=etypes, addresses=addresses, + additional_tickets=additional_tickets, EncAuthorizationData=EncAuthorizationData, EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets) + EncAuthorizationData_usage=EncAuthorizationData_usage) if generate_padata_fn is not None: # This can alter req_body... padata, req_body = generate_padata_fn(kdc_exchange_dict, diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index 30a58d6345a..57575f0595d 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -69,8 +69,6 @@ class S4UKerberosTests(RawKerberosTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) @@ -113,8 +111,6 @@ class S4UKerberosTests(RawKerberosTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py index 9650702c6c6..795d753b4f7 100755 --- a/python/samba/tests/krb5/simple_tests.py +++ b/python/samba/tests/krb5/simple_tests.py @@ -69,8 +69,6 @@ class SimpleKerberosTests(RawKerberosTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) @@ -113,8 +111,6 @@ class SimpleKerberosTests(RawKerberosTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) diff --git a/python/samba/tests/krb5/xrealm_tests.py b/python/samba/tests/krb5/xrealm_tests.py index efb953bdf7e..073cb755b46 100755 --- a/python/samba/tests/krb5/xrealm_tests.py +++ b/python/samba/tests/krb5/xrealm_tests.py @@ -68,8 +68,6 @@ class XrealmKerberosTests(RawKerberosTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) @@ -112,8 +110,6 @@ class XrealmKerberosTests(RawKerberosTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) -- 2.25.1 From d2915f6cef2f6e6e7ece0d9d53ae18b093b3f4a3 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 11:12:34 +1200 Subject: [PATCH 018/108] tests/krb5: Fix callback_dict parameter Items contained in a default-created callback_dict should not be carried over between unrelated calls to {as,tgs}_as_exchange_dict(). Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit bad5f4ee5fdf64ca9d775233fec24975e0b510bf) --- python/samba/tests/krb5/raw_testcase.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index f39656d5e03..fc8e6990834 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1486,7 +1486,7 @@ class RawKerberosTest(TestCaseInTempDir): check_rep_fn=None, check_padata_fn=None, check_kdc_private_fn=None, - callback_dict=dict(), + callback_dict=None, expected_error_mode=None, client_as_etypes=None, expected_salt=None): @@ -1511,6 +1511,9 @@ class RawKerberosTest(TestCaseInTempDir): 'client_as_etypes': client_as_etypes, 'expected_salt': expected_salt, } + if callback_dict is None: + callback_dict = {} + return kdc_exchange_dict def tgs_exchange_dict(self, @@ -1524,7 +1527,7 @@ class RawKerberosTest(TestCaseInTempDir): check_rep_fn=None, check_padata_fn=None, check_kdc_private_fn=None, - callback_dict=dict(), + callback_dict=None, tgt=None, authenticator_subkey=None, body_checksum_type=None): @@ -1549,6 +1552,9 @@ class RawKerberosTest(TestCaseInTempDir): 'body_checksum_type': body_checksum_type, 'authenticator_subkey': authenticator_subkey, } + if callback_dict is None: + callback_dict = {} + return kdc_exchange_dict def generic_check_kdc_rep(self, -- 2.25.1 From f31a99214bd8938c9a51ec59c6e13f20bee61f67 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:06:29 +1200 Subject: [PATCH 019/108] tests/krb5: Fix encpart_decryption_key with MIT KDC Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit a0c6538a97126671f9c7bcf3b581f3d98cbc7fd1) --- python/samba/tests/krb5/raw_testcase.py | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index fc8e6990834..1c08b76061f 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1630,9 +1630,16 @@ class RawKerberosTest(TestCaseInTempDir): rep_decpart = encpart_decryption_key.decrypt( encpart_decryption_usage, encpart_cipher) - encpart_private = self.der_decode( - rep_decpart, - asn1Spec=rep_encpart_asn1Spec()) + # MIT KDC encodes both EncASRepPart and EncTGSRepPart with + # application tag 26 + try: + encpart_private = self.der_decode( + rep_decpart, + asn1Spec=rep_encpart_asn1Spec()) + except Exception: + encpart_private = self.der_decode( + rep_decpart, + asn1Spec=krb5_asn1.EncTGSRepPart()) if check_kdc_private_fn is not None: check_kdc_private_fn(kdc_exchange_dict, callback_dict, -- 2.25.1 From 9af5b08fe2ca2415c96862890acac2a930cdacf9 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Jul 2021 17:00:09 +1200 Subject: [PATCH 020/108] tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 8194b2a2611c6b1db2d29ec22c70e14decd1784b) --- python/samba/tests/krb5/raw_testcase.py | 3 ++- python/samba/tests/krb5/rfc4120_constants.py | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 1c08b76061f..c0e997a86a1 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -40,6 +40,7 @@ from samba.tests import TestCaseInTempDir import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( KDC_ERR_ETYPE_NOSUPP, + KDC_ERR_GENERIC, KDC_ERR_PREAUTH_REQUIRED, KRB_AP_REQ, KRB_AS_REP, @@ -1799,7 +1800,7 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementEqualPrincipal(rep, 'sname', expected_sname) if self.strict_checking: self.assertElementMissing(rep, 'e-text') - if expected_error_mode != KDC_ERR_PREAUTH_REQUIRED: + if expected_error_mode == KDC_ERR_GENERIC: self.assertElementMissing(rep, 'e-data') return edata = self.getElementValue(rep, 'e-data') diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index adcc93e1d6b..b00b8b48ae5 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -58,6 +58,7 @@ KDC_ERR_PREAUTH_FAILED = 24 KDC_ERR_PREAUTH_REQUIRED = 25 KDC_ERR_BADMATCH = 36 KDC_ERR_SKEW = 37 +KDC_ERR_GENERIC = 60 # Name types NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) -- 2.25.1 From 68481e0f55f5fb7455ceb7e5337b13bf7906625c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 15:07:59 +1200 Subject: [PATCH 021/108] tests/krb5: Check Kerberos protocol version number Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d6a242e20004217a0ce02dc4ef620a121e5944da) --- python/samba/tests/krb5/raw_testcase.py | 1 + 1 file changed, 1 insertion(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index c0e997a86a1..693f196940c 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1786,6 +1786,7 @@ class RawKerberosTest(TestCaseInTempDir): expected_patypes += (PADATA_PK_AS_REQ,) expected_patypes += (PADATA_PK_AS_REP_19,) + self.assertElementEqual(rep, 'pvno', 5) self.assertElementEqual(rep, 'msg-type', KRB_ERROR) self.assertElementEqual(rep, 'error-code', expected_error) self.assertElementMissing(rep, 'ctime') -- 2.25.1 From 0ad104c54e601379ff4627dfc937d6d48d4e8080 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 6 Jul 2021 11:28:37 +1200 Subject: [PATCH 022/108] tests/krb5: Use credentials kvno when creating password key Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 17d5a267298ccd7272e86fd24c2c608511cf46b7) --- python/samba/tests/krb5/kdc_base_test.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 7874562d32d..aa172640399 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -409,7 +409,8 @@ class KDCBaseTest(RawKerberosTest): etype_info2 = self.der_decode( padata_value, asn1Spec=krb5_asn1.ETYPE_INFO2()) - key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) + key = self.PasswordKey_from_etype_info2(creds, etype_info2[0], + creds.get_kvno()) return key def get_pa_data(self, creds, rep, skew=0): -- 2.25.1 From faa78a165afddcb89ac0457c739c16dbaca2eafd Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 6 Jul 2021 10:24:52 +1200 Subject: [PATCH 023/108] tests/krb5: Allow cf2 to automatically use the enctype of the first key RFC6113 states: "Unless otherwise specified, the resulting enctype of KRB-FX-CF2 is the enctype of k1." This change means the enctype no longer has to be specified manually. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit a5e5f8fdfe8b6952592d7d682af893c79080826f) --- python/samba/tests/krb5/kcrypto.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py index c8fef4c876d..ce7b00bda4c 100755 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py @@ -653,9 +653,11 @@ def prfplus(key, pepper, ln): return out[:ln] -def cf2(enctype, key1, key2, pepper1, pepper2): +def cf2(key1, key2, pepper1, pepper2, enctype=None): # Combine two keys and two pepper strings to produce a result key # of type enctype, using the RFC 6113 KRB-FX-CF2 function. + if enctype is None: + enctype = key1.enctype e = _get_enctype_profile(enctype) return e.random_to_key(_xorbytes(prfplus(key1, pepper1, e.seedsize), prfplus(key2, pepper2, e.seedsize))) @@ -748,7 +750,7 @@ class KcrytoTest(TestCase): kb = h('97DF97E4B798B29EB31ED7280287A92A') k1 = string_to_key(Enctype.AES128, b'key1', b'key1') k2 = string_to_key(Enctype.AES128, b'key2', b'key2') - k = cf2(Enctype.AES128, k1, k2, b'a', b'b') + k = cf2(k1, k2, b'a', b'b') self.assertEqual(k.contents, kb) def test_aes256_cf2(self): @@ -757,7 +759,7 @@ class KcrytoTest(TestCase): 'E72B1C7B') k1 = string_to_key(Enctype.AES256, b'key1', b'key1') k2 = string_to_key(Enctype.AES256, b'key2', b'key2') - k = cf2(Enctype.AES256, k1, k2, b'a', b'b') + k = cf2(k1, k2, b'a', b'b') self.assertEqual(k.contents, kb) def test_des3_crypt(self): @@ -794,7 +796,7 @@ class KcrytoTest(TestCase): kb = h('E58F9EB643862C13AD38E529313462A7F73E62834FE54A01') k1 = string_to_key(Enctype.DES3, b'key1', b'key1') k2 = string_to_key(Enctype.DES3, b'key2', b'key2') - k = cf2(Enctype.DES3, k1, k2, b'a', b'b') + k = cf2(k1, k2, b'a', b'b') self.assertEqual(k.contents, kb) def test_rc4_crypt(self): @@ -830,7 +832,7 @@ class KcrytoTest(TestCase): kb = h('24D7F6B6BAE4E5C00D2082C5EBAB3672') k1 = string_to_key(Enctype.RC4, b'key1', b'key1') k2 = string_to_key(Enctype.RC4, b'key2', b'key2') - k = cf2(Enctype.RC4, k1, k2, b'a', b'b') + k = cf2(k1, k2, b'a', b'b') self.assertEqual(k.contents, kb) def _test_md5_unkeyed_checksum(self, etype, usage): -- 2.25.1 From 8c4242a15ac7b72d3c39827bb463bd258f215bb6 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 6 Jul 2021 10:16:01 +1200 Subject: [PATCH 024/108] tests/krb5: Refactor get_pa_data() The function now returns a single padata object rather than a list, making it easier to combine multiple padata elements into a request. The new name 'get_enc_timestamp_pa_data' also makes it clearer as to what the method generates. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2c80f7f851a7a4ffbcde2c42b2c383b683b67731) --- python/samba/tests/krb5/kdc_base_test.py | 8 ++-- python/samba/tests/krb5/kdc_tests.py | 25 ++++++------ python/samba/tests/krb5/kdc_tgs_tests.py | 12 +++--- .../ms_kile_client_principal_lookup_tests.py | 40 +++++++++---------- 4 files changed, 42 insertions(+), 43 deletions(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index aa172640399..7748eae6225 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -413,7 +413,7 @@ class KDCBaseTest(RawKerberosTest): creds.get_kvno()) return key - def get_pa_data(self, creds, rep, skew=0): + def get_enc_timestamp_pa_data(self, creds, rep, skew=0): '''generate the pa_data data element for an AS-REQ ''' key = self.get_as_rep_key(creds, rep) @@ -427,7 +427,7 @@ class KDCBaseTest(RawKerberosTest): padata = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, padata) - return [padata] + return padata def get_as_rep_enc_data(self, key, rep): ''' Decrypt and Decode the encrypted data in an AS-REP @@ -795,9 +795,9 @@ class KDCBaseTest(RawKerberosTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(user_credentials, rep) + padata = self.get_enc_timestamp_pa_data(user_credentials, rep) key = self.get_as_rep_key(user_credentials, rep) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_as_reply(rep) # Request a ticket to the host service on the machine account diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py index 930edd0a63e..928f3c25c0f 100755 --- a/python/samba/tests/krb5/kdc_tests.py +++ b/python/samba/tests/krb5/kdc_tests.py @@ -83,7 +83,7 @@ class KdcTests(RawKerberosTest): rep = self.send_recv_transaction(req) return rep - def get_pa_data(self, creds, rep, skew=0): + def get_enc_timestamp_pa_data(self, creds, rep, skew=0): rep_padata = self.der_decode( rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) @@ -107,8 +107,7 @@ class KdcTests(RawKerberosTest): pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) - padata = [pa_ts] - return padata + return pa_ts def check_pre_authenication(self, rep): """ Check that the kdc response was pre-authentication required @@ -160,8 +159,8 @@ class KdcTests(RawKerberosTest): rep = self.as_req(creds, etype) self.check_pre_authenication(rep) - padata = self.get_pa_data(creds, rep) - rep = self.as_req(creds, etype, padata=padata) + padata = self.get_enc_timestamp_pa_data(creds, rep) + rep = self.as_req(creds, etype, padata=[padata]) self.check_as_reply(rep) etype = rep['enc-part']['etype'] @@ -174,8 +173,8 @@ class KdcTests(RawKerberosTest): rep = self.as_req(creds, etype) self.check_pre_authenication(rep) - padata = self.get_pa_data(creds, rep) - rep = self.as_req(creds, etype, padata=padata) + padata = self.get_enc_timestamp_pa_data(creds, rep) + rep = self.as_req(creds, etype, padata=[padata]) self.check_as_reply(rep) etype = rep['enc-part']['etype'] @@ -188,8 +187,8 @@ class KdcTests(RawKerberosTest): rep = self.as_req(creds, etype) self.check_pre_authenication(rep) - padata = self.get_pa_data(creds, rep) - rep = self.as_req(creds, etype, padata=padata) + padata = self.get_enc_timestamp_pa_data(creds, rep) + rep = self.as_req(creds, etype, padata=[padata]) self.check_as_reply(rep) etype = rep['enc-part']['etype'] @@ -202,8 +201,8 @@ class KdcTests(RawKerberosTest): rep = self.as_req(creds, etype) self.check_pre_authenication(rep) - padata = self.get_pa_data(creds, rep, skew=3600) - rep = self.as_req(creds, etype, padata=padata) + padata = self.get_enc_timestamp_pa_data(creds, rep, skew=3600) + rep = self.as_req(creds, etype, padata=[padata]) self.check_error_rep(rep, KDC_ERR_SKEW) @@ -216,8 +215,8 @@ class KdcTests(RawKerberosTest): rep = self.as_req(creds, etype) self.check_pre_authenication(rep) - padata = self.get_pa_data(creds, rep) - rep = self.as_req(creds, etype, padata=padata) + padata = self.get_enc_timestamp_pa_data(creds, rep) + rep = self.as_req(creds, etype, padata=[padata]) self.check_error_rep(rep, KDC_ERR_PREAUTH_FAILED) diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index 25a1f5f3ed8..97f9dd41339 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -66,9 +66,9 @@ class KdcTgsTests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(uc, rep) + padata = self.get_enc_timestamp_pa_data(uc, rep) key = self.get_as_rep_key(uc, rep) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_as_reply(rep) # Request a service ticket, but use a cname that does not match @@ -116,9 +116,9 @@ class KdcTgsTests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(uc, rep) + padata = self.get_enc_timestamp_pa_data(uc, rep) key = self.get_as_rep_key(uc, rep) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_as_reply(rep) enc_part2 = self.get_as_rep_enc_data(key, rep) @@ -157,9 +157,9 @@ class KdcTgsTests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(uc, rep) + padata = self.get_enc_timestamp_pa_data(uc, rep) key = self.get_as_rep_key(uc, rep) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_as_reply(rep) # Request a ticket to the host service on the machine account diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py index e42b643b357..99c842701ea 100755 --- a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py @@ -109,9 +109,9 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(uc, rep) + padata = self.get_enc_timestamp_pa_data(uc, rep) key = self.get_as_rep_key(uc, rep) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_as_reply(rep) # Request a ticket to the host service on the machine account @@ -168,9 +168,9 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(mc, rep) + padata = self.get_enc_timestamp_pa_data(mc, rep) key = self.get_as_rep_key(mc, rep) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_as_reply(rep) # Request a ticket to the host service on the machine account @@ -230,9 +230,9 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(uc, rep) + padata = self.get_enc_timestamp_pa_data(uc, rep) key = self.get_as_rep_key(uc, rep) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_as_reply(rep) # Request a ticket to the host service on the machine account @@ -368,13 +368,13 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(uc, rep) + padata = self.get_enc_timestamp_pa_data(uc, rep) key = self.get_as_rep_key(uc, rep) # Note: although we used the alt security id for the pre-auth # we need to use the username for the auth cname = self.PrincipalName_create( name_type=NT_PRINCIPAL, names=[user_name]) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_as_reply(rep) # Request a ticket to the host service on the machine account @@ -436,12 +436,12 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(uc, rep) + padata = self.get_enc_timestamp_pa_data(uc, rep) # Use the alternate security identifier # this should fail cname = self.PrincipalName_create( name_type=NT_PRINCIPAL, names=[alt_sec]) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) def test_enterprise_principal_step_1_3(self): @@ -475,9 +475,9 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(uc, rep) + padata = self.get_enc_timestamp_pa_data(uc, rep) key = self.get_as_rep_key(uc, rep) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_as_reply(rep) # Request a ticket to the host service on the machine account @@ -538,9 +538,9 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(uc, rep) + padata = self.get_enc_timestamp_pa_data(uc, rep) key = self.get_as_rep_key(uc, rep) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_as_reply(rep) # Request a ticket to the host service on the machine account @@ -602,9 +602,9 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(mc, rep) + padata = self.get_enc_timestamp_pa_data(mc, rep) key = self.get_as_rep_key(mc, rep) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_as_reply(rep) # Request a ticket to the host service on the machine account @@ -744,13 +744,13 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(uc, rep) + padata = self.get_enc_timestamp_pa_data(uc, rep) key = self.get_as_rep_key(uc, rep) # Note: although we used the alt security id for the pre-auth # we need to use the username for the auth cname = self.PrincipalName_create( name_type=NT_ENTERPRISE_PRINCIPAL, names=[uname]) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_as_reply(rep) # Request a ticket to the host service on the machine account @@ -813,12 +813,12 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): self.check_pre_authentication(rep) # Do the next AS-REQ - padata = self.get_pa_data(uc, rep) + padata = self.get_enc_timestamp_pa_data(uc, rep) # Use the alternate security identifier # this should fail cname = self.PrincipalName_create( name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) - rep = self.as_req(cname, sname, realm, etype, padata=padata) + rep = self.as_req(cname, sname, realm, etype, padata=[padata]) self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) -- 2.25.1 From 16bd9325a1baa7c9912b4c675e2ac0e6eb16056a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 26 Jul 2021 17:18:38 +1200 Subject: [PATCH 025/108] tests/krb5: Add get_enc_timestamp_pa_data_from_key() This makes it easier to create encrypted timestamp padata when the key has already been obtained. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit f5a906f74f9665a894db3c13722022f732180620) --- python/samba/tests/krb5/kdc_base_test.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 7748eae6225..64d9e627672 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -416,8 +416,12 @@ class KDCBaseTest(RawKerberosTest): def get_enc_timestamp_pa_data(self, creds, rep, skew=0): '''generate the pa_data data element for an AS-REQ ''' + key = self.get_as_rep_key(creds, rep) + return self.get_enc_timestamp_pa_data_from_key(key, skew=skew) + + def get_enc_timestamp_pa_data_from_key(self, key, skew=0): (patime, pausec) = self.get_KerberosTimeWithUsec(offset=skew) padata = self.PA_ENC_TS_ENC_create(patime, pausec) padata = self.der_encode(padata, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) -- 2.25.1 From 897a31ac5c0e714d18327a4e4e545376dc46c6fb Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 6 Jul 2021 12:51:54 +1200 Subject: [PATCH 026/108] tests/krb5: Add method to return dict containing padata elements This makes checking multiple padata elements easier. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit cb332d83008aa97a60eaca9e008054f641d514d6) --- python/samba/tests/krb5/raw_testcase.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 693f196940c..9b0b953e565 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -867,6 +867,18 @@ class RawKerberosTest(TestCaseInTempDir): v = random.randint(nonce_min, nonce_max) return v + def get_pa_dict(self, pa_data): + pa_dict = {} + + if pa_data is not None: + for pa in pa_data: + pa_type = pa['padata-type'] + if pa_type in pa_dict: + raise RuntimeError(f'Duplicate type {pa_type}') + pa_dict[pa_type] = pa['padata-value'] + + return pa_dict + def SessionKey_create(self, etype, contents, kvno=None): key = kcrypto.Key(etype, contents) return Krb5EncryptionKey(key, kvno) -- 2.25.1 From 118abccd8e94d5ebbbdeb5089839641d1970479b Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:27:47 +1200 Subject: [PATCH 027/108] tests/krb5: Make _test_as_exchange() return value more consistent Always return the reply and the kdc_exchange_dict so that the caller has more potentially useful information. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit fe8912e4a85c5fd614ad3079b041c0e1975958e3) --- python/samba/tests/krb5/as_req_tests.py | 62 +++++++++++++------------ python/samba/tests/krb5/raw_testcase.py | 5 +- 2 files changed, 33 insertions(+), 34 deletions(-) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 106c7489e9c..3b7841243c5 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -141,20 +141,21 @@ class AsReqKerberosTests(KDCBaseTest): initial_kdc_options = krb5_asn1.KDCOptions('forwardable') initial_error_mode = KDC_ERR_PREAUTH_REQUIRED - etype_info2 = self._test_as_exchange(cname, - realm, - sname, - till, - client_as_etypes, - initial_error_mode, - expected_crealm, - expected_cname, - expected_srealm, - expected_sname, - expected_salt, - initial_etypes, - initial_padata, - initial_kdc_options) + rep, kdc_exchange_dict = self._test_as_exchange(cname, + realm, + sname, + till, + client_as_etypes, + initial_error_mode, + expected_crealm, + expected_cname, + expected_srealm, + expected_sname, + expected_salt, + initial_etypes, + initial_padata, + initial_kdc_options) + etype_info2 = kdc_exchange_dict['preauth_etype_info2'] self.assertIsNotNone(etype_info2) preauth_key = self.PasswordKey_from_etype_info2(client_creds, @@ -179,22 +180,23 @@ class AsReqKerberosTests(KDCBaseTest): krbtgt_decryption_key = ( self.TicketDecryptionKey_from_creds(krbtgt_creds)) - as_rep = self._test_as_exchange(cname, - realm, - sname, - till, - client_as_etypes, - preauth_error_mode, - expected_crealm, - expected_cname, - expected_srealm, - expected_sname, - expected_salt, - preauth_etypes, - preauth_padata, - preauth_kdc_options, - preauth_key=preauth_key, - ticket_decryption_key=krbtgt_decryption_key) + as_rep, kdc_exchange_dict = self._test_as_exchange( + cname, + realm, + sname, + till, + client_as_etypes, + preauth_error_mode, + expected_crealm, + expected_cname, + expected_srealm, + expected_sname, + expected_salt, + preauth_etypes, + preauth_padata, + preauth_kdc_options, + preauth_key=preauth_key, + ticket_decryption_key=krbtgt_decryption_key) self.assertIsNotNone(as_rep) if __name__ == "__main__": diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 9b0b953e565..e9b4c6c9efa 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2034,7 +2034,4 @@ class RawKerberosTest(TestCaseInTempDir): till_time=till, etypes=etypes) - if expected_error_mode == 0: # AS-REP - return rep - - return kdc_exchange_dict['preauth_etype_info2'] + return rep, kdc_exchange_dict -- 2.25.1 From 03372c3ad63dfb410d7dd449491dfe274d02393d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 22 Jul 2021 16:27:17 +1200 Subject: [PATCH 028/108] tests/krb5: Add get_EpochFromKerberosTime() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit bab7503e3043002b1422b00f40cd03a0a29538aa) --- python/samba/tests/krb5/kdc_base_test.py | 12 +++--------- python/samba/tests/krb5/raw_testcase.py | 11 +++++++++++ 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 64d9e627672..f0a9e7311a5 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -732,15 +732,9 @@ class KDCBaseTest(RawKerberosTest): cred.client = cprincipal cred.server = sprincipal cred.keyblock = keyblock - cred.authtime = int(datetime.strptime(authtime.decode(), - "%Y%m%d%H%M%SZ") - .replace(tzinfo=timezone.utc).timestamp()) - cred.starttime = int(datetime.strptime(starttime.decode(), - "%Y%m%d%H%M%SZ") - .replace(tzinfo=timezone.utc).timestamp()) - cred.endtime = int(datetime.strptime(endtime.decode(), - "%Y%m%d%H%M%SZ") - .replace(tzinfo=timezone.utc).timestamp()) + cred.authtime = self.get_EpochFromKerberosTime(authtime) + cred.starttime = self.get_EpochFromKerberosTime(starttime) + cred.endtime = self.get_EpochFromKerberosTime(endtime) # Account for clock skew of up to five minutes. self.assertLess(cred.authtime - 5 * 60, diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index e9b4c6c9efa..3ab63cd01d0 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -861,6 +861,17 @@ class RawKerberosTest(TestCaseInTempDir): (s, _) = self.get_KerberosTimeWithUsec(epoch=epoch, offset=offset) return s + def get_EpochFromKerberosTime(self, kerberos_time): + if isinstance(kerberos_time, bytes): + kerberos_time = kerberos_time.decode() + + epoch = datetime.datetime.strptime(kerberos_time, + '%Y%m%d%H%M%SZ') + epoch = epoch.replace(tzinfo=datetime.timezone.utc) + epoch = int(epoch.timestamp()) + + return epoch + def get_Nonce(self): nonce_min = 0x7f000000 nonce_max = 0x7fffffff -- 2.25.1 From 5bdbf47fa6be7bab64781d12698715e705fb22d7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 3 Aug 2021 15:58:19 +1200 Subject: [PATCH 029/108] tests/krb5: Use encryption with admin credentials This ensures that account creation using admin credentials succeeds. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ce379edf2e135b105b18d35e24d732389de94291) --- python/samba/tests/krb5/raw_testcase.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 3ab63cd01d0..e48d501ad19 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -33,6 +33,7 @@ from pyasn1.codec.ber.encoder import BitStringEncoder from samba.credentials import Credentials from samba.dcerpc import security +from samba.gensec import FEATURE_SEAL import samba.tests from samba.tests import TestCaseInTempDir @@ -606,6 +607,7 @@ class RawKerberosTest(TestCaseInTempDir): c = self._get_krb5_creds(prefix='ADMIN', allow_missing_password=allow_missing_password, allow_missing_keys=allow_missing_keys) + c.set_gensec_features(c.get_gensec_features() | FEATURE_SEAL) return c def get_krbtgt_creds(self, -- 2.25.1 From c77997ceda4052fdb672841848880fc3804f219d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 6 Jul 2021 11:25:55 +1200 Subject: [PATCH 030/108] tests/krb5: Allow specifying additional details when creating an account Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 4790b6b04ae145a2ebb418dd734487a6ba28a30c) --- python/samba/tests/krb5/kdc_base_test.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index f0a9e7311a5..279e15c13ce 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -148,7 +148,7 @@ class KDCBaseTest(RawKerberosTest): return default_enctypes def create_account(self, ldb, name, machine_account=False, - spn=None, upn=None): + spn=None, upn=None, additional_details=None): '''Create an account for testing. The dn of the created account is added to self.accounts, which is used by tearDownClass to clean up the created accounts. @@ -180,6 +180,8 @@ class KDCBaseTest(RawKerberosTest): details["servicePrincipalName"] = spn if upn is not None: details["userPrincipalName"] = upn + if additional_details is not None: + details.update(additional_details) ldb.add(details) creds = KerberosCredentials() -- 2.25.1 From 9d5186621025232b0a4226d3bec3faf51b24cc26 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 6 Jul 2021 10:19:57 +1200 Subject: [PATCH 031/108] tests/krb5: Add more methods for obtaining machine and service credentials Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 50d743bafc7aa9f7b4688bae652a501001e9fdbb) --- python/samba/tests/krb5/kdc_base_test.py | 74 ++++++++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 279e15c13ce..21e2c04cea1 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -334,6 +334,80 @@ class KDCBaseTest(RawKerberosTest): fallback_creds_fn=create_client_account) return c + def get_mach_creds(self, + allow_missing_password=False, + allow_missing_keys=True): + def create_mach_account(): + samdb = self.get_samdb() + + mach_name = 'kdctestmac' + details = { + 'msDS-SupportedEncryptionTypes': str( + security.KERB_ENCTYPE_FAST_SUPPORTED | + security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED | + security.KERB_ENCTYPE_CLAIMS_SUPPORTED + ) + } + + creds, dn = self.create_account(samdb, mach_name, + machine_account=True, + spn='host/' + mach_name, + additional_details=details) + + res = samdb.search(base=dn, + scope=ldb.SCOPE_BASE, + attrs=['msDS-KeyVersionNumber']) + kvno = int(res[0]['msDS-KeyVersionNumber'][0]) + creds.set_kvno(kvno) + + keys = self.get_keys(samdb, dn) + self.creds_set_keys(creds, keys) + + return creds + + c = self._get_krb5_creds(prefix='MAC', + allow_missing_password=allow_missing_password, + allow_missing_keys=allow_missing_keys, + fallback_creds_fn=create_mach_account) + return c + + def get_service_creds(self, + allow_missing_password=False, + allow_missing_keys=True): + def create_service_account(): + samdb = self.get_samdb() + + mach_name = 'kdctestservice' + details = { + 'msDS-SupportedEncryptionTypes': str( + security.KERB_ENCTYPE_FAST_SUPPORTED | + security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED | + security.KERB_ENCTYPE_CLAIMS_SUPPORTED + ) + } + + creds, dn = self.create_account(samdb, mach_name, + machine_account=True, + spn='host/' + mach_name, + additional_details=details) + + res = samdb.search(base=dn, + scope=ldb.SCOPE_BASE, + attrs=['msDS-KeyVersionNumber']) + kvno = int(res[0]['msDS-KeyVersionNumber'][0]) + creds.set_kvno(kvno) + + keys = self.get_keys(samdb, dn) + self.creds_set_keys(creds, keys) + + return creds + + c = self._get_krb5_creds(prefix='SERVICE', + allow_missing_password=allow_missing_password, + allow_missing_keys=allow_missing_keys, + fallback_creds_fn=create_service_account) + return c + def get_krbtgt_creds(self, require_keys=True, require_strongest_key=False): -- 2.25.1 From 67ecbb6c2645151dd3d07f429914e068278a1e91 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 22 Jul 2021 16:22:09 +1200 Subject: [PATCH 032/108] tests/krb5: Add method to calculate account salt Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit f5689bb8fab82d5fcbdbd3c63b86e7618834aac5) --- python/samba/tests/krb5/kdc_base_test.py | 2 ++ python/samba/tests/krb5/raw_testcase.py | 19 +++++++++++++++---- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 21e2c04cea1..0dbaeab4a0e 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -192,6 +192,8 @@ class KDCBaseTest(RawKerberosTest): creds.set_username(account_name) if machine_account: creds.set_workstation(name) + else: + creds.set_workstation('') # # Save the account name so it can be deleted in tearDownClass self.accounts.add(dn) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index e48d501ad19..2dbcc39114a 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -295,6 +295,20 @@ class KerberosCredentials(Credentials): def get_forced_salt(self): return self.forced_salt + def get_salt(self): + if self.forced_salt is not None: + return self.forced_salt + + if self.get_workstation(): + salt_string = '%shost%s.%s' % ( + self.get_realm().upper(), + self.get_username().lower().rsplit('$', 1)[0], + self.get_realm().lower()) + else: + salt_string = self.get_realm().upper() + self.get_username() + + return salt_string.encode('utf-8') + class KerberosTicketCreds: def __init__(self, ticket, session_key, @@ -940,10 +954,7 @@ class RawKerberosTest(TestCaseInTempDir): password = creds.get_password() self.assertIsNotNone(password, msg=fail_msg) - salt = creds.get_forced_salt() - if salt is None: - salt = bytes("%s%s" % (creds.get_realm(), creds.get_username()), - encoding='utf-8') + salt = creds.get_salt() return self.PasswordKey_create(etype=etype, pwd=password, salt=salt, -- 2.25.1 From 2be85029e1f3ff909cba160808f239b561c36e82 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 26 Jul 2021 17:19:04 +1200 Subject: [PATCH 033/108] tests/krb5: Add check_reply() method to check for AS or TGS reply Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 28fb50f511f3f693709aa9b41c001d6a5f9c3329) --- python/samba/tests/krb5/kdc_base_test.py | 26 +++++------------------- 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 0dbaeab4a0e..1b550179e0e 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -540,26 +540,7 @@ class KDCBaseTest(RawKerberosTest): kvno match the expected values """ - - # Should have a reply, and it should an AS-REP message. - self.assertIsNotNone(rep) - self.assertEqual(rep['msg-type'], KRB_AS_REP, "rep = {%s}" % rep) - - # Protocol version number should be 5 - pvno = int(rep['pvno']) - self.assertEqual(5, pvno, "rep = {%s}" % rep) - - # The ticket version number should be 5 - tkt_vno = int(rep['ticket']['tkt-vno']) - self.assertEqual(5, tkt_vno, "rep = {%s}" % rep) - - # Check that the kvno is not an RODC kvno - # MIT kerberos does not provide the kvno, so we treat it as optional. - # This is tested in compatability_test.py - if 'kvno' in rep['enc-part']: - kvno = int(rep['enc-part']['kvno']) - # If the high order bits are set this is an RODC kvno. - self.assertEqual(0, kvno & 0xFFFF0000, "rep = {%s}" % rep) + self.check_reply(rep, msg_type=KRB_AS_REP) def check_tgs_reply(self, rep): """ Check that the kdc response is an TGS-REP and that the @@ -570,10 +551,13 @@ class KDCBaseTest(RawKerberosTest): kvno match the expected values """ + self.check_reply(rep, msg_type=KRB_TGS_REP) + + def check_reply(self, rep, msg_type): # Should have a reply, and it should an TGS-REP message. self.assertIsNotNone(rep) - self.assertEqual(rep['msg-type'], KRB_TGS_REP, "rep = {%s}" % rep) + self.assertEqual(rep['msg-type'], msg_type, "rep = {%s}" % rep) # Protocol version number should be 5 pvno = int(rep['pvno']) -- 2.25.1 From 4908cd886a587027f045ac0b734afeda3203e576 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 10:32:52 +1200 Subject: [PATCH 034/108] tests/krb5: Always specify expected error code Now the expected error code is always determined by the test code itself rather than by generic_check_as_error(). Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 21c64fda8f98d451e028ea483dbe351b1280390c) --- python/samba/tests/krb5/as_req_tests.py | 11 ++++++++++- python/samba/tests/krb5/raw_testcase.py | 13 ++++++------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 3b7841243c5..861d2371b75 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -24,8 +24,10 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests import DynamicTestCase from samba.tests.krb5.kdc_base_test import KDCBaseTest +import samba.tests.krb5.kcrypto as kcrypto import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( + KDC_ERR_ETYPE_NOSUPP, KDC_ERR_PREAUTH_REQUIRED, KU_PA_ENC_TIMESTAMP, NT_PRINCIPAL, @@ -68,13 +70,20 @@ class AsReqKerberosTests(KDCBaseTest): sname = self.PrincipalName_create(name_type=NT_SRV_INST, names=[krbtgt_account, realm]) - expected_error_mode = KDC_ERR_PREAUTH_REQUIRED expected_crealm = realm expected_cname = cname expected_srealm = realm expected_sname = sname expected_salt = client_creds.get_forced_salt() + if any(etype in client_as_etypes and etype in initial_etypes + for etype in (kcrypto.Enctype.AES256, + kcrypto.Enctype.AES128, + kcrypto.Enctype.RC4)): + expected_error_mode = KDC_ERR_PREAUTH_REQUIRED + else: + expected_error_mode = KDC_ERR_ETYPE_NOSUPP + def _generate_padata_copy(_kdc_exchange_dict, _callback_dict, req_body): diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 2dbcc39114a..5579e989d1c 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -40,9 +40,7 @@ from samba.tests import TestCaseInTempDir import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( - KDC_ERR_ETYPE_NOSUPP, KDC_ERR_GENERIC, - KDC_ERR_PREAUTH_REQUIRED, KRB_AP_REQ, KRB_AS_REP, KRB_AS_REQ, @@ -1524,7 +1522,7 @@ class RawKerberosTest(TestCaseInTempDir): check_padata_fn=None, check_kdc_private_fn=None, callback_dict=None, - expected_error_mode=None, + expected_error_mode=0, client_as_etypes=None, expected_salt=None): kdc_exchange_dict = { @@ -1809,13 +1807,11 @@ class RawKerberosTest(TestCaseInTempDir): if expected_rc4_type != 0: expect_etype_info2 += (expected_rc4_type,) - expected_error = KDC_ERR_ETYPE_NOSUPP expected_patypes = () if expect_etype_info: self.assertGreater(len(expect_etype_info2), 0) expected_patypes += (PADATA_ETYPE_INFO,) if len(expect_etype_info2) != 0: - expected_error = KDC_ERR_PREAUTH_REQUIRED expected_patypes += (PADATA_ETYPE_INFO2,) expected_patypes += (PADATA_ENC_TIMESTAMP,) @@ -1824,7 +1820,7 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementEqual(rep, 'pvno', 5) self.assertElementEqual(rep, 'msg-type', KRB_ERROR) - self.assertElementEqual(rep, 'error-code', expected_error) + self.assertElementEqual(rep, 'error-code', expected_error_mode) self.assertElementMissing(rep, 'ctime') self.assertElementMissing(rep, 'cusec') self.assertElementPresent(rep, 'stime') @@ -1889,7 +1885,10 @@ class RawKerberosTest(TestCaseInTempDir): self.assertEqual(len(pk_as_rep19), 0) continue - if expected_error == KDC_ERR_ETYPE_NOSUPP: + if all(etype not in client_as_etypes or etype not in proposed_etypes + for etype in (kcrypto.Enctype.AES256, + kcrypto.Enctype.AES128, + kcrypto.Enctype.RC4)): self.assertIsNone(etype_info2) self.assertIsNone(etype_info) if self.strict_checking: -- 2.25.1 From e98ffd545f04c81ce61fde9160838c9ca58ab008 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 10:35:40 +1200 Subject: [PATCH 035/108] tests/krb5: Include kdc_options in kdc_exchange_dict Make kdc_options an element of kdc_exchange_dict instead of a parameter to _generic_kdc_exchange(). This allows testing code to adjust the reply checking based on the options that were specified in the request. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 8fe9589da2d8fe6f5c47770c618ebabe028f6a95) --- python/samba/tests/krb5/as_req_tests.py | 4 ++-- python/samba/tests/krb5/raw_testcase.py | 15 ++++++++++----- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 861d2371b75..ed97a10b616 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -99,10 +99,10 @@ class AsReqKerberosTests(KDCBaseTest): check_rep_fn=self.generic_check_kdc_rep, expected_error_mode=expected_error_mode, client_as_etypes=client_as_etypes, - expected_salt=expected_salt) + expected_salt=expected_salt, + kdc_options=str(initial_kdc_options)) rep = self._generic_kdc_exchange(kdc_exchange_dict, - kdc_options=str(initial_kdc_options), cname=cname, realm=realm, sname=sname, diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 5579e989d1c..00f90c5dea9 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1431,7 +1431,6 @@ class RawKerberosTest(TestCaseInTempDir): def _generic_kdc_exchange(self, kdc_exchange_dict, # required - kdc_options=None, # required cname=None, # optional realm=None, # required sname=None, # optional @@ -1454,6 +1453,8 @@ class RawKerberosTest(TestCaseInTempDir): req_asn1Spec = kdc_exchange_dict['req_asn1Spec'] rep_msg_type = kdc_exchange_dict['rep_msg_type'] + kdc_options = kdc_exchange_dict['kdc_options'] + if till_time is None: till_time = self.get_KerberosTime(offset=36000) if nonce is None: @@ -1524,7 +1525,8 @@ class RawKerberosTest(TestCaseInTempDir): callback_dict=None, expected_error_mode=0, client_as_etypes=None, - expected_salt=None): + expected_salt=None, + kdc_options=''): kdc_exchange_dict = { 'req_msg_type': KRB_AS_REQ, 'req_asn1Spec': krb5_asn1.AS_REQ, @@ -1545,6 +1547,7 @@ class RawKerberosTest(TestCaseInTempDir): 'expected_error_mode': expected_error_mode, 'client_as_etypes': client_as_etypes, 'expected_salt': expected_salt, + 'kdc_options': kdc_options, } if callback_dict is None: callback_dict = {} @@ -1565,7 +1568,8 @@ class RawKerberosTest(TestCaseInTempDir): callback_dict=None, tgt=None, authenticator_subkey=None, - body_checksum_type=None): + body_checksum_type=None, + kdc_options=''): kdc_exchange_dict = { 'req_msg_type': KRB_TGS_REQ, 'req_asn1Spec': krb5_asn1.TGS_REQ, @@ -1586,6 +1590,7 @@ class RawKerberosTest(TestCaseInTempDir): 'tgt': tgt, 'body_checksum_type': body_checksum_type, 'authenticator_subkey': authenticator_subkey, + 'kdc_options': kdc_options } if callback_dict is None: callback_dict = {} @@ -2047,10 +2052,10 @@ class RawKerberosTest(TestCaseInTempDir): check_kdc_private_fn=self.generic_check_kdc_private, expected_error_mode=expected_error_mode, client_as_etypes=client_as_etypes, - expected_salt=expected_salt) + expected_salt=expected_salt, + kdc_options=str(kdc_options)) rep = self._generic_kdc_exchange(kdc_exchange_dict, - kdc_options=str(kdc_options), cname=cname, realm=realm, sname=sname, -- 2.25.1 From 81a3011b09e6ed416e7248afd47b70a4704324fd Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 11:06:15 +1200 Subject: [PATCH 036/108] tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn This means that there can no longer be surprises where a test receives a reply when it was expecting an error, or vice versa. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 78818655505b3183251940e86270cd40bae73206) --- python/samba/tests/krb5/as_req_tests.py | 2 +- python/samba/tests/krb5/raw_testcase.py | 25 +++++++++++++++++++------ 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index ed97a10b616..d9a66f99ecf 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -96,7 +96,7 @@ class AsReqKerberosTests(KDCBaseTest): expected_sname=expected_sname, generate_padata_fn=_generate_padata_copy, check_error_fn=self.generic_check_as_error, - check_rep_fn=self.generic_check_kdc_rep, + check_rep_fn=None, expected_error_mode=expected_error_mode, client_as_etypes=client_as_etypes, expected_salt=expected_salt, diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 00f90c5dea9..d7813387941 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1453,6 +1453,7 @@ class RawKerberosTest(TestCaseInTempDir): req_asn1Spec = kdc_exchange_dict['req_asn1Spec'] rep_msg_type = kdc_exchange_dict['rep_msg_type'] + expected_error_mode = kdc_exchange_dict['expected_error_mode'] kdc_options = kdc_exchange_dict['kdc_options'] if till_time is None: @@ -1497,12 +1498,17 @@ class RawKerberosTest(TestCaseInTempDir): msg_type = self.getElementValue(rep, 'msg-type') self.assertIsNotNone(msg_type) - allowed_msg_types = () + expected_msg_type = None if check_error_fn is not None: - allowed_msg_types = (KRB_ERROR,) + expected_msg_type = KRB_ERROR + self.assertIsNone(check_rep_fn) + self.assertNotEqual(0, expected_error_mode) if check_rep_fn is not None: - allowed_msg_types += (rep_msg_type,) - self.assertIn(msg_type, allowed_msg_types) + expected_msg_type = rep_msg_type + self.assertIsNone(check_error_fn) + self.assertEqual(0, expected_error_mode) + self.assertIsNotNone(expected_msg_type) + self.assertEqual(msg_type, expected_msg_type) if msg_type == KRB_ERROR: return check_error_fn(kdc_exchange_dict, @@ -2039,6 +2045,13 @@ class RawKerberosTest(TestCaseInTempDir): as_rep_usage = KU_AS_REP_ENC_PART return preauth_key, as_rep_usage + if expected_error_mode == 0: + check_error_fn = None + check_rep_fn = self.generic_check_kdc_rep + else: + check_error_fn = self.generic_check_as_error + check_rep_fn = None + kdc_exchange_dict = self.as_exchange_dict( expected_crealm=expected_crealm, expected_cname=expected_cname, @@ -2046,8 +2059,8 @@ class RawKerberosTest(TestCaseInTempDir): expected_sname=expected_sname, ticket_decryption_key=ticket_decryption_key, generate_padata_fn=_generate_padata_copy, - check_error_fn=self.generic_check_as_error, - check_rep_fn=self.generic_check_kdc_rep, + check_error_fn=check_error_fn, + check_rep_fn=check_rep_fn, check_padata_fn=_check_padata_preauth_key, check_kdc_private_fn=self.generic_check_kdc_private, expected_error_mode=expected_error_mode, -- 2.25.1 From a62a80066e6dfac0addb3e3f78cc46691781981e Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 10:37:48 +1200 Subject: [PATCH 037/108] tests/krb5: Ensure in assertElementPresent() that container elements are not empty Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ba3c92f77b20e1e0d298cd92399dc69535739c27) --- python/samba/tests/krb5/raw_testcase.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index d7813387941..e1baf0ce943 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -24,6 +24,8 @@ import datetime import random import binascii import itertools +import collections + from pyasn1.codec.der.decoder import decode as pyasn1_der_decode from pyasn1.codec.der.encoder import encode as pyasn1_der_encode from pyasn1.codec.native.decoder import decode as pyasn1_native_decode @@ -817,6 +819,9 @@ class RawKerberosTest(TestCaseInTempDir): def assertElementPresent(self, obj, elem): v = self.getElementValue(obj, elem) self.assertIsNotNone(v) + if self.strict_checking: + if isinstance(v, collections.abc.Container): + self.assertNotEqual(0, len(v)) def assertElementEqual(self, obj, elem, value): v = self.getElementValue(obj, elem) -- 2.25.1 From 1f9452d81d1a73cce77e3a19f147c00625168502 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:39:42 +1200 Subject: [PATCH 038/108] tests/krb5: Assert that more variables are not None Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 3d1066e923815782036bd11524fda110a2528951) --- python/samba/tests/krb5/raw_testcase.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index e1baf0ce943..3a178f4bce3 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1631,12 +1631,14 @@ class RawKerberosTest(TestCaseInTempDir): ticket = self.getElementValue(rep, 'ticket') ticket_encpart = None ticket_cipher = None + self.assertIsNotNone(ticket) if ticket is not None: # Never None, but gives indentation self.assertElementPresent(ticket, 'tkt-vno') self.assertElementEqualUTF8(ticket, 'realm', expected_srealm) self.assertElementEqualPrincipal(ticket, 'sname', expected_sname) self.assertElementPresent(ticket, 'enc-part') ticket_encpart = self.getElementValue(ticket, 'enc-part') + self.assertIsNotNone(ticket_encpart) if ticket_encpart is not None: # Never None, but gives indentation self.assertElementPresent(ticket_encpart, 'etype') # 'unspecified' means present, with any value != 0 @@ -1647,6 +1649,7 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementPresent(rep, 'enc-part') encpart = self.getElementValue(rep, 'enc-part') encpart_cipher = None + self.assertIsNotNone(encpart) if encpart is not None: # Never None, but gives indentation self.assertElementPresent(encpart, 'etype') self.assertElementKVNO(ticket_encpart, 'kvno', 'autodetect') @@ -1654,6 +1657,7 @@ class RawKerberosTest(TestCaseInTempDir): encpart_cipher = self.getElementValue(encpart, 'cipher') encpart_decryption_key = None + self.assertIsNotNone(check_padata_fn) if check_padata_fn is not None: # See if we can get the decryption key from the preauth phase encpart_decryption_key, encpart_decryption_usage = ( @@ -1661,6 +1665,7 @@ class RawKerberosTest(TestCaseInTempDir): rep, padata)) ticket_private = None + self.assertIsNotNone(ticket_decryption_key) if ticket_decryption_key is not None: self.assertElementEqual(ticket_encpart, 'etype', ticket_decryption_key.etype) @@ -1673,6 +1678,7 @@ class RawKerberosTest(TestCaseInTempDir): asn1Spec=krb5_asn1.EncTicketPart()) encpart_private = None + self.assertIsNotNone(encpart_decryption_key) if encpart_decryption_key is not None: self.assertElementEqual(encpart, 'etype', encpart_decryption_key.etype) @@ -1692,6 +1698,7 @@ class RawKerberosTest(TestCaseInTempDir): rep_decpart, asn1Spec=krb5_asn1.EncTGSRepPart()) + self.assertIsNotNone(check_kdc_private_fn) if check_kdc_private_fn is not None: check_kdc_private_fn(kdc_exchange_dict, callback_dict, rep, ticket_private, encpart_private) @@ -1718,6 +1725,7 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementPresent(ticket_private, 'flags') self.assertElementPresent(ticket_private, 'key') ticket_key = self.getElementValue(ticket_private, 'key') + self.assertIsNotNone(ticket_key) if ticket_key is not None: # Never None, but gives indentation self.assertElementPresent(ticket_key, 'keytype') self.assertElementPresent(ticket_key, 'keyvalue') @@ -1739,6 +1747,7 @@ class RawKerberosTest(TestCaseInTempDir): if encpart_private is not None: self.assertElementPresent(encpart_private, 'key') encpart_key = self.getElementValue(encpart_private, 'key') + self.assertIsNotNone(encpart_key) if encpart_key is not None: # Never None, but gives indentation self.assertElementPresent(encpart_key, 'keytype') self.assertElementPresent(encpart_key, 'keyvalue') -- 2.25.1 From 5ceb74a06ffedcc58e2dfca8448f2e26eed82e94 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 11:34:19 +1200 Subject: [PATCH 039/108] tests/krb5: Check version number of obtained ticket Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 98dc19e8c817fc66e253e544874a45b17b8bfa7b) --- python/samba/tests/krb5/raw_testcase.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 3a178f4bce3..70062ca338a 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1633,7 +1633,7 @@ class RawKerberosTest(TestCaseInTempDir): ticket_cipher = None self.assertIsNotNone(ticket) if ticket is not None: # Never None, but gives indentation - self.assertElementPresent(ticket, 'tkt-vno') + self.assertElementEqual(ticket, 'tkt-vno', 5) self.assertElementEqualUTF8(ticket, 'realm', expected_srealm) self.assertElementEqualPrincipal(ticket, 'sname', expected_sname) self.assertElementPresent(ticket, 'enc-part') -- 2.25.1 From 048ec949e7085805bffd6f638b11c3b70cce8781 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 11:39:37 +1200 Subject: [PATCH 040/108] tests/krb5: Make checking less strict Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 6df0e406f1f823bf4d65cd478eb6f2424b69adcc) --- python/samba/tests/krb5/raw_testcase.py | 52 +++++++++++++------------ 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 70062ca338a..69b7c7adc9b 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1625,8 +1625,9 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementEqual(rep, 'msg-type', msg_type) # AS-REP | TGS-REP padata = self.getElementValue(rep, 'padata') - self.assertElementEqualUTF8(rep, 'crealm', expected_crealm) - self.assertElementEqualPrincipal(rep, 'cname', expected_cname) + if self.strict_checking: + self.assertElementEqualUTF8(rep, 'crealm', expected_crealm) + self.assertElementEqualPrincipal(rep, 'cname', expected_cname) self.assertElementPresent(rep, 'ticket') ticket = self.getElementValue(rep, 'ticket') ticket_encpart = None @@ -1682,8 +1683,9 @@ class RawKerberosTest(TestCaseInTempDir): if encpart_decryption_key is not None: self.assertElementEqual(encpart, 'etype', encpart_decryption_key.etype) - self.assertElementKVNO(encpart, 'kvno', - encpart_decryption_key.kvno) + if self.strict_checking: + self.assertElementKVNO(encpart, 'kvno', + encpart_decryption_key.kvno) rep_decpart = encpart_decryption_key.decrypt( encpart_decryption_usage, encpart_cipher) @@ -1846,17 +1848,17 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementEqual(rep, 'pvno', 5) self.assertElementEqual(rep, 'msg-type', KRB_ERROR) self.assertElementEqual(rep, 'error-code', expected_error_mode) - self.assertElementMissing(rep, 'ctime') - self.assertElementMissing(rep, 'cusec') + if self.strict_checking: + self.assertElementMissing(rep, 'ctime') + self.assertElementMissing(rep, 'cusec') self.assertElementPresent(rep, 'stime') self.assertElementPresent(rep, 'susec') # error-code checked above if self.strict_checking: self.assertElementMissing(rep, 'crealm') self.assertElementMissing(rep, 'cname') - self.assertElementEqualUTF8(rep, 'realm', expected_srealm) - self.assertElementEqualPrincipal(rep, 'sname', expected_sname) - if self.strict_checking: + self.assertElementEqualUTF8(rep, 'realm', expected_srealm) + self.assertElementEqualPrincipal(rep, 'sname', expected_sname) self.assertElementMissing(rep, 'e-text') if expected_error_mode == KDC_ERR_GENERIC: self.assertElementMissing(rep, 'e-data') @@ -1922,7 +1924,8 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNotNone(pk_as_rep19) return - self.assertIsNotNone(etype_info2) + if self.strict_checking: + self.assertIsNotNone(etype_info2) if expect_etype_info: self.assertIsNotNone(etype_info) else: @@ -1931,23 +1934,22 @@ class RawKerberosTest(TestCaseInTempDir): if unexpect_etype_info: self.assertIsNone(etype_info) - self.assertGreaterEqual(len(etype_info2), 1) - self.assertLessEqual(len(etype_info2), len(expect_etype_info2)) if self.strict_checking: + self.assertGreaterEqual(len(etype_info2), 1) self.assertEqual(len(etype_info2), len(expect_etype_info2)) - for i in range(0, len(etype_info2)): - e = self.getElementValue(etype_info2[i], 'etype') - self.assertEqual(e, expect_etype_info2[i]) - salt = self.getElementValue(etype_info2[i], 'salt') - if e == kcrypto.Enctype.RC4: - self.assertIsNone(salt) - else: - self.assertIsNotNone(salt) - if expected_salt is not None: - self.assertEqual(salt, expected_salt) - s2kparams = self.getElementValue(etype_info2[i], 's2kparams') - if self.strict_checking: - self.assertIsNone(s2kparams) + for i in range(0, len(etype_info2)): + e = self.getElementValue(etype_info2[i], 'etype') + self.assertEqual(e, expect_etype_info2[i]) + salt = self.getElementValue(etype_info2[i], 'salt') + if e == kcrypto.Enctype.RC4: + self.assertIsNone(salt) + else: + self.assertIsNotNone(salt) + if expected_salt is not None: + self.assertEqual(salt, expected_salt) + s2kparams = self.getElementValue(etype_info2[i], 's2kparams') + if self.strict_checking: + self.assertIsNone(s2kparams) if etype_info is not None: self.assertEqual(len(etype_info), 1) e = self.getElementValue(etype_info[0], 'etype') -- 2.25.1 From 93651b7a667d04af462dec3c9ae96a3cdf21cd57 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 12:52:42 +1200 Subject: [PATCH 041/108] tests/krb5: Check nonce in EncKDCRepPart Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 4951a105b0448854115a7ecc3d867be6f34b0dcf) --- python/samba/tests/krb5/raw_testcase.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 69b7c7adc9b..60e589464f3 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1442,7 +1442,6 @@ class RawKerberosTest(TestCaseInTempDir): from_time=None, # optional till_time=None, # required renew_time=None, # optional - nonce=None, # required etypes=None, # required addresses=None, # optional additional_tickets=None, # optional @@ -1463,8 +1462,12 @@ class RawKerberosTest(TestCaseInTempDir): if till_time is None: till_time = self.get_KerberosTime(offset=36000) - if nonce is None: + + if 'nonce' in kdc_exchange_dict: + nonce = kdc_exchange_dict['nonce'] + else: nonce = self.get_Nonce() + kdc_exchange_dict['nonce'] = nonce req_body = self.KDC_REQ_BODY_create( kdc_options=kdc_options, @@ -1755,7 +1758,8 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementPresent(encpart_key, 'keyvalue') encpart_session_key = self.EncryptionKey_import(encpart_key) self.assertElementPresent(encpart_private, 'last-req') - self.assertElementPresent(encpart_private, 'nonce') + self.assertElementEqual(encpart_private, 'nonce', + kdc_exchange_dict['nonce']) # TODO self.assertElementPresent(encpart_private, # 'key-expiration') self.assertElementPresent(encpart_private, 'flags') -- 2.25.1 From 40b013d5f1f4760a6844ef49bd19b87ead997cd0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Jul 2021 19:27:02 +1200 Subject: [PATCH 042/108] tests/krb5: Add generate_ap_req() method This method will be useful to generate an AP-REQ for use as FAST armor. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 4824dd4e9f40abcbd4134b79e2b2b8fb960f47e7) --- python/samba/tests/krb5/raw_testcase.py | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 60e589464f3..67b359f07d8 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1971,10 +1971,10 @@ class RawKerberosTest(TestCaseInTempDir): kdc_exchange_dict['preauth_etype_info2'] = etype_info2 return - def generate_simple_tgs_padata(self, - kdc_exchange_dict, - callback_dict, - req_body): + def generate_ap_req(self, + kdc_exchange_dict, + _callback_dict, + req_body): tgt = kdc_exchange_dict['tgt'] authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] body_checksum_type = kdc_exchange_dict['body_checksum_type'] @@ -2014,6 +2014,16 @@ class RawKerberosTest(TestCaseInTempDir): ticket=tgt.ticket, authenticator=authenticator) ap_req = self.der_encode(ap_req_obj, asn1Spec=krb5_asn1.AP_REQ()) + + return ap_req + + def generate_simple_tgs_padata(self, + kdc_exchange_dict, + callback_dict, + req_body): + ap_req = self.generate_ap_req(kdc_exchange_dict, + callback_dict, + req_body) pa_tgs_req = self.PA_DATA_create(PADATA_KDC_REQ, ap_req) padata = [pa_tgs_req] -- 2.25.1 From 9f9c621bf1b3c62f7f3e0cc814f17498369662d8 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 11:06:35 +1200 Subject: [PATCH 043/108] tests/krb5: Ensure generated padata is not None Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b6f96dd6395a30e15fa906959cbe665757aaba8d) --- python/samba/tests/krb5/as_req_tests.py | 6 +++++- python/samba/tests/krb5/raw_testcase.py | 8 +++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index d9a66f99ecf..b5a6cfd31c7 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -89,12 +89,16 @@ class AsReqKerberosTests(KDCBaseTest): req_body): return initial_padata, req_body + generate_padata_fn = (_generate_padata_copy + if initial_padata is not None + else None) + kdc_exchange_dict = self.as_exchange_dict( expected_crealm=expected_crealm, expected_cname=expected_cname, expected_srealm=expected_srealm, expected_sname=expected_sname, - generate_padata_fn=_generate_padata_copy, + generate_padata_fn=generate_padata_fn, check_error_fn=self.generic_check_as_error, check_rep_fn=None, expected_error_mode=expected_error_mode, diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 67b359f07d8..e15fc44a962 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1489,6 +1489,7 @@ class RawKerberosTest(TestCaseInTempDir): padata, req_body = generate_padata_fn(kdc_exchange_dict, callback_dict, req_body) + self.assertIsNotNone(padata) else: padata = None @@ -2082,13 +2083,18 @@ class RawKerberosTest(TestCaseInTempDir): check_error_fn = self.generic_check_as_error check_rep_fn = None + if padata is not None: + generate_padata_fn = _generate_padata_copy + else: + generate_padata_fn = None + kdc_exchange_dict = self.as_exchange_dict( expected_crealm=expected_crealm, expected_cname=expected_cname, expected_srealm=expected_srealm, expected_sname=expected_sname, ticket_decryption_key=ticket_decryption_key, - generate_padata_fn=_generate_padata_copy, + generate_padata_fn=generate_padata_fn, check_error_fn=check_error_fn, check_rep_fn=check_rep_fn, check_padata_fn=_check_padata_preauth_key, -- 2.25.1 From d4a12afc174b821a6bc466d377c58650b87e1651 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 13:59:36 +1200 Subject: [PATCH 044/108] tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 025737deb5325d25b2ae4c57583c24ae1d0eca33) --- python/samba/tests/krb5/raw_testcase.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index e15fc44a962..4f399467cfe 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1484,13 +1484,34 @@ class RawKerberosTest(TestCaseInTempDir): EncAuthorizationData=EncAuthorizationData, EncAuthorizationData_key=EncAuthorizationData_key, EncAuthorizationData_usage=EncAuthorizationData_usage) + + if req_msg_type == KRB_AS_REQ: + tgs_req = None + tgs_req_padata = None + else: + self.assertEqual(KRB_TGS_REQ, req_msg_type) + + tgs_req = self.generate_ap_req(kdc_exchange_dict, + callback_dict, + req_body) + tgs_req_padata = self.PA_DATA_create(PADATA_KDC_REQ, tgs_req) + if generate_padata_fn is not None: # This can alter req_body... padata, req_body = generate_padata_fn(kdc_exchange_dict, callback_dict, req_body) self.assertIsNotNone(padata) + self.assertNotIn(PADATA_KDC_REQ, + [pa['padata-type'] for pa in padata], + 'Don\'t create TGS-REQ manually') else: + padata = [] + + if tgs_req_padata is not None: + padata.insert(0, tgs_req_padata) + + if not padata: padata = None kdc_exchange_dict['req_padata'] = padata -- 2.25.1 From 2d458114bb3c022f306930bb0f22774d0c94aff3 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 6 Jul 2021 10:21:07 +1200 Subject: [PATCH 045/108] tests/krb5: Add more ASN1 definitions for FAST Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ec702900295100ae4e48ba57242eee6670bf30d6) --- python/samba/tests/krb5/rfc4120.asn1 | 106 ++++++++++++++++++- python/samba/tests/krb5/rfc4120_constants.py | 33 ++++++ python/samba/tests/krb5/rfc4120_pyasn1.py | 100 ++++++++++++++++- 3 files changed, 236 insertions(+), 3 deletions(-) diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 index d81d06ad6f7..f47c1d00202 100644 --- a/python/samba/tests/krb5/rfc4120.asn1 +++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -1,3 +1,43 @@ +-- Portions of these ASN.1 modules are structures are from RFC6113 +-- authored by S. Hartman (Painless Security) and L. Zhu (Microsoft) +-- +-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the +-- code. All rights reserved. +-- +-- Redistribution and use in source and binary forms, with or without +-- modification, is permitted pursuant to, and subject to the license terms +-- contained in, the Simplified BSD License set forth in Section 4.c of the IETF +-- Trust’s Legal Provisions Relating to IETF Documents +-- (http://trustee.ietf.org/license-info). +-- +-- BSD License: +-- +-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the code. All rights reserved. +-- Redistribution and use in source and binary forms, with or without modification, are permitted provided +-- that the following conditions are met: +-- • Redistributions of source code must retain the above copyright notice, this list of conditions and +-- the following disclaimer. +-- +-- • Redistributions in binary form must reproduce the above copyright notice, this list of conditions +-- and the following disclaimer in the documentation and/or other materials provided with the +-- distribution. +-- +-- • Neither the name of Internet Society, IETF or IETF Trust, nor the names of specific contributors, +-- may be used to endorse or promote products derived from this software without specific prior written +-- permission. +-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” +-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +-- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE +-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +-- POSSIBILITY OF SUCH DAMAGE. +-- + KerberosV5Spec2 { iso(1) identified-organization(3) dod(6) internet(1) security(5) kerberosV5(2) modules(4) krb5spec2(2) @@ -464,6 +504,69 @@ PA-PAC-OPTIONS ::= SEQUENCE { KERB-KEY-LIST-REQ ::= SEQUENCE OF EncryptionType -- Int32 encryption type -- KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey +FastOptions ::= BIT STRING { + reserved(0), + hide-client-names(1), + kdc-follow-referrals(16) +} + +KrbFastReq ::= SEQUENCE { + fast-options [0] FastOptions, + padata [1] SEQUENCE OF PA-DATA, + req-body [2] KDC-REQ-BODY, + ... +} + +KrbFastArmor ::= SEQUENCE { + armor-type [0] Int32, + armor-value [1] OCTET STRING, + ... +} + +KrbFastArmoredReq ::= SEQUENCE { + armor [0] KrbFastArmor OPTIONAL, + req-checksum [1] Checksum, + enc-fast-req [2] EncryptedData -- KrbFastReq -- +} + +PA-FX-FAST-REQUEST ::= CHOICE { + armored-data [0] KrbFastArmoredReq, + ... +} + +KrbFastFinished ::= SEQUENCE { + timestamp [0] KerberosTime, + usec [1] Int32, + crealm [2] Realm, + cname [3] PrincipalName, + ticket-checksum [4] Checksum, + ... +} + +KrbFastResponse ::= SEQUENCE { + padata [0] SEQUENCE OF PA-DATA, + -- padata typed holes. + strengthen-key [1] EncryptionKey OPTIONAL, + -- This, if present, strengthens the reply key for AS and + -- TGS. MUST be present for TGS. + -- MUST be absent in KRB-ERROR. + finished [2] KrbFastFinished OPTIONAL, + -- Present in AS or TGS reply; absent otherwise. + nonce [3] UInt32, + -- Nonce from the client request. + ... +} + +KrbFastArmoredRep ::= SEQUENCE { + enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- + ... +} + +PA-FX-FAST-REPLY ::= CHOICE { + armored-data [0] KrbFastArmoredRep, + ... +} + -- MS-KILE End -- -- @@ -631,7 +734,8 @@ PADataTypeValues ::= INTEGER { kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u kRB5-PADATA-REQ-ENC-PA-REP(149), -- - kRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE + kRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE + kRB5-PADATA-PAC-OPTIONS(167) -- MS-KILE } PADataTypeSequence ::= SEQUENCE { dummy [0] PADataTypeValues diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index b00b8b48ae5..e1a688991a7 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -36,29 +36,44 @@ KRB_TGS_REQ = int(krb5_asn1.MessageTypeValues('krb-tgs-req')) # PAData types PADATA_ENC_TIMESTAMP = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP')) +PADATA_ENCRYPTED_CHALLENGE = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-ENCRYPTED-CHALLENGE')) PADATA_ETYPE_INFO = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO')) PADATA_ETYPE_INFO2 = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2')) PADATA_FOR_USER = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-FOR-USER')) +PADATA_FX_COOKIE = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-FX-COOKIE')) +PADATA_FX_ERROR = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-FX-ERROR')) +PADATA_FX_FAST = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-FX-FAST')) PADATA_KDC_REQ = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-KDC-REQ')) +PADATA_PAC_OPTIONS = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-PAC-OPTIONS')) PADATA_PAC_REQUEST = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-PA-PAC-REQUEST')) PADATA_PK_AS_REQ = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REQ')) PADATA_PK_AS_REP_19 = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REP-19')) +PADATA_SUPPORTED_ETYPES = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-SUPPORTED-ETYPES')) # Error codes KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 +KDC_ERR_POLICY = 12 KDC_ERR_ETYPE_NOSUPP = 14 KDC_ERR_PREAUTH_FAILED = 24 KDC_ERR_PREAUTH_REQUIRED = 25 +KDC_ERR_NOT_US = 35 KDC_ERR_BADMATCH = 36 KDC_ERR_SKEW = 37 KDC_ERR_GENERIC = 60 +KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS = 93 # Name types NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) @@ -67,6 +82,7 @@ NT_SRV_HST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-HST')) NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues( 'kRB5-NT-ENTERPRISE-PRINCIPAL')) +NT_WELLKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-WELLKNOWN')) # Authorization data ad-type values @@ -79,6 +95,8 @@ AD_MANDATORY_TICKET_EXTENSIONS = 6 AD_IN_TICKET_EXTENSIONS = 7 AD_MANDATORY_FOR_KDC = 8 AD_INITIAL_VERIFIED_CAS = 9 +AD_FX_FAST_ARMOR = 71 +AD_FX_FAST_USED = 72 AD_WIN2K_PAC = 128 AD_SIGNTICKET = 512 @@ -133,3 +151,18 @@ KU_KRB_SAFE_CKSUM = 15 (section 5.6.1) ''' KU_NON_KERB_SALT = 16 KU_NON_KERB_CKSUM_SALT = 17 + +KU_ACCEPTOR_SEAL = 22 +KU_ACCEPTOR_SIGN = 23 +KU_INITIATOR_SEAL = 24 +KU_INITIATOR_SIGN = 25 + +KU_FAST_REQ_CHKSUM = 50 +KU_FAST_ENC = 51 +KU_FAST_REP = 52 +KU_FAST_FINISHED = 53 +KU_ENC_CHALLENGE_CLIENT = 54 +KU_ENC_CHALLENGE_KDC = 55 + +# Armor types +FX_FAST_ARMOR_AP_REQUEST = 1 diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py index 56fe02a68f0..39ec8ed7982 100644 --- a/python/samba/tests/krb5/rfc4120_pyasn1.py +++ b/python/samba/tests/krb5/rfc4120_pyasn1.py @@ -1,5 +1,5 @@ # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 -# (last modified on 2021-06-16 08:54:13.969508) +# (last modified on 2021-06-25 12:10:34.484667) # KerberosV5Spec2 from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful @@ -619,6 +619,17 @@ EncryptionTypeSequence.componentType = namedtype.NamedTypes( ) +class FastOptions(univ.BitString): + pass + + +FastOptions.namedValues = namedval.NamedValues( + ('reserved', 0), + ('hide-client-names', 1), + ('kdc-follow-referrals', 16) +) + + class KDCOptionsValues(univ.BitString): pass @@ -800,6 +811,72 @@ KerbErrorDataTypeSequence.componentType = namedtype.NamedTypes( ) +class KrbFastArmor(univ.Sequence): + pass + + +KrbFastArmor.componentType = namedtype.NamedTypes( + namedtype.NamedType('armor-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('armor-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class KrbFastArmoredRep(univ.Sequence): + pass + + +KrbFastArmoredRep.componentType = namedtype.NamedTypes( + namedtype.NamedType('enc-fast-rep', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))) +) + + +class KrbFastArmoredReq(univ.Sequence): + pass + + +KrbFastArmoredReq.componentType = namedtype.NamedTypes( + namedtype.OptionalNamedType('armor', KrbFastArmor().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), + namedtype.NamedType('req-checksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))), + namedtype.NamedType('enc-fast-req', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))) +) + + +class KrbFastFinished(univ.Sequence): + pass + + +KrbFastFinished.componentType = namedtype.NamedTypes( + namedtype.NamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('usec', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))), + namedtype.NamedType('ticket-checksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))) +) + + +class KrbFastReq(univ.Sequence): + pass + + +KrbFastReq.componentType = namedtype.NamedTypes( + namedtype.NamedType('fast-options', FastOptions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('req-body', KDC_REQ_BODY().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))) +) + + +class KrbFastResponse(univ.Sequence): + pass + + +KrbFastResponse.componentType = namedtype.NamedTypes( + namedtype.NamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('strengthen-key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))), + namedtype.OptionalNamedType('finished', KrbFastFinished().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.NamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))) +) + + class MessageTypeValues(univ.Integer): pass @@ -871,6 +948,24 @@ PA_ENC_TS_ENC.componentType = namedtype.NamedTypes( ) +class PA_FX_FAST_REPLY(univ.Choice): + pass + + +PA_FX_FAST_REPLY.componentType = namedtype.NamedTypes( + namedtype.NamedType('armored-data', KrbFastArmoredRep().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))) +) + + +class PA_FX_FAST_REQUEST(univ.Choice): + pass + + +PA_FX_FAST_REQUEST.componentType = namedtype.NamedTypes( + namedtype.NamedType('armored-data', KrbFastArmoredReq().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))) +) + + class PACOptionFlags(KerberosFlags): pass @@ -980,7 +1075,8 @@ PADataTypeValues.namedValues = namedval.NamedValues( ('kRB5-PADATA-PKINIT-KX', 147), ('kRB5-PADATA-PKU2U-NAME', 148), ('kRB5-PADATA-REQ-ENC-PA-REP', 149), - ('kRB5-PADATA-SUPPORTED-ETYPES', 165) + ('kRB5-PADATA-SUPPORTED-ETYPES', 165), + ('kRB5-PADATA-PAC-OPTIONS', 167) ) -- 2.25.1 From 6d2cc0297101f8955c9dae1fbc4c6a9df43c5c42 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 6 Jul 2021 10:23:26 +1200 Subject: [PATCH 046/108] tests/krb5: Add more methods to create ASN1 objects for FAST Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 69a66c0d2a7ed415c8d8acdb8da0f2f3d1abf60d) --- python/samba/tests/krb5/raw_testcase.py | 70 +++++++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 4f399467cfe..46ce7605edf 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1013,6 +1013,17 @@ class RawKerberosTest(TestCaseInTempDir): } return PrincipalName_obj + def AuthorizationData_create(self, ad_type, ad_data): + # AuthorizationData ::= SEQUENCE { + # ad-type [0] Int32, + # ad-data [1] OCTET STRING + # } + AUTH_DATA_obj = { + 'ad-type': ad_type, + 'ad-data': ad_data + } + return AUTH_DATA_obj + def PA_DATA_create(self, padata_type, padata_value): # PA-DATA ::= SEQUENCE { # -- NOTE: first tag is [1], not [0] @@ -1036,6 +1047,65 @@ class RawKerberosTest(TestCaseInTempDir): } return PA_ENC_TS_ENC_obj + def PA_PAC_OPTIONS_create(self, options): + # PA-PAC-OPTIONS ::= SEQUENCE { + # options [0] PACOptionFlags + # } + PA_PAC_OPTIONS_obj = { + 'options': options + } + return PA_PAC_OPTIONS_obj + + def KRB_FAST_ARMOR_create(self, armor_type, armor_value): + # KrbFastArmor ::= SEQUENCE { + # armor-type [0] Int32, + # armor-value [1] OCTET STRING, + # ... + # } + KRB_FAST_ARMOR_obj = { + 'armor-type': armor_type, + 'armor-value': armor_value + } + return KRB_FAST_ARMOR_obj + + def KRB_FAST_REQ_create(self, fast_options, padata, req_body): + # KrbFastReq ::= SEQUENCE { + # fast-options [0] FastOptions, + # padata [1] SEQUENCE OF PA-DATA, + # req-body [2] KDC-REQ-BODY, + # ... + # } + KRB_FAST_REQ_obj = { + 'fast-options': fast_options, + 'padata': padata, + 'req-body': req_body + } + return KRB_FAST_REQ_obj + + def KRB_FAST_ARMORED_REQ_create(self, armor, req_checksum, enc_fast_req): + # KrbFastArmoredReq ::= SEQUENCE { + # armor [0] KrbFastArmor OPTIONAL, + # req-checksum [1] Checksum, + # enc-fast-req [2] EncryptedData -- KrbFastReq -- + # } + KRB_FAST_ARMORED_REQ_obj = { + 'req-checksum': req_checksum, + 'enc-fast-req': enc_fast_req + } + if armor is not None: + KRB_FAST_ARMORED_REQ_obj['armor'] = armor + return KRB_FAST_ARMORED_REQ_obj + + def PA_FX_FAST_REQUEST_create(self, armored_data): + # PA-FX-FAST-REQUEST ::= CHOICE { + # armored-data [0] KrbFastArmoredReq, + # ... + # } + PA_FX_FAST_REQUEST_obj = { + 'armored-data': armored_data + } + return PA_FX_FAST_REQUEST_obj + def KERB_PA_PAC_REQUEST_create(self, include_pac, pa_data_create=True): # KERB-PA-PAC-REQUEST ::= SEQUENCE { # include-pac[0] BOOLEAN --If TRUE, and no pac present, -- 2.25.1 From 4d33155b81ed0ed2cfb4638c2609a69ddfaaa685 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 6 Jul 2021 12:47:18 +1200 Subject: [PATCH 047/108] tests/krb5: Add method to generate FAST encrypted challenge padata Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit aafc86896969d02ff1daecdf2668bfa642860082) --- python/samba/tests/krb5/kdc_base_test.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 1b550179e0e..24a1e7cfbc8 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -54,11 +54,13 @@ from samba.tests.krb5.rfc4120_constants import ( KRB_TGS_REP, KRB_ERROR, KU_AS_REP_ENC_PART, + KU_ENC_CHALLENGE_CLIENT, KU_PA_ENC_TIMESTAMP, KU_TGS_REP_ENC_PART_SUB_KEY, KU_TICKET, NT_PRINCIPAL, NT_SRV_HST, + PADATA_ENCRYPTED_CHALLENGE, PADATA_ENC_TIMESTAMP, PADATA_ETYPE_INFO2, ) @@ -511,6 +513,23 @@ class KDCBaseTest(RawKerberosTest): return padata + def get_challenge_pa_data(self, client_challenge_key, skew=0): + patime, pausec = self.get_KerberosTimeWithUsec(offset=skew) + padata = self.PA_ENC_TS_ENC_create(patime, pausec) + padata = self.der_encode(padata, + asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + padata = self.EncryptedData_create(client_challenge_key, + KU_ENC_CHALLENGE_CLIENT, + padata) + padata = self.der_encode(padata, + asn1Spec=krb5_asn1.EncryptedData()) + + padata = self.PA_DATA_create(PADATA_ENCRYPTED_CHALLENGE, + padata) + + return padata + def get_as_rep_enc_data(self, key, rep): ''' Decrypt and Decode the encrypted data in an AS-REP ''' -- 2.25.1 From 8afe0334040616d85f0e6baee9f4f463e55a1833 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 6 Jul 2021 12:49:05 +1200 Subject: [PATCH 048/108] tests/krb5: Add methods to calculate keys for FAST Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 080894067469d60e2c71961c2d1c1990ba15b917) --- python/samba/tests/krb5/raw_testcase.py | 37 +++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 46ce7605edf..113f08628b6 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2137,6 +2137,43 @@ class RawKerberosTest(TestCaseInTempDir): return subkey, subkey_usage + def generate_armor_key(self, subkey, session_key): + armor_key = kcrypto.cf2(subkey.key, + session_key.key, + b'subkeyarmor', + b'ticketarmor') + armor_key = Krb5EncryptionKey(armor_key, None) + + return armor_key + + def generate_strengthen_reply_key(self, strengthen_key, reply_key): + strengthen_reply_key = kcrypto.cf2(strengthen_key.key, + reply_key.key, + b'strengthenkey', + b'replykey') + strengthen_reply_key = Krb5EncryptionKey(strengthen_reply_key, + reply_key.kvno) + + return strengthen_reply_key + + def generate_client_challenge_key(self, armor_key, longterm_key): + client_challenge_key = kcrypto.cf2(armor_key.key, + longterm_key.key, + b'clientchallengearmor', + b'challengelongterm') + client_challenge_key = Krb5EncryptionKey(client_challenge_key, None) + + return client_challenge_key + + def generate_kdc_challenge_key(self, armor_key, longterm_key): + kdc_challenge_key = kcrypto.cf2(armor_key.key, + longterm_key.key, + b'kdcchallengearmor', + b'challengelongterm') + kdc_challenge_key = Krb5EncryptionKey(kdc_challenge_key, None) + + return kdc_challenge_key + def _test_as_exchange(self, cname, realm, -- 2.25.1 From ccc6b8513b72a6fc7e34125aea81d0f6e588f7ad Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Jul 2021 20:49:12 +1200 Subject: [PATCH 049/108] tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error() This method will also be useful in checking TGS-REP error replies. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 74f332c6f9e31b933837cefee69b219054970713) --- python/samba/tests/krb5/as_req_tests.py | 2 +- python/samba/tests/krb5/raw_testcase.py | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index b5a6cfd31c7..fd258e8164a 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -99,7 +99,7 @@ class AsReqKerberosTests(KDCBaseTest): expected_srealm=expected_srealm, expected_sname=expected_sname, generate_padata_fn=generate_padata_fn, - check_error_fn=self.generic_check_as_error, + check_error_fn=self.generic_check_kdc_error, check_rep_fn=None, expected_error_mode=expected_error_mode, client_as_etypes=client_as_etypes, diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 113f08628b6..047bf413b34 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1888,10 +1888,10 @@ class RawKerberosTest(TestCaseInTempDir): kdc_exchange_dict['rep_ticket_creds'] = ticket_creds - def generic_check_as_error(self, - kdc_exchange_dict, - callback_dict, - rep): + def generic_check_kdc_error(self, + kdc_exchange_dict, + callback_dict, + rep): expected_crealm = kdc_exchange_dict['expected_crealm'] expected_cname = kdc_exchange_dict['expected_cname'] @@ -2208,7 +2208,7 @@ class RawKerberosTest(TestCaseInTempDir): check_error_fn = None check_rep_fn = self.generic_check_kdc_rep else: - check_error_fn = self.generic_check_as_error + check_error_fn = self.generic_check_kdc_error check_rep_fn = None if padata is not None: -- 2.25.1 From eae52f6e25f33ce398a7ae9eae8ca372cc466b1a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 29 Jul 2021 10:19:46 +1200 Subject: [PATCH 050/108] tests/krb5: Include authenticator_subkey in AS-REQ exchange dict This is needed for FAST. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d554b6dc0f4e14d154e487dc2a842321aa746155) --- python/samba/tests/krb5/raw_testcase.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 047bf413b34..9375f39937e 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1632,6 +1632,7 @@ class RawKerberosTest(TestCaseInTempDir): expected_error_mode=0, client_as_etypes=None, expected_salt=None, + authenticator_subkey=None, kdc_options=''): kdc_exchange_dict = { 'req_msg_type': KRB_AS_REQ, @@ -1653,6 +1654,7 @@ class RawKerberosTest(TestCaseInTempDir): 'expected_error_mode': expected_error_mode, 'client_as_etypes': client_as_etypes, 'expected_salt': expected_salt, + 'authenticator_subkey': authenticator_subkey, 'kdc_options': kdc_options, } if callback_dict is None: -- 2.25.1 From 3ea07f0835106e34fa6dd128586ea72f2379ed25 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 29 Jul 2021 10:33:10 +1200 Subject: [PATCH 051/108] tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 5c2cd71ae704b853a886c8af5e3cf50b53af7f9e) --- python/samba/tests/krb5/raw_testcase.py | 45 ++++++++++++++++++------- 1 file changed, 32 insertions(+), 13 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 9375f39937e..29ea41ec92b 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -49,6 +49,7 @@ from samba.tests.krb5.rfc4120_constants import ( KRB_ERROR, KRB_TGS_REP, KRB_TGS_REQ, + KU_AP_REQ_AUTH, KU_AS_REP_ENC_PART, KU_NON_KERB_CKSUM_SALT, KU_TGS_REP_ENC_PART_SESSION, @@ -1563,7 +1564,8 @@ class RawKerberosTest(TestCaseInTempDir): tgs_req = self.generate_ap_req(kdc_exchange_dict, callback_dict, - req_body) + req_body, + armor=False) tgs_req_padata = self.PA_DATA_create(PADATA_KDC_REQ, tgs_req) if generate_padata_fn is not None: @@ -1633,6 +1635,8 @@ class RawKerberosTest(TestCaseInTempDir): client_as_etypes=None, expected_salt=None, authenticator_subkey=None, + armor_tgt=None, + armor_subkey=None, kdc_options=''): kdc_exchange_dict = { 'req_msg_type': KRB_AS_REQ, @@ -1655,6 +1659,8 @@ class RawKerberosTest(TestCaseInTempDir): 'client_as_etypes': client_as_etypes, 'expected_salt': expected_salt, 'authenticator_subkey': authenticator_subkey, + 'armor_tgt': armor_tgt, + 'armor_subkey': armor_subkey, 'kdc_options': kdc_options, } if callback_dict is None: @@ -1675,6 +1681,8 @@ class RawKerberosTest(TestCaseInTempDir): check_kdc_private_fn=None, callback_dict=None, tgt=None, + armor_tgt=None, + armor_subkey=None, authenticator_subkey=None, body_checksum_type=None, kdc_options=''): @@ -1697,6 +1705,8 @@ class RawKerberosTest(TestCaseInTempDir): 'callback_dict': callback_dict, 'tgt': tgt, 'body_checksum_type': body_checksum_type, + 'armor_tgt': armor_tgt, + 'armor_subkey': armor_subkey, 'authenticator_subkey': authenticator_subkey, 'kdc_options': kdc_options } @@ -2068,18 +2078,25 @@ class RawKerberosTest(TestCaseInTempDir): def generate_ap_req(self, kdc_exchange_dict, _callback_dict, - req_body): - tgt = kdc_exchange_dict['tgt'] - authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] - body_checksum_type = kdc_exchange_dict['body_checksum_type'] + req_body, + armor): + if armor: + tgt = kdc_exchange_dict['armor_tgt'] + authenticator_subkey = kdc_exchange_dict['armor_subkey'] - req_body_blob = self.der_encode(req_body, - asn1Spec=krb5_asn1.KDC_REQ_BODY()) + req_body_checksum = None + else: + tgt = kdc_exchange_dict['tgt'] + authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] + body_checksum_type = kdc_exchange_dict['body_checksum_type'] - req_body_checksum = self.Checksum_create(tgt.session_key, - KU_TGS_REQ_AUTH_CKSUM, - req_body_blob, - ctype=body_checksum_type) + req_body_blob = self.der_encode(req_body, + asn1Spec=krb5_asn1.KDC_REQ_BODY()) + + req_body_checksum = self.Checksum_create(tgt.session_key, + KU_TGS_REQ_AUTH_CKSUM, + req_body_blob, + ctype=body_checksum_type) subkey_obj = None if authenticator_subkey is not None: @@ -2099,8 +2116,9 @@ class RawKerberosTest(TestCaseInTempDir): authenticator_obj, asn1Spec=krb5_asn1.Authenticator()) + usage = KU_AP_REQ_AUTH if armor else KU_TGS_REQ_AUTH authenticator = self.EncryptedData_create(tgt.session_key, - KU_TGS_REQ_AUTH, + usage, authenticator_blob) ap_options = krb5_asn1.APOptions('0') @@ -2117,7 +2135,8 @@ class RawKerberosTest(TestCaseInTempDir): req_body): ap_req = self.generate_ap_req(kdc_exchange_dict, callback_dict, - req_body) + req_body, + armor=False) pa_tgs_req = self.PA_DATA_create(PADATA_KDC_REQ, ap_req) padata = [pa_tgs_req] -- 2.25.1 From eff975614bfc31fc9b411b759b2c9204a1e3dce5 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 29 Jul 2021 10:33:24 +1200 Subject: [PATCH 052/108] tests/krb5: Add FAST armor generation to _generic_kdc_exchange() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 0df385fc49cc2693c195209936a29e31216df16d) --- python/samba/tests/krb5/raw_testcase.py | 95 +++++++++++++++++++++++-- 1 file changed, 88 insertions(+), 7 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 29ea41ec92b..151dc0355a3 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -42,6 +42,7 @@ from samba.tests import TestCaseInTempDir import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( + FX_FAST_ARMOR_AP_REQUEST, KDC_ERR_GENERIC, KRB_AP_REQ, KRB_AS_REP, @@ -51,6 +52,7 @@ from samba.tests.krb5.rfc4120_constants import ( KRB_TGS_REQ, KU_AP_REQ_AUTH, KU_AS_REP_ENC_PART, + KU_FAST_REQ_CHKSUM, KU_NON_KERB_CKSUM_SALT, KU_TGS_REP_ENC_PART_SESSION, KU_TGS_REP_ENC_PART_SUB_KEY, @@ -1522,6 +1524,9 @@ class RawKerberosTest(TestCaseInTempDir): check_error_fn = kdc_exchange_dict['check_error_fn'] check_rep_fn = kdc_exchange_dict['check_rep_fn'] + generate_fast_fn = kdc_exchange_dict['generate_fast_fn'] + generate_fast_armor_fn = kdc_exchange_dict['generate_fast_armor_fn'] + generate_fast_padata_fn = kdc_exchange_dict['generate_fast_padata_fn'] generate_padata_fn = kdc_exchange_dict['generate_padata_fn'] callback_dict = kdc_exchange_dict['callback_dict'] req_msg_type = kdc_exchange_dict['req_msg_type'] @@ -1568,25 +1573,81 @@ class RawKerberosTest(TestCaseInTempDir): armor=False) tgs_req_padata = self.PA_DATA_create(PADATA_KDC_REQ, tgs_req) + if generate_fast_padata_fn is not None: + self.assertIsNotNone(generate_fast_fn) + # This can alter req_body... + fast_padata, req_body = generate_fast_padata_fn(kdc_exchange_dict, + callback_dict, + req_body) + else: + fast_padata = [] + + if generate_fast_armor_fn is not None: + self.assertIsNotNone(generate_fast_fn) + fast_ap_req = generate_fast_armor_fn(kdc_exchange_dict, + callback_dict, + req_body, + armor=True) + + fast_armor_type = kdc_exchange_dict['fast_armor_type'] + fast_armor = self.KRB_FAST_ARMOR_create(fast_armor_type, + fast_ap_req) + else: + fast_armor = None + if generate_padata_fn is not None: # This can alter req_body... - padata, req_body = generate_padata_fn(kdc_exchange_dict, - callback_dict, - req_body) - self.assertIsNotNone(padata) + outer_padata, req_body = generate_padata_fn(kdc_exchange_dict, + callback_dict, + req_body) + self.assertIsNotNone(outer_padata) self.assertNotIn(PADATA_KDC_REQ, - [pa['padata-type'] for pa in padata], + [pa['padata-type'] for pa in outer_padata], 'Don\'t create TGS-REQ manually') else: - padata = [] + outer_padata = None + + if generate_fast_fn is not None: + armor_key = kdc_exchange_dict['armor_key'] + self.assertIsNotNone(armor_key) + + if req_msg_type == KRB_AS_REQ: + checksum_blob = self.der_encode( + req_body, + asn1Spec=krb5_asn1.KDC_REQ_BODY()) + else: + self.assertEqual(KRB_TGS_REQ, req_msg_type) + checksum_blob = tgs_req + + checksum = self.Checksum_create(armor_key, + KU_FAST_REQ_CHKSUM, + checksum_blob) + + fast = generate_fast_fn(kdc_exchange_dict, + callback_dict, + req_body, + fast_padata, + fast_armor, + checksum) + else: + fast = None + + padata = [] if tgs_req_padata is not None: - padata.insert(0, tgs_req_padata) + padata.append(tgs_req_padata) + + if fast is not None: + padata.append(fast) + + if outer_padata is not None: + padata += outer_padata if not padata: padata = None kdc_exchange_dict['req_padata'] = padata + kdc_exchange_dict['fast_padata'] = fast_padata kdc_exchange_dict['req_body'] = req_body req_obj, req_decoded = self.KDC_REQ_create(msg_type=req_msg_type, @@ -1625,6 +1686,10 @@ class RawKerberosTest(TestCaseInTempDir): expected_srealm=None, expected_sname=None, ticket_decryption_key=None, + generate_fast_fn=None, + generate_fast_armor_fn=None, + generate_fast_padata_fn=None, + fast_armor_type=FX_FAST_ARMOR_AP_REQUEST, generate_padata_fn=None, check_error_fn=None, check_rep_fn=None, @@ -1635,6 +1700,7 @@ class RawKerberosTest(TestCaseInTempDir): client_as_etypes=None, expected_salt=None, authenticator_subkey=None, + armor_key=None, armor_tgt=None, armor_subkey=None, kdc_options=''): @@ -1649,6 +1715,10 @@ class RawKerberosTest(TestCaseInTempDir): 'expected_srealm': expected_srealm, 'expected_sname': expected_sname, 'ticket_decryption_key': ticket_decryption_key, + 'generate_fast_fn': generate_fast_fn, + 'generate_fast_armor_fn': generate_fast_armor_fn, + 'generate_fast_padata_fn': generate_fast_padata_fn, + 'fast_armor_type': fast_armor_type, 'generate_padata_fn': generate_padata_fn, 'check_error_fn': check_error_fn, 'check_rep_fn': check_rep_fn, @@ -1659,6 +1729,7 @@ class RawKerberosTest(TestCaseInTempDir): 'client_as_etypes': client_as_etypes, 'expected_salt': expected_salt, 'authenticator_subkey': authenticator_subkey, + 'armor_key': armor_key, 'armor_tgt': armor_tgt, 'armor_subkey': armor_subkey, 'kdc_options': kdc_options, @@ -1674,6 +1745,10 @@ class RawKerberosTest(TestCaseInTempDir): expected_srealm=None, expected_sname=None, ticket_decryption_key=None, + generate_fast_fn=None, + generate_fast_armor_fn=None, + generate_fast_padata_fn=None, + fast_armor_type=FX_FAST_ARMOR_AP_REQUEST, generate_padata_fn=None, check_error_fn=None, check_rep_fn=None, @@ -1681,6 +1756,7 @@ class RawKerberosTest(TestCaseInTempDir): check_kdc_private_fn=None, callback_dict=None, tgt=None, + armor_key=None, armor_tgt=None, armor_subkey=None, authenticator_subkey=None, @@ -1697,6 +1773,10 @@ class RawKerberosTest(TestCaseInTempDir): 'expected_srealm': expected_srealm, 'expected_sname': expected_sname, 'ticket_decryption_key': ticket_decryption_key, + 'generate_fast_fn': generate_fast_fn, + 'generate_fast_armor_fn': generate_fast_armor_fn, + 'generate_fast_padata_fn': generate_fast_padata_fn, + 'fast_armor_type': fast_armor_type, 'generate_padata_fn': generate_padata_fn, 'check_error_fn': check_error_fn, 'check_rep_fn': check_rep_fn, @@ -1705,6 +1785,7 @@ class RawKerberosTest(TestCaseInTempDir): 'callback_dict': callback_dict, 'tgt': tgt, 'body_checksum_type': body_checksum_type, + 'armor_key': armor_key, 'armor_tgt': armor_tgt, 'armor_subkey': armor_subkey, 'authenticator_subkey': authenticator_subkey, -- 2.25.1 From da0c58231757c04e2590f8ca3bc5337c01cb521a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:01:36 +1200 Subject: [PATCH 053/108] tests/krb5: Allow specifying parameters specific to the outer request body This is useful for testing FAST. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 16ce1a1d304b87ed5b390fb87a4542c7c9a484fb) --- python/samba/tests/krb5/raw_testcase.py | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 151dc0355a3..a173caf98d1 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1536,6 +1536,9 @@ class RawKerberosTest(TestCaseInTempDir): expected_error_mode = kdc_exchange_dict['expected_error_mode'] kdc_options = kdc_exchange_dict['kdc_options'] + # Parameters specific to the outer request body + outer_req = kdc_exchange_dict['outer_req'] + if till_time is None: till_time = self.get_KerberosTime(offset=36000) @@ -1561,6 +1564,14 @@ class RawKerberosTest(TestCaseInTempDir): EncAuthorizationData_key=EncAuthorizationData_key, EncAuthorizationData_usage=EncAuthorizationData_usage) + inner_req_body = dict(req_body) + if outer_req is not None: + for key, value in outer_req.items(): + if value is not None: + req_body[key] = value + else: + del req_body[key] + if req_msg_type == KRB_AS_REQ: tgs_req = None tgs_req_padata = None @@ -1625,7 +1636,7 @@ class RawKerberosTest(TestCaseInTempDir): fast = generate_fast_fn(kdc_exchange_dict, callback_dict, - req_body, + inner_req_body, fast_padata, fast_armor, checksum) @@ -1648,7 +1659,7 @@ class RawKerberosTest(TestCaseInTempDir): kdc_exchange_dict['req_padata'] = padata kdc_exchange_dict['fast_padata'] = fast_padata - kdc_exchange_dict['req_body'] = req_body + kdc_exchange_dict['req_body'] = inner_req_body req_obj, req_decoded = self.KDC_REQ_create(msg_type=req_msg_type, padata=padata, @@ -1703,7 +1714,8 @@ class RawKerberosTest(TestCaseInTempDir): armor_key=None, armor_tgt=None, armor_subkey=None, - kdc_options=''): + kdc_options='', + outer_req=None): kdc_exchange_dict = { 'req_msg_type': KRB_AS_REQ, 'req_asn1Spec': krb5_asn1.AS_REQ, @@ -1733,6 +1745,7 @@ class RawKerberosTest(TestCaseInTempDir): 'armor_tgt': armor_tgt, 'armor_subkey': armor_subkey, 'kdc_options': kdc_options, + 'outer_req': outer_req } if callback_dict is None: callback_dict = {} @@ -1761,7 +1774,8 @@ class RawKerberosTest(TestCaseInTempDir): armor_subkey=None, authenticator_subkey=None, body_checksum_type=None, - kdc_options=''): + kdc_options='', + outer_req=None): kdc_exchange_dict = { 'req_msg_type': KRB_TGS_REQ, 'req_asn1Spec': krb5_asn1.TGS_REQ, @@ -1789,7 +1803,8 @@ class RawKerberosTest(TestCaseInTempDir): 'armor_tgt': armor_tgt, 'armor_subkey': armor_subkey, 'authenticator_subkey': authenticator_subkey, - 'kdc_options': kdc_options + 'kdc_options': kdc_options, + 'outer_req': outer_req } if callback_dict is None: callback_dict = {} -- 2.25.1 From 740eff93e927affc68dc8a145137a44256e6423d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:04:37 +1200 Subject: [PATCH 054/108] tests/krb5: Add method to check PA-FX-FAST-REPLY Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b62488113f6053755f9be9faa9b757e7193074fa) --- python/samba/tests/krb5/raw_testcase.py | 31 +++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index a173caf98d1..dd733aea09b 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -52,6 +52,7 @@ from samba.tests.krb5.rfc4120_constants import ( KRB_TGS_REQ, KU_AP_REQ_AUTH, KU_AS_REP_ENC_PART, + KU_FAST_REP, KU_FAST_REQ_CHKSUM, KU_NON_KERB_CKSUM_SALT, KU_TGS_REP_ENC_PART_SESSION, @@ -1910,6 +1911,36 @@ class RawKerberosTest(TestCaseInTempDir): return rep + def check_fx_fast_data(self, + kdc_exchange_dict, + fx_fast_data, + armor_key, + finished=False, + expect_strengthen_key=True): + fx_fast_data = self.der_decode(fx_fast_data, + asn1Spec=krb5_asn1.PA_FX_FAST_REPLY()) + + enc_fast_rep = fx_fast_data['armored-data']['enc-fast-rep'] + self.assertEqual(enc_fast_rep['etype'], armor_key.etype) + + fast_rep = armor_key.decrypt(KU_FAST_REP, enc_fast_rep['cipher']) + + fast_response = self.der_decode(fast_rep, + asn1Spec=krb5_asn1.KrbFastResponse()) + + if expect_strengthen_key and self.strict_checking: + self.assertIn('strengthen-key', fast_response) + + if finished: + self.assertIn('finished', fast_response) + + # Ensure that the nonce matches the nonce in the body of the request + # (RFC6113 5.4.3). + nonce = kdc_exchange_dict['nonce'] + self.assertEqual(nonce, fast_response['nonce']) + + return fast_response + def generic_check_kdc_private(self, kdc_exchange_dict, callback_dict, -- 2.25.1 From a5a94e2b4e5a484b5f8410120378c149149ba72a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:10:13 +1200 Subject: [PATCH 055/108] tests/krb5: Add method to verify ticket checksum for FAST Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 4ca05402b36ba13a987b07b2402906764d3cd49b) --- python/samba/tests/krb5/raw_testcase.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index dd733aea09b..da38a9dfa62 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -52,6 +52,7 @@ from samba.tests.krb5.rfc4120_constants import ( KRB_TGS_REQ, KU_AP_REQ_AUTH, KU_AS_REP_ENC_PART, + KU_FAST_FINISHED, KU_FAST_REP, KU_FAST_REQ_CHKSUM, KU_NON_KERB_CKSUM_SALT, @@ -2322,6 +2323,17 @@ class RawKerberosTest(TestCaseInTempDir): return kdc_challenge_key + def verify_ticket_checksum(self, ticket, expected_checksum, armor_key): + expected_type = expected_checksum['cksumtype'] + self.assertEqual(armor_key.ctype, expected_type) + + ticket_blob = self.der_encode(ticket, + asn1Spec=krb5_asn1.Ticket()) + checksum = self.Checksum_create(armor_key, + KU_FAST_FINISHED, + ticket_blob) + self.assertEqual(expected_checksum, checksum) + def _test_as_exchange(self, cname, realm, -- 2.25.1 From d66f14f8d067b06f71ed4d13905be28983d63f9f Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:42:57 +1200 Subject: [PATCH 056/108] tests/krb5: Check FAST response Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d878bd6404d26c8be45bb2016ec206ed79d4ef6e) --- python/samba/tests/krb5/raw_testcase.py | 41 +++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index da38a9dfa62..ab1f711cde1 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -67,6 +67,7 @@ from samba.tests.krb5.rfc4120_constants import ( PADATA_ETYPE_INFO, PADATA_ETYPE_INFO2, PADATA_FOR_USER, + PADATA_FX_FAST, PADATA_KDC_REQ, PADATA_PAC_REQUEST, PADATA_PK_AS_REQ, @@ -1827,6 +1828,7 @@ class RawKerberosTest(TestCaseInTempDir): check_kdc_private_fn = kdc_exchange_dict['check_kdc_private_fn'] rep_encpart_asn1Spec = kdc_exchange_dict['rep_encpart_asn1Spec'] msg_type = kdc_exchange_dict['rep_msg_type'] + armor_key = kdc_exchange_dict['armor_key'] self.assertElementEqual(rep, 'msg-type', msg_type) # AS-REP | TGS-REP padata = self.getElementValue(rep, 'padata') @@ -1862,6 +1864,8 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementPresent(encpart, 'cipher') encpart_cipher = self.getElementValue(encpart, 'cipher') + ticket_checksum = None + encpart_decryption_key = None self.assertIsNotNone(check_padata_fn) if check_padata_fn is not None: @@ -1870,6 +1874,33 @@ class RawKerberosTest(TestCaseInTempDir): check_padata_fn(kdc_exchange_dict, callback_dict, rep, padata)) + if armor_key is not None: + pa_dict = self.get_pa_dict(padata) + + if PADATA_FX_FAST in pa_dict: + fx_fast_data = pa_dict[PADATA_FX_FAST] + fast_response = self.check_fx_fast_data(kdc_exchange_dict, + fx_fast_data, + armor_key, + finished=True) + + if 'strengthen-key' in fast_response: + strengthen_key = self.EncryptionKey_import( + fast_response['strengthen-key']) + encpart_decryption_key = ( + self.generate_strengthen_reply_key( + strengthen_key, + encpart_decryption_key)) + + fast_finished = fast_response.get('finished', None) + if fast_finished is not None: + ticket_checksum = fast_finished['ticket-checksum'] + + self.check_rep_padata(kdc_exchange_dict, + callback_dict, + rep, + fast_response['padata']) + ticket_private = None self.assertIsNotNone(ticket_decryption_key) if ticket_decryption_key is not None: @@ -1908,7 +1939,8 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNotNone(check_kdc_private_fn) if check_kdc_private_fn is not None: check_kdc_private_fn(kdc_exchange_dict, callback_dict, - rep, ticket_private, encpart_private) + rep, ticket_private, encpart_private, + ticket_checksum) return rep @@ -1947,7 +1979,8 @@ class RawKerberosTest(TestCaseInTempDir): callback_dict, rep, ticket_private, - encpart_private): + encpart_private, + ticket_checksum): expected_crealm = kdc_exchange_dict['expected_crealm'] expected_cname = kdc_exchange_dict['expected_cname'] @@ -1957,6 +1990,10 @@ class RawKerberosTest(TestCaseInTempDir): ticket = self.getElementValue(rep, 'ticket') + if ticket_checksum is not None: + armor_key = kdc_exchange_dict['armor_key'] + self.verify_ticket_checksum(ticket, ticket_checksum, armor_key) + ticket_session_key = None if ticket_private is not None: self.assertElementPresent(ticket_private, 'flags') -- 2.25.1 From 8ffb87cca457b8f2e754fc452627baf577869214 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 15:20:44 +1200 Subject: [PATCH 057/108] tests/krb5: Add functions to get dicts of request padata Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit dc7dac95ec509d90d8372005cd7b13fabd8e64c6) --- python/samba/tests/krb5/raw_testcase.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index ab1f711cde1..2963df70003 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2371,6 +2371,17 @@ class RawKerberosTest(TestCaseInTempDir): ticket_blob) self.assertEqual(expected_checksum, checksum) + def get_outer_pa_dict(self, kdc_exchange_dict): + return self.get_pa_dict(kdc_exchange_dict['req_padata']) + + def get_fast_pa_dict(self, kdc_exchange_dict): + req_pa_dict = self.get_pa_dict(kdc_exchange_dict['fast_padata']) + + if req_pa_dict: + return req_pa_dict + + return self.get_outer_pa_dict(kdc_exchange_dict) + def _test_as_exchange(self, cname, realm, -- 2.25.1 From f42dca4239beac10e2f6f5ac6dbe243485b9252a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 15:21:01 +1200 Subject: [PATCH 058/108] tests/krb5: Add methods to determine whether elements were included in the request Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 99e3b909edf27c751b959a3d0b672ddd2b7140e2) --- python/samba/tests/krb5/raw_testcase.py | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 2963df70003..d96cd1cfc15 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -69,6 +69,7 @@ from samba.tests.krb5.rfc4120_constants import ( PADATA_FOR_USER, PADATA_FX_FAST, PADATA_KDC_REQ, + PADATA_PAC_OPTIONS, PADATA_PAC_REQUEST, PADATA_PK_AS_REQ, PADATA_PK_AS_REP_19 @@ -2382,6 +2383,30 @@ class RawKerberosTest(TestCaseInTempDir): return self.get_outer_pa_dict(kdc_exchange_dict) + def sent_fast(self, kdc_exchange_dict): + outer_pa_dict = self.get_outer_pa_dict(kdc_exchange_dict) + + return PADATA_FX_FAST in outer_pa_dict + + def sent_enc_challenge(self, kdc_exchange_dict): + fast_pa_dict = self.get_fast_pa_dict(kdc_exchange_dict) + + return PADATA_ENCRYPTED_CHALLENGE in fast_pa_dict + + def sent_claims(self, kdc_exchange_dict): + fast_pa_dict = self.get_fast_pa_dict(kdc_exchange_dict) + + if PADATA_PAC_OPTIONS not in fast_pa_dict: + return False + + pac_options = self.der_decode(fast_pa_dict[PADATA_PAC_OPTIONS], + asn1Spec=krb5_asn1.PA_PAC_OPTIONS()) + pac_options = pac_options['options'] + claims_pos = len(tuple(krb5_asn1.PACOptionFlags('claims'))) - 1 + + return (claims_pos < len(pac_options) + and pac_options[claims_pos] == '1') + def _test_as_exchange(self, cname, realm, -- 2.25.1 From 8c8c065d51c212fc61bce02e9d4ee3b651419732 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:34:49 +1200 Subject: [PATCH 059/108] tests/krb5: Check encrypted-pa-data Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 0c029e780cf16a49c674593e8329eaf3b87aec69) --- python/samba/tests/krb5/raw_testcase.py | 52 ++++++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index d96cd1cfc15..2512ee1b99f 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -72,7 +72,8 @@ from samba.tests.krb5.rfc4120_constants import ( PADATA_PAC_OPTIONS, PADATA_PAC_REQUEST, PADATA_PK_AS_REQ, - PADATA_PK_AS_REP_19 + PADATA_PK_AS_REP_19, + PADATA_SUPPORTED_ETYPES ) import samba.tests.krb5.kcrypto as kcrypto @@ -1982,6 +1983,10 @@ class RawKerberosTest(TestCaseInTempDir): ticket_private, encpart_private, ticket_checksum): + kdc_options = kdc_exchange_dict['kdc_options'] + canon_pos = len(tuple(krb5_asn1.KDCOptions('canonicalize'))) - 1 + canonicalize = (canon_pos < len(kdc_options) + and kdc_options[canon_pos] == '1') expected_crealm = kdc_exchange_dict['expected_crealm'] expected_cname = kdc_exchange_dict['expected_cname'] @@ -2044,6 +2049,46 @@ class RawKerberosTest(TestCaseInTempDir): expected_sname) # TODO self.assertElementMissing(encpart_private, 'caddr') + sent_claims = self.sent_claims(kdc_exchange_dict) + + if self.strict_checking: + if sent_claims or canonicalize: + self.assertElementPresent(encpart_private, + 'encrypted-pa-data') + enc_pa_dict = self.get_pa_dict( + encpart_private['encrypted-pa-data']) + if canonicalize: + self.assertIn(PADATA_SUPPORTED_ETYPES, enc_pa_dict) + + (supported_etypes,) = struct.unpack( + ' Date: Tue, 27 Jul 2021 14:05:59 +1200 Subject: [PATCH 060/108] tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict This is useful for testing the 'hide client names' FAST option. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2ee87dbf08e66e1dc812430026bfe214f9f5503d) --- python/samba/tests/krb5/raw_testcase.py | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 2512ee1b99f..b79b84686a6 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1699,6 +1699,7 @@ class RawKerberosTest(TestCaseInTempDir): def as_exchange_dict(self, expected_crealm=None, expected_cname=None, + expected_cname_private=None, expected_srealm=None, expected_sname=None, ticket_decryption_key=None, @@ -1752,6 +1753,10 @@ class RawKerberosTest(TestCaseInTempDir): 'kdc_options': kdc_options, 'outer_req': outer_req } + if expected_cname_private is not None: + kdc_exchange_dict['expected_cname_private'] = ( + expected_cname_private) + if callback_dict is None: callback_dict = {} @@ -1760,6 +1765,7 @@ class RawKerberosTest(TestCaseInTempDir): def tgs_exchange_dict(self, expected_crealm=None, expected_cname=None, + expected_cname_private=None, expected_srealm=None, expected_sname=None, ticket_decryption_key=None, @@ -1811,6 +1817,10 @@ class RawKerberosTest(TestCaseInTempDir): 'kdc_options': kdc_options, 'outer_req': outer_req } + if expected_cname_private is not None: + kdc_exchange_dict['expected_cname_private'] = ( + expected_cname_private) + if callback_dict is None: callback_dict = {} @@ -1989,11 +1999,15 @@ class RawKerberosTest(TestCaseInTempDir): and kdc_options[canon_pos] == '1') expected_crealm = kdc_exchange_dict['expected_crealm'] - expected_cname = kdc_exchange_dict['expected_cname'] expected_srealm = kdc_exchange_dict['expected_srealm'] expected_sname = kdc_exchange_dict['expected_sname'] ticket_decryption_key = kdc_exchange_dict['ticket_decryption_key'] + try: + expected_cname = kdc_exchange_dict['expected_cname_private'] + except KeyError: + expected_cname = kdc_exchange_dict['expected_cname'] + ticket = self.getElementValue(rep, 'ticket') if ticket_checksum is not None: -- 2.25.1 From 7499c5ab1b37f7e5d82f9d9b5b99bb60e1810f26 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:18:29 +1200 Subject: [PATCH 061/108] tests/krb5: Include authdata in kdc_exchange_dict Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ea1ed63e8819926db1cf15974009601c7d37e944) --- python/samba/tests/krb5/raw_testcase.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index b79b84686a6..c1dfe44dfd1 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1720,6 +1720,7 @@ class RawKerberosTest(TestCaseInTempDir): armor_key=None, armor_tgt=None, armor_subkey=None, + auth_data=None, kdc_options='', outer_req=None): kdc_exchange_dict = { @@ -1750,6 +1751,7 @@ class RawKerberosTest(TestCaseInTempDir): 'armor_key': armor_key, 'armor_tgt': armor_tgt, 'armor_subkey': armor_subkey, + 'auth_data': auth_data, 'kdc_options': kdc_options, 'outer_req': outer_req } @@ -1784,6 +1786,7 @@ class RawKerberosTest(TestCaseInTempDir): armor_tgt=None, armor_subkey=None, authenticator_subkey=None, + auth_data=None, body_checksum_type=None, kdc_options='', outer_req=None): @@ -1813,6 +1816,7 @@ class RawKerberosTest(TestCaseInTempDir): 'armor_key': armor_key, 'armor_tgt': armor_tgt, 'armor_subkey': armor_subkey, + 'auth_data': auth_data, 'authenticator_subkey': authenticator_subkey, 'kdc_options': kdc_options, 'outer_req': outer_req @@ -2328,6 +2332,8 @@ class RawKerberosTest(TestCaseInTempDir): req_body_blob, ctype=body_checksum_type) + auth_data = kdc_exchange_dict['auth_data'] + subkey_obj = None if authenticator_subkey is not None: subkey_obj = authenticator_subkey.export_obj() @@ -2341,7 +2347,7 @@ class RawKerberosTest(TestCaseInTempDir): ctime=ctime, subkey=subkey_obj, seq_number=seq_number, - authorization_data=None) + authorization_data=auth_data) authenticator_blob = self.der_encode( authenticator_obj, asn1Spec=krb5_asn1.Authenticator()) -- 2.25.1 From 6577e0c11731a91fb481e0e3c9cc8b7086002f2b Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 15:20:09 +1200 Subject: [PATCH 062/108] tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1389ba346df81c9ea1e1143c4e819212939f6aeb) --- python/samba/tests/krb5/raw_testcase.py | 34 +++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index c1dfe44dfd1..a557c424527 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -52,6 +52,7 @@ from samba.tests.krb5.rfc4120_constants import ( KRB_TGS_REQ, KU_AP_REQ_AUTH, KU_AS_REP_ENC_PART, + KU_FAST_ENC, KU_FAST_FINISHED, KU_FAST_REP, KU_FAST_REQ_CHKSUM, @@ -2309,6 +2310,39 @@ class RawKerberosTest(TestCaseInTempDir): kdc_exchange_dict['preauth_etype_info2'] = etype_info2 return + def generate_simple_fast(self, + kdc_exchange_dict, + _callback_dict, + req_body, + fast_padata, + fast_armor, + checksum, + fast_options=''): + armor_key = kdc_exchange_dict['armor_key'] + + fast_req = self.KRB_FAST_REQ_create(fast_options, + fast_padata, + req_body) + fast_req = self.der_encode(fast_req, + asn1Spec=krb5_asn1.KrbFastReq()) + fast_req = self.EncryptedData_create(armor_key, + KU_FAST_ENC, + fast_req) + + fast_armored_req = self.KRB_FAST_ARMORED_REQ_create(fast_armor, + checksum, + fast_req) + + fx_fast_request = self.PA_FX_FAST_REQUEST_create(fast_armored_req) + fx_fast_request = self.der_encode( + fx_fast_request, + asn1Spec=krb5_asn1.PA_FX_FAST_REQUEST()) + + fast_padata = self.PA_DATA_create(PADATA_FX_FAST, + fx_fast_request) + + return fast_padata + def generate_ap_req(self, kdc_exchange_dict, _callback_dict, -- 2.25.1 From 0ef347e0b01cb4cdccc64da528a1c5cddd0ddc06 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 16:21:14 +1200 Subject: [PATCH 063/108] tests/krb5: Add check_rep_padata() method to check padata in reply Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 79b9aac65b7dbdc58275368eae9feb7d87bf6dab) --- python/samba/tests/krb5/raw_testcase.py | 83 ++++++++++++++----------- 1 file changed, 48 insertions(+), 35 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index a557c424527..80c60682bd1 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2144,13 +2144,54 @@ class RawKerberosTest(TestCaseInTempDir): expected_cname = kdc_exchange_dict['expected_cname'] expected_srealm = kdc_exchange_dict['expected_srealm'] expected_sname = kdc_exchange_dict['expected_sname'] - expected_salt = kdc_exchange_dict['expected_salt'] - client_as_etypes = kdc_exchange_dict['client_as_etypes'] + expected_error_mode = kdc_exchange_dict['expected_error_mode'] + + self.assertElementEqual(rep, 'pvno', 5) + self.assertElementEqual(rep, 'msg-type', KRB_ERROR) + self.assertElementEqual(rep, 'error-code', expected_error_mode) + if self.strict_checking: + self.assertElementMissing(rep, 'ctime') + self.assertElementMissing(rep, 'cusec') + self.assertElementPresent(rep, 'stime') + self.assertElementPresent(rep, 'susec') + # error-code checked above + if self.strict_checking: + self.assertElementMissing(rep, 'crealm') + self.assertElementMissing(rep, 'cname') + self.assertElementEqualUTF8(rep, 'realm', expected_srealm) + self.assertElementEqualPrincipal(rep, 'sname', expected_sname) + self.assertElementMissing(rep, 'e-text') + if expected_error_mode == KDC_ERR_GENERIC: + self.assertElementMissing(rep, 'e-data') + return rep + edata = self.getElementValue(rep, 'e-data') + if self.strict_checking: + self.assertIsNotNone(edata) + if edata is not None: + rep_padata = self.der_decode(edata, + asn1Spec=krb5_asn1.METHOD_DATA()) + self.assertGreater(len(rep_padata), 0) + else: + rep_padata = [] + + etype_info2 = self.check_rep_padata(kdc_exchange_dict, + callback_dict, + rep, + rep_padata) + + kdc_exchange_dict['preauth_etype_info2'] = etype_info2 + + return rep + + def check_rep_padata(self, + kdc_exchange_dict, + callback_dict, + rep, + rep_padata): expected_error_mode = kdc_exchange_dict['expected_error_mode'] req_body = kdc_exchange_dict['req_body'] proposed_etypes = req_body['etype'] - - kdc_exchange_dict['preauth_etype_info2'] = None + client_as_etypes = kdc_exchange_dict.get('client_as_etypes', []) expect_etype_info2 = () expect_etype_info = False @@ -2188,34 +2229,6 @@ class RawKerberosTest(TestCaseInTempDir): expected_patypes += (PADATA_PK_AS_REQ,) expected_patypes += (PADATA_PK_AS_REP_19,) - self.assertElementEqual(rep, 'pvno', 5) - self.assertElementEqual(rep, 'msg-type', KRB_ERROR) - self.assertElementEqual(rep, 'error-code', expected_error_mode) - if self.strict_checking: - self.assertElementMissing(rep, 'ctime') - self.assertElementMissing(rep, 'cusec') - self.assertElementPresent(rep, 'stime') - self.assertElementPresent(rep, 'susec') - # error-code checked above - if self.strict_checking: - self.assertElementMissing(rep, 'crealm') - self.assertElementMissing(rep, 'cname') - self.assertElementEqualUTF8(rep, 'realm', expected_srealm) - self.assertElementEqualPrincipal(rep, 'sname', expected_sname) - self.assertElementMissing(rep, 'e-text') - if expected_error_mode == KDC_ERR_GENERIC: - self.assertElementMissing(rep, 'e-data') - return - edata = self.getElementValue(rep, 'e-data') - if self.strict_checking: - self.assertIsNotNone(edata) - if edata is not None: - rep_padata = self.der_decode(edata, - asn1Spec=krb5_asn1.METHOD_DATA()) - self.assertGreater(len(rep_padata), 0) - else: - rep_padata = [] - if self.strict_checking: for i, patype in enumerate(expected_patypes): self.assertElementEqual(rep_padata[i], 'padata-type', patype) @@ -2265,7 +2278,7 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNotNone(enc_timestamp) self.assertIsNotNone(pk_as_req) self.assertIsNotNone(pk_as_rep19) - return + return None if self.strict_checking: self.assertIsNotNone(etype_info2) @@ -2288,6 +2301,7 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNone(salt) else: self.assertIsNotNone(salt) + expected_salt = kdc_exchange_dict['expected_salt'] if expected_salt is not None: self.assertEqual(salt, expected_salt) s2kparams = self.getElementValue(etype_info2[i], 's2kparams') @@ -2307,8 +2321,7 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNotNone(pk_as_req) self.assertIsNotNone(pk_as_rep19) - kdc_exchange_dict['preauth_etype_info2'] = etype_info2 - return + return etype_info2 def generate_simple_fast(self, kdc_exchange_dict, -- 2.25.1 From 5fbfceb11893d64346d266b6b9fb19ddd8342685 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 16:35:32 +1200 Subject: [PATCH 064/108] tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 705e45e37f4752e283a80626be10c38b29232359) --- python/samba/tests/krb5/raw_testcase.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 80c60682bd1..7a66b74adfe 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2208,7 +2208,7 @@ class RawKerberosTest(TestCaseInTempDir): if etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128): if etype > expected_aes_type: expected_aes_type = etype - if etype in (kcrypto.Enctype.RC4,): + if etype in (kcrypto.Enctype.RC4,) and expected_error_mode != 0: unexpect_etype_info = False if etype > expected_rc4_type: expected_rc4_type = etype -- 2.25.1 From e5f484d682d02307e880469043ffe75cad78821d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 16:26:06 +1200 Subject: [PATCH 065/108] tests/krb5: Remove unused variables Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 5edbabeb26e110648d4588c90843e4715ec1ac5c) --- python/samba/tests/krb5/kdc_base_test.py | 2 -- python/samba/tests/krb5/raw_testcase.py | 1 - 2 files changed, 3 deletions(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 24a1e7cfbc8..b148fa01f65 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -256,8 +256,6 @@ class KDCBaseTest(RawKerberosTest): rid = identifier.sid.split()[1] - forced_keys = dict() - net_ctx = net.Net(admin_creds) keys = {} diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 7a66b74adfe..60d35923b35 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2140,7 +2140,6 @@ class RawKerberosTest(TestCaseInTempDir): callback_dict, rep): - expected_crealm = kdc_exchange_dict['expected_crealm'] expected_cname = kdc_exchange_dict['expected_cname'] expected_srealm = kdc_exchange_dict['expected_srealm'] expected_sname = kdc_exchange_dict['expected_sname'] -- 2.25.1 From 4e36b65a851e79448efe9084173e6342500a999c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 11:15:00 +1200 Subject: [PATCH 066/108] tests/krb5: Add get_krbtgt_sname() method Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit dbe98005d5873440063b91e56679937149535be7) --- python/samba/tests/krb5/raw_testcase.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 60d35923b35..8351de1e6e3 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -64,6 +64,7 @@ from samba.tests.krb5.rfc4120_constants import ( KU_TGS_REQ_AUTH_DAT_SESSION, KU_TGS_REQ_AUTH_DAT_SUBKEY, KU_TICKET, + NT_SRV_INST, PADATA_ENC_TIMESTAMP, PADATA_ETYPE_INFO, PADATA_ETYPE_INFO2, @@ -2523,6 +2524,15 @@ class RawKerberosTest(TestCaseInTempDir): return (claims_pos < len(pac_options) and pac_options[claims_pos] == '1') + def get_krbtgt_sname(self): + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_username = krbtgt_creds.get_username() + krbtgt_realm = krbtgt_creds.get_realm() + krbtgt_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) + + return krbtgt_sname + def _test_as_exchange(self, cname, realm, -- 2.25.1 From 987cca088d0749b43adc54ae440de8973c0d4d65 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 16:25:39 +1200 Subject: [PATCH 067/108] tests/krb5: Check sname is krbtgt for FAST generic error Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 7a27b75621908a4a6449efaecb54eb20fa45aca0) --- python/samba/tests/krb5/raw_testcase.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 8351de1e6e3..77b682e57ea 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2146,6 +2146,8 @@ class RawKerberosTest(TestCaseInTempDir): expected_sname = kdc_exchange_dict['expected_sname'] expected_error_mode = kdc_exchange_dict['expected_error_mode'] + sent_fast = self.sent_fast(kdc_exchange_dict) + self.assertElementEqual(rep, 'pvno', 5) self.assertElementEqual(rep, 'msg-type', KRB_ERROR) self.assertElementEqual(rep, 'error-code', expected_error_mode) @@ -2159,7 +2161,11 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementMissing(rep, 'crealm') self.assertElementMissing(rep, 'cname') self.assertElementEqualUTF8(rep, 'realm', expected_srealm) - self.assertElementEqualPrincipal(rep, 'sname', expected_sname) + if sent_fast and expected_error_mode == KDC_ERR_GENERIC: + self.assertElementEqualPrincipal(rep, 'sname', + self.get_krbtgt_sname()) + else: + self.assertElementEqualPrincipal(rep, 'sname', expected_sname) self.assertElementMissing(rep, 'e-text') if expected_error_mode == KDC_ERR_GENERIC: self.assertElementMissing(rep, 'e-data') -- 2.25.1 From c0d3cf7c1a7214e4cb36337b002cb1c642a2fd0a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 16:31:39 +1200 Subject: [PATCH 068/108] tests/krb5: Check reply FAST padata if request included FAST Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 056fb71832e7aa16132c58ff393ab8b752ef6a93) --- python/samba/tests/krb5/raw_testcase.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 77b682e57ea..965a8f9fb00 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2177,6 +2177,21 @@ class RawKerberosTest(TestCaseInTempDir): rep_padata = self.der_decode(edata, asn1Spec=krb5_asn1.METHOD_DATA()) self.assertGreater(len(rep_padata), 0) + + if sent_fast: + self.assertEqual(1, len(rep_padata)) + rep_pa_dict = self.get_pa_dict(rep_padata) + self.assertIn(PADATA_FX_FAST, rep_pa_dict) + + armor_key = kdc_exchange_dict['armor_key'] + self.assertIsNotNone(armor_key) + fast_response = self.check_fx_fast_data( + kdc_exchange_dict, + rep_pa_dict[PADATA_FX_FAST], + armor_key, + expect_strengthen_key=False) + + rep_padata = fast_response['padata'] else: rep_padata = [] -- 2.25.1 From 48c244bd12c284e0fed6a624349397cd81eb6dfc Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 16:42:26 +1200 Subject: [PATCH 069/108] tests/krb5: Adjust reply padata checking depending on whether FAST was sent Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 44a44109db96eab08a3da3683c34446bc13b295b) --- python/samba/tests/krb5/raw_testcase.py | 62 ++++++++++++++++++++++--- 1 file changed, 55 insertions(+), 7 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 965a8f9fb00..529d4d925e6 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -44,6 +44,7 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( FX_FAST_ARMOR_AP_REQUEST, KDC_ERR_GENERIC, + KDC_ERR_PREAUTH_FAILED, KRB_AP_REQ, KRB_AS_REP, KRB_AS_REQ, @@ -65,10 +66,13 @@ from samba.tests.krb5.rfc4120_constants import ( KU_TGS_REQ_AUTH_DAT_SUBKEY, KU_TICKET, NT_SRV_INST, + PADATA_ENCRYPTED_CHALLENGE, PADATA_ENC_TIMESTAMP, PADATA_ETYPE_INFO, PADATA_ETYPE_INFO2, PADATA_FOR_USER, + PADATA_FX_COOKIE, + PADATA_FX_ERROR, PADATA_FX_FAST, PADATA_KDC_REQ, PADATA_PAC_OPTIONS, @@ -407,6 +411,8 @@ class RawKerberosTest(TestCaseInTempDir): # obtained. cls.creds_dict = {} + cls.kdc_fast_support = False + def setUp(self): super().setUp() self.do_asn1_print = False @@ -2214,6 +2220,9 @@ class RawKerberosTest(TestCaseInTempDir): proposed_etypes = req_body['etype'] client_as_etypes = kdc_exchange_dict.get('client_as_etypes', []) + sent_fast = self.sent_fast(kdc_exchange_dict) + sent_enc_challenge = self.sent_enc_challenge(kdc_exchange_dict) + expect_etype_info2 = () expect_etype_info = False unexpect_etype_info = True @@ -2240,15 +2249,31 @@ class RawKerberosTest(TestCaseInTempDir): expect_etype_info2 += (expected_rc4_type,) expected_patypes = () + if sent_fast and expected_error_mode != 0: + expected_patypes += (PADATA_FX_ERROR,) + expected_patypes += (PADATA_FX_COOKIE,) + if expect_etype_info: self.assertGreater(len(expect_etype_info2), 0) expected_patypes += (PADATA_ETYPE_INFO,) if len(expect_etype_info2) != 0: expected_patypes += (PADATA_ETYPE_INFO2,) - expected_patypes += (PADATA_ENC_TIMESTAMP,) - expected_patypes += (PADATA_PK_AS_REQ,) - expected_patypes += (PADATA_PK_AS_REP_19,) + if expected_error_mode != KDC_ERR_PREAUTH_FAILED: + if sent_fast: + expected_patypes += (PADATA_ENCRYPTED_CHALLENGE,) + else: + expected_patypes += (PADATA_ENC_TIMESTAMP,) + + if not sent_enc_challenge: + expected_patypes += (PADATA_PK_AS_REQ,) + expected_patypes += (PADATA_PK_AS_REP_19,) + + if (self.kdc_fast_support + and not sent_fast + and not sent_enc_challenge): + expected_patypes += (PADATA_FX_FAST,) + expected_patypes += (PADATA_FX_COOKIE,) if self.strict_checking: for i, patype in enumerate(expected_patypes): @@ -2296,7 +2321,12 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNone(etype_info2) self.assertIsNone(etype_info) if self.strict_checking: - self.assertIsNotNone(enc_timestamp) + if sent_fast: + self.assertIsNotNone(enc_challenge) + self.assertIsNone(enc_timestamp) + else: + self.assertIsNotNone(enc_timestamp) + self.assertIsNone(enc_challenge) self.assertIsNotNone(pk_as_req) self.assertIsNotNone(pk_as_rep19) return None @@ -2338,9 +2368,27 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNotNone(salt) self.assertEqual(len(salt), 0) - self.assertIsNotNone(enc_timestamp) - self.assertIsNotNone(pk_as_req) - self.assertIsNotNone(pk_as_rep19) + if expected_error_mode != KDC_ERR_PREAUTH_FAILED: + if sent_fast: + self.assertIsNotNone(enc_challenge) + if self.strict_checking: + self.assertIsNone(enc_timestamp) + else: + self.assertIsNotNone(enc_timestamp) + if self.strict_checking: + self.assertIsNone(enc_challenge) + if not sent_enc_challenge: + self.assertIsNotNone(pk_as_req) + self.assertIsNotNone(pk_as_rep19) + else: + self.assertIsNone(pk_as_req) + self.assertIsNone(pk_as_rep19) + else: + if self.strict_checking: + self.assertIsNone(enc_timestamp) + self.assertIsNone(enc_challenge) + self.assertIsNone(pk_as_req) + self.assertIsNone(pk_as_rep19) return etype_info2 -- 2.25.1 From fbed93065486a971b9fa3254161254a8ba4fcd55 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:36:56 +1200 Subject: [PATCH 070/108] tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd) --- python/samba/tests/krb5/raw_testcase.py | 54 +++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 529d4d925e6..ca967c1ac13 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -53,6 +53,7 @@ from samba.tests.krb5.rfc4120_constants import ( KRB_TGS_REQ, KU_AP_REQ_AUTH, KU_AS_REP_ENC_PART, + KU_ENC_CHALLENGE_KDC, KU_FAST_ENC, KU_FAST_FINISHED, KU_FAST_REP, @@ -2283,6 +2284,7 @@ class RawKerberosTest(TestCaseInTempDir): etype_info2 = None etype_info = None enc_timestamp = None + enc_challenge = None pk_as_req = None pk_as_rep19 = None for pa in rep_padata: @@ -2303,6 +2305,10 @@ class RawKerberosTest(TestCaseInTempDir): enc_timestamp = pavalue self.assertEqual(len(enc_timestamp), 0) continue + if patype == PADATA_ENCRYPTED_CHALLENGE: + self.assertIsNone(enc_challenge) + enc_challenge = pavalue + continue if patype == PADATA_PK_AS_REQ: self.assertIsNone(pk_as_req) pk_as_req = pavalue @@ -2314,6 +2320,54 @@ class RawKerberosTest(TestCaseInTempDir): self.assertEqual(len(pk_as_rep19), 0) continue + if enc_challenge is not None: + if not sent_enc_challenge: + self.assertEqual(len(enc_challenge), 0) + else: + armor_key = kdc_exchange_dict['armor_key'] + self.assertIsNotNone(armor_key) + + check_padata_fn = kdc_exchange_dict['check_padata_fn'] + padata = self.getElementValue(rep, 'padata') + self.assertIsNotNone(check_padata_fn) + preauth_key, _ = check_padata_fn(kdc_exchange_dict, + callback_dict, + rep, + padata) + + kdc_challenge_key = self.generate_kdc_challenge_key( + armor_key, preauth_key) + + # Ensure that the encrypted challenge FAST factor is supported + # (RFC6113 5.4.6). + if self.strict_checking: + self.assertNotEqual(len(enc_challenge), 0) + if len(enc_challenge) != 0: + encrypted_challenge = self.der_decode( + enc_challenge, + asn1Spec=krb5_asn1.EncryptedData()) + self.assertEqual(encrypted_challenge['etype'], + kdc_challenge_key.etype) + + challenge = kdc_challenge_key.decrypt( + KU_ENC_CHALLENGE_KDC, + encrypted_challenge['cipher']) + challenge = self.der_decode( + challenge, + asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + # Retrieve the returned timestamp. + rep_patime = challenge['patimestamp'] + self.assertIn('pausec', challenge) + + # Ensure the returned time is within five minutes of the + # current time. + rep_time = self.get_EpochFromKerberosTime(rep_patime) + current_time = time.time() + + self.assertLess(current_time - 300, rep_time) + self.assertLess(rep_time, current_time) + if all(etype not in client_as_etypes or etype not in proposed_etypes for etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128, -- 2.25.1 From 63a505ab04505d68aa79ff42b33c84dc52463067 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:49:12 +1200 Subject: [PATCH 071/108] tests/krb5: Check PADATA-FX-COOKIE in reply Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 95b54078c2f82179283dfc397c4ec1f36d5edfe7) --- python/samba/tests/krb5/raw_testcase.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index ca967c1ac13..23a4e70c22f 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2287,6 +2287,8 @@ class RawKerberosTest(TestCaseInTempDir): enc_challenge = None pk_as_req = None pk_as_rep19 = None + fast_cookie = None + fx_fast = None for pa in rep_padata: patype = self.getElementValue(pa, 'padata-type') pavalue = self.getElementValue(pa, 'padata-value') @@ -2319,6 +2321,19 @@ class RawKerberosTest(TestCaseInTempDir): pk_as_rep19 = pavalue self.assertEqual(len(pk_as_rep19), 0) continue + if patype == PADATA_FX_COOKIE: + self.assertIsNone(fast_cookie) + fast_cookie = pavalue + self.assertIsNotNone(fast_cookie) + continue + if patype == PADATA_FX_FAST: + self.assertIsNone(fx_fast) + fx_fast = pavalue + self.assertEqual(len(fx_fast), 0) + continue + + if fast_cookie is not None: + kdc_exchange_dict['fast_cookie'] = fast_cookie if enc_challenge is not None: if not sent_enc_challenge: -- 2.25.1 From 0d3a852ff4977157b1560e80d039a4782b9187d8 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Jul 2021 20:49:25 +1200 Subject: [PATCH 072/108] tests/krb5: Make check_rep_padata() also work for checking TGS replies Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ab4e7028a6ac01eab9531c8a26507a912df54278) --- python/samba/tests/krb5/raw_testcase.py | 72 +++++++++++++++---------- 1 file changed, 45 insertions(+), 27 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 23a4e70c22f..14f86fb87a8 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1789,6 +1789,7 @@ class RawKerberosTest(TestCaseInTempDir): check_rep_fn=None, check_padata_fn=None, check_kdc_private_fn=None, + expected_error_mode=0, callback_dict=None, tgt=None, armor_key=None, @@ -1820,6 +1821,7 @@ class RawKerberosTest(TestCaseInTempDir): 'check_padata_fn': check_padata_fn, 'check_kdc_private_fn': check_kdc_private_fn, 'callback_dict': callback_dict, + 'expected_error_mode': expected_error_mode, 'tgt': tgt, 'body_checksum_type': body_checksum_type, 'armor_key': armor_key, @@ -2216,6 +2218,8 @@ class RawKerberosTest(TestCaseInTempDir): callback_dict, rep, rep_padata): + rep_msg_type = kdc_exchange_dict['rep_msg_type'] + expected_error_mode = kdc_exchange_dict['expected_error_mode'] req_body = kdc_exchange_dict['req_body'] proposed_etypes = req_body['etype'] @@ -2224,6 +2228,9 @@ class RawKerberosTest(TestCaseInTempDir): sent_fast = self.sent_fast(kdc_exchange_dict) sent_enc_challenge = self.sent_enc_challenge(kdc_exchange_dict) + if rep_msg_type == KRB_TGS_REP: + self.assertTrue(sent_fast) + expect_etype_info2 = () expect_etype_info = False unexpect_etype_info = True @@ -2254,27 +2261,32 @@ class RawKerberosTest(TestCaseInTempDir): expected_patypes += (PADATA_FX_ERROR,) expected_patypes += (PADATA_FX_COOKIE,) - if expect_etype_info: - self.assertGreater(len(expect_etype_info2), 0) - expected_patypes += (PADATA_ETYPE_INFO,) - if len(expect_etype_info2) != 0: - expected_patypes += (PADATA_ETYPE_INFO2,) + if rep_msg_type == KRB_TGS_REP: + sent_claims = self.sent_claims(kdc_exchange_dict) + if sent_claims and expected_error_mode != 0: + expected_patypes += (PADATA_PAC_OPTIONS,) + else: + if expect_etype_info: + self.assertGreater(len(expect_etype_info2), 0) + expected_patypes += (PADATA_ETYPE_INFO,) + if len(expect_etype_info2) != 0: + expected_patypes += (PADATA_ETYPE_INFO2,) - if expected_error_mode != KDC_ERR_PREAUTH_FAILED: - if sent_fast: - expected_patypes += (PADATA_ENCRYPTED_CHALLENGE,) - else: - expected_patypes += (PADATA_ENC_TIMESTAMP,) + if expected_error_mode != KDC_ERR_PREAUTH_FAILED: + if sent_fast: + expected_patypes += (PADATA_ENCRYPTED_CHALLENGE,) + else: + expected_patypes += (PADATA_ENC_TIMESTAMP,) - if not sent_enc_challenge: - expected_patypes += (PADATA_PK_AS_REQ,) - expected_patypes += (PADATA_PK_AS_REP_19,) + if not sent_enc_challenge: + expected_patypes += (PADATA_PK_AS_REQ,) + expected_patypes += (PADATA_PK_AS_REP_19,) - if (self.kdc_fast_support - and not sent_fast - and not sent_enc_challenge): - expected_patypes += (PADATA_FX_FAST,) - expected_patypes += (PADATA_FX_COOKIE,) + if (self.kdc_fast_support + and not sent_fast + and not sent_enc_challenge): + expected_patypes += (PADATA_FX_FAST,) + expected_patypes += (PADATA_FX_COOKIE,) if self.strict_checking: for i, patype in enumerate(expected_patypes): @@ -2389,15 +2401,21 @@ class RawKerberosTest(TestCaseInTempDir): kcrypto.Enctype.RC4)): self.assertIsNone(etype_info2) self.assertIsNone(etype_info) - if self.strict_checking: - if sent_fast: - self.assertIsNotNone(enc_challenge) - self.assertIsNone(enc_timestamp) - else: - self.assertIsNotNone(enc_timestamp) - self.assertIsNone(enc_challenge) - self.assertIsNotNone(pk_as_req) - self.assertIsNotNone(pk_as_rep19) + if rep_msg_type == KRB_AS_REP: + if self.strict_checking: + if sent_fast: + self.assertIsNotNone(enc_challenge) + self.assertIsNone(enc_timestamp) + else: + self.assertIsNotNone(enc_timestamp) + self.assertIsNone(enc_challenge) + self.assertIsNotNone(pk_as_req) + self.assertIsNotNone(pk_as_rep19) + else: + self.assertIsNone(enc_timestamp) + self.assertIsNone(enc_challenge) + self.assertIsNone(pk_as_req) + self.assertIsNone(pk_as_rep19) return None if self.strict_checking: -- 2.25.1 From b5d9c38669accfe7a9b44aeb6d10fd02df5e16a0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 16:29:39 +1200 Subject: [PATCH 073/108] tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 29070e74baa18d94642efcd36930b9bab216e10c) --- python/samba/tests/krb5/raw_testcase.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 14f86fb87a8..8cbf3edbbab 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -45,6 +45,7 @@ from samba.tests.krb5.rfc4120_constants import ( FX_FAST_ARMOR_AP_REQUEST, KDC_ERR_GENERIC, KDC_ERR_PREAUTH_FAILED, + KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, KRB_AP_REQ, KRB_AS_REP, KRB_AS_REQ, @@ -2150,6 +2151,8 @@ class RawKerberosTest(TestCaseInTempDir): callback_dict, rep): + rep_msg_type = kdc_exchange_dict['rep_msg_type'] + expected_cname = kdc_exchange_dict['expected_cname'] expected_srealm = kdc_exchange_dict['expected_srealm'] expected_sname = kdc_exchange_dict['expected_sname'] @@ -2157,6 +2160,8 @@ class RawKerberosTest(TestCaseInTempDir): sent_fast = self.sent_fast(kdc_exchange_dict) + fast_armor_type = kdc_exchange_dict['fast_armor_type'] + self.assertElementEqual(rep, 'pvno', 5) self.assertElementEqual(rep, 'msg-type', KRB_ERROR) self.assertElementEqual(rep, 'error-code', expected_error_mode) @@ -2176,7 +2181,12 @@ class RawKerberosTest(TestCaseInTempDir): else: self.assertElementEqualPrincipal(rep, 'sname', expected_sname) self.assertElementMissing(rep, 'e-text') - if expected_error_mode == KDC_ERR_GENERIC: + if (expected_error_mode in (KDC_ERR_GENERIC, + KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS) + or (rep_msg_type == KRB_TGS_REP + and not sent_fast) + or (sent_fast and fast_armor_type is not None + and fast_armor_type != FX_FAST_ARMOR_AP_REQUEST)): self.assertElementMissing(rep, 'e-data') return rep edata = self.getElementValue(rep, 'e-data') -- 2.25.1 From ff1701ab29f63bed878a0e3858df26f19184f81d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:50:20 +1200 Subject: [PATCH 074/108] tests/krb5: Check PADATA-PAC-OPTIONS in reply Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 0c857f67a3a4a27aa4b799c9a61a1a1b59932c07) --- python/samba/tests/krb5/raw_testcase.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 8cbf3edbbab..5016e14783c 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2311,6 +2311,7 @@ class RawKerberosTest(TestCaseInTempDir): pk_as_rep19 = None fast_cookie = None fx_fast = None + pac_options = None for pa in rep_padata: patype = self.getElementValue(pa, 'padata-type') pavalue = self.getElementValue(pa, 'padata-value') @@ -2353,10 +2354,18 @@ class RawKerberosTest(TestCaseInTempDir): fx_fast = pavalue self.assertEqual(len(fx_fast), 0) continue + if patype == PADATA_PAC_OPTIONS: + self.assertIsNone(pac_options) + pac_options = pavalue + self.assertIsNotNone(pac_options) + continue if fast_cookie is not None: kdc_exchange_dict['fast_cookie'] = fast_cookie + if pac_options is not None: + self.check_pac_options_claims_support(pac_options) + if enc_challenge is not None: if not sent_enc_challenge: self.assertEqual(len(enc_challenge), 0) -- 2.25.1 From 6627a97065f3b194fb43bea0a89d4af02fc46e9f Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 29 Jul 2021 11:50:16 +1200 Subject: [PATCH 075/108] tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 66e1eb58bedf036ad25a868993d44480c4e0e055) --- python/samba/tests/krb5/raw_testcase.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 5016e14783c..4ebab367141 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -68,6 +68,7 @@ from samba.tests.krb5.rfc4120_constants import ( KU_TGS_REQ_AUTH_DAT_SUBKEY, KU_TICKET, NT_SRV_INST, + NT_WELLKNOWN, PADATA_ENCRYPTED_CHALLENGE, PADATA_ENC_TIMESTAMP, PADATA_ETYPE_INFO, @@ -2149,7 +2150,8 @@ class RawKerberosTest(TestCaseInTempDir): def generic_check_kdc_error(self, kdc_exchange_dict, callback_dict, - rep): + rep, + inner=False): rep_msg_type = kdc_exchange_dict['rep_msg_type'] @@ -2173,7 +2175,10 @@ class RawKerberosTest(TestCaseInTempDir): # error-code checked above if self.strict_checking: self.assertElementMissing(rep, 'crealm') - self.assertElementMissing(rep, 'cname') + if expected_cname['name-type'] == NT_WELLKNOWN and not inner: + self.assertElementEqualPrincipal(rep, 'cname', expected_cname) + else: + self.assertElementMissing(rep, 'cname') self.assertElementEqualUTF8(rep, 'realm', expected_srealm) if sent_fast and expected_error_mode == KDC_ERR_GENERIC: self.assertElementEqualPrincipal(rep, 'sname', @@ -2186,7 +2191,8 @@ class RawKerberosTest(TestCaseInTempDir): or (rep_msg_type == KRB_TGS_REP and not sent_fast) or (sent_fast and fast_armor_type is not None - and fast_armor_type != FX_FAST_ARMOR_AP_REQUEST)): + and fast_armor_type != FX_FAST_ARMOR_AP_REQUEST) + or inner): self.assertElementMissing(rep, 'e-data') return rep edata = self.getElementValue(rep, 'e-data') -- 2.25.1 From 39b840750fa0eaeb6bb83c8500d02364e506ecef Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 27 Jul 2021 14:49:58 +1200 Subject: [PATCH 076/108] tests/krb5: Check PADATA-FX-ERROR in reply Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit aa2c221f4e1bfc3403de857e62eaeaee1577560c) --- python/samba/tests/krb5/raw_testcase.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 4ebab367141..17ef8df5daa 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2316,6 +2316,7 @@ class RawKerberosTest(TestCaseInTempDir): pk_as_req = None pk_as_rep19 = None fast_cookie = None + fast_error = None fx_fast = None pac_options = None for pa in rep_padata: @@ -2355,6 +2356,11 @@ class RawKerberosTest(TestCaseInTempDir): fast_cookie = pavalue self.assertIsNotNone(fast_cookie) continue + if patype == PADATA_FX_ERROR: + self.assertIsNone(fast_error) + fast_error = pavalue + self.assertIsNotNone(fast_error) + continue if patype == PADATA_FX_FAST: self.assertIsNone(fx_fast) fx_fast = pavalue @@ -2369,6 +2375,14 @@ class RawKerberosTest(TestCaseInTempDir): if fast_cookie is not None: kdc_exchange_dict['fast_cookie'] = fast_cookie + if fast_error is not None: + fast_error = self.der_decode(fast_error, + asn1Spec=krb5_asn1.KRB_ERROR()) + self.generic_check_kdc_error(kdc_exchange_dict, + callback_dict, + fast_error, + inner=True) + if pac_options is not None: self.check_pac_options_claims_support(pac_options) -- 2.25.1 From f49fe011568c4332515dac5850ad0d2cdc43ffac Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Thu, 10 Jun 2021 09:56:58 +1200 Subject: [PATCH 077/108] initial FAST tests Currently incomplete, and tested only against MIT Kerberos. [abartlet@samba.org Originally "WIP inital FAST tests" Samba's general policy that we don't push WIP patches, we polish into a 'perfect' patch stream. However, I think there are good reasons to keep this patch distinct in this particular case. Gary is being modest in titling this WIP (now removed from the title to avoid confusion). They are not WIP in the normal sense of partially or untested code or random unfinished thoughts. The primary issue is that at that point where Gary had to finish up he had trouble getting FAST support enabled on Windows, so couldn't test against our standard reference. They are instead good, working initial tests written against the RFC and tested against Samba's AD DC in the mode backed by MIT Kerberos. This preserves clear authorship for the two distinct bodies of work, as in the next patch Joseph was able to extend and improve the tests significantly. ] Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b7b62957bdce9929fabd3812b9378bdbd6c12966) --- python/samba/tests/krb5/fast_tests.py | 245 ++++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + selftest/knownfail_heimdal_kdc | 8 + source4/selftest/tests.py | 8 + 4 files changed, 262 insertions(+) create mode 100755 python/samba/tests/krb5/fast_tests.py diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py new file mode 100755 index 00000000000..c4d1c2c5d82 --- /dev/null +++ b/python/samba/tests/krb5/fast_tests.py @@ -0,0 +1,245 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2020 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.kdc_base_test import KDCBaseTest +from samba.tests.krb5.rfc4120_constants import ( + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + NT_PRINCIPAL, + NT_SRV_INST, + PADATA_FX_COOKIE, + PADATA_FX_FAST, +) +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 + +global_asn1_print = False +global_hexdump = False + + +class FAST_Tests(KDCBaseTest): + ''' + ''' + + def setUp(self): + super().setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def get_padata_element(self, rep, padata_type): + rep_padata = self.der_decode( + rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + for pa in rep_padata: + if pa['padata-type'] == padata_type: + return pa['padata-value'] + return None + + def test_fast_supported(self): + '''Confirm that the kdc supports FAST + The KDC SHOULD return an empty PA-FX-FAST in a + PREAUTH_REQUIRED error if FAST is supported + + + ''' + + # Create a user account for the test. + # + samdb = self.get_samdb() + user_name = "krb5fastusr" + (uc, dn) = self.create_account(samdb, user_name) + realm = uc.get_realm().lower() + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 25) + + fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) + self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") + + def test_explicit_PA_FX_FAST_in_as_req(self): + ''' + Add an empty PA-FX-FAST in the initial AS-REQ + This should get rejected with a Generic error. + + ''' + + # Create a user account for the test. + # + samdb = self.get_samdb() + user_name = "krb5fastusr" + (uc, dn) = self.create_account(samdb, user_name) + realm = uc.get_realm().lower() + + # Do the initial AS-REQ, should get a generic error response + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + x = self.PA_DATA_create(PADATA_FX_FAST, b'') + padata = [x] + rep = self.as_req(cname, sname, realm, etype, padata) + + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 60) + + def test_fast_cookie_retured_in_pre_auth(self): + '''Confirm that the kdc returns PA-FX-COOKIE + ''' + + # Create a user account for the test. + # + samdb = self.get_samdb() + user_name = "krb5fastusr" + (uc, dn) = self.create_account(samdb, user_name) + realm = uc.get_realm().lower() + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 25) + + fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) + self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") + + fx_cookie = self.get_padata_element(rep, PADATA_FX_COOKIE) + self.assertIsNotNone(fx_cookie, "No PADATA_FX_COOKIE element") + + def test_ignore_fast(self): + ''' + TODO reword this + Attempt to authenticate with out FAST, i.e. ignoring the + FAST advertised in the pre-auth + ''' + + # Create a user account for the test. + # + samdb = self.get_samdb() + user_name = "krb5fastusr" + (uc, dn) = self.create_account(samdb, user_name) + realm = uc.get_realm().lower() + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 25) + + fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) + self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") + + fx_cookie = self.get_padata_element(rep, PADATA_FX_COOKIE) + self.assertIsNotNone(fx_cookie, "No PADATA_FX_COOKIE element") + + # Do the next AS-REQ + padata = [self.get_enc_timestamp_pa_data(uc, rep)] + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + def test_fast(self): + ''' + Attempt to authenticate with + ''' + + # Create a user account for the test. + # + samdb = self.get_samdb() + user_name = "krb5fastusr" + (uc, dn) = self.create_account(samdb, user_name) + realm = uc.get_realm().lower() + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 25) + + fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) + self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") + + fx_cookie = self.get_padata_element(rep, PADATA_FX_COOKIE) + self.assertIsNotNone(fx_cookie, "No PADATA_FX_COOKIE element") + + cookie = self.PA_DATA_create(PADATA_FX_COOKIE, fx_cookie) + + # Do the next AS-REQ + padata = [self.get_enc_timestamp_pa_data(uc, rep)] + padata.append(cookie) + # req = self.AS_REQ_create(padata=padata, + # kdc_options=str(kdc_options), + # cname=cname, + # realm=realm, + # sname=sname, + # from_time=None, + # till_time=till, + # renew_time=None, + # nonce=0x7fffffff, + # etypes=etypes, + # addresses=None, + # EncAuthorizationData=None, + # EncAuthorizationData_key=None, + # additional_tickets=None) + # rep = self.as_req(cname, sname, realm, etype, padata=padata) + # self.check_as_reply(rep) + + +if __name__ == "__main__": + global_asn1_print = False + global_hexdump = False + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 27497e069d1..7cdf25b48ae 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -102,6 +102,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/test_smb.py', 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', 'python/samba/tests/krb5/as_req_tests.py', + 'python/samba/tests/krb5/fast_tests.py', } EXCLUDE_HELP = { diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 4e6ee93ce96..66f07cebc14 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -14,3 +14,11 @@ ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c +# +# MIT specific FAST tests, +# +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_explicit_PA_FX_FAST_in_as_req\(ad_dc\) +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast\(ad_dc\) +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_cookie_retured_in_pre_auth\(ad_dc\) +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_supported\(ad_dc\) +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_ignore_fast\(ad_dc\) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 8938754d0fc..56444fc5aa5 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1476,6 +1476,14 @@ planpythontestsuite( 'ADMIN_USERNAME': '$USERNAME', 'ADMIN_PASSWORD': '$PASSWORD' }) +planpythontestsuite( + "ad_dc", + "samba.tests.krb5.fast_tests", + environ={ + 'ADMIN_USERNAME': '$USERNAME', + 'ADMIN_PASSWORD': '$PASSWORD', + 'SERVICE_USERNAME': '$SERVER' + }) planpythontestsuite( "ad_dc", "samba.tests.krb5.ms_kile_client_principal_lookup_tests", -- 2.25.1 From 28508e9ad3768649d4bf923b0715cab927d3c44e Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 29 Jul 2021 10:58:44 +1200 Subject: [PATCH 078/108] tests/krb5: Add FAST tests Example command: SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \ KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \ ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \ PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184 (cherry picked from commit 984a0db00c3f2e38b568a75eb1944f4d7bb7f854) --- python/samba/tests/krb5/fast_tests.py | 1649 ++++++++++++++++++++++--- selftest/knownfail_heimdal_kdc | 54 +- selftest/knownfail_mit_kdc | 53 + source4/selftest/tests.py | 2 +- 4 files changed, 1585 insertions(+), 173 deletions(-) diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index c4d1c2c5d82..e38b2e0a6e1 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -17,225 +17,1542 @@ # along with this program. If not, see . # -import sys +import functools import os +import sys -sys.path.insert(0, "bin/python") -os.environ["PYTHONUNBUFFERED"] = "1" +import ldb +from samba.dcerpc import security +from samba.tests.krb5.raw_testcase import ( + KerberosTicketCreds, + Krb5EncryptionKey +) from samba.tests.krb5.kdc_base_test import KDCBaseTest from samba.tests.krb5.rfc4120_constants import ( + AD_FX_FAST_ARMOR, + AD_FX_FAST_USED, AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5, + FX_FAST_ARMOR_AP_REQUEST, + KDC_ERR_ETYPE_NOSUPP, + KDC_ERR_GENERIC, + KDC_ERR_NOT_US, + KDC_ERR_PREAUTH_FAILED, + KDC_ERR_PREAUTH_REQUIRED, + KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, + KRB_AS_REP, + KRB_TGS_REP, + KU_AS_REP_ENC_PART, + KU_TICKET, NT_PRINCIPAL, NT_SRV_INST, + NT_WELLKNOWN, PADATA_FX_COOKIE, PADATA_FX_FAST, + PADATA_PAC_OPTIONS ) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +import samba.tests.krb5.kcrypto as kcrypto + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" global_asn1_print = False global_hexdump = False class FAST_Tests(KDCBaseTest): - ''' - ''' + @classmethod + def setUpClass(cls): + super().setUpClass() + + cls.user_tgt = None + cls.user_enc_part = None + cls.user_service_ticket = None + + cls.mach_tgt = None + cls.mach_enc_part = None + cls.mach_service_ticket = None def setUp(self): super().setUp() self.do_asn1_print = global_asn1_print self.do_hexdump = global_hexdump - def get_padata_element(self, rep, padata_type): - rep_padata = self.der_decode( - rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) - for pa in rep_padata: - if pa['padata-type'] == padata_type: - return pa['padata-value'] - return None + def test_simple(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_timestamp_padata + } + ]) - def test_fast_supported(self): - '''Confirm that the kdc supports FAST - The KDC SHOULD return an empty PA-FX-FAST in a - PREAUTH_REQUIRED error if FAST is supported + def test_simple_tgs(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_tgt_fn': self.get_user_tgt + } + ]) + def test_simple_tgs_wrong_principal(self): + mach_creds = self.get_mach_creds() + mach_name = mach_creds.get_username() + expected_cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[mach_name]) - ''' + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_tgt_fn': self.get_mach_tgt, + 'expected_cname': expected_cname + } + ]) - # Create a user account for the test. - # - samdb = self.get_samdb() - user_name = "krb5fastusr" - (uc, dn) = self.create_account(samdb, user_name) - realm = uc.get_realm().lower() + def test_simple_tgs_service_ticket(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_NOT_US, + 'use_fast': False, + 'gen_tgt_fn': self.get_user_service_ticket, + } + ]) - # Do the initial AS-REQ, should get a pre-authentication required - # response - etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) - cname = self.PrincipalName_create( - name_type=NT_PRINCIPAL, names=[user_name]) - sname = self.PrincipalName_create( - name_type=NT_SRV_INST, names=["krbtgt", realm]) + def test_simple_tgs_service_ticket_mach(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_NOT_US, + 'use_fast': False, + 'gen_tgt_fn': self.get_mach_service_ticket, + } + ]) - rep = self.as_req(cname, sname, realm, etype) - self.assertIsNotNone(rep) - self.assertEqual(rep['msg-type'], 30) - self.assertEqual(rep['error-code'], 25) + def test_fast_no_claims(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'pac_options': '0' + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'pac_options': '0' + } + ]) - fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) - self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") + def test_fast_tgs_no_claims(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'pac_options': '0' + } + ]) - def test_explicit_PA_FX_FAST_in_as_req(self): - ''' - Add an empty PA-FX-FAST in the initial AS-REQ - This should get rejected with a Generic error. + def test_fast_no_claims_or_canon(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'pac_options': '0', + 'kdc_options': '0' + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'pac_options': '0', + 'kdc_options': '0' + } + ]) - ''' + def test_fast_tgs_no_claims_or_canon(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'pac_options': '0', + 'kdc_options': '0' + } + ]) - # Create a user account for the test. - # - samdb = self.get_samdb() - user_name = "krb5fastusr" - (uc, dn) = self.create_account(samdb, user_name) - realm = uc.get_realm().lower() + def test_fast_no_canon(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'kdc_options': '0' + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'kdc_options': '0' + } + ]) - # Do the initial AS-REQ, should get a generic error response - # response - etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) - cname = self.PrincipalName_create( - name_type=NT_PRINCIPAL, names=[user_name]) - sname = self.PrincipalName_create( - name_type=NT_SRV_INST, names=["krbtgt", realm]) + def test_fast_tgs_no_canon(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'kdc_options': '0' + } + ]) + + def test_simple_tgs_no_etypes(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP, + 'use_fast': False, + 'gen_tgt_fn': self.get_mach_tgt, + 'etypes': () + } + ]) + + def test_fast_tgs_no_etypes(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP, + 'use_fast': True, + 'gen_tgt_fn': self.get_mach_tgt, + 'fast_armor': None, + 'etypes': () + } + ]) + + def test_simple_no_etypes(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP, + 'use_fast': False, + 'etypes': () + } + ]) + + def test_simple_fast_no_etypes(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'etypes': () + } + ]) + + def test_empty_fast(self): + # Add an empty PA-FX-FAST in the initial AS-REQ. This should get + # rejected with a Generic error. + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': True, + 'gen_fast_fn': self.generate_empty_fast, + 'fast_armor': None, + 'gen_armor_tgt_fn': self.get_mach_tgt + } + ]) + + def test_fast_unknown_critical_option(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, + 'use_fast': True, + 'fast_options': '001', # unsupported critical option + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + } + ]) + + def test_unarmored_as_req(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': True, + 'fast_armor': None, # no armor, + 'gen_armor_tgt_fn': self.get_mach_tgt + } + ]) + + def test_fast_invalid_armor_type(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_FAILED, + 'use_fast': True, + 'fast_armor': 0, # invalid armor type + 'gen_armor_tgt_fn': self.get_mach_tgt + } + ]) + + def test_fast_invalid_armor_type2(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_FAILED, + 'use_fast': True, + 'fast_armor': 2, # invalid armor type + 'gen_armor_tgt_fn': self.get_mach_tgt + } + ]) + + def test_fast_encrypted_challenge(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + } + ]) + + def test_fast_encrypted_challenge_wrong_key(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_FAILED, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata_wrong_key, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + } + ]) + + def test_fast_encrypted_challenge_wrong_key_kdc(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_FAILED, + 'use_fast': True, + 'gen_padata_fn': + self.generate_enc_challenge_padata_wrong_key_kdc, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + } + ]) + + def test_fast_encrypted_challenge_clock_skew(self): + # The KDC is supposed to confirm that the timestamp is within its + # current clock skew, and return KRB_APP_ERR_SKEW if it is not (RFC6113 + # 5.4.6). However, Windows accepts a skewed timestamp in the encrypted + # challenge. + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': functools.partial( + self.generate_enc_challenge_padata, + skew=10000), + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + } + ]) + + def test_fast_invalid_tgt(self): + # The armor ticket 'sname' field is required to identify the target + # realm TGS (RFC6113 5.4.1.1). However, Windows will still accept a + # service ticket identifying a different server principal. + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_user_service_ticket + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_user_service_ticket + # ticket not identifying TGS of current + # realm + } + ]) + + def test_fast_invalid_tgt_mach(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_service_ticket + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_service_ticket + # ticket not identifying TGS of current + # realm + } + ]) + + def test_fast_enc_timestamp(self): + # Provide ENC-TIMESTAMP as FAST padata when we should be providing + # ENCRYPTED-CHALLENGE - ensure that we get PREAUTH_REQUIRED. + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_timestamp_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + } + ]) + + def test_fast(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + } + ]) + + def test_fast_tgs(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None + } + ]) + + def test_fast_tgs_armor(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST + } + ]) + + def test_fast_outer_wrong_realm(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'outer_req': { + 'realm': 'TEST' # should be ignored + } + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'outer_req': { + 'realm': 'TEST' # should be ignored + } + } + ]) + + def test_fast_tgs_outer_wrong_realm(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'outer_req': { + 'realm': 'TEST' # should be ignored + } + } + ]) + + def test_fast_outer_wrong_nonce(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'outer_req': { + 'nonce': '123' # should be ignored + } + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'outer_req': { + 'nonce': '123' # should be ignored + } + } + ]) + + def test_fast_tgs_outer_wrong_nonce(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'outer_req': { + 'nonce': '123' # should be ignored + } + } + ]) + + def test_fast_outer_wrong_flags(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'outer_req': { + 'kdc-options': '11111111111111111' # should be ignored + } + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'outer_req': { + 'kdc-options': '11111111111111111' # should be ignored + } + } + ]) + + def test_fast_tgs_outer_wrong_flags(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'outer_req': { + 'kdc-options': '11111111111111111' # should be ignored + } + } + ]) + + def test_fast_outer_wrong_till(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'outer_req': { + 'till': '15000101000000Z' # should be ignored + } + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'outer_req': { + 'till': '15000101000000Z' # should be ignored + } + } + ]) + + def test_fast_tgs_outer_wrong_till(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'outer_req': { + 'till': '15000101000000Z' # should be ignored + } + } + ]) + + def test_fast_authdata_fast_used(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_authdata_fn': self.generate_fast_used_auth_data, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None + } + ]) + + def test_fast_authdata_fast_not_used(self): + # The AD-fx-fast-used authdata type can be included in the + # authenticator or the TGT authentication data to indicate that FAST + # must be used. The KDC must return KRB_APP_ERR_MODIFIED if it receives + # this authdata type in a request not using FAST (RFC6113 5.4.2). + self._run_test_sequence([ + # This request works without FAST. + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_tgt_fn': self.get_user_tgt + }, + # Add the 'FAST used' auth data and it now fails. + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + # should be KRB_APP_ERR_MODIFIED + 'use_fast': False, + 'gen_authdata_fn': self.generate_fast_used_auth_data, + 'gen_tgt_fn': self.get_user_tgt + } + ]) + + def test_fast_ad_fx_fast_armor(self): + # If the authenticator or TGT authentication data contains the + # AD-fx-fast-armor authdata type, the KDC must reject the request + # (RFC6113 5.4.1.1). + self._run_test_sequence([ + # This request works. + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None + }, + # Add the 'FAST armor' auth data and it now fails. + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': True, + 'gen_authdata_fn': self.generate_fast_armor_auth_data, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None + } + ]) + + def test_fast_ad_fx_fast_armor2(self): + # Show that we can still use the AD-fx-fast-armor authorization data in + # FAST armor tickets. + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'gen_authdata_fn': self.generate_fast_armor_auth_data, + # include the auth data in the FAST armor. + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + } + ]) + + def test_fast_ad_fx_fast_armor_ticket(self): + # If the authenticator or TGT authentication data contains the + # AD-fx-fast-armor authdata type, the KDC must reject the request + # (RFC6113 5.4.2). + self._run_test_sequence([ + # This request works. + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None + }, + # Add AD-fx-fast-armor authdata element to user TGT. This request + # fails. + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': True, + 'gen_tgt_fn': self.gen_tgt_fast_armor_auth_data, + 'fast_armor': None + } + ]) + + def test_fast_ad_fx_fast_armor_ticket2(self): + self._run_test_sequence([ + # Show that we can still use the modified ticket as armor. + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.gen_tgt_fast_armor_auth_data + } + ]) + + def test_fast_tgs_service_ticket(self): + # Try to use a non-TGT ticket to establish an armor key, which fails + # (RFC6113 5.4.2). + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_NOT_US, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_service_ticket, # fails + 'fast_armor': None + } + ]) + + def test_fast_tgs_service_ticket_mach(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_NOT_US, # fails + 'use_fast': True, + 'gen_tgt_fn': self.get_mach_service_ticket, + 'fast_armor': None + } + ]) + + def test_simple_tgs_no_subkey(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_tgt_fn': self.get_user_tgt, + 'include_subkey': False + } + ]) + + def test_fast_tgs_no_subkey(self): + # Show that omitting the subkey in the TGS-REQ authenticator fails + # (RFC6113 5.4.2). + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'include_subkey': False + } + ]) + + def test_fast_hide_client_names(self): + user_creds = self.get_client_creds() + user_name = user_creds.get_username() + user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[user_name]) + + expected_cname = self.PrincipalName_create( + name_type=NT_WELLKNOWN, names=['WELLKNOWN', 'ANONYMOUS']) + + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'fast_options': '01', # hide client names + 'expected_cname': expected_cname + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'fast_options': '01', # hide client names + 'expected_cname': expected_cname, + 'expected_cname_private': user_cname + } + ]) + + def test_fast_tgs_hide_client_names(self): + user_creds = self.get_client_creds() + user_name = user_creds.get_username() + user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[user_name]) + + expected_cname = self.PrincipalName_create( + name_type=NT_WELLKNOWN, names=['WELLKNOWN', 'ANONYMOUS']) + + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'fast_options': '01', # hide client names + 'expected_cname': expected_cname, + 'expected_cname_private': user_cname + } + ]) + + def test_fast_encrypted_challenge_replay(self): + # The KDC is supposed to check that encrypted challenges are not + # replays (RFC6113 5.4.6), but timestamps may be reused; an encrypted + # challenge is only considered a replay if the ciphertext is identical + # to a previous challenge. Windows does not perform this check. + + class GenerateEncChallengePadataReplay: + def __init__(replay): + replay._padata = None + + def __call__(replay, key, armor_key): + if replay._padata is None: + client_challenge_key = ( + self.generate_client_challenge_key(armor_key, key)) + replay._padata = self.get_challenge_pa_data( + client_challenge_key) + + return replay._padata + + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': GenerateEncChallengePadataReplay(), + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'repeat': 2 + } + ]) + + def generate_enc_timestamp_padata(self, key, _armor_key): + return self.get_enc_timestamp_pa_data_from_key(key) + + def generate_enc_challenge_padata(self, key, armor_key, skew=0): + client_challenge_key = ( + self.generate_client_challenge_key(armor_key, key)) + return self.get_challenge_pa_data(client_challenge_key, skew=skew) + + def generate_enc_challenge_padata_wrong_key_kdc(self, key, armor_key): + kdc_challenge_key = ( + self.generate_kdc_challenge_key(armor_key, key)) + return self.get_challenge_pa_data(kdc_challenge_key) + + def generate_enc_challenge_padata_wrong_key(self, key, _armor_key): + return self.get_challenge_pa_data(key) + + def generate_empty_fast(self, + _kdc_exchange_dict, + _callback_dict, + _req_body, + _fast_padata, + _fast_armor, + _checksum, + _fast_options=''): + fast_padata = self.PA_DATA_create(PADATA_FX_FAST, b'') + + return fast_padata + + def _run_test_sequence(self, test_sequence): + if self.strict_checking: + self.check_kdc_fast_support() + + kdc_options_default = str(krb5_asn1.KDCOptions('forwardable,' + 'renewable,' + 'canonicalize,' + 'renewable-ok')) + + pac_request = self.get_pa_pac_request() + + client_creds = self.get_client_creds() + target_creds = self.get_service_creds() + krbtgt_creds = self.get_krbtgt_creds() + + client_username = client_creds.get_username() + client_realm = client_creds.get_realm() + client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[client_username]) + + krbtgt_username = krbtgt_creds.get_username() + krbtgt_realm = krbtgt_creds.get_realm() + krbtgt_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) + krbtgt_decryption_key = self.TicketDecryptionKey_from_creds( + krbtgt_creds) + + target_username = target_creds.get_username()[:-1] + target_realm = target_creds.get_realm() + target_service = 'host' + target_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=[target_service, target_username]) + target_decryption_key = self.TicketDecryptionKey_from_creds( + target_creds, etype=kcrypto.Enctype.RC4) + + fast_cookie = None + preauth_etype_info2 = None + + preauth_key = None + + for kdc_dict in test_sequence: + rep_type = kdc_dict.pop('rep_type') + self.assertIn(rep_type, (KRB_AS_REP, KRB_TGS_REP)) + + expected_error_mode = kdc_dict.pop('expected_error_mode') + self.assertIn(expected_error_mode, range(240)) + + use_fast = kdc_dict.pop('use_fast') + self.assertIs(type(use_fast), bool) + + if use_fast: + self.assertIn('fast_armor', kdc_dict) + fast_armor_type = kdc_dict.pop('fast_armor') + + if fast_armor_type is not None: + self.assertIn('gen_armor_tgt_fn', kdc_dict) + elif expected_error_mode != KDC_ERR_GENERIC: + self.assertNotIn('gen_armor_tgt_fn', kdc_dict) + + gen_armor_tgt_fn = kdc_dict.pop('gen_armor_tgt_fn', None) + if gen_armor_tgt_fn is not None: + armor_tgt = gen_armor_tgt_fn() + else: + armor_tgt = None - x = self.PA_DATA_create(PADATA_FX_FAST, b'') - padata = [x] - rep = self.as_req(cname, sname, realm, etype, padata) + fast_options = kdc_dict.pop('fast_options', '') + else: + fast_armor_type = None + armor_tgt = None - self.assertIsNotNone(rep) - self.assertEqual(rep['msg-type'], 30) - self.assertEqual(rep['error-code'], 60) + self.assertNotIn('fast_options', kdc_dict) + fast_options = None - def test_fast_cookie_retured_in_pre_auth(self): - '''Confirm that the kdc returns PA-FX-COOKIE - ''' + if rep_type == KRB_TGS_REP: + gen_tgt_fn = kdc_dict.pop('gen_tgt_fn') + tgt = gen_tgt_fn() + else: + self.assertNotIn('gen_tgt_fn', kdc_dict) + tgt = None + + if expected_error_mode != 0: + check_error_fn = self.generic_check_kdc_error + check_rep_fn = None + else: + check_error_fn = None + check_rep_fn = self.generic_check_kdc_rep + + etypes = kdc_dict.pop('etypes', (AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5)) + + cname = client_cname if rep_type == KRB_AS_REP else None + crealm = client_realm + + if rep_type == KRB_AS_REP: + sname = krbtgt_sname + srealm = krbtgt_realm + else: # KRB_TGS_REP + sname = target_sname + srealm = target_realm + + expected_cname = kdc_dict.pop('expected_cname', client_cname) + expected_cname_private = kdc_dict.pop('expected_cname_private', + None) + expected_crealm = kdc_dict.pop('expected_crealm', client_realm) + expected_sname = kdc_dict.pop('expected_sname', sname) + expected_srealm = kdc_dict.pop('expected_srealm', srealm) + + expected_salt = client_creds.get_salt() + + authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256) + if rep_type == KRB_AS_REP: + if use_fast: + armor_key = self.generate_armor_key(authenticator_subkey, + armor_tgt.session_key) + armor_subkey = authenticator_subkey + else: + armor_key = None + armor_subkey = authenticator_subkey + else: # KRB_TGS_REP + if fast_armor_type is not None: + armor_subkey = self.RandomKey(kcrypto.Enctype.AES256) + explicit_armor_key = self.generate_armor_key( + armor_subkey, + armor_tgt.session_key) + armor_key = kcrypto.cf2(explicit_armor_key.key, + authenticator_subkey.key, + b'explicitarmor', + b'tgsarmor') + armor_key = Krb5EncryptionKey(armor_key, None) + else: + armor_key = self.generate_armor_key(authenticator_subkey, + tgt.session_key) + armor_subkey = authenticator_subkey + + if not kdc_dict.pop('include_subkey', True): + authenticator_subkey = None + + if use_fast: + generate_fast_fn = kdc_dict.pop('gen_fast_fn', None) + if generate_fast_fn is None: + generate_fast_fn = functools.partial( + self.generate_simple_fast, + fast_options=fast_options) + else: + generate_fast_fn = None + + generate_fast_armor_fn = ( + self.generate_ap_req + if fast_armor_type is not None + else None) + + def _generate_padata_copy(_kdc_exchange_dict, + _callback_dict, + req_body, + padata): + return padata, req_body + + def _check_padata_preauth_key(_kdc_exchange_dict, + _callback_dict, + _rep, + _padata): + as_rep_usage = KU_AS_REP_ENC_PART + return preauth_key, as_rep_usage + + pac_options = kdc_dict.pop('pac_options', '1') # claims support + pac_options = self.get_pa_pac_options(pac_options) + + kdc_options = kdc_dict.pop('kdc_options', kdc_options_default) + + if rep_type == KRB_AS_REP: + padata = [pac_request, pac_options] + else: + padata = [pac_options] + + gen_padata_fn = kdc_dict.pop('gen_padata_fn', None) + if gen_padata_fn is not None: + self.assertEqual(KRB_AS_REP, rep_type) + self.assertIsNotNone(preauth_etype_info2) + + preauth_key = self.PasswordKey_from_etype_info2( + client_creds, + preauth_etype_info2[0], + client_creds.get_kvno()) + gen_padata = gen_padata_fn(preauth_key, armor_key) + padata.insert(0, gen_padata) + else: + preauth_key = None + + if rep_type == KRB_AS_REP: + check_padata_fn = _check_padata_preauth_key + else: + check_padata_fn = self.check_simple_tgs_padata + + if use_fast: + inner_padata = padata + outer_padata = [] + else: + inner_padata = [] + outer_padata = padata + + if use_fast and fast_cookie is not None: + outer_padata.append(fast_cookie) + + generate_fast_padata_fn = (functools.partial(_generate_padata_copy, + padata=inner_padata) + if inner_padata else None) + generate_padata_fn = (functools.partial(_generate_padata_copy, + padata=outer_padata) + if outer_padata else None) + + gen_authdata_fn = kdc_dict.pop('gen_authdata_fn', None) + if gen_authdata_fn is not None: + auth_data = [gen_authdata_fn()] + else: + auth_data = None + + if not use_fast: + self.assertNotIn('outer_req', kdc_dict) + outer_req = kdc_dict.pop('outer_req', None) + + if rep_type == KRB_AS_REP: + kdc_exchange_dict = self.as_exchange_dict( + expected_crealm=expected_crealm, + expected_cname=expected_cname, + expected_cname_private=expected_cname_private, + expected_srealm=expected_srealm, + expected_sname=expected_sname, + ticket_decryption_key=krbtgt_decryption_key, + generate_fast_fn=generate_fast_fn, + generate_fast_armor_fn=generate_fast_armor_fn, + generate_fast_padata_fn=generate_fast_padata_fn, + fast_armor_type=fast_armor_type, + generate_padata_fn=generate_padata_fn, + check_error_fn=check_error_fn, + check_rep_fn=check_rep_fn, + check_padata_fn=check_padata_fn, + check_kdc_private_fn=self.generic_check_kdc_private, + callback_dict={}, + expected_error_mode=expected_error_mode, + client_as_etypes=etypes, + expected_salt=expected_salt, + authenticator_subkey=authenticator_subkey, + auth_data=auth_data, + armor_key=armor_key, + armor_tgt=armor_tgt, + armor_subkey=armor_subkey, + kdc_options=kdc_options, + outer_req=outer_req) + else: # KRB_TGS_REP + kdc_exchange_dict = self.tgs_exchange_dict( + expected_crealm=expected_crealm, + expected_cname=expected_cname, + expected_cname_private=expected_cname_private, + expected_srealm=expected_srealm, + expected_sname=expected_sname, + ticket_decryption_key=target_decryption_key, + generate_fast_fn=generate_fast_fn, + generate_fast_armor_fn=generate_fast_armor_fn, + generate_fast_padata_fn=generate_fast_padata_fn, + fast_armor_type=fast_armor_type, + generate_padata_fn=generate_padata_fn, + check_error_fn=check_error_fn, + check_rep_fn=check_rep_fn, + check_padata_fn=check_padata_fn, + check_kdc_private_fn=self.generic_check_kdc_private, + expected_error_mode=expected_error_mode, + callback_dict={}, + tgt=tgt, + armor_key=armor_key, + armor_tgt=armor_tgt, + armor_subkey=armor_subkey, + authenticator_subkey=authenticator_subkey, + auth_data=auth_data, + body_checksum_type=None, + kdc_options=kdc_options, + outer_req=outer_req) + + repeat = kdc_dict.pop('repeat', 1) + for _ in range(repeat): + rep = self._generic_kdc_exchange(kdc_exchange_dict, + cname=cname, + realm=crealm, + sname=sname, + etypes=etypes) + if expected_error_mode == 0: + self.check_reply(rep, rep_type) + + fast_cookie = None + preauth_etype_info2 = None + else: + self.check_error_rep(rep, expected_error_mode) + + if 'fast_cookie' in kdc_exchange_dict: + fast_cookie = self.create_fast_cookie( + kdc_exchange_dict['fast_cookie']) + else: + fast_cookie = None + + if expected_error_mode == KDC_ERR_PREAUTH_REQUIRED: + preauth_etype_info2 = ( + kdc_exchange_dict['preauth_etype_info2']) + else: + preauth_etype_info2 = None + + # Ensure we used all the parameters given to us. + self.assertEqual({}, kdc_dict) + + def generate_fast_armor_auth_data(self): + auth_data = self.AuthorizationData_create(AD_FX_FAST_ARMOR, b'') + + return auth_data + + def generate_fast_used_auth_data(self): + auth_data = self.AuthorizationData_create(AD_FX_FAST_USED, b'') + + return auth_data + + def gen_tgt_fast_armor_auth_data(self): + user_tgt = self.get_user_tgt() + + ticket_decryption_key = user_tgt.decryption_key + + tgt_encpart = self.getElementValue(user_tgt.ticket, 'enc-part') + self.assertElementEqual(tgt_encpart, 'etype', + ticket_decryption_key.etype) + self.assertElementKVNO(tgt_encpart, 'kvno', + ticket_decryption_key.kvno) + tgt_cipher = self.getElementValue(tgt_encpart, 'cipher') + tgt_decpart = ticket_decryption_key.decrypt(KU_TICKET, tgt_cipher) + tgt_private = self.der_decode(tgt_decpart, + asn1Spec=krb5_asn1.EncTicketPart()) + + auth_data = self.generate_fast_armor_auth_data() + tgt_private['authorization-data'].append(auth_data) + + # Re-encrypt the user TGT. + tgt_private_new = self.der_encode( + tgt_private, + asn1Spec=krb5_asn1.EncTicketPart()) + tgt_encpart = self.EncryptedData_create(ticket_decryption_key, + KU_TICKET, + tgt_private_new) + user_ticket = user_tgt.ticket.copy() + user_ticket['enc-part'] = tgt_encpart + + user_tgt = KerberosTicketCreds( + user_ticket, + session_key=user_tgt.session_key, + crealm=user_tgt.crealm, + cname=user_tgt.cname, + srealm=user_tgt.srealm, + sname=user_tgt.sname, + decryption_key=user_tgt.decryption_key, + ticket_private=tgt_private, + encpart_private=user_tgt.encpart_private) + + # Use our modifed TGT to replace the one in the request. + return user_tgt + + def create_fast_cookie(self, cookie): + self.assertIsNotNone(cookie) + if self.strict_checking: + self.assertNotEqual(0, len(cookie)) + + return self.PA_DATA_create(PADATA_FX_COOKIE, cookie) + + def get_pa_pac_request(self, request_pac=True): + pac_request = self.KERB_PA_PAC_REQUEST_create(request_pac) + + return pac_request + + def get_pa_pac_options(self, options): + pac_options = self.PA_PAC_OPTIONS_create(options) + pac_options = self.der_encode(pac_options, + asn1Spec=krb5_asn1.PA_PAC_OPTIONS()) + pac_options = self.PA_DATA_create(PADATA_PAC_OPTIONS, pac_options) + + return pac_options + + def check_kdc_fast_support(self): + # Check that the KDC supports FAST - # Create a user account for the test. - # samdb = self.get_samdb() - user_name = "krb5fastusr" - (uc, dn) = self.create_account(samdb, user_name) - realm = uc.get_realm().lower() - # Do the initial AS-REQ, should get a pre-authentication required - # response + krbtgt_rid = 502 + krbtgt_sid = '%s-%d' % (samdb.get_domain_sid(), krbtgt_rid) + + res = samdb.search(base='' % krbtgt_sid, + scope=ldb.SCOPE_BASE, + attrs=['msDS-SupportedEncryptionTypes']) + + krbtgt_etypes = int(res[0]['msDS-SupportedEncryptionTypes'][0]) + + self.assertTrue( + security.KERB_ENCTYPE_FAST_SUPPORTED & krbtgt_etypes) + self.assertTrue( + security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED & krbtgt_etypes) + self.assertTrue( + security.KERB_ENCTYPE_CLAIMS_SUPPORTED & krbtgt_etypes) + + def get_service_ticket(self, tgt, target_creds, service='host'): etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) - cname = self.PrincipalName_create( - name_type=NT_PRINCIPAL, names=[user_name]) - sname = self.PrincipalName_create( - name_type=NT_SRV_INST, names=["krbtgt", realm]) - - rep = self.as_req(cname, sname, realm, etype) - self.assertIsNotNone(rep) - self.assertEqual(rep['msg-type'], 30) - self.assertEqual(rep['error-code'], 25) - - fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) - self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") - - fx_cookie = self.get_padata_element(rep, PADATA_FX_COOKIE) - self.assertIsNotNone(fx_cookie, "No PADATA_FX_COOKIE element") - - def test_ignore_fast(self): - ''' - TODO reword this - Attempt to authenticate with out FAST, i.e. ignoring the - FAST advertised in the pre-auth - ''' - - # Create a user account for the test. - # - samdb = self.get_samdb() - user_name = "krb5fastusr" - (uc, dn) = self.create_account(samdb, user_name) - realm = uc.get_realm().lower() - # Do the initial AS-REQ, should get a pre-authentication required - # response + key = tgt.session_key + ticket = tgt.ticket + + cname = tgt.cname + realm = tgt.crealm + + target_name = target_creds.get_username()[:-1] + sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[service, target_name]) + + rep, enc_part = self.tgs_req(cname, sname, realm, ticket, key, etype) + + service_ticket = rep['ticket'] + + ticket_etype = service_ticket['enc-part']['etype'] + target_key = self.TicketDecryptionKey_from_creds(target_creds, + etype=ticket_etype) + + session_key = self.EncryptionKey_import(enc_part['key']) + + service_ticket_creds = KerberosTicketCreds(service_ticket, + session_key, + crealm=realm, + cname=cname, + srealm=realm, + sname=sname, + decryption_key=target_key) + + return service_ticket_creds + + def get_tgt(self, creds): + user_name = creds.get_username() + realm = creds.get_realm() + + salt = creds.get_salt() + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) - cname = self.PrincipalName_create( - name_type=NT_PRINCIPAL, names=[user_name]) - sname = self.PrincipalName_create( - name_type=NT_SRV_INST, names=["krbtgt", realm]) + cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create(name_type=NT_SRV_INST, + names=['krbtgt', realm]) - rep = self.as_req(cname, sname, realm, etype) - self.assertIsNotNone(rep) - self.assertEqual(rep['msg-type'], 30) - self.assertEqual(rep['error-code'], 25) + till = self.get_KerberosTime(offset=36000) - fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) - self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") + krbtgt_creds = self.get_krbtgt_creds() + ticket_decryption_key = ( + self.TicketDecryptionKey_from_creds(krbtgt_creds)) - fx_cookie = self.get_padata_element(rep, PADATA_FX_COOKIE) - self.assertIsNotNone(fx_cookie, "No PADATA_FX_COOKIE element") + kdc_options = str(krb5_asn1.KDCOptions('forwardable,' + 'renewable,' + 'canonicalize,' + 'renewable-ok')) - # Do the next AS-REQ - padata = [self.get_enc_timestamp_pa_data(uc, rep)] - rep = self.as_req(cname, sname, realm, etype, padata=padata) + pac_request = self.get_pa_pac_request() + pac_options = self.get_pa_pac_options('1') # supports claims + + padata = [pac_request, pac_options] + + rep, kdc_exchange_dict = self._test_as_exchange( + cname=cname, + realm=realm, + sname=sname, + till=till, + client_as_etypes=etype, + expected_error_mode=KDC_ERR_PREAUTH_REQUIRED, + expected_crealm=realm, + expected_cname=cname, + expected_srealm=realm, + expected_sname=sname, + expected_salt=salt, + etypes=etype, + padata=padata, + kdc_options=kdc_options, + preauth_key=None, + ticket_decryption_key=ticket_decryption_key) + self.check_pre_authentication(rep) + + etype_info2 = kdc_exchange_dict['preauth_etype_info2'] + + preauth_key = self.PasswordKey_from_etype_info2(creds, + etype_info2[0], + creds.get_kvno()) + + ts_enc_padata = self.get_enc_timestamp_pa_data(creds, rep) + + padata = [ts_enc_padata, pac_request, pac_options] + + expected_realm = realm.upper() + + expected_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=['krbtgt', realm.upper()]) + + rep, kdc_exchange_dict = self._test_as_exchange( + cname=cname, + realm=realm, + sname=sname, + till=till, + client_as_etypes=etype, + expected_error_mode=0, + expected_crealm=expected_realm, + expected_cname=cname, + expected_srealm=expected_realm, + expected_sname=expected_sname, + expected_salt=salt, + etypes=etype, + padata=padata, + kdc_options=kdc_options, + preauth_key=preauth_key, + ticket_decryption_key=ticket_decryption_key) self.check_as_reply(rep) - def test_fast(self): - ''' - Attempt to authenticate with - ''' + tgt = rep['ticket'] - # Create a user account for the test. - # - samdb = self.get_samdb() - user_name = "krb5fastusr" - (uc, dn) = self.create_account(samdb, user_name) - realm = uc.get_realm().lower() + enc_part = self.get_as_rep_enc_data(preauth_key, rep) + session_key = self.EncryptionKey_import(enc_part['key']) - # Do the initial AS-REQ, should get a pre-authentication required - # response - etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) - cname = self.PrincipalName_create( - name_type=NT_PRINCIPAL, names=[user_name]) - sname = self.PrincipalName_create( - name_type=NT_SRV_INST, names=["krbtgt", realm]) - - rep = self.as_req(cname, sname, realm, etype) - self.assertIsNotNone(rep) - self.assertEqual(rep['msg-type'], 30) - self.assertEqual(rep['error-code'], 25) - - fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) - self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") - - fx_cookie = self.get_padata_element(rep, PADATA_FX_COOKIE) - self.assertIsNotNone(fx_cookie, "No PADATA_FX_COOKIE element") - - cookie = self.PA_DATA_create(PADATA_FX_COOKIE, fx_cookie) - - # Do the next AS-REQ - padata = [self.get_enc_timestamp_pa_data(uc, rep)] - padata.append(cookie) - # req = self.AS_REQ_create(padata=padata, - # kdc_options=str(kdc_options), - # cname=cname, - # realm=realm, - # sname=sname, - # from_time=None, - # till_time=till, - # renew_time=None, - # nonce=0x7fffffff, - # etypes=etypes, - # addresses=None, - # EncAuthorizationData=None, - # EncAuthorizationData_key=None, - # additional_tickets=None) - # rep = self.as_req(cname, sname, realm, etype, padata=padata) - # self.check_as_reply(rep) + ticket_creds = KerberosTicketCreds( + tgt, + session_key, + crealm=realm, + cname=cname, + srealm=realm, + sname=sname, + decryption_key=ticket_decryption_key) + + return ticket_creds, enc_part + + def get_mach_tgt(self): + if self.mach_tgt is None: + mach_creds = self.get_mach_creds() + type(self).mach_tgt, type(self).mach_enc_part = ( + self.get_tgt(mach_creds)) + + return self.mach_tgt + + def get_user_tgt(self): + if self.user_tgt is None: + user_creds = self.get_client_creds() + type(self).user_tgt, type(self).user_enc_part = ( + self.get_tgt(user_creds)) + + return self.user_tgt + + def get_user_service_ticket(self): + if self.user_service_ticket is None: + user_tgt = self.get_user_tgt() + service_creds = self.get_service_creds() + type(self).user_service_ticket = ( + self.get_service_ticket(user_tgt, service_creds)) + + return self.user_service_ticket + + def get_mach_service_ticket(self): + if self.mach_service_ticket is None: + mach_tgt = self.get_mach_tgt() + service_creds = self.get_service_creds() + type(self).mach_service_ticket = ( + self.get_service_ticket(mach_tgt, service_creds)) + + return self.mach_service_ticket if __name__ == "__main__": diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 66f07cebc14..02a3db1a3cd 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -15,10 +15,52 @@ ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c # -# MIT specific FAST tests, +# FAST tests # -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_explicit_PA_FX_FAST_in_as_req\(ad_dc\) -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast\(ad_dc\) -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_cookie_retured_in_pre_auth\(ad_dc\) -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_supported\(ad_dc\) -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_ignore_fast\(ad_dc\) +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_empty_fast.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor2.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket2.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_not_used.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_used.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_clock_skew.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_replay.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type2.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_canon.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_claims.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_claims_or_canon.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_flags.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_nonce.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_realm.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_till.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_hide_client_names.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_claims.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_etypes.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_flags.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_nonce.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_realm.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_till.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket_mach.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_fast_no_etypes.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_etypes.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_subkey.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket_mach.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_wrong_principal.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index fffa5c3cd7e..0e302343111 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -647,3 +647,56 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ # # fl2000dc doesn't support AES ^samba4.krb5.kdc.*as-req-aes.*fl2000dc +# +# FAST tests +# +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_empty_fast.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor2.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket2.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_not_used.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_used.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_clock_skew.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_replay.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type2.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_canon.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_claims.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_claims_or_canon.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_flags.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_nonce.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_realm.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_till.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_hide_client_names.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_canon.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_claims.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_claims_or_canon.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_etypes.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_flags.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_nonce.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_realm.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_till.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket_mach.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_fast_no_etypes.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_etypes.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_subkey.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket_mach.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_wrong_principal.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 56444fc5aa5..aed0fb36dc5 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1482,7 +1482,7 @@ planpythontestsuite( environ={ 'ADMIN_USERNAME': '$USERNAME', 'ADMIN_PASSWORD': '$PASSWORD', - 'SERVICE_USERNAME': '$SERVER' + 'STRICT_CHECKING': '0', }) planpythontestsuite( "ad_dc", -- 2.25.1 From 54bc85633c0813d5e0d8a1f527b4a2db1514fd87 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 14 Jul 2021 12:49:11 +0200 Subject: [PATCH 079/108] mit-samba: Define debug class for kdb module Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 41d906301b8d13f831b155dcec37d88889b9f36c) --- source4/kdc/mit-kdb/kdb_samba_change_pwd.c | 3 +++ source4/kdc/mit-kdb/kdb_samba_common.c | 3 +++ source4/kdc/mit-kdb/kdb_samba_masterkey.c | 3 +++ source4/kdc/mit-kdb/kdb_samba_pac.c | 3 +++ source4/kdc/mit-kdb/kdb_samba_policies.c | 3 +++ source4/kdc/mit-kdb/kdb_samba_principals.c | 3 +++ source4/kdc/mit_samba.c | 3 +++ 7 files changed, 21 insertions(+) diff --git a/source4/kdc/mit-kdb/kdb_samba_change_pwd.c b/source4/kdc/mit-kdb/kdb_samba_change_pwd.c index e0264cb4f09..ad7bb5d54ea 100644 --- a/source4/kdc/mit-kdb/kdb_samba_change_pwd.c +++ b/source4/kdc/mit-kdb/kdb_samba_change_pwd.c @@ -30,6 +30,9 @@ #include "kdc/mit_samba.h" #include "kdb_samba.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_KERBEROS + krb5_error_code kdb_samba_change_pwd(krb5_context context, krb5_keyblock *master_key, krb5_key_salt_tuple *ks_tuple, diff --git a/source4/kdc/mit-kdb/kdb_samba_common.c b/source4/kdc/mit-kdb/kdb_samba_common.c index e89aed6aeba..35cac193a44 100644 --- a/source4/kdc/mit-kdb/kdb_samba_common.c +++ b/source4/kdc/mit-kdb/kdb_samba_common.c @@ -30,6 +30,9 @@ #include "kdc/mit_samba.h" #include "kdb_samba.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_KERBEROS + struct mit_samba_context *ks_get_context(krb5_context kcontext) { void *db_ctx; diff --git a/source4/kdc/mit-kdb/kdb_samba_masterkey.c b/source4/kdc/mit-kdb/kdb_samba_masterkey.c index 2c4fe72d8c2..b068d964735 100644 --- a/source4/kdc/mit-kdb/kdb_samba_masterkey.c +++ b/source4/kdc/mit-kdb/kdb_samba_masterkey.c @@ -31,6 +31,9 @@ #include "kdc/mit_samba.h" #include "kdb_samba.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_KERBEROS + krb5_error_code kdb_samba_fetch_master_key(krb5_context context, krb5_principal name, krb5_keyblock *key, diff --git a/source4/kdc/mit-kdb/kdb_samba_pac.c b/source4/kdc/mit-kdb/kdb_samba_pac.c index 15497603b10..75b05a62a07 100644 --- a/source4/kdc/mit-kdb/kdb_samba_pac.c +++ b/source4/kdc/mit-kdb/kdb_samba_pac.c @@ -30,6 +30,9 @@ #include "kdc/mit_samba.h" #include "kdb_samba.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_KERBEROS + krb5_error_code kdb_samba_dbekd_decrypt_key_data(krb5_context context, const krb5_keyblock *mkey, const krb5_key_data *key_data, diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index 9197551ed61..a8cf280bdb3 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -30,6 +30,9 @@ #include "kdc/mit_samba.h" #include "kdb_samba.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_KERBEROS + /* FIXME: This is a krb5 function which is exported, but in no header */ extern krb5_error_code decode_krb5_padata_sequence(const krb5_data *output, krb5_pa_data ***rep); diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c index 8b67436dc47..c17fe8b0a14 100644 --- a/source4/kdc/mit-kdb/kdb_samba_principals.c +++ b/source4/kdc/mit-kdb/kdb_samba_principals.c @@ -30,6 +30,9 @@ #include "kdc/mit_samba.h" #include "kdb_samba.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_KERBEROS + #define ADMIN_LIFETIME 60*60*3 /* 3 hours */ #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */ diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index feacc1b5f19..b3bb6b1b032 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -40,6 +40,9 @@ #include "mit_samba.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_KERBEROS + void mit_samba_context_free(struct mit_samba_context *ctx) { /* free heimdal's krb5_context */ -- 2.25.1 From 8be08f23aba902635eef8dadcbc45cda9ba69269 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 11 Jun 2018 16:15:10 +0200 Subject: [PATCH 080/108] mit-samba: Send the logging to the kdc log facility Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit dd8138236bec3635c25e5b482b7a14faa0a9c36b) --- source4/kdc/mit_samba.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index b3bb6b1b032..0a142513608 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -25,6 +25,7 @@ #include "param/param.h" #include "dsdb/samdb/samdb.h" #include "system/kerberos.h" +#include #include #include #include "kdc/sdb.h" @@ -54,6 +55,22 @@ void mit_samba_context_free(struct mit_samba_context *ctx) talloc_free(ctx); } +/* + * Implemant a callback to log to the MIT KDC log facility + * + * http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/general.html#logging-from-kdc-and-kadmind-plugin-modules + */ +static void mit_samba_debug(void *private_ptr, int msg_level, const char *msg) +{ + int is_error = 1; + + if (msg_level > 0) { + is_error = 0; + } + + com_err("", is_error, "%s", msg); +} + int mit_samba_context_init(struct mit_samba_context **_ctx) { NTSTATUS status; @@ -80,7 +97,7 @@ int mit_samba_context_init(struct mit_samba_context **_ctx) goto done; } - setup_logging("mitkdc", DEBUG_DEFAULT_STDOUT); + debug_set_callback(NULL, mit_samba_debug); /* init s4 configuration */ s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx); -- 2.25.1 From 4961b9ec21f06ff1c5bdc85b49c8b10dba382771 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 12 Jul 2021 13:05:59 +0200 Subject: [PATCH 081/108] mit-samba: Use talloc_get_type_abort() instead of casting This is safer to use and fixes compiler warnings. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 60159e03850f88cdee332ba65939cfe4582cb5e1) --- source4/kdc/mit_samba.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index 0a142513608..0a0d3a98315 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -1076,7 +1076,8 @@ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, struct samr_DomInfo1 *dominfo; const char *error_string = NULL; struct auth_user_info_dc *user_info_dc; - struct samba_kdc_entry *p; + struct samba_kdc_entry *p = + talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry); krb5_error_code code = 0; #ifdef DEBUG_PASSWORD @@ -1088,8 +1089,6 @@ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, return ENOMEM; } - p = (struct samba_kdc_entry *)db_entry->e_data; - status = authsam_make_user_info_dc(tmp_ctx, ctx->db_ctx->samdb, lpcfg_netbios_name(ctx->db_ctx->lp_ctx), @@ -1165,11 +1164,10 @@ out: void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry) { struct netr_SendToSamBase *send_to_sam = NULL; - struct samba_kdc_entry *p; + struct samba_kdc_entry *p = + talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry); struct ldb_dn *domain_dn; - p = (struct samba_kdc_entry *)db_entry->e_data; - domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb); authsam_logon_success_accounting(p->kdc_db_ctx->samdb, @@ -1183,9 +1181,8 @@ void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry) void mit_samba_update_bad_password_count(krb5_db_entry *db_entry) { - struct samba_kdc_entry *p; - - p = (struct samba_kdc_entry *)db_entry->e_data; + struct samba_kdc_entry *p = + talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry); authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb, p->msg, -- 2.25.1 From ef08506e25d0b5f68bcc7c46b53fb7a40d0aa421 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 15 Jul 2021 08:48:37 +0200 Subject: [PATCH 082/108] mit-samba: Only set the function opening bracket once Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Aug 5 10:33:18 UTC 2021 on sn-devel-184 (cherry picked from commit 104fc3539090ae9e161945ef9d18d897e3b71fed) --- source4/kdc/mit-kdb/kdb_samba_policies.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index a8cf280bdb3..c431567a7f4 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -304,7 +304,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krb5_timestamp authtime, krb5_authdata **tgt_auth_data, krb5_authdata ***signed_auth_data) -{ #else krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, unsigned int flags, @@ -324,8 +323,8 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, void *authdata_info, krb5_data ***auth_indicators, krb5_authdata ***signed_auth_data) -{ #endif +{ krb5_authdata **authdata = NULL; krb5_boolean is_as_req; krb5_error_code code; -- 2.25.1 From 18abf791b091df900fa01410db5034b2e449ab06 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 23 Aug 2021 19:41:15 +1200 Subject: [PATCH 083/108] samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb This avoids opening the database again by having the caller pass in the DB open BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit 423f808ff48e297745f576a52b2118c4b920a3e4) --- python/samba/netcmd/domain_backup.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py index 5cccccd40ec..4f669a940b7 100644 --- a/python/samba/netcmd/domain_backup.py +++ b/python/samba/netcmd/domain_backup.py @@ -1020,8 +1020,7 @@ class cmd_domain_backup_offline(samba.netcmd.Command): else: logger.info('Starting transaction on ' + sam_ldb_path) copy_function = self.offline_tdb_copy - sam_obj = Ldb(sam_ldb_path, lp=lp, flags=ldb.FLG_DONT_CREATE_DB) - sam_obj.transaction_start() + samdb.transaction_start() logger.info(' backing up ' + sam_ldb_path) self.offline_tdb_copy(sam_ldb_path) @@ -1036,7 +1035,7 @@ class cmd_domain_backup_offline(samba.netcmd.Command): shutil.copyfile(sam_file, sam_file + self.backup_ext) if not mdb_backend: - sam_obj.transaction_cancel() + samdb.transaction_cancel() # Find where a path should go in the fixed backup archive structure. def get_arc_path(self, path, conf_paths): @@ -1072,9 +1071,6 @@ class cmd_domain_backup_offline(samba.netcmd.Command): check_targetdir(logger, targetdir) - samdb = SamDB(url=paths.samdb, session_info=system_session(), lp=lp, - flags=ldb.FLG_RDONLY) - # Iterating over the directories in this specific order ensures that # when the private directory contains hardlinks that are also contained # in other directories to be backed up (such as in paths.binddns_dir), @@ -1117,7 +1113,12 @@ class cmd_domain_backup_offline(samba.netcmd.Command): all_files.append(full_path) - # Backup secrets, sam.ldb and their downstream files + # We would prefer to open with FLG_RDONLY but then we can't + # start a transaction which is the strong isolation we want + # for the backup. + samdb = SamDB(url=paths.samdb, session_info=system_session(), lp=lp, + flags=ldb.FLG_DONT_CREATE_DB) + self.backup_secrets(paths.private_dir, lp, logger) self.backup_smb_dbs(paths.private_dir, samdb, lp, logger) -- 2.25.1 From 6c225aace1a9e793cd94114030fd34650e9a0c3f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 23 Aug 2021 18:14:16 +1200 Subject: [PATCH 084/108] samba-tool: Rework transations/locks to hold a lock during mdb backup We now also get sidForRestore under that lock, rather than after the backup. This avoids using the database again after the backup process While not entirely clear how/why this matters with LMDB as seen in Fedora 34, likely due to the same issues seen with 0.9.26 or later fixed by commmit bb3dcd403ced922574a89011dd3814c4fe87dd76. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit 958931ad379af26dcbc55cfbc49e7886ef8e0550) --- python/samba/netcmd/domain_backup.py | 38 +++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py index 4f669a940b7..3a2622c5c80 100644 --- a/python/samba/netcmd/domain_backup.py +++ b/python/samba/netcmd/domain_backup.py @@ -1004,7 +1004,12 @@ class cmd_domain_backup_offline(samba.netcmd.Command): # sam.ldb must have a transaction started on it before backing up # everything in sam.ldb.d with the appropriate backup function. + # + # Obtains the sidForRestore (SID for the new DC) and returns it + # from under the transaction def backup_smb_dbs(self, private_dir, samdb, lp, logger): + sam_ldb_path = os.path.join(private_dir, 'sam.ldb') + # First, determine if DB backend is MDB. Assume not unless there is a # 'backendStore' attribute on @PARTITION containing the text 'mdb' store_label = "backendStore" @@ -1012,11 +1017,24 @@ class cmd_domain_backup_offline(samba.netcmd.Command): attrs=[store_label]) mdb_backend = store_label in res[0] and str(res[0][store_label][0]) == 'mdb' - sam_ldb_path = os.path.join(private_dir, 'sam.ldb') + # This is needed to keep this variable in scope until the end + # of the transaction. + res_iterator = None + copy_function = None if mdb_backend: logger.info('MDB backend detected. Using mdb backup function.') copy_function = self.offline_mdb_copy + + # We can't backup with a write transaction open, so get a + # read lock with a search_iterator(). + # + # We have tests in lib/ldb/tests/python/api.py that the + # search iterator takes a read lock effective against a + # transaction. This in turn will ensure there are no + # transactions on either the main or sub-database, even if + # the read locks were not enforced globally (they are). + res_iterator = samdb.search_iterator() else: logger.info('Starting transaction on ' + sam_ldb_path) copy_function = self.offline_tdb_copy @@ -1034,9 +1052,16 @@ class cmd_domain_backup_offline(samba.netcmd.Command): logger.info(' copying locked/related file ' + sam_file) shutil.copyfile(sam_file, sam_file + self.backup_ext) - if not mdb_backend: + sid = get_sid_for_restore(samdb, logger) + + if mdb_backend: + # Delete the iterator, release the read lock + del(res_iterator) + else: samdb.transaction_cancel() + return sid + # Find where a path should go in the fixed backup archive structure. def get_arc_path(self, path, conf_paths): backup_dirs = {"private": conf_paths.private_dir, @@ -1119,16 +1144,17 @@ class cmd_domain_backup_offline(samba.netcmd.Command): samdb = SamDB(url=paths.samdb, session_info=system_session(), lp=lp, flags=ldb.FLG_DONT_CREATE_DB) + # Backup secrets, sam.ldb and their downstream files self.backup_secrets(paths.private_dir, lp, logger) - self.backup_smb_dbs(paths.private_dir, samdb, lp, logger) + sid = self.backup_smb_dbs(paths.private_dir, samdb, lp, logger) # Get the domain SID so we can later place it in the backup dom_sid_str = samdb.get_domain_sid() dom_sid = security.dom_sid(dom_sid_str) - sid = get_sid_for_restore(samdb, logger) - - # Close the original samdb + # Close the original samdb, to avoid any confusion, we will + # not use this any more as the data has all been copied under + # the transaction samdb = None # Open the new backed up samdb, flag it as backed up, and write -- 2.25.1 From b3f2088bece28d3be2c641eabbd3853c8d8753f6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 23 Aug 2021 20:45:50 +1200 Subject: [PATCH 085/108] samba-tool domain backup: Use tdbbackup on metadata.tdb metadata.tdb is inside sam.ldb.d/ but should be backed up with tdbbackup. Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Tue Aug 24 13:22:04 UTC 2021 on sn-devel-184 (cherry picked from commit 78942ad7d17a92cd39d9c46ae1b8348e9673ac30) --- python/samba/netcmd/domain_backup.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py index 3a2622c5c80..81738196385 100644 --- a/python/samba/netcmd/domain_backup.py +++ b/python/samba/netcmd/domain_backup.py @@ -1048,6 +1048,9 @@ class cmd_domain_backup_offline(samba.netcmd.Command): if sam_file.endswith('.ldb'): logger.info(' backing up locked/related file ' + sam_file) copy_function(sam_file) + elif sam_file.endswith('.tdb'): + logger.info(' tdbbackup of locked/related file ' + sam_file) + self.offline_tdb_copy(sam_file) else: logger.info(' copying locked/related file ' + sam_file) shutil.copyfile(sam_file, sam_file + self.backup_ext) -- 2.25.1 From ac9883d77f20055e3b41990b69e3f2ba0428aeb6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 16 Aug 2021 13:40:39 +1200 Subject: [PATCH 086/108] autobuild.py: Explain why each job is removed from the default set Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 167ad96136b42b5cb601decc0fc68c9603c8b172) --- script/autobuild.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/script/autobuild.py b/script/autobuild.py index b1dcece0093..d4a335c0320 100755 --- a/script/autobuild.py +++ b/script/autobuild.py @@ -1002,14 +1002,26 @@ defaulttasks = list(tasks.keys()) defaulttasks.remove("pass") defaulttasks.remove("fail") + +# The build tasks will be brought in by the test tasks as needed defaulttasks.remove("samba-def-build") defaulttasks.remove("samba-nt4-build") defaulttasks.remove("samba-mit-build") defaulttasks.remove("samba-h5l-build") defaulttasks.remove("samba-no-opath-build") + +# This is not a normal test, but a task to support manually running +# one test under autobuild defaulttasks.remove("samba-test-only") + +# Only built on GitLab CI and not in the default autobuild because it +# uses too much space (4GB of semi-static binaries) defaulttasks.remove("samba-fuzz") + +# The FIPS build runs only in GitLab CI on a current Fedora Docker +# container where a simulated FIPS mode is possible. defaulttasks.remove("samba-fips") + if os.environ.get("AUTOBUILD_SKIP_SAMBA_O3", "0") == "1": defaulttasks.remove("samba-o3") -- 2.25.1 From 0a3725918e1fc1f48126b495a737c65805d3e210 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 18 Aug 2021 14:59:47 +1200 Subject: [PATCH 087/108] gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos Because the MIT KDC builds are moving to current MIT and out of the default autobuild this ensures that on our default host, which is closer to what most of our users operate, Samba still works with Kerberos. This uses the ktest environment that does not require the KDC to exist and instead uses a static ccache and keytab. Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 6145c388d201d817444322dee67ca1ec1989ecd1) --- .gitlab-ci-main.yml | 7 +++++++ script/autobuild.py | 24 ++++++++++++++++++++++-- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 657b28e274f..0ac6f67fcdf 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -383,6 +383,13 @@ samba-fips: samba-fileserver: extends: .needs_samba-h5l-build-private +# This is a full build without the AD DC so we test the build with MIT +# Kerberos from the default system (Ubuntu 18.04 at this stage). +# Runtime behaviour checked via the ktest (static ccache and keytab) +# environment +samba-ktest-mit: + extends: .shared_template + samba-ad-dc-1: extends: .needs_samba-def-build-private diff --git a/script/autobuild.py b/script/autobuild.py index d4a335c0320..9db8c88f2c7 100755 --- a/script/autobuild.py +++ b/script/autobuild.py @@ -426,8 +426,28 @@ tasks = { "fileserver_smb1", "fileserver_smb1_done", "maptoguest", - "ktest", # ktest is also tested in samba and samba-mitkrb5 - # but is tested here against a system Heimdal + "ktest", # ktest is also tested in samba-ktest-mit samba + # and samba-mitkrb5 but is tested here against + # a system Heimdal + ])), + ("lcov", LCOV_CMD), + ("check-clean-tree", CLEAN_SOURCE_TREE_CMD), + ], + }, + + # This is a full build without the AD DC so we test the build with + # MIT Kerberos from the current system. Runtime behaviour is + # confirmed via the ktest (static ccache and keytab) environment + + "samba-ktest-mit": { + "sequence": [ + ("random-sleep", random_sleep(300, 900)), + ("configure", "./configure.developer --without-ad-dc --with-system-mitkrb5 " + samba_configure_params), + ("make", "make -j"), + ("test", make_test(include_envs=[ + "ktest", # ktest is also tested in fileserver, samba and + # samba-mitkrb5 but is tested here against a + # system MIT krb5 ])), ("lcov", LCOV_CMD), ("check-clean-tree", CLEAN_SOURCE_TREE_CMD), -- 2.25.1 From c67b55158b25d7c60c13f48b1e0e8e1213795c2e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 16 Aug 2021 13:52:04 +1200 Subject: [PATCH 088/108] gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC Fedora packages current MIT builds pretty fast so we base our MIT KDC tests there, as this avoids backporting and tests against the most current code. Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 649b0741e17909afce762a5b84c1231600eec5f0) --- .gitlab-ci-main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 0ac6f67fcdf..ce80561ba0f 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -234,10 +234,14 @@ samba-def-build: samba-mit-build: extends: .shared_template_build_only + variables: + SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34} stage: build_first .needs_samba-mit-build: extends: .shared_template_test_only + variables: + SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34} needs: - job: samba-mit-build artifacts: true @@ -274,6 +278,8 @@ samba: samba-mitkrb5: extends: .shared_template + variables: + SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34} samba-minimal-smbd: extends: .shared_template -- 2.25.1 From 35661ede9fbe7a1e44471a3ff22f701fface8636 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 16 Aug 2021 13:53:58 +1200 Subject: [PATCH 089/108] autobuild.py: Do not build MIT builds by default (eg sn-devel) This avoids the need for MIT KDC tests and the MIT KDC glue code to operate against the older MIT 1.16 found on Ubuntu 18.04, which is our current build environment. Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ff267c3c790c0ae9f276225f67fb543d6371cb53) --- script/autobuild.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/script/autobuild.py b/script/autobuild.py index 9db8c88f2c7..97731215282 100755 --- a/script/autobuild.py +++ b/script/autobuild.py @@ -1042,6 +1042,17 @@ defaulttasks.remove("samba-fuzz") # container where a simulated FIPS mode is possible. defaulttasks.remove("samba-fips") +# The MIT build runs on a current Fedora where an up to date MIT KDC +# is already packaged. This avoids needing to backport a current MIT +# to the default Ubuntu 18.04, particularly during development, and +# the need to install on the shared sn-devel-184. + +defaulttasks.remove("samba-mitkrb5") +defaulttasks.remove("samba-admem-mit") +defaulttasks.remove("samba-addc-mit-1") +defaulttasks.remove("samba-addc-mit-4a") +defaulttasks.remove("samba-addc-mit-4b") + if os.environ.get("AUTOBUILD_SKIP_SAMBA_O3", "0") == "1": defaulttasks.remove("samba-o3") -- 2.25.1 From 1c2df04b9ea62a14c08e92a45adb111ac65b7b00 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 16 Aug 2021 14:25:54 +1200 Subject: [PATCH 090/108] build: Move minimum MIT krb5 version to 1.19 to align with what is tested This avoid shipping untested code and aligns with the version used in GitLab CI for all the MIT builds. The "bronze bit" (CVE-2020-17049) security fixes will need a new MIT KDB version in any case, this prepares the ground by removing the older version support. (knownfail_mit_kdc updates taken from a patch by Andreas Schneider that did this optionally) Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 554bdfa8a04fd95c710b486890277dd92f685f2f) --- selftest/knownfail_mit_kdc | 20 -------------------- selftest/knownfail_mit_krb5_pre_1_18 | 1 - selftest/wscript | 3 --- wscript_configure_system_mitkrb5 | 4 +--- 4 files changed, 1 insertion(+), 27 deletions(-) delete mode 100644 selftest/knownfail_mit_krb5_pre_1_18 diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 0e302343111..8b3015f254a 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -146,14 +146,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\( @@ -170,10 +162,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_AsReqSelf\( ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_AsReqSelf\( ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_AsReqSelf\( @@ -239,14 +227,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_RemoveDollar_AsReqSelf\( ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_AsReqSelf\( ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_AsReqSelf\( -^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\( ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_AsReqSelf\( ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar_AsReqSelf\( ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_AsReqSelf\( diff --git a/selftest/knownfail_mit_krb5_pre_1_18 b/selftest/knownfail_mit_krb5_pre_1_18 deleted file mode 100644 index ef1a3d5aa91..00000000000 --- a/selftest/knownfail_mit_krb5_pre_1_18 +++ /dev/null @@ -1 +0,0 @@ -^samba4.blackbox.kinit.kinit.with.canonicalize diff --git a/selftest/wscript b/selftest/wscript index afb1fa936cd..a6be06c2ae9 100644 --- a/selftest/wscript +++ b/selftest/wscript @@ -142,9 +142,6 @@ def cmd_testonly(opt): '--flapping=${srcdir}/selftest/flapping ' '--flapping=${srcdir}/selftest/flapping.d') - if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_18'): - env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_krb5_pre_1_18' - if Options.options.FAIL_IMMEDIATELY: env.FILTER_XFAIL += ' --fail-immediately' diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 index f971194c2cd..6f7bbd4ed13 100644 --- a/wscript_configure_system_mitkrb5 +++ b/wscript_configure_system_mitkrb5 @@ -9,7 +9,7 @@ krb5_min_required_version = "1.9" # Requried versions krb5_required_version = krb5_min_required_version if conf.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): - krb5_required_version = "1.15.1" + krb5_required_version = "1.19" def parse_version(v): return tuple(map(int, (v.split(".")))) @@ -77,8 +77,6 @@ if conf.env.KRB5_CONFIG: else: Logs.info('MIT Kerberos %s detected, MIT krb5 build can proceed' % (krb5_version)) - if parse_version(krb5_version) < parse_version('1.18'): - conf.DEFINE('HAVE_MIT_KRB5_PRE_1_18', 1) conf.define('USING_SYSTEM_MITKRB5', '"%s"' % krb5_version) conf.CHECK_CFG(args="--cflags --libs", package="com_err", uselib_store="com_err") -- 2.25.1 From 5afdc0a08ee9a0eba15d674d04324aa14093cc52 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 16 Aug 2021 14:46:31 +1200 Subject: [PATCH 091/108] mit-kdc: Remove build time support for KDB_API < 10 The previous commits restricted to MIT KDC build to MIT 1.19 and this removes the #ifdef in the code of what will become untested code. Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Aug 26 07:05:44 UTC 2021 on sn-devel-184 (cherry picked from commit 9b9fd2a0d9ca81aa16ddfe2f7e219b94e2ac158b) --- source4/kdc/mit-kdb/kdb_samba.h | 32 ------------------ source4/kdc/mit-kdb/kdb_samba_policies.c | 38 ---------------------- source4/kdc/mit-kdb/kdb_samba_principals.c | 7 ---- 3 files changed, 77 deletions(-) diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h index ad4f6e27573..8a29334bcea 100644 --- a/source4/kdc/mit-kdb/kdb_samba.h +++ b/source4/kdc/mit-kdb/kdb_samba.h @@ -71,18 +71,11 @@ krb5_error_code kdb_samba_db_put_principal(krb5_context context, krb5_error_code kdb_samba_db_delete_principal(krb5_context context, krb5_const_principal princ); -#if KRB5_KDB_API_VERSION >= 8 krb5_error_code kdb_samba_db_iterate(krb5_context context, char *match_entry, int (*func)(krb5_pointer, krb5_db_entry *), krb5_pointer func_arg, krb5_flags iterflags); -#else -krb5_error_code kdb_samba_db_iterate(krb5_context context, - char *match_entry, - int (*func)(krb5_pointer, krb5_db_entry *), - krb5_pointer func_arg); -#endif /* from kdb_samba_masterkey.c */ @@ -114,21 +107,6 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context, /* from kdb_samba_policies.c */ -#if KRB5_KDB_API_VERSION < 10 -krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - unsigned int flags, - krb5_const_principal client_princ, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_keyblock *session_key, - krb5_timestamp authtime, - krb5_authdata **tgt_auth_data, - krb5_authdata ***signed_auth_data); -#else krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, unsigned int flags, krb5_const_principal client_princ, @@ -147,7 +125,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, void *authdata_info, krb5_data ***auth_indicators, krb5_authdata ***signed_auth_data); -#endif krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, krb5_kdc_req *kdcreq, @@ -162,7 +139,6 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, const krb5_db_entry *server, krb5_const_principal proxy); -#if KRB5_KDB_API_VERSION >= 9 void kdb_samba_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, const krb5_address *local_addr, @@ -171,14 +147,6 @@ void kdb_samba_db_audit_as_req(krb5_context kcontext, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code); -#else -void kdb_samba_db_audit_as_req(krb5_context kcontext, - krb5_kdc_req *request, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_timestamp authtime, - krb5_error_code error_code); -#endif /* from kdb_samba_change_pwd.c */ diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index c431567a7f4..ac9865aac60 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -290,21 +290,6 @@ done: return code; } -#if KRB5_KDB_API_VERSION < 10 -krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - unsigned int flags, - krb5_const_principal client_princ, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_keyblock *session_key, - krb5_timestamp authtime, - krb5_authdata **tgt_auth_data, - krb5_authdata ***signed_auth_data) -#else krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, unsigned int flags, krb5_const_principal client_princ, @@ -323,7 +308,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, void *authdata_info, krb5_data ***auth_indicators, krb5_authdata ***signed_auth_data) -#endif { krb5_authdata **authdata = NULL; krb5_boolean is_as_req; @@ -331,10 +315,8 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krb5_pac pac = NULL; krb5_data pac_data; -#if KRB5_KDB_API_VERSION >= 10 krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; -#endif /* FIXME: We don't support S4U yet */ if (flags & KRB5_KDB_FLAGS_S4U) { @@ -477,7 +459,6 @@ static void samba_bad_password_count(krb5_db_entry *client, } } -#if KRB5_KDB_API_VERSION >= 9 void kdb_samba_db_audit_as_req(krb5_context context, krb5_kdc_req *request, const krb5_address *local_addr, @@ -499,22 +480,3 @@ void kdb_samba_db_audit_as_req(krb5_context context, /* TODO: perform proper audit logging for addresses */ } -#else -void kdb_samba_db_audit_as_req(krb5_context context, - krb5_kdc_req *request, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_timestamp authtime, - krb5_error_code error_code) -{ - /* - * FIXME: This segfaulted with a FAST test - * FIND_FAST: for , Unknown FAST armor type 0 - */ - if (client == NULL) { - return; - } - - samba_bad_password_count(client, error_code); -} -#endif diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c index c17fe8b0a14..a8c99b025c9 100644 --- a/source4/kdc/mit-kdb/kdb_samba_principals.c +++ b/source4/kdc/mit-kdb/kdb_samba_principals.c @@ -311,18 +311,11 @@ krb5_error_code kdb_samba_db_delete_principal(krb5_context context, return KRB5_KDB_DB_INUSE; } -#if KRB5_KDB_API_VERSION >= 8 krb5_error_code kdb_samba_db_iterate(krb5_context context, char *match_entry, int (*func)(krb5_pointer, krb5_db_entry *), krb5_pointer func_arg, krb5_flags iterflags) -#else -krb5_error_code kdb_samba_db_iterate(krb5_context context, - char *match_entry, - int (*func)(krb5_pointer, krb5_db_entry *), - krb5_pointer func_arg) -#endif { struct mit_samba_context *mit_ctx; krb5_db_entry *kentry = NULL; -- 2.25.1 From 784c5b87deada359b59a658f7d92d3d6f0a04213 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 1 Sep 2021 20:45:03 +1200 Subject: [PATCH 092/108] bootstrap: Update to get newer krb5 on Fedora 34 We need the update FEDORA-2021-20b495cb94 (krb5) to get a fix for CVE-2021-37750 (explicit NULL deref on KDC) so our CI will pass as we have a test for this. Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit e9c8ac4adbca2f8cb45470ccb45a45039188a285) --- .gitlab-ci-main.yml | 2 +- bootstrap/config.py | 3 +++ bootstrap/sha1sum.txt | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index ce80561ba0f..4b2f17938c8 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -42,7 +42,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: b5333a93306e20ba549f5fac3c6c74e0b103c1d6 + SAMBA_CI_CONTAINER_TAG: 733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0 # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. diff --git a/bootstrap/config.py b/bootstrap/config.py index 821ce3d5cc2..ba4304bb9f8 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -20,6 +20,9 @@ Manage dependencies and bootstrap environments for Samba. Config file for packages and templates. +Update the lists in this file to require new packages in the +container images used in GitLab CI + Author: Joe Guo """ import os diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index e7de92cc504..e433f698b68 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -b5333a93306e20ba549f5fac3c6c74e0b103c1d6 +733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0 -- 2.25.1 From 1ce57c393c9cbd9f5750b3f50a7868061c2421b5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 1 Sep 2021 20:55:40 +1200 Subject: [PATCH 093/108] bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 5805a7c49aa13b578a717cbbc46460741d325c65) --- bootstrap/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/README.md b/bootstrap/README.md index 47ef1c67836..d825e30dc05 100644 --- a/bootstrap/README.md +++ b/bootstrap/README.md @@ -32,7 +32,7 @@ Just calculate the sha1sum for consistency checks: bootstrap/template.py --sha1sum The checksum needs to be added as `SAMBA_CI_CONTAINER_TAG` in -the toplevel .gitlab-ci.yml file. +the toplevel .gitlab-ci-main.yml file. ## User Stories -- 2.25.1 From 31e27e1f384307efab70395ce7709bfea210d5bf Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 1 Sep 2021 20:53:45 +1200 Subject: [PATCH 094/108] Update common on currently supported Fedora versions Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d9edad89f3b268c6da8f988a42f8cf2a3b697fe7) --- bootstrap/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/README.md b/bootstrap/README.md index d825e30dc05..44a354de545 100644 --- a/bootstrap/README.md +++ b/bootstrap/README.md @@ -13,7 +13,7 @@ A pure python3 module with CLI to bootstrap Samba envs for multiple distribution ## Supported Distributions deb: Debian 10, Ubuntu 1604|1804|2004 -rpm: CentOS 7|8, Fedora 32|33, openSUSE Leap 15.1|15.2 +rpm: CentOS 7|8, Fedora 33|34, openSUSE Leap 15.1|15.2 Easy to add more. -- 2.25.1 From 093e191433d2a897abf6720bd8404c8d5e1315bd Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 27 Aug 2021 13:35:59 +1200 Subject: [PATCH 095/108] tests/krb5: Make e-data checking less strict Without this additional 'self.strict_checking' check, the tests in the following patches do not get far enough to trigger a crash with the MIT KDC, instead failing when obtaining a TGT for the user or machine. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider (cherry picked from commit 79dda329f2a8382f1e46b50f4b9692e78d687826) --- python/samba/tests/krb5/raw_testcase.py | 5 +- selftest/knownfail_mit_kdc | 341 ------------------------ 2 files changed, 3 insertions(+), 343 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 17ef8df5daa..22f64f25f14 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2504,8 +2504,9 @@ class RawKerberosTest(TestCaseInTempDir): if self.strict_checking: self.assertIsNone(enc_challenge) if not sent_enc_challenge: - self.assertIsNotNone(pk_as_req) - self.assertIsNotNone(pk_as_rep19) + if self.strict_checking: + self.assertIsNotNone(pk_as_req) + self.assertIsNotNone(pk_as_rep19) else: self.assertIsNone(pk_as_req) self.assertIsNone(pk_as_rep19) diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 8b3015f254a..ae1d8702e18 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -271,356 +271,15 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c # -# MIT currently fails the test_as_req_enc_timestamp test. -# -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp.fl2008r2dc -# # MIT currently fails some as_req_no_preauth tests. # ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_False -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_True.fl2008r2dc ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_True.fl2008r2dc ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_True.fl2008r2dc ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4.fl2003dc ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4.fl2008r2dc ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128.fl2003dc ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_pac_True.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_pac_False.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_pac_False.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_pac_None.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_pac_None.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_pac_True.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_pac_True.fl2008r2dc # Differences in our KDC compared to windows # ^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally -- 2.25.1 From e4d36ccedf57d2ac74b50fb863e85bec0efa7ad1 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 14:43:53 +1200 Subject: [PATCH 096/108] tests/krb5: Make cname checking less strict Without this additional 'self.strict_checking' check, the tests in the following patches do not get far enough to trigger a crash with the MIT KDC. Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 36798f5b651a02b74b6844c024101f7a026f1f68) --- python/samba/tests/krb5/raw_testcase.py | 5 ++-- selftest/knownfail_mit_kdc | 39 ------------------------- 2 files changed, 3 insertions(+), 41 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 22f64f25f14..32de51c2da4 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2043,8 +2043,9 @@ class RawKerberosTest(TestCaseInTempDir): ticket_session_key = self.EncryptionKey_import(ticket_key) self.assertElementEqualUTF8(ticket_private, 'crealm', expected_crealm) - self.assertElementEqualPrincipal(ticket_private, 'cname', - expected_cname) + if self.strict_checking: + self.assertElementEqualPrincipal(ticket_private, 'cname', + expected_cname) self.assertElementPresent(ticket_private, 'transited') self.assertElementPresent(ticket_private, 'authtime') if self.strict_checking: diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index ae1d8702e18..be590f997a0 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -289,53 +289,14 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ # # FAST tests # -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_empty_fast.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor2.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket2.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_not_used.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_used.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_clock_skew.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_replay.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type2.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_canon.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_claims.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_claims_or_canon.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_flags.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_nonce.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_realm.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_till.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_hide_client_names.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_canon.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_claims.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_claims_or_canon.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_etypes.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_flags.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_nonce.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_realm.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_till.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket_mach.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_fast_no_etypes.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_etypes.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_subkey.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket_mach.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_wrong_principal.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc -- 2.25.1 From 950199343e8f0b360a1ede409a70b094020a274a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 29 Jul 2021 16:52:29 +1200 Subject: [PATCH 097/108] tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST Note: This test crashed the MIT KDC prior to MIT commit fc98f520caefff2e5ee9a0026fdf5109944b3562 which was given CVE-2021-36222. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider (cherry picked from commit 15f9f040fe537ebd30419a4751aa0f13b20f242b) --- python/samba/tests/krb5/fast_tests.py | 15 +++++++++++++++ selftest/knownfail_heimdal_kdc | 1 + 2 files changed, 16 insertions(+) diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index e38b2e0a6e1..6d08ad942e1 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -405,6 +405,21 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_fast_encrypted_challenge_no_fast(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_FAILED, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_challenge_padata_wrong_key + } + ]) + def test_fast_encrypted_challenge_clock_skew(self): # The KDC is supposed to confirm that the timestamp is within its # current clock skew, and return KRB_APP_ERR_SKEW if it is not (RFC6113 diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 02a3db1a3cd..c177706822e 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -28,6 +28,7 @@ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_clock_skew.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_no_fast.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_replay.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc -- 2.25.1 From 4ce37ac6d1bda9368667e8c1a89cd625bd29fef2 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Fri, 27 Aug 2021 11:42:48 +1000 Subject: [PATCH 098/108] CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ In tgs_build_reply(), validate the server name in the TGS-REQ is present before dereferencing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 [abartlet@samba.org backported from from Heimdal commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference to an earlier patch by Joseph Sutton] RN: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ Reviewed-by: Andreas Schneider (cherry picked from commit 0cb4b939f192376bf5e33637863a91a20f74c5a5) --- source4/heimdal/kdc/krb5tgs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index b76726cdd64..d143eb739eb 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -1603,6 +1603,10 @@ tgs_build_reply(krb5_context context, s = &adtkt.cname; r = adtkt.crealm; + } else if (s == NULL) { + ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + krb5_set_error_message(context, ret, "No server in request"); + goto out; } _krb5_principalname2krb5_principal(context, &sp, *s, r); -- 2.25.1 From 04bcff7678e9a9da24f40f2c61447bb5ed9143f0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 29 Jul 2021 12:25:06 +1200 Subject: [PATCH 099/108] CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would crash the Heimdal KDC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider (cherry picked from commit b8e2515552ffa158fab1e86a39004de4cc419da5) --- python/samba/tests/krb5/fast_tests.py | 39 +++++++++++++++++++++++++++ selftest/knownfail_heimdal_kdc | 2 ++ selftest/knownfail_mit_kdc | 2 ++ 3 files changed, 43 insertions(+) diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index 6d08ad942e1..559f5dc14c6 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -670,6 +670,45 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_fast_outer_no_sname(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'outer_req': { + 'sname': None # should be ignored + } + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'outer_req': { + 'sname': None # should be ignored + } + } + ]) + + def test_fast_tgs_outer_no_sname(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'outer_req': { + 'sname': None # should be ignored + } + } + ]) + def test_fast_outer_wrong_till(self): self._run_test_sequence([ { diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index c177706822e..f430bda9cd8 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -65,3 +65,5 @@ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket_mach.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_wrong_principal.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index be590f997a0..1be74250570 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -300,3 +300,5 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc -- 2.25.1 From e88fb2e10d902ddd33b159b92de6105aa9d1c566 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 1 Sep 2021 10:43:06 +1200 Subject: [PATCH 100/108] tests/krb5: Remove harmful and a-typical return in as_req testcase A test in a TestCase class should not return a value, the test is determined by the assertions raised. Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2] to not always be filled, so we need to remove this rudundent code. This also fixes a *lot* of tests against the MIT KDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit 3330eaf39c6174f2d90fe4d8e016efb97005d1e5) --- python/samba/tests/krb5/as_req_tests.py | 14 ++++++-------- selftest/knownfail_mit_kdc | 10 ---------- 2 files changed, 6 insertions(+), 18 deletions(-) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index fd258e8164a..82ff3f4845c 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -106,13 +106,11 @@ class AsReqKerberosTests(KDCBaseTest): expected_salt=expected_salt, kdc_options=str(initial_kdc_options)) - rep = self._generic_kdc_exchange(kdc_exchange_dict, - cname=cname, - realm=realm, - sname=sname, - etypes=initial_etypes) - - return kdc_exchange_dict['preauth_etype_info2'] + self._generic_kdc_exchange(kdc_exchange_dict, + cname=cname, + realm=realm, + sname=sname, + etypes=initial_etypes) def _test_as_req_no_preauth_with_args(self, etype_idx, pac): name, etypes = self.etype_test_permutation_by_idx(etype_idx) @@ -121,7 +119,7 @@ class AsReqKerberosTests(KDCBaseTest): else: pa_pac = self.KERB_PA_PAC_REQUEST_create(pac) padata = [pa_pac] - return self._test_as_req_nopreauth( + self._test_as_req_nopreauth( initial_padata=padata, initial_etypes=etypes, initial_kdc_options=krb5_asn1.KDCOptions('forwardable')) diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 1be74250570..02dbe1aa2fb 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -270,16 +270,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c -# -# MIT currently fails some as_req_no_preauth tests. -# -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4.fl2008r2dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128.fl2003dc -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128.fl2008r2dc # Differences in our KDC compared to windows # ^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally -- 2.25.1 From 63aa511df153c3b006a61f3d9efee20e7943243e Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 27 Aug 2021 13:00:21 +1200 Subject: [PATCH 101/108] tests/krb5: Check e-data element for TGS-REP errors without FAST BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider (cherry picked from commit e373c6461a88c44303ea8cdbebc2d78dd15dec4a) --- python/samba/tests/krb5/raw_testcase.py | 52 ++++++++++++-------- python/samba/tests/krb5/rfc4120_constants.py | 2 + 2 files changed, 34 insertions(+), 20 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 32de51c2da4..ba6d07ce465 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -82,6 +82,7 @@ from samba.tests.krb5.rfc4120_constants import ( PADATA_PAC_REQUEST, PADATA_PK_AS_REQ, PADATA_PK_AS_REP_19, + PADATA_PW_SALT, PADATA_SUPPORTED_ETYPES ) import samba.tests.krb5.kcrypto as kcrypto @@ -2187,8 +2188,7 @@ class RawKerberosTest(TestCaseInTempDir): else: self.assertElementEqualPrincipal(rep, 'sname', expected_sname) self.assertElementMissing(rep, 'e-text') - if (expected_error_mode in (KDC_ERR_GENERIC, - KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS) + if (expected_error_mode == KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS or (rep_msg_type == KRB_TGS_REP and not sent_fast) or (sent_fast and fast_armor_type is not None @@ -2198,10 +2198,17 @@ class RawKerberosTest(TestCaseInTempDir): return rep edata = self.getElementValue(rep, 'e-data') if self.strict_checking: - self.assertIsNotNone(edata) + if expected_error_mode != KDC_ERR_GENERIC: + # Predicting whether an ERR_GENERIC error contains e-data is + # more complicated. + self.assertIsNotNone(edata) if edata is not None: - rep_padata = self.der_decode(edata, - asn1Spec=krb5_asn1.METHOD_DATA()) + if rep_msg_type == KRB_TGS_REP and not sent_fast: + rep_padata = [self.der_decode(edata, + asn1Spec=krb5_asn1.PA_DATA())] + else: + rep_padata = self.der_decode(edata, + asn1Spec=krb5_asn1.METHOD_DATA()) self.assertGreater(len(rep_padata), 0) if sent_fast: @@ -2218,15 +2225,13 @@ class RawKerberosTest(TestCaseInTempDir): expect_strengthen_key=False) rep_padata = fast_response['padata'] - else: - rep_padata = [] - etype_info2 = self.check_rep_padata(kdc_exchange_dict, - callback_dict, - rep, - rep_padata) + etype_info2 = self.check_rep_padata(kdc_exchange_dict, + callback_dict, + rep, + rep_padata) - kdc_exchange_dict['preauth_etype_info2'] = etype_info2 + kdc_exchange_dict['preauth_etype_info2'] = etype_info2 return rep @@ -2279,10 +2284,13 @@ class RawKerberosTest(TestCaseInTempDir): expected_patypes += (PADATA_FX_COOKIE,) if rep_msg_type == KRB_TGS_REP: - sent_claims = self.sent_claims(kdc_exchange_dict) - if sent_claims and expected_error_mode != 0: - expected_patypes += (PADATA_PAC_OPTIONS,) - else: + if not sent_fast and expected_error_mode != 0: + expected_patypes += (PADATA_PW_SALT,) + else: + sent_claims = self.sent_claims(kdc_exchange_dict) + if sent_claims and expected_error_mode not in (0, KDC_ERR_GENERIC): + expected_patypes += (PADATA_PAC_OPTIONS,) + elif expected_error_mode != KDC_ERR_GENERIC: if expect_etype_info: self.assertGreater(len(expect_etype_info2), 0) expected_patypes += (PADATA_ETYPE_INFO,) @@ -2458,8 +2466,11 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNone(pk_as_rep19) return None - if self.strict_checking: - self.assertIsNotNone(etype_info2) + if expected_error_mode != KDC_ERR_GENERIC: + if self.strict_checking: + self.assertIsNotNone(etype_info2) + else: + self.assertIsNone(etype_info2) if expect_etype_info: self.assertIsNotNone(etype_info) else: @@ -2468,7 +2479,7 @@ class RawKerberosTest(TestCaseInTempDir): if unexpect_etype_info: self.assertIsNone(etype_info) - if self.strict_checking: + if expected_error_mode != KDC_ERR_GENERIC and self.strict_checking: self.assertGreaterEqual(len(etype_info2), 1) self.assertEqual(len(etype_info2), len(expect_etype_info2)) for i in range(0, len(etype_info2)): @@ -2495,7 +2506,8 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNotNone(salt) self.assertEqual(len(salt), 0) - if expected_error_mode != KDC_ERR_PREAUTH_FAILED: + if expected_error_mode not in (KDC_ERR_PREAUTH_FAILED, + KDC_ERR_GENERIC): if sent_fast: self.assertIsNotNone(enc_challenge) if self.strict_checking: diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index e1a688991a7..c70ce309b95 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -60,6 +60,8 @@ PADATA_PK_AS_REQ = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REQ')) PADATA_PK_AS_REP_19 = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REP-19')) +PADATA_PW_SALT = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-PW-SALT')) PADATA_SUPPORTED_ETYPES = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-SUPPORTED-ETYPES')) -- 2.25.1 From c46fa8212314b039c0a67acc6db5966a94105f4c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 27 Aug 2021 13:00:37 +1200 Subject: [PATCH 102/108] tests/krb5: Check PADATA-PW-SALT element in e-data BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider (cherry picked from commit 1e4d757394a0bbda587d5ff91801f88539b712b1) --- python/samba/tests/krb5/raw_testcase.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index ba6d07ce465..4e7891ae89a 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2328,6 +2328,7 @@ class RawKerberosTest(TestCaseInTempDir): fast_error = None fx_fast = None pac_options = None + pw_salt = None for pa in rep_padata: patype = self.getElementValue(pa, 'padata-type') pavalue = self.getElementValue(pa, 'padata-value') @@ -2380,6 +2381,11 @@ class RawKerberosTest(TestCaseInTempDir): pac_options = pavalue self.assertIsNotNone(pac_options) continue + if patype == PADATA_PW_SALT: + self.assertIsNone(pw_salt) + pw_salt = pavalue + self.assertIsNotNone(pw_salt) + continue if fast_cookie is not None: kdc_exchange_dict['fast_cookie'] = fast_cookie @@ -2395,6 +2401,14 @@ class RawKerberosTest(TestCaseInTempDir): if pac_options is not None: self.check_pac_options_claims_support(pac_options) + if pw_salt is not None: + self.assertEqual(12, len(pw_salt)) + + status = int.from_bytes(pw_salt[:4], 'little') + flags = int.from_bytes(pw_salt[8:], 'little') + + self.assertEqual(3, flags) + if enc_challenge is not None: if not sent_enc_challenge: self.assertEqual(len(enc_challenge), 0) -- 2.25.1 From d1bbed03239aec05cb0a0540ebe56dd8afdbe1bb Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 27 Aug 2021 13:02:04 +1200 Subject: [PATCH 103/108] tests/krb5: Add tests for omitting sname in request BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider (cherry picked from commit bbbb13caf7bd2440c80f4f4775725b7863d16a5b) --- python/samba/tests/krb5/fast_tests.py | 83 ++++++++++++++++++++++++++- selftest/knownfail_heimdal_kdc | 3 + selftest/knownfail_mit_kdc | 4 ++ 3 files changed, 88 insertions(+), 2 deletions(-) diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index 559f5dc14c6..2a423402c7a 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -105,6 +105,79 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_simple_no_sname(self): + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_username = krbtgt_creds.get_username() + krbtgt_realm = krbtgt_creds.get_realm() + expected_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) + + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': False, + 'sname': None, + 'expected_sname': expected_sname + } + ]) + + def test_simple_tgs_no_sname(self): + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_username = krbtgt_creds.get_username() + krbtgt_realm = krbtgt_creds.get_realm() + expected_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) + + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': False, + 'gen_tgt_fn': self.get_user_tgt, + 'sname': None, + 'expected_sname': expected_sname + } + ]) + + def test_fast_no_sname(self): + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_username = krbtgt_creds.get_username() + krbtgt_realm = krbtgt_creds.get_realm() + expected_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) + + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'sname': None, + 'expected_sname': expected_sname + } + ]) + + def test_fast_tgs_no_sname(self): + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_username = krbtgt_creds.get_username() + krbtgt_realm = krbtgt_creds.get_realm() + expected_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) + + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'sname': None, + 'expected_sname': expected_sname + } + ]) + def test_simple_tgs_wrong_principal(self): mach_creds = self.get_mach_creds() mach_name = mach_creds.get_username() @@ -1137,11 +1210,17 @@ class FAST_Tests(KDCBaseTest): cname = client_cname if rep_type == KRB_AS_REP else None crealm = client_realm + if 'sname' in kdc_dict: + sname = kdc_dict.pop('sname') + else: + if rep_type == KRB_AS_REP: + sname = krbtgt_sname + else: # KRB_TGS_REP + sname = target_sname + if rep_type == KRB_AS_REP: - sname = krbtgt_sname srealm = krbtgt_realm else: # KRB_TGS_REP - sname = target_sname srealm = target_realm expected_cname = kdc_dict.pop('expected_cname', client_cname) diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index f430bda9cd8..b336d6fb3e2 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -67,3 +67,6 @@ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 02dbe1aa2fb..41ad93b89c5 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -292,3 +292,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc -- 2.25.1 From 0a663e432a65aafb0fa6a83a5449be84b400a24b Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 27 Aug 2021 13:26:45 +1200 Subject: [PATCH 104/108] tests/krb5: Allow specifying parameters specific to the inner FAST request body BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider (cherry picked from commit c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340) --- python/samba/tests/krb5/fast_tests.py | 4 ++++ python/samba/tests/krb5/raw_testcase.py | 13 +++++++++++++ 2 files changed, 17 insertions(+) diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index 2a423402c7a..fb5c0fc28f8 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -1340,7 +1340,9 @@ class FAST_Tests(KDCBaseTest): auth_data = None if not use_fast: + self.assertNotIn('inner_req', kdc_dict) self.assertNotIn('outer_req', kdc_dict) + inner_req = kdc_dict.pop('inner_req', None) outer_req = kdc_dict.pop('outer_req', None) if rep_type == KRB_AS_REP: @@ -1370,6 +1372,7 @@ class FAST_Tests(KDCBaseTest): armor_tgt=armor_tgt, armor_subkey=armor_subkey, kdc_options=kdc_options, + inner_req=inner_req, outer_req=outer_req) else: # KRB_TGS_REP kdc_exchange_dict = self.tgs_exchange_dict( @@ -1398,6 +1401,7 @@ class FAST_Tests(KDCBaseTest): auth_data=auth_data, body_checksum_type=None, kdc_options=kdc_options, + inner_req=inner_req, outer_req=outer_req) repeat = kdc_dict.pop('repeat', 1) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 4e7891ae89a..15873d69fa6 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1553,6 +1553,9 @@ class RawKerberosTest(TestCaseInTempDir): expected_error_mode = kdc_exchange_dict['expected_error_mode'] kdc_options = kdc_exchange_dict['kdc_options'] + # Parameters specific to the inner request body + inner_req = kdc_exchange_dict['inner_req'] + # Parameters specific to the outer request body outer_req = kdc_exchange_dict['outer_req'] @@ -1582,6 +1585,12 @@ class RawKerberosTest(TestCaseInTempDir): EncAuthorizationData_usage=EncAuthorizationData_usage) inner_req_body = dict(req_body) + if inner_req is not None: + for key, value in inner_req.items(): + if value is not None: + inner_req_body[key] = value + else: + del inner_req_body[key] if outer_req is not None: for key, value in outer_req.items(): if value is not None: @@ -1734,6 +1743,7 @@ class RawKerberosTest(TestCaseInTempDir): armor_subkey=None, auth_data=None, kdc_options='', + inner_req=None, outer_req=None): kdc_exchange_dict = { 'req_msg_type': KRB_AS_REQ, @@ -1765,6 +1775,7 @@ class RawKerberosTest(TestCaseInTempDir): 'armor_subkey': armor_subkey, 'auth_data': auth_data, 'kdc_options': kdc_options, + 'inner_req': inner_req, 'outer_req': outer_req } if expected_cname_private is not None: @@ -1802,6 +1813,7 @@ class RawKerberosTest(TestCaseInTempDir): auth_data=None, body_checksum_type=None, kdc_options='', + inner_req=None, outer_req=None): kdc_exchange_dict = { 'req_msg_type': KRB_TGS_REQ, @@ -1833,6 +1845,7 @@ class RawKerberosTest(TestCaseInTempDir): 'auth_data': auth_data, 'authenticator_subkey': authenticator_subkey, 'kdc_options': kdc_options, + 'inner_req': inner_req, 'outer_req': outer_req } if expected_cname_private is not None: -- 2.25.1 From ef6edbc8ba1afd35fc9f20f77b02c65a3e55323d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 27 Aug 2021 13:37:16 +1200 Subject: [PATCH 105/108] tests/krb5: Add tests for omitting sname in inner request Note: the test 'test_fast_tgs_inner_no_sname' crashes the MIT KDC. This is fixed in MIT Krb5 commit d775c95af7606a51bf79547a94fa52ddd1cb7f49 and was given CVE-2021-37750 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider (cherry picked from commit 24914ae17d49f634fafc1bdeb88859293da05f79) --- python/samba/tests/krb5/fast_tests.py | 28 +++++++++++++++++++++++++++ selftest/knownfail_heimdal_kdc | 2 ++ selftest/knownfail_mit_kdc | 2 ++ 3 files changed, 32 insertions(+) diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index fb5c0fc28f8..cee91fa2a93 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -178,6 +178,34 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_fast_inner_no_sname(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'inner_req': { + 'sname': None # should be ignored + } + } + ]) + + def test_fast_tgs_inner_no_sname(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'inner_req': { + 'sname': None # should be ignored + } + } + ]) + def test_simple_tgs_wrong_principal(self): mach_creds = self.get_mach_creds() mach_name = mach_creds.get_username() diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index b336d6fb3e2..a55357b7537 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -70,3 +70,5 @@ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 41ad93b89c5..8366bce67eb 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -296,3 +296,5 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc -- 2.25.1 From e170775d1c4a60a7bdd8347ee0c78fda7a38b11e Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 31 Aug 2021 19:42:33 +1200 Subject: [PATCH 106/108] tests/krb5: Allow expected_error_mode to be a container type This allows a range of possible error codes to be checked against, for cases when the particular error code returned is not so important. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider (cherry picked from commit ebd673e976aea5dd481a75f180fd526995c4fda0) --- python/samba/tests/krb5/raw_testcase.py | 56 +++++++++++++++---------- 1 file changed, 35 insertions(+), 21 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 15873d69fa6..6db17f2a118 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -1702,11 +1702,12 @@ class RawKerberosTest(TestCaseInTempDir): if check_error_fn is not None: expected_msg_type = KRB_ERROR self.assertIsNone(check_rep_fn) - self.assertNotEqual(0, expected_error_mode) + self.assertNotEqual(0, len(expected_error_mode)) + self.assertNotIn(0, expected_error_mode) if check_rep_fn is not None: expected_msg_type = rep_msg_type self.assertIsNone(check_error_fn) - self.assertEqual(0, expected_error_mode) + self.assertEqual(0, len(expected_error_mode)) self.assertIsNotNone(expected_msg_type) self.assertEqual(msg_type, expected_msg_type) @@ -1745,6 +1746,11 @@ class RawKerberosTest(TestCaseInTempDir): kdc_options='', inner_req=None, outer_req=None): + if expected_error_mode == 0: + expected_error_mode = () + elif not isinstance(expected_error_mode, collections.abc.Container): + expected_error_mode = (expected_error_mode,) + kdc_exchange_dict = { 'req_msg_type': KRB_AS_REQ, 'req_asn1Spec': krb5_asn1.AS_REQ, @@ -1815,6 +1821,11 @@ class RawKerberosTest(TestCaseInTempDir): kdc_options='', inner_req=None, outer_req=None): + if expected_error_mode == 0: + expected_error_mode = () + elif not isinstance(expected_error_mode, collections.abc.Container): + expected_error_mode = (expected_error_mode,) + kdc_exchange_dict = { 'req_msg_type': KRB_TGS_REQ, 'req_asn1Spec': krb5_asn1.TGS_REQ, @@ -1942,7 +1953,8 @@ class RawKerberosTest(TestCaseInTempDir): self.check_rep_padata(kdc_exchange_dict, callback_dict, rep, - fast_response['padata']) + fast_response['padata'], + error_code=0) ticket_private = None self.assertIsNotNone(ticket_decryption_key) @@ -2181,7 +2193,8 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementEqual(rep, 'pvno', 5) self.assertElementEqual(rep, 'msg-type', KRB_ERROR) - self.assertElementEqual(rep, 'error-code', expected_error_mode) + error_code = self.getElementValue(rep, 'error-code') + self.assertIn(error_code, expected_error_mode) if self.strict_checking: self.assertElementMissing(rep, 'ctime') self.assertElementMissing(rep, 'cusec') @@ -2195,13 +2208,13 @@ class RawKerberosTest(TestCaseInTempDir): else: self.assertElementMissing(rep, 'cname') self.assertElementEqualUTF8(rep, 'realm', expected_srealm) - if sent_fast and expected_error_mode == KDC_ERR_GENERIC: + if sent_fast and error_code == KDC_ERR_GENERIC: self.assertElementEqualPrincipal(rep, 'sname', self.get_krbtgt_sname()) else: self.assertElementEqualPrincipal(rep, 'sname', expected_sname) self.assertElementMissing(rep, 'e-text') - if (expected_error_mode == KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS + if (error_code == KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS or (rep_msg_type == KRB_TGS_REP and not sent_fast) or (sent_fast and fast_armor_type is not None @@ -2211,7 +2224,7 @@ class RawKerberosTest(TestCaseInTempDir): return rep edata = self.getElementValue(rep, 'e-data') if self.strict_checking: - if expected_error_mode != KDC_ERR_GENERIC: + if error_code != KDC_ERR_GENERIC: # Predicting whether an ERR_GENERIC error contains e-data is # more complicated. self.assertIsNotNone(edata) @@ -2242,7 +2255,8 @@ class RawKerberosTest(TestCaseInTempDir): etype_info2 = self.check_rep_padata(kdc_exchange_dict, callback_dict, rep, - rep_padata) + rep_padata, + error_code) kdc_exchange_dict['preauth_etype_info2'] = etype_info2 @@ -2252,10 +2266,10 @@ class RawKerberosTest(TestCaseInTempDir): kdc_exchange_dict, callback_dict, rep, - rep_padata): + rep_padata, + error_code): rep_msg_type = kdc_exchange_dict['rep_msg_type'] - expected_error_mode = kdc_exchange_dict['expected_error_mode'] req_body = kdc_exchange_dict['req_body'] proposed_etypes = req_body['etype'] client_as_etypes = kdc_exchange_dict.get('client_as_etypes', []) @@ -2281,7 +2295,7 @@ class RawKerberosTest(TestCaseInTempDir): if etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128): if etype > expected_aes_type: expected_aes_type = etype - if etype in (kcrypto.Enctype.RC4,) and expected_error_mode != 0: + if etype in (kcrypto.Enctype.RC4,) and error_code != 0: unexpect_etype_info = False if etype > expected_rc4_type: expected_rc4_type = etype @@ -2292,25 +2306,25 @@ class RawKerberosTest(TestCaseInTempDir): expect_etype_info2 += (expected_rc4_type,) expected_patypes = () - if sent_fast and expected_error_mode != 0: + if sent_fast and error_code != 0: expected_patypes += (PADATA_FX_ERROR,) expected_patypes += (PADATA_FX_COOKIE,) if rep_msg_type == KRB_TGS_REP: - if not sent_fast and expected_error_mode != 0: + if not sent_fast and error_code != 0: expected_patypes += (PADATA_PW_SALT,) else: sent_claims = self.sent_claims(kdc_exchange_dict) - if sent_claims and expected_error_mode not in (0, KDC_ERR_GENERIC): + if sent_claims and error_code not in (0, KDC_ERR_GENERIC): expected_patypes += (PADATA_PAC_OPTIONS,) - elif expected_error_mode != KDC_ERR_GENERIC: + elif error_code != KDC_ERR_GENERIC: if expect_etype_info: self.assertGreater(len(expect_etype_info2), 0) expected_patypes += (PADATA_ETYPE_INFO,) if len(expect_etype_info2) != 0: expected_patypes += (PADATA_ETYPE_INFO2,) - if expected_error_mode != KDC_ERR_PREAUTH_FAILED: + if error_code != KDC_ERR_PREAUTH_FAILED: if sent_fast: expected_patypes += (PADATA_ENCRYPTED_CHALLENGE,) else: @@ -2493,7 +2507,7 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNone(pk_as_rep19) return None - if expected_error_mode != KDC_ERR_GENERIC: + if error_code != KDC_ERR_GENERIC: if self.strict_checking: self.assertIsNotNone(etype_info2) else: @@ -2506,7 +2520,7 @@ class RawKerberosTest(TestCaseInTempDir): if unexpect_etype_info: self.assertIsNone(etype_info) - if expected_error_mode != KDC_ERR_GENERIC and self.strict_checking: + if error_code != KDC_ERR_GENERIC and self.strict_checking: self.assertGreaterEqual(len(etype_info2), 1) self.assertEqual(len(etype_info2), len(expect_etype_info2)) for i in range(0, len(etype_info2)): @@ -2533,8 +2547,8 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNotNone(salt) self.assertEqual(len(salt), 0) - if expected_error_mode not in (KDC_ERR_PREAUTH_FAILED, - KDC_ERR_GENERIC): + if error_code not in (KDC_ERR_PREAUTH_FAILED, + KDC_ERR_GENERIC): if sent_fast: self.assertIsNotNone(enc_challenge) if self.strict_checking: @@ -2799,7 +2813,7 @@ class RawKerberosTest(TestCaseInTempDir): as_rep_usage = KU_AS_REP_ENC_PART return preauth_key, as_rep_usage - if expected_error_mode == 0: + if not expected_error_mode: check_error_fn = None check_rep_fn = self.generic_check_kdc_rep else: -- 2.25.1 From eed1248847479339cf65d0e48fb3cc89d5f9a35e Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Tue, 31 Aug 2021 17:38:16 +1200 Subject: [PATCH 107/108] kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour. [abartlet@samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd and knownfail added] BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit b0f4455e524cbbfb13202220e7095f466b083a2f) --- selftest/knownfail_heimdal_kdc | 1 + source4/heimdal/kdc/kerberos5.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index a55357b7537..2c63707fff3 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -72,3 +72,4 @@ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc \ No newline at end of file diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 27d38ad84b7..0fa336e871c 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -996,7 +996,7 @@ _kdc_as_rep(krb5_context context, flags |= HDB_F_CANON; if(b->sname == NULL){ - ret = KRB5KRB_ERR_GENERIC; + ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; e_text = "No server in request"; } else{ ret = _krb5_principalname2krb5_principal (context, @@ -1012,7 +1012,7 @@ _kdc_as_rep(krb5_context context, goto out; } if(b->cname == NULL){ - ret = KRB5KRB_ERR_GENERIC; + ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; e_text = "No client in request"; } else { ret = _krb5_principalname2krb5_principal (context, -- 2.25.1 From ed6639d8c5a08b1330799cfc1e97e249e0d81b1c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 31 Aug 2021 22:38:01 +1200 Subject: [PATCH 108/108] tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname This allows our code to still pass with the error code that MIT and Heimdal have chosen BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Sep 2 14:28:31 UTC 2021 on sn-devel-184 (cherry picked from commit 10baaf08523200e47451aa1862430977b0365b59) --- python/samba/tests/krb5/fast_tests.py | 23 +++++++++++++------- python/samba/tests/krb5/kdc_base_test.py | 6 ++++- python/samba/tests/krb5/rfc4120_constants.py | 1 + selftest/knownfail_heimdal_kdc | 3 --- 4 files changed, 21 insertions(+), 12 deletions(-) diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index cee91fa2a93..392d19f59b3 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -20,6 +20,7 @@ import functools import os import sys +import collections import ldb @@ -37,6 +38,7 @@ from samba.tests.krb5.rfc4120_constants import ( FX_FAST_ARMOR_AP_REQUEST, KDC_ERR_ETYPE_NOSUPP, KDC_ERR_GENERIC, + KDC_ERR_S_PRINCIPAL_UNKNOWN, KDC_ERR_NOT_US, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED, @@ -115,7 +117,7 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_AS_REP, - 'expected_error_mode': KDC_ERR_GENERIC, + 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN), 'use_fast': False, 'sname': None, 'expected_sname': expected_sname @@ -132,7 +134,7 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_TGS_REP, - 'expected_error_mode': KDC_ERR_GENERIC, + 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN), 'use_fast': False, 'gen_tgt_fn': self.get_user_tgt, 'sname': None, @@ -169,7 +171,7 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_TGS_REP, - 'expected_error_mode': KDC_ERR_GENERIC, + 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN), 'use_fast': True, 'gen_tgt_fn': self.get_user_tgt, 'fast_armor': None, @@ -1190,7 +1192,12 @@ class FAST_Tests(KDCBaseTest): self.assertIn(rep_type, (KRB_AS_REP, KRB_TGS_REP)) expected_error_mode = kdc_dict.pop('expected_error_mode') - self.assertIn(expected_error_mode, range(240)) + if expected_error_mode == 0: + expected_error_mode = () + elif not isinstance(expected_error_mode, collections.abc.Container): + expected_error_mode = (expected_error_mode,) + for error in expected_error_mode: + self.assertIn(error, range(240)) use_fast = kdc_dict.pop('use_fast') self.assertIs(type(use_fast), bool) @@ -1201,7 +1208,7 @@ class FAST_Tests(KDCBaseTest): if fast_armor_type is not None: self.assertIn('gen_armor_tgt_fn', kdc_dict) - elif expected_error_mode != KDC_ERR_GENERIC: + elif KDC_ERR_GENERIC not in expected_error_mode: self.assertNotIn('gen_armor_tgt_fn', kdc_dict) gen_armor_tgt_fn = kdc_dict.pop('gen_armor_tgt_fn', None) @@ -1225,7 +1232,7 @@ class FAST_Tests(KDCBaseTest): self.assertNotIn('gen_tgt_fn', kdc_dict) tgt = None - if expected_error_mode != 0: + if len(expected_error_mode) != 0: check_error_fn = self.generic_check_kdc_error check_rep_fn = None else: @@ -1439,7 +1446,7 @@ class FAST_Tests(KDCBaseTest): realm=crealm, sname=sname, etypes=etypes) - if expected_error_mode == 0: + if len(expected_error_mode) == 0: self.check_reply(rep, rep_type) fast_cookie = None @@ -1453,7 +1460,7 @@ class FAST_Tests(KDCBaseTest): else: fast_cookie = None - if expected_error_mode == KDC_ERR_PREAUTH_REQUIRED: + if KDC_ERR_PREAUTH_REQUIRED in expected_error_mode: preauth_etype_info2 = ( kdc_exchange_dict['preauth_etype_info2']) else: diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index b148fa01f65..f5c1eba9151 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -21,6 +21,7 @@ import os from datetime import datetime, timezone import tempfile import binascii +import collections from collections import namedtuple import ldb @@ -598,7 +599,10 @@ class KDCBaseTest(RawKerberosTest): """ self.assertIsNotNone(rep) self.assertEqual(rep['msg-type'], KRB_ERROR, "rep = {%s}" % rep) - self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep) + if isinstance(expected, collections.abc.Container): + self.assertIn(rep['error-code'], expected, "rep = {%s}" % rep) + else: + self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep) def tgs_req(self, cname, sname, realm, ticket, key, etypes): '''Send a TGS-REQ, returns the response and the decrypted and diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index c70ce309b95..ac2bac4d91e 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -67,6 +67,7 @@ PADATA_SUPPORTED_ETYPES = int( # Error codes KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 +KDC_ERR_S_PRINCIPAL_UNKNOWN = 7 KDC_ERR_POLICY = 12 KDC_ERR_ETYPE_NOSUPP = 14 KDC_ERR_PREAUTH_FAILED = 24 diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 2c63707fff3..767bfe90943 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -68,8 +68,5 @@ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc -^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc \ No newline at end of file -- 2.25.1