diff options
| author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2021-07-27 14:36:56 +1200 |
|---|---|---|
| committer | Jule Anger <janger@samba.org> | 2021-09-08 12:32:11 +0000 |
| commit | 18b587ad53b4b9162f787f08578a40257794b86c (patch) | |
| tree | d8b2f0fc58068dceec357e8d144f0892e78004ef | |
| parent | 904df7418b8a45a31e92e96426cbe0d3af537c17 (diff) | |
| download | samba-18b587ad53b4b9162f787f08578a40257794b86c.tar.gz | |
tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd)
| -rw-r--r-- | python/samba/tests/krb5/raw_testcase.py | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 529d4d925e6..ca967c1ac13 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -53,6 +53,7 @@ from samba.tests.krb5.rfc4120_constants import ( KRB_TGS_REQ, KU_AP_REQ_AUTH, KU_AS_REP_ENC_PART, + KU_ENC_CHALLENGE_KDC, KU_FAST_ENC, KU_FAST_FINISHED, KU_FAST_REP, @@ -2283,6 +2284,7 @@ class RawKerberosTest(TestCaseInTempDir): etype_info2 = None etype_info = None enc_timestamp = None + enc_challenge = None pk_as_req = None pk_as_rep19 = None for pa in rep_padata: @@ -2303,6 +2305,10 @@ class RawKerberosTest(TestCaseInTempDir): enc_timestamp = pavalue self.assertEqual(len(enc_timestamp), 0) continue + if patype == PADATA_ENCRYPTED_CHALLENGE: + self.assertIsNone(enc_challenge) + enc_challenge = pavalue + continue if patype == PADATA_PK_AS_REQ: self.assertIsNone(pk_as_req) pk_as_req = pavalue @@ -2314,6 +2320,54 @@ class RawKerberosTest(TestCaseInTempDir): self.assertEqual(len(pk_as_rep19), 0) continue + if enc_challenge is not None: + if not sent_enc_challenge: + self.assertEqual(len(enc_challenge), 0) + else: + armor_key = kdc_exchange_dict['armor_key'] + self.assertIsNotNone(armor_key) + + check_padata_fn = kdc_exchange_dict['check_padata_fn'] + padata = self.getElementValue(rep, 'padata') + self.assertIsNotNone(check_padata_fn) + preauth_key, _ = check_padata_fn(kdc_exchange_dict, + callback_dict, + rep, + padata) + + kdc_challenge_key = self.generate_kdc_challenge_key( + armor_key, preauth_key) + + # Ensure that the encrypted challenge FAST factor is supported + # (RFC6113 5.4.6). + if self.strict_checking: + self.assertNotEqual(len(enc_challenge), 0) + if len(enc_challenge) != 0: + encrypted_challenge = self.der_decode( + enc_challenge, + asn1Spec=krb5_asn1.EncryptedData()) + self.assertEqual(encrypted_challenge['etype'], + kdc_challenge_key.etype) + + challenge = kdc_challenge_key.decrypt( + KU_ENC_CHALLENGE_KDC, + encrypted_challenge['cipher']) + challenge = self.der_decode( + challenge, + asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + # Retrieve the returned timestamp. + rep_patime = challenge['patimestamp'] + self.assertIn('pausec', challenge) + + # Ensure the returned time is within five minutes of the + # current time. + rep_time = self.get_EpochFromKerberosTime(rep_patime) + current_time = time.time() + + self.assertLess(current_time - 300, rep_time) + self.assertLess(rep_time, current_time) + if all(etype not in client_as_etypes or etype not in proposed_etypes for etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128, |