diff options
author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2021-07-29 10:33:24 +1200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2021-09-08 12:32:11 +0000 |
commit | 889593908e632848916eeecfddb19e58c5a7a442 (patch) | |
tree | 3e1fd0f8d2babd9a26b15282593a209e7cf0e9e5 /python/samba | |
parent | dbf3f3bab68759d42084e55aa865416d983c0fdc (diff) | |
download | samba-889593908e632848916eeecfddb19e58c5a7a442.tar.gz |
tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 0df385fc49cc2693c195209936a29e31216df16d)
Diffstat (limited to 'python/samba')
-rw-r--r-- | python/samba/tests/krb5/raw_testcase.py | 95 |
1 files changed, 88 insertions, 7 deletions
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 29ea41ec92b..151dc0355a3 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -42,6 +42,7 @@ from samba.tests import TestCaseInTempDir import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( + FX_FAST_ARMOR_AP_REQUEST, KDC_ERR_GENERIC, KRB_AP_REQ, KRB_AS_REP, @@ -51,6 +52,7 @@ from samba.tests.krb5.rfc4120_constants import ( KRB_TGS_REQ, KU_AP_REQ_AUTH, KU_AS_REP_ENC_PART, + KU_FAST_REQ_CHKSUM, KU_NON_KERB_CKSUM_SALT, KU_TGS_REP_ENC_PART_SESSION, KU_TGS_REP_ENC_PART_SUB_KEY, @@ -1522,6 +1524,9 @@ class RawKerberosTest(TestCaseInTempDir): check_error_fn = kdc_exchange_dict['check_error_fn'] check_rep_fn = kdc_exchange_dict['check_rep_fn'] + generate_fast_fn = kdc_exchange_dict['generate_fast_fn'] + generate_fast_armor_fn = kdc_exchange_dict['generate_fast_armor_fn'] + generate_fast_padata_fn = kdc_exchange_dict['generate_fast_padata_fn'] generate_padata_fn = kdc_exchange_dict['generate_padata_fn'] callback_dict = kdc_exchange_dict['callback_dict'] req_msg_type = kdc_exchange_dict['req_msg_type'] @@ -1568,25 +1573,81 @@ class RawKerberosTest(TestCaseInTempDir): armor=False) tgs_req_padata = self.PA_DATA_create(PADATA_KDC_REQ, tgs_req) + if generate_fast_padata_fn is not None: + self.assertIsNotNone(generate_fast_fn) + # This can alter req_body... + fast_padata, req_body = generate_fast_padata_fn(kdc_exchange_dict, + callback_dict, + req_body) + else: + fast_padata = [] + + if generate_fast_armor_fn is not None: + self.assertIsNotNone(generate_fast_fn) + fast_ap_req = generate_fast_armor_fn(kdc_exchange_dict, + callback_dict, + req_body, + armor=True) + + fast_armor_type = kdc_exchange_dict['fast_armor_type'] + fast_armor = self.KRB_FAST_ARMOR_create(fast_armor_type, + fast_ap_req) + else: + fast_armor = None + if generate_padata_fn is not None: # This can alter req_body... - padata, req_body = generate_padata_fn(kdc_exchange_dict, - callback_dict, - req_body) - self.assertIsNotNone(padata) + outer_padata, req_body = generate_padata_fn(kdc_exchange_dict, + callback_dict, + req_body) + self.assertIsNotNone(outer_padata) self.assertNotIn(PADATA_KDC_REQ, - [pa['padata-type'] for pa in padata], + [pa['padata-type'] for pa in outer_padata], 'Don\'t create TGS-REQ manually') else: - padata = [] + outer_padata = None + + if generate_fast_fn is not None: + armor_key = kdc_exchange_dict['armor_key'] + self.assertIsNotNone(armor_key) + + if req_msg_type == KRB_AS_REQ: + checksum_blob = self.der_encode( + req_body, + asn1Spec=krb5_asn1.KDC_REQ_BODY()) + else: + self.assertEqual(KRB_TGS_REQ, req_msg_type) + checksum_blob = tgs_req + + checksum = self.Checksum_create(armor_key, + KU_FAST_REQ_CHKSUM, + checksum_blob) + + fast = generate_fast_fn(kdc_exchange_dict, + callback_dict, + req_body, + fast_padata, + fast_armor, + checksum) + else: + fast = None + + padata = [] if tgs_req_padata is not None: - padata.insert(0, tgs_req_padata) + padata.append(tgs_req_padata) + + if fast is not None: + padata.append(fast) + + if outer_padata is not None: + padata += outer_padata if not padata: padata = None kdc_exchange_dict['req_padata'] = padata + kdc_exchange_dict['fast_padata'] = fast_padata kdc_exchange_dict['req_body'] = req_body req_obj, req_decoded = self.KDC_REQ_create(msg_type=req_msg_type, @@ -1625,6 +1686,10 @@ class RawKerberosTest(TestCaseInTempDir): expected_srealm=None, expected_sname=None, ticket_decryption_key=None, + generate_fast_fn=None, + generate_fast_armor_fn=None, + generate_fast_padata_fn=None, + fast_armor_type=FX_FAST_ARMOR_AP_REQUEST, generate_padata_fn=None, check_error_fn=None, check_rep_fn=None, @@ -1635,6 +1700,7 @@ class RawKerberosTest(TestCaseInTempDir): client_as_etypes=None, expected_salt=None, authenticator_subkey=None, + armor_key=None, armor_tgt=None, armor_subkey=None, kdc_options=''): @@ -1649,6 +1715,10 @@ class RawKerberosTest(TestCaseInTempDir): 'expected_srealm': expected_srealm, 'expected_sname': expected_sname, 'ticket_decryption_key': ticket_decryption_key, + 'generate_fast_fn': generate_fast_fn, + 'generate_fast_armor_fn': generate_fast_armor_fn, + 'generate_fast_padata_fn': generate_fast_padata_fn, + 'fast_armor_type': fast_armor_type, 'generate_padata_fn': generate_padata_fn, 'check_error_fn': check_error_fn, 'check_rep_fn': check_rep_fn, @@ -1659,6 +1729,7 @@ class RawKerberosTest(TestCaseInTempDir): 'client_as_etypes': client_as_etypes, 'expected_salt': expected_salt, 'authenticator_subkey': authenticator_subkey, + 'armor_key': armor_key, 'armor_tgt': armor_tgt, 'armor_subkey': armor_subkey, 'kdc_options': kdc_options, @@ -1674,6 +1745,10 @@ class RawKerberosTest(TestCaseInTempDir): expected_srealm=None, expected_sname=None, ticket_decryption_key=None, + generate_fast_fn=None, + generate_fast_armor_fn=None, + generate_fast_padata_fn=None, + fast_armor_type=FX_FAST_ARMOR_AP_REQUEST, generate_padata_fn=None, check_error_fn=None, check_rep_fn=None, @@ -1681,6 +1756,7 @@ class RawKerberosTest(TestCaseInTempDir): check_kdc_private_fn=None, callback_dict=None, tgt=None, + armor_key=None, armor_tgt=None, armor_subkey=None, authenticator_subkey=None, @@ -1697,6 +1773,10 @@ class RawKerberosTest(TestCaseInTempDir): 'expected_srealm': expected_srealm, 'expected_sname': expected_sname, 'ticket_decryption_key': ticket_decryption_key, + 'generate_fast_fn': generate_fast_fn, + 'generate_fast_armor_fn': generate_fast_armor_fn, + 'generate_fast_padata_fn': generate_fast_padata_fn, + 'fast_armor_type': fast_armor_type, 'generate_padata_fn': generate_padata_fn, 'check_error_fn': check_error_fn, 'check_rep_fn': check_rep_fn, @@ -1705,6 +1785,7 @@ class RawKerberosTest(TestCaseInTempDir): 'callback_dict': callback_dict, 'tgt': tgt, 'body_checksum_type': body_checksum_type, + 'armor_key': armor_key, 'armor_tgt': armor_tgt, 'armor_subkey': armor_subkey, 'authenticator_subkey': authenticator_subkey, |