The branch, master has been updated via 10baaf08523 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname via b0f4455e524 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field via ebd673e976a tests/krb5: Allow expected_error_mode to be a container type via 24914ae17d4 tests/krb5: Add tests for omitting sname in inner request via c6d7e19ecfb tests/krb5: Allow specifying parameters specific to the inner FAST request body via bbbb13caf7b tests/krb5: Add tests for omitting sname in request via 1e4d757394a tests/krb5: Check PADATA-PW-SALT element in e-data via e373c6461a8 tests/krb5: Check e-data element for TGS-REP errors without FAST via 3330eaf39c6 tests/krb5: Remove harmful and a-typical return in as_req testcase via b8e2515552f CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request via 0cb4b939f19 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ via 15f9f040fe5 tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST via 36798f5b651 tests/krb5: Make cname checking less strict via 79dda329f2a tests/krb5: Make e-data checking less strict via d9edad89f3b Update common on currently supported Fedora versions via 5805a7c49aa bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml via e9c8ac4adbc bootstrap: Update to get newer krb5 on Fedora 34 from 40b65fcb583 script/autobuild.py: Restore MIT ADDC tests against fl2008*
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 10baaf08523200e47451aa1862430977b0365b59 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Aug 31 22:38:01 2021 +1200 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname This allows our code to still pass with the error code that MIT and Heimdal have chosen BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Thu Sep 2 14:28:31 UTC 2021 on sn-devel-184 commit b0f4455e524cbbfb13202220e7095f466b083a2f Author: Luke Howard <lu...@padl.com> Date: Tue Aug 31 17:38:16 2021 +1200 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour. [abart...@samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd and knownfail added] BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit ebd673e976aea5dd481a75f180fd526995c4fda0 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Aug 31 19:42:33 2021 +1200 tests/krb5: Allow expected_error_mode to be a container type This allows a range of possible error codes to be checked against, for cases when the particular error code returned is not so important. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 24914ae17d49f634fafc1bdeb88859293da05f79 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 27 13:37:16 2021 +1200 tests/krb5: Add tests for omitting sname in inner request Note: the test 'test_fast_tgs_inner_no_sname' crashes the MIT KDC. This is fixed in MIT Krb5 commit d775c95af7606a51bf79547a94fa52ddd1cb7f49 and was given CVE-2021-37750 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 27 13:26:45 2021 +1200 tests/krb5: Allow specifying parameters specific to the inner FAST request body BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit bbbb13caf7bd2440c80f4f4775725b7863d16a5b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 27 13:02:04 2021 +1200 tests/krb5: Add tests for omitting sname in request BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 1e4d757394a0bbda587d5ff91801f88539b712b1 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 27 13:00:37 2021 +1200 tests/krb5: Check PADATA-PW-SALT element in e-data BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit e373c6461a88c44303ea8cdbebc2d78dd15dec4a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 27 13:00:21 2021 +1200 tests/krb5: Check e-data element for TGS-REP errors without FAST BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 3330eaf39c6174f2d90fe4d8e016efb97005d1e5 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 1 10:43:06 2021 +1200 tests/krb5: Remove harmful and a-typical return in as_req testcase A test in a TestCase class should not return a value, the test is determined by the assertions raised. Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2] to not always be filled, so we need to remove this rudundent code. This also fixes a *lot* of tests against the MIT KDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit b8e2515552ffa158fab1e86a39004de4cc419da5 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jul 29 12:25:06 2021 +1200 CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would crash the Heimdal KDC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 0cb4b939f192376bf5e33637863a91a20f74c5a5 Author: Luke Howard <lu...@padl.com> Date: Fri Aug 27 11:42:48 2021 +1000 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ In tgs_build_reply(), validate the server name in the TGS-REQ is present before dereferencing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 [abart...@samba.org backported from from Heimdal commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference to an earlier patch by Joseph Sutton] RN: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ Reviewed-by: Andreas Schneider <a...@samba.org> commit 15f9f040fe537ebd30419a4751aa0f13b20f242b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jul 29 16:52:29 2021 +1200 tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST Note: This test crashed the MIT KDC prior to MIT commit fc98f520caefff2e5ee9a0026fdf5109944b3562 which was given CVE-2021-36222. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 36798f5b651a02b74b6844c024101f7a026f1f68 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Sep 1 14:43:53 2021 +1200 tests/krb5: Make cname checking less strict Without this additional 'self.strict_checking' check, the tests in the following patches do not get far enough to trigger a crash with the MIT KDC. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 79dda329f2a8382f1e46b50f4b9692e78d687826 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 27 13:35:59 2021 +1200 tests/krb5: Make e-data checking less strict Without this additional 'self.strict_checking' check, the tests in the following patches do not get far enough to trigger a crash with the MIT KDC, instead failing when obtaining a TGT for the user or machine. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit d9edad89f3b268c6da8f988a42f8cf2a3b697fe7 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 1 20:53:45 2021 +1200 Update common on currently supported Fedora versions Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 5805a7c49aa13b578a717cbbc46460741d325c65 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 1 20:55:40 2021 +1200 bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit e9c8ac4adbca2f8cb45470ccb45a45039188a285 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 1 20:45:03 2021 +1200 bootstrap: Update to get newer krb5 on Fedora 34 We need the update FEDORA-2021-20b495cb94 (krb5) to get a fix for CVE-2021-37750 (explicit NULL deref on KDC) so our CI will pass as we have a test for this. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: .gitlab-ci-main.yml | 2 +- bootstrap/README.md | 4 +- bootstrap/config.py | 3 + bootstrap/sha1sum.txt | 2 +- python/samba/tests/krb5/as_req_tests.py | 14 +- python/samba/tests/krb5/fast_tests.py | 186 ++++++++++++- python/samba/tests/krb5/kdc_base_test.py | 6 +- python/samba/tests/krb5/raw_testcase.py | 125 ++++++--- python/samba/tests/krb5/rfc4120_constants.py | 3 + selftest/knownfail_heimdal_kdc | 6 + selftest/knownfail_mit_kdc | 398 +-------------------------- source4/heimdal/kdc/kerberos5.c | 4 +- source4/heimdal/kdc/krb5tgs.c | 4 + 13 files changed, 310 insertions(+), 447 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index ce80561ba0f..4b2f17938c8 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -42,7 +42,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: b5333a93306e20ba549f5fac3c6c74e0b103c1d6 + SAMBA_CI_CONTAINER_TAG: 733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0 # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. diff --git a/bootstrap/README.md b/bootstrap/README.md index 47ef1c67836..44a354de545 100644 --- a/bootstrap/README.md +++ b/bootstrap/README.md @@ -13,7 +13,7 @@ A pure python3 module with CLI to bootstrap Samba envs for multiple distribution ## Supported Distributions deb: Debian 10, Ubuntu 1604|1804|2004 -rpm: CentOS 7|8, Fedora 32|33, openSUSE Leap 15.1|15.2 +rpm: CentOS 7|8, Fedora 33|34, openSUSE Leap 15.1|15.2 Easy to add more. @@ -32,7 +32,7 @@ Just calculate the sha1sum for consistency checks: bootstrap/template.py --sha1sum The checksum needs to be added as `SAMBA_CI_CONTAINER_TAG` in -the toplevel .gitlab-ci.yml file. +the toplevel .gitlab-ci-main.yml file. ## User Stories diff --git a/bootstrap/config.py b/bootstrap/config.py index 821ce3d5cc2..ba4304bb9f8 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -20,6 +20,9 @@ Manage dependencies and bootstrap environments for Samba. Config file for packages and templates. +Update the lists in this file to require new packages in the +container images used in GitLab CI + Author: Joe Guo <j...@catalyst.net.nz> """ import os diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index e7de92cc504..e433f698b68 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -b5333a93306e20ba549f5fac3c6c74e0b103c1d6 +733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0 diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index fd258e8164a..82ff3f4845c 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -106,13 +106,11 @@ class AsReqKerberosTests(KDCBaseTest): expected_salt=expected_salt, kdc_options=str(initial_kdc_options)) - rep = self._generic_kdc_exchange(kdc_exchange_dict, - cname=cname, - realm=realm, - sname=sname, - etypes=initial_etypes) - - return kdc_exchange_dict['preauth_etype_info2'] + self._generic_kdc_exchange(kdc_exchange_dict, + cname=cname, + realm=realm, + sname=sname, + etypes=initial_etypes) def _test_as_req_no_preauth_with_args(self, etype_idx, pac): name, etypes = self.etype_test_permutation_by_idx(etype_idx) @@ -121,7 +119,7 @@ class AsReqKerberosTests(KDCBaseTest): else: pa_pac = self.KERB_PA_PAC_REQUEST_create(pac) padata = [pa_pac] - return self._test_as_req_nopreauth( + self._test_as_req_nopreauth( initial_padata=padata, initial_etypes=etypes, initial_kdc_options=krb5_asn1.KDCOptions('forwardable')) diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index e38b2e0a6e1..392d19f59b3 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -20,6 +20,7 @@ import functools import os import sys +import collections import ldb @@ -37,6 +38,7 @@ from samba.tests.krb5.rfc4120_constants import ( FX_FAST_ARMOR_AP_REQUEST, KDC_ERR_ETYPE_NOSUPP, KDC_ERR_GENERIC, + KDC_ERR_S_PRINCIPAL_UNKNOWN, KDC_ERR_NOT_US, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED, @@ -105,6 +107,107 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_simple_no_sname(self): + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_username = krbtgt_creds.get_username() + krbtgt_realm = krbtgt_creds.get_realm() + expected_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) + + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN), + 'use_fast': False, + 'sname': None, + 'expected_sname': expected_sname + } + ]) + + def test_simple_tgs_no_sname(self): + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_username = krbtgt_creds.get_username() + krbtgt_realm = krbtgt_creds.get_realm() + expected_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) + + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN), + 'use_fast': False, + 'gen_tgt_fn': self.get_user_tgt, + 'sname': None, + 'expected_sname': expected_sname + } + ]) + + def test_fast_no_sname(self): + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_username = krbtgt_creds.get_username() + krbtgt_realm = krbtgt_creds.get_realm() + expected_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) + + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'sname': None, + 'expected_sname': expected_sname + } + ]) + + def test_fast_tgs_no_sname(self): + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_username = krbtgt_creds.get_username() + krbtgt_realm = krbtgt_creds.get_realm() + expected_sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) + + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN), + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'sname': None, + 'expected_sname': expected_sname + } + ]) + + def test_fast_inner_no_sname(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'inner_req': { + 'sname': None # should be ignored + } + } + ]) + + def test_fast_tgs_inner_no_sname(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_GENERIC, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'inner_req': { + 'sname': None # should be ignored + } + } + ]) + def test_simple_tgs_wrong_principal(self): mach_creds = self.get_mach_creds() mach_name = mach_creds.get_username() @@ -405,6 +508,21 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_fast_encrypted_challenge_no_fast(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_FAILED, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_challenge_padata_wrong_key + } + ]) + def test_fast_encrypted_challenge_clock_skew(self): # The KDC is supposed to confirm that the timestamp is within its # current clock skew, and return KRB_APP_ERR_SKEW if it is not (RFC6113 @@ -655,6 +773,45 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_fast_outer_no_sname(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'outer_req': { + 'sname': None # should be ignored + } + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'outer_req': { + 'sname': None # should be ignored + } + } + ]) + + def test_fast_tgs_outer_no_sname(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'outer_req': { + 'sname': None # should be ignored + } + } + ]) + def test_fast_outer_wrong_till(self): self._run_test_sequence([ { @@ -1035,7 +1192,12 @@ class FAST_Tests(KDCBaseTest): self.assertIn(rep_type, (KRB_AS_REP, KRB_TGS_REP)) expected_error_mode = kdc_dict.pop('expected_error_mode') - self.assertIn(expected_error_mode, range(240)) + if expected_error_mode == 0: + expected_error_mode = () + elif not isinstance(expected_error_mode, collections.abc.Container): + expected_error_mode = (expected_error_mode,) + for error in expected_error_mode: + self.assertIn(error, range(240)) use_fast = kdc_dict.pop('use_fast') self.assertIs(type(use_fast), bool) @@ -1046,7 +1208,7 @@ class FAST_Tests(KDCBaseTest): if fast_armor_type is not None: self.assertIn('gen_armor_tgt_fn', kdc_dict) - elif expected_error_mode != KDC_ERR_GENERIC: + elif KDC_ERR_GENERIC not in expected_error_mode: self.assertNotIn('gen_armor_tgt_fn', kdc_dict) gen_armor_tgt_fn = kdc_dict.pop('gen_armor_tgt_fn', None) @@ -1070,7 +1232,7 @@ class FAST_Tests(KDCBaseTest): self.assertNotIn('gen_tgt_fn', kdc_dict) tgt = None - if expected_error_mode != 0: + if len(expected_error_mode) != 0: check_error_fn = self.generic_check_kdc_error check_rep_fn = None else: @@ -1083,11 +1245,17 @@ class FAST_Tests(KDCBaseTest): cname = client_cname if rep_type == KRB_AS_REP else None crealm = client_realm + if 'sname' in kdc_dict: + sname = kdc_dict.pop('sname') + else: + if rep_type == KRB_AS_REP: + sname = krbtgt_sname + else: # KRB_TGS_REP + sname = target_sname + if rep_type == KRB_AS_REP: - sname = krbtgt_sname srealm = krbtgt_realm else: # KRB_TGS_REP - sname = target_sname srealm = target_realm expected_cname = kdc_dict.pop('expected_cname', client_cname) @@ -1207,7 +1375,9 @@ class FAST_Tests(KDCBaseTest): auth_data = None if not use_fast: + self.assertNotIn('inner_req', kdc_dict) self.assertNotIn('outer_req', kdc_dict) + inner_req = kdc_dict.pop('inner_req', None) outer_req = kdc_dict.pop('outer_req', None) if rep_type == KRB_AS_REP: @@ -1237,6 +1407,7 @@ class FAST_Tests(KDCBaseTest): armor_tgt=armor_tgt, armor_subkey=armor_subkey, kdc_options=kdc_options, + inner_req=inner_req, outer_req=outer_req) else: # KRB_TGS_REP kdc_exchange_dict = self.tgs_exchange_dict( @@ -1265,6 +1436,7 @@ class FAST_Tests(KDCBaseTest): auth_data=auth_data, body_checksum_type=None, kdc_options=kdc_options, + inner_req=inner_req, outer_req=outer_req) repeat = kdc_dict.pop('repeat', 1) @@ -1274,7 +1446,7 @@ class FAST_Tests(KDCBaseTest): realm=crealm, sname=sname, etypes=etypes) - if expected_error_mode == 0: + if len(expected_error_mode) == 0: self.check_reply(rep, rep_type) fast_cookie = None @@ -1288,7 +1460,7 @@ class FAST_Tests(KDCBaseTest): else: fast_cookie = None - if expected_error_mode == KDC_ERR_PREAUTH_REQUIRED: + if KDC_ERR_PREAUTH_REQUIRED in expected_error_mode: preauth_etype_info2 = ( kdc_exchange_dict['preauth_etype_info2']) else: diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index b148fa01f65..f5c1eba9151 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -21,6 +21,7 @@ import os from datetime import datetime, timezone import tempfile import binascii +import collections from collections import namedtuple import ldb @@ -598,7 +599,10 @@ class KDCBaseTest(RawKerberosTest): """ self.assertIsNotNone(rep) self.assertEqual(rep['msg-type'], KRB_ERROR, "rep = {%s}" % rep) - self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep) + if isinstance(expected, collections.abc.Container): + self.assertIn(rep['error-code'], expected, "rep = {%s}" % rep) + else: + self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep) def tgs_req(self, cname, sname, realm, ticket, key, etypes): '''Send a TGS-REQ, returns the response and the decrypted and diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 17ef8df5daa..6db17f2a118 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -82,6 +82,7 @@ from samba.tests.krb5.rfc4120_constants import ( PADATA_PAC_REQUEST, PADATA_PK_AS_REQ, PADATA_PK_AS_REP_19, + PADATA_PW_SALT, PADATA_SUPPORTED_ETYPES ) import samba.tests.krb5.kcrypto as kcrypto @@ -1552,6 +1553,9 @@ class RawKerberosTest(TestCaseInTempDir): expected_error_mode = kdc_exchange_dict['expected_error_mode'] kdc_options = kdc_exchange_dict['kdc_options'] + # Parameters specific to the inner request body + inner_req = kdc_exchange_dict['inner_req'] + # Parameters specific to the outer request body outer_req = kdc_exchange_dict['outer_req'] @@ -1581,6 +1585,12 @@ class RawKerberosTest(TestCaseInTempDir): EncAuthorizationData_usage=EncAuthorizationData_usage) inner_req_body = dict(req_body) + if inner_req is not None: + for key, value in inner_req.items(): + if value is not None: + inner_req_body[key] = value + else: + del inner_req_body[key] if outer_req is not None: for key, value in outer_req.items(): if value is not None: @@ -1692,11 +1702,12 @@ class RawKerberosTest(TestCaseInTempDir): if check_error_fn is not None: expected_msg_type = KRB_ERROR self.assertIsNone(check_rep_fn) - self.assertNotEqual(0, expected_error_mode) + self.assertNotEqual(0, len(expected_error_mode)) + self.assertNotIn(0, expected_error_mode) if check_rep_fn is not None: expected_msg_type = rep_msg_type self.assertIsNone(check_error_fn) - self.assertEqual(0, expected_error_mode) + self.assertEqual(0, len(expected_error_mode)) self.assertIsNotNone(expected_msg_type) self.assertEqual(msg_type, expected_msg_type) @@ -1733,7 +1744,13 @@ class RawKerberosTest(TestCaseInTempDir): armor_subkey=None, auth_data=None, kdc_options='', + inner_req=None, outer_req=None): + if expected_error_mode == 0: + expected_error_mode = () + elif not isinstance(expected_error_mode, collections.abc.Container): + expected_error_mode = (expected_error_mode,) + kdc_exchange_dict = { 'req_msg_type': KRB_AS_REQ, 'req_asn1Spec': krb5_asn1.AS_REQ, @@ -1764,6 +1781,7 @@ class RawKerberosTest(TestCaseInTempDir): 'armor_subkey': armor_subkey, 'auth_data': auth_data, 'kdc_options': kdc_options, + 'inner_req': inner_req, 'outer_req': outer_req } if expected_cname_private is not None: @@ -1801,7 +1819,13 @@ class RawKerberosTest(TestCaseInTempDir): auth_data=None, body_checksum_type=None, kdc_options='', + inner_req=None, outer_req=None): + if expected_error_mode == 0: + expected_error_mode = () + elif not isinstance(expected_error_mode, collections.abc.Container): + expected_error_mode = (expected_error_mode,) + kdc_exchange_dict = { 'req_msg_type': KRB_TGS_REQ, 'req_asn1Spec': krb5_asn1.TGS_REQ, @@ -1832,6 +1856,7 @@ class RawKerberosTest(TestCaseInTempDir): 'auth_data': auth_data, 'authenticator_subkey': authenticator_subkey, 'kdc_options': kdc_options, + 'inner_req': inner_req, 'outer_req': outer_req } if expected_cname_private is not None: @@ -1928,7 +1953,8 @@ class RawKerberosTest(TestCaseInTempDir): self.check_rep_padata(kdc_exchange_dict, -- Samba Shared Repository