[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Fri May 15 12:26:05 UTC 2020
The branch, master has been updated
via 8b5e7644130 selftest: add python S4U2Self tests including unkeyed checksums
via 19875a37318 Revert "CVE-2018-16860 selftest: Add test for S4U2Self with unkeyed checksum"
via b5adc112771 Revert "selftest: mitm-s4u2self: use zlib for CRC32_checksum calc"
via ce65e8979dd Revert "selftest: allow any kdc error in mitm-s4u2self test"
from ddd8ae51f8c smb2_server: do async shutdown for pending multi-channel requests
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8b5e7644130146bcc4e5a0dd05da6458a6025dd8
Author: Isaac Boukris <iboukris at gmail.com>
Date: Mon May 4 18:09:53 2020 +0200
selftest: add python S4U2Self tests including unkeyed checksums
To test the CRC32 I reverted the unkeyed-checksum fix (43958af1)
and the weak-crypto fix (389d1b97). Note that the unkeyed-md5
still worked even with weak-crypto disabled, and that the
unkeyed-sha1 never worked but I left it anyway.
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri May 15 12:25:40 UTC 2020 on sn-devel-184
commit 19875a37318a7cd5585572616cf12a775591193f
Author: Isaac Boukris <iboukris at gmail.com>
Date: Thu May 7 17:17:12 2020 +0200
Revert "CVE-2018-16860 selftest: Add test for S4U2Self with unkeyed checksum"
This reverts commit 5639e973c1f6f1b28b122741763f1d05b47bc2d8.
This is no longer needed as the next commit includes a Python
test for this, without the complexity of being inside krb5.kdc.canon.
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b5adc112771f22c2d7c4319063c3e89074c4f4ab
Author: Isaac Boukris <iboukris at gmail.com>
Date: Thu May 7 17:17:00 2020 +0200
Revert "selftest: mitm-s4u2self: use zlib for CRC32_checksum calc"
This reverts commit 151f8c0f31d3d17b9418db3793ec14ba7dbf2143.
This allows a clean revert (and so removal) of the test.
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ce65e8979dda9774b170db7a9fa7ba458af4cee9
Author: Isaac Boukris <iboukris at gmail.com>
Date: Thu May 7 17:16:53 2020 +0200
Revert "selftest: allow any kdc error in mitm-s4u2self test"
This reverts commit a53fa8ffe3e36f7921baf5d31a1052747f90aa7d.
This allows a clean revert (and so removal) of the test.
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/krb5/kcrypto.py | 85 +++++++++++++++
python/samba/tests/krb5/raw_testcase.py | 23 ++++
python/samba/tests/krb5/rfc4120.asn1 | 8 ++
python/samba/tests/krb5/rfc4120_pyasn1.py | 14 ++-
.../tests/krb5/{simple_tests.py => s4u_tests.py} | 58 ++++++++---
python/samba/tests/usage.py | 1 +
selftest/knownfail | 2 +
selftest/skip_mit_kdc | 1 +
selftest/target/Samba4.pm | 23 ++++
source4/selftest/tests.py | 4 +
source4/torture/krb5/kdc-canon-heimdal.c | 116 ++-------------------
11 files changed, 209 insertions(+), 126 deletions(-)
copy python/samba/tests/krb5/{simple_tests.py => s4u_tests.py} (73%)
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py
index ed3c84fa186..2572fa5bab3 100755
--- a/python/samba/tests/krb5/kcrypto.py
+++ b/python/samba/tests/krb5/kcrypto.py
@@ -51,6 +51,7 @@ os.environ["PYTHONUNBUFFERED"] = "1"
from math import gcd
from functools import reduce
from struct import pack, unpack
+from binascii import crc32
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import hmac
from cryptography.hazmat.primitives.ciphers import algorithms as ciphers
@@ -533,6 +534,21 @@ class _MD5(_ChecksumProfile):
return SIMPLE_HASH(text, hashes.MD5)
+class _SHA1(_ChecksumProfile):
+ @classmethod
+ def checksum(cls, key, keyusage, text):
+ # This is unkeyed!
+ return SIMPLE_HASH(text, hashes.SHA1)
+
+
+class _CRC32(_ChecksumProfile):
+ @classmethod
+ def checksum(cls, key, keyusage, text):
+ # This is unkeyed!
+ cksum = (~crc32(text, 0xffffffff)) & 0xffffffff
+ return pack('<I', cksum)
+
+
_enctype_table = {
Enctype.DES3: _DES3CBC,
Enctype.AES128: _AES128CTS,
@@ -547,6 +563,8 @@ _checksum_table = {
Cksumtype.SHA1_AES256: _SHA1AES256,
Cksumtype.HMAC_MD5: _HMACMD5,
Cksumtype.MD5: _MD5,
+ Cksumtype.SHA1: _SHA1,
+ Cksumtype.CRC32: _CRC32,
}
@@ -835,6 +853,73 @@ class KcrytoTest(TestCase):
def test_md5_unkeyed_checksum_aes256_usage_50(self):
return self._test_md5_unkeyed_checksum(Enctype.AES256, 50)
+ def _test_sha1_unkeyed_checksum(self, etype, usage):
+ # SHA1 unkeyed checksum
+ pw = b'password'
+ salt = b'salt'
+ key = string_to_key(etype, pw, salt)
+ plain = b'twenty nineteen eighteen seventeen'
+ cksum = h('381c870d8875d1913555de19af5c885fd27b7da9')
+ verify_checksum(Cksumtype.SHA1, key, usage, plain, cksum)
+
+ def test_sha1_unkeyed_checksum_des3_usage_40(self):
+ return self._test_sha1_unkeyed_checksum(Enctype.DES3, 40)
+
+ def test_sha1_unkeyed_checksum_des3_usage_50(self):
+ return self._test_sha1_unkeyed_checksum(Enctype.DES3, 50)
+
+ def test_sha1_unkeyed_checksum_rc4_usage_40(self):
+ return self._test_sha1_unkeyed_checksum(Enctype.RC4, 40)
+
+ def test_sha1_unkeyed_checksum_rc4_usage_50(self):
+ return self._test_sha1_unkeyed_checksum(Enctype.RC4, 50)
+
+ def test_sha1_unkeyed_checksum_aes128_usage_40(self):
+ return self._test_sha1_unkeyed_checksum(Enctype.AES128, 40)
+
+ def test_sha1_unkeyed_checksum_aes128_usage_50(self):
+ return self._test_sha1_unkeyed_checksum(Enctype.AES128, 50)
+
+ def test_sha1_unkeyed_checksum_aes256_usage_40(self):
+ return self._test_sha1_unkeyed_checksum(Enctype.AES256, 40)
+
+ def test_sha1_unkeyed_checksum_aes256_usage_50(self):
+ return self._test_sha1_unkeyed_checksum(Enctype.AES256, 50)
+
+ def _test_crc32_unkeyed_checksum(self, etype, usage):
+ # CRC32 unkeyed checksum
+ pw = b'password'
+ salt = b'salt'
+ key = string_to_key(etype, pw, salt)
+ plain = b'africa america asia australia europe'
+ cksum = h('ce595a53')
+ verify_checksum(Cksumtype.CRC32, key, usage, plain, cksum)
+
+ def test_crc32_unkeyed_checksum_des3_usage_40(self):
+ return self._test_crc32_unkeyed_checksum(Enctype.DES3, 40)
+
+ def test_crc32_unkeyed_checksum_des3_usage_50(self):
+ return self._test_crc32_unkeyed_checksum(Enctype.DES3, 50)
+
+ def test_crc32_unkeyed_checksum_rc4_usage_40(self):
+ return self._test_crc32_unkeyed_checksum(Enctype.RC4, 40)
+
+ def test_crc32_unkeyed_checksum_rc4_usage_50(self):
+ return self._test_crc32_unkeyed_checksum(Enctype.RC4, 50)
+
+ def test_crc32_unkeyed_checksum_aes128_usage_40(self):
+ return self._test_crc32_unkeyed_checksum(Enctype.AES128, 40)
+
+ def test_crc32_unkeyed_checksum_aes128_usage_50(self):
+ return self._test_crc32_unkeyed_checksum(Enctype.AES128, 50)
+
+ def test_crc32_unkeyed_checksum_aes256_usage_40(self):
+ return self._test_crc32_unkeyed_checksum(Enctype.AES256, 40)
+
+ def test_crc32_unkeyed_checksum_aes256_usage_50(self):
+ return self._test_crc32_unkeyed_checksum(Enctype.AES256, 50)
+
+
if __name__ == "__main__":
import unittest
unittest.main()
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 6c7bcd418a0..f43ce9cbc3c 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -867,3 +867,26 @@ class RawKerberosTest(TestCase):
if native_decoded_only:
return decoded
return decoded, obj
+
+ def PA_S4U2Self_create(self, name, realm, tgt_session_key, ctype=None):
+ # PA-S4U2Self ::= SEQUENCE {
+ # name [0] PrincipalName,
+ # realm [1] Realm,
+ # cksum [2] Checksum,
+ # auth [3] GeneralString
+ # }
+ cksum_data = name['name-type'].to_bytes(4, byteorder='little')
+ for n in name['name-string']:
+ cksum_data += n.encode()
+ cksum_data += realm.encode()
+ cksum_data += "Kerberos".encode()
+ cksum = self.Checksum_create(tgt_session_key, 17, cksum_data, ctype)
+
+ PA_S4U2Self_obj = {
+ 'name': name,
+ 'realm': realm,
+ 'cksum': cksum,
+ 'auth': "Kerberos",
+ }
+ pa_s4u2self = self.der_encode(PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self())
+ return self.PA_DATA_create(129, pa_s4u2self)
diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1
index 05b43106034..98ba887729d 100644
--- a/python/samba/tests/krb5/rfc4120.asn1
+++ b/python/samba/tests/krb5/rfc4120.asn1
@@ -415,6 +415,14 @@ AD-AND-OR ::= SEQUENCE {
AD-MANDATORY-FOR-KDC ::= AuthorizationData
+-- S4U
+
+PA-S4U2Self ::= SEQUENCE {
+ name [0] PrincipalName,
+ realm [1] Realm,
+ cksum [2] Checksum,
+ auth [3] KerberosString
+}
diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py
index b2627aa3dcb..05304a8a099 100644
--- a/python/samba/tests/krb5/rfc4120_pyasn1.py
+++ b/python/samba/tests/krb5/rfc4120_pyasn1.py
@@ -1,5 +1,5 @@
# Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1
-# (last modified on 2020-03-26 10:28:24.346775)
+# (last modified on 2020-05-06 17:51:00.323318)
# KerberosV5Spec2
from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful
@@ -780,6 +780,18 @@ PA_ENC_TS_ENC.componentType = namedtype.NamedTypes(
)
+class PA_S4U2Self(univ.Sequence):
+ pass
+
+
+PA_S4U2Self.componentType = namedtype.NamedTypes(
+ namedtype.NamedType('name', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))),
+ namedtype.NamedType('realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
+ namedtype.NamedType('cksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))),
+ namedtype.NamedType('auth', KerberosString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)))
+)
+
+
class PADataTypeValues(univ.Integer):
pass
diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/s4u_tests.py
similarity index 73%
copy from python/samba/tests/krb5/simple_tests.py
copy to python/samba/tests/krb5/s4u_tests.py
index c9998c4d2db..ae38635c53b 100755
--- a/python/samba/tests/krb5/simple_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -22,25 +22,27 @@ import os
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
+from samba.tests import env_get_var_value
+from samba.tests.krb5.kcrypto import Cksumtype
from samba.tests.krb5.raw_testcase import RawKerberosTest
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
global_asn1_print = False
global_hexdump = False
-class SimpleKerberosTests(RawKerberosTest):
+class S4UKerberosTests(RawKerberosTest):
def setUp(self):
- super(SimpleKerberosTests, self).setUp()
+ super(S4UKerberosTests, self).setUp()
self.do_asn1_print = global_asn1_print
self.do_hexdump = global_hexdump
- def test_simple(self):
- user_creds = self.get_user_creds()
- user = user_creds.get_username()
- realm = user_creds.get_realm()
+ def _test_s4u2self(self, pa_s4u2self_ctype=None):
+ service_creds = self.get_service_creds()
+ service = service_creds.get_username()
+ realm = service_creds.get_realm()
- cname = self.PrincipalName_create(name_type=1, names=[user])
+ cname = self.PrincipalName_create(name_type=1, names=[service])
sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm])
till = self.get_KerberosTime(offset=36000)
@@ -78,7 +80,7 @@ class SimpleKerberosTests(RawKerberosTest):
etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2())
- key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0])
+ key = self.PasswordKey_from_etype_info2(service_creds, etype_info2[0])
(patime, pausec) = self.get_KerberosTimeWithUsec()
pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec)
@@ -117,16 +119,20 @@ class SimpleKerberosTests(RawKerberosTest):
enc_part2 = key.decrypt(usage, rep['enc-part']['cipher'])
enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
- # TGS Request
- service_creds = self.get_service_creds(allow_missing_password=True)
- service_name = service_creds.get_username()
+ # S4U2Self Request
+ sname = cname
+
+ for_user_name = env_get_var_value('FOR_USER')
+ uname = self.PrincipalName_create(name_type=1, names=[for_user_name])
- sname = self.PrincipalName_create(name_type=2, names=["host", service_name])
kdc_options = krb5_asn1.KDCOptions('forwardable')
till = self.get_KerberosTime(offset=36000)
ticket = rep['ticket']
ticket_session_key = self.EncryptionKey_import(enc_part2['key'])
- padata = []
+ pa_s4u = self.PA_S4U2Self_create(name=uname, realm=realm,
+ tgt_session_key=ticket_session_key,
+ ctype=pa_s4u2self_ctype)
+ padata = [pa_s4u]
subkey = self.RandomKey(ticket_session_key.etype)
subkey_usage = 9
@@ -156,13 +162,33 @@ class SimpleKerberosTests(RawKerberosTest):
self.assertIsNotNone(rep)
msg_type = rep['msg-type']
+ if msg_type == 13:
+ enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher'])
+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart())
+
+ return msg_type
+
+ # Using the checksum type from the tgt_session_key happens to work everywhere
+ def test_s4u2self(self):
+ msg_type = self._test_s4u2self()
+ self.assertEqual(msg_type, 13)
+
+ # Per spec, the checksum of PA-FOR-USER is HMAC_MD5, see [MS-SFU] 2.2.1
+ def test_s4u2self_hmac_md5_checksum(self):
+ msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.HMAC_MD5)
self.assertEqual(msg_type, 13)
- enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher'])
- enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart())
+ def test_s4u2self_md5_unkeyed_checksum(self):
+ msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.MD5)
+ self.assertEqual(msg_type, 30)
- return
+ def test_s4u2self_sha1_unkeyed_checksum(self):
+ msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.SHA1)
+ self.assertEqual(msg_type, 30)
+ def test_s4u2self_crc32_unkeyed_checksum(self):
+ msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.CRC32)
+ self.assertEqual(msg_type, 30)
if __name__ == "__main__":
global_asn1_print = True
diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
index 18e9fad232f..58053474e03 100644
--- a/python/samba/tests/usage.py
+++ b/python/samba/tests/usage.py
@@ -87,6 +87,7 @@ EXCLUDE_USAGE = {
'python/samba/tests/dcerpc/raw_protocol.py',
'python/samba/tests/krb5/kcrypto.py',
'python/samba/tests/krb5/simple_tests.py',
+ 'python/samba/tests/krb5/s4u_tests.py',
}
EXCLUDE_HELP = {
diff --git a/selftest/knownfail b/selftest/knownfail
index 57a4d93a37d..38e8597deda 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -393,3 +393,5 @@
^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
+# Fixed upstream heimdal in PR #439
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_hmac_md5_checksum
diff --git a/selftest/skip_mit_kdc b/selftest/skip_mit_kdc
index 4a51c98ea0b..ea644638c9f 100644
--- a/selftest/skip_mit_kdc
+++ b/selftest/skip_mit_kdc
@@ -3,3 +3,4 @@
.*RODC
^samba4.ntvfs.cifs.ntlm.base.unlink
^samba4.ntvfs.cifs.krb5.base.unlink
+^samba.tests.krb5.s4u_tests
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 2046af3b984..34dd0ee798d 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -934,6 +934,29 @@ sub provision_raw_step2($$$)
return undef;
}
+ my $srv_account = "srv_account";
+ $samba_tool_cmd = "";
+ $samba_tool_cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
+ $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " user create --configfile=$ctx->{smb_conf} $srv_account $ctx->{password}";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add $srv_account user: \n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ $samba_tool_cmd = "";
+ $samba_tool_cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
+ $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " spn add HOST/$srv_account --configfile=$ctx->{smb_conf} $srv_account";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add spn for $srv_account: \n$samba_tool_cmd\n");
+ return undef;
+ }
+
my $ldbmodify = "";
$ldbmodify .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
$ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 15af32a0415..480ea22987f 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -758,6 +758,10 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$U
planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",
environ={'SERVICE_USERNAME':'$SERVER'})
+planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
+ environ={'SERVICE_USERNAME':'srv_account',
+ 'SERVICE_PASSWORD':'$PASSWORD',
+ 'FOR_USER':'$USERNAME'})
for env in ["ad_dc", smbv1_disabled_testenv]:
planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'])
diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
index 700e1c2b37e..9e0808b134c 100644
--- a/source4/torture/krb5/kdc-canon-heimdal.c
+++ b/source4/torture/krb5/kdc-canon-heimdal.c
@@ -33,7 +33,6 @@
#include "auth/auth_sam_reply.h"
#include "auth/gensec/gensec.h"
#include "param/param.h"
-#include "zlib.h"
#define TEST_CANONICALIZE 0x0000001
#define TEST_ENTERPRISE 0x0000002
@@ -45,8 +44,7 @@
#define TEST_S4U2SELF 0x0000080
#define TEST_REMOVEDOLLAR 0x0000100
#define TEST_AS_REQ_SPN 0x0000200
-#define TEST_MITM_S4U2SELF 0x0000400
-#define TEST_ALL 0x00007FF
+#define TEST_ALL 0x00003FF
struct test_data {
const char *test_name;
@@ -64,7 +62,6 @@ struct test_data {
bool upn;
bool other_upn_suffix;
bool s4u2self;
- bool mitm_s4u2self;
bool removedollar;
bool as_req_spn;
bool spn_is_upn;
@@ -215,73 +212,6 @@ static bool test_accept_ticket(struct torture_context *tctx,
return true;
}
-static void
-zCRC32_checksum(const void *data,
- size_t len,
- Checksum *C)
-{
- uint32_t *crc = C->checksum.data;
- *crc = ~(crc32(0xffffffff, data, len));
- C->checksum.length = 4;
- C->cksumtype = 1;
-}
-
-krb5_error_code
-_krb5_s4u2self_to_checksumdata(krb5_context context,
- const PA_S4U2Self *self,
- krb5_data *data);
-
-/* Helper function to modify the principal in PA_FOR_USER padata */
-static bool change_for_user_principal(struct torture_krb5_context *test_context,
- krb5_data *modified_send_buf)
-{
- PA_DATA *for_user;
- int i = 0;
- size_t used;
- krb5_error_code ret;
- PA_S4U2Self self, mod_self;
- krb5_data cksum_data;
- krb5_principal admin;
- heim_octet_string orig_padata_value;
- krb5_context k5_ctx = test_context->smb_krb5_context->krb5_context;
-
- for_user = krb5_find_padata(test_context->tgs_req.padata->val,
- test_context->tgs_req.padata->len, KRB5_PADATA_FOR_USER, &i);
- torture_assert(test_context->tctx, for_user != NULL, "No PA_FOR_USER in s4u2self request");
- orig_padata_value = for_user->padata_value;
-
- torture_assert_int_equal(test_context->tctx,
- krb5_make_principal(k5_ctx, &admin, test_context->test_data->realm,
- "Administrator", NULL),
- 0, "krb5_make_principal() failed");
- torture_assert_int_equal(test_context->tctx,
- decode_PA_S4U2Self(for_user->padata_value.data,
- for_user->padata_value.length, &self, NULL),
- 0, "decode_PA_S4U2Self() failed");
- mod_self = self;
- mod_self.name = admin->name;
-
- torture_assert_int_equal(test_context->tctx,
- _krb5_s4u2self_to_checksumdata(k5_ctx, &mod_self, &cksum_data),
- 0, "_krb5_s4u2self_to_checksumdata() failed");
- zCRC32_checksum(cksum_data.data, cksum_data.length, &mod_self.cksum);
-
- ASN1_MALLOC_ENCODE(PA_S4U2Self, for_user->padata_value.data, for_user->padata_value.length,
- &mod_self, &used, ret);
- torture_assert(test_context->tctx, ret == 0, "Failed to encode PA_S4U2Self ASN1 struct");
- ASN1_MALLOC_ENCODE(TGS_REQ, modified_send_buf->data, modified_send_buf->length,
- &test_context->tgs_req, &used, ret);
- torture_assert(test_context->tctx, ret == 0, "Failed to encode TGS_REQ ASN1 struct");
-
- free(for_user->padata_value.data);
- for_user->padata_value = orig_padata_value;
-
- free_PA_S4U2Self(&self);
- krb5_data_free(&cksum_data);
-
- return true;
-}
-
/*
* TEST_AS_REQ and TEST_AS_REQ_SELF - SEND
*
@@ -701,12 +631,7 @@ static bool torture_krb5_pre_send_tgs_req_canon_test(struct torture_krb5_context
}
- if (test_context->test_data->mitm_s4u2self) {
--
Samba Shared Repository
More information about the samba-cvs
mailing list