[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Thu Sep 2 14:29:01 UTC 2021
The branch, master has been updated
via 10baaf08523 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
via b0f4455e524 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
via ebd673e976a tests/krb5: Allow expected_error_mode to be a container type
via 24914ae17d4 tests/krb5: Add tests for omitting sname in inner request
via c6d7e19ecfb tests/krb5: Allow specifying parameters specific to the inner FAST request body
via bbbb13caf7b tests/krb5: Add tests for omitting sname in request
via 1e4d757394a tests/krb5: Check PADATA-PW-SALT element in e-data
via e373c6461a8 tests/krb5: Check e-data element for TGS-REP errors without FAST
via 3330eaf39c6 tests/krb5: Remove harmful and atypical return in as_req testcase
via b8e2515552f CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
via 0cb4b939f19 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
via 15f9f040fe5 tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
via 36798f5b651 tests/krb5: Make cname checking less strict
via 79dda329f2a tests/krb5: Make e-data checking less strict
via d9edad89f3b Update common on currently supported Fedora versions
via 5805a7c49aa bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml
via e9c8ac4adbc bootstrap: Update to get newer krb5 on Fedora 34
from 40b65fcb583 script/autobuild.py: Restore MIT ADDC tests against fl2008*
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 10baaf08523200e47451aa1862430977b0365b59
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 31 22:38:01 2021 +1200
tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
This allows our code to still pass with the error code that
MIT and Heimdal have chosen
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Sep 2 14:28:31 UTC 2021 on sn-devel-184
commit b0f4455e524cbbfb13202220e7095f466b083a2f
Author: Luke Howard <lukeh at padl.com>
Date: Tue Aug 31 17:38:16 2021 +1200
kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
If cname or sname is missing in the AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN respectively. This matches MIT behaviour.
[abartlet at samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd
and knownfail added]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ebd673e976aea5dd481a75f180fd526995c4fda0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Aug 31 19:42:33 2021 +1200
tests/krb5: Allow expected_error_mode to be a container type
This allows a range of possible error codes to be checked against, for
cases when the particular error code returned is not so important.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 24914ae17d49f634fafc1bdeb88859293da05f79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:37:16 2021 +1200
tests/krb5: Add tests for omitting sname in inner request
Note: the test 'test_fast_tgs_inner_no_sname' crashes the MIT KDC.
This is fixed in MIT Krb5 commit d775c95af7606a51bf79547a94fa52ddd1cb7f49
and was given CVE-2021-37750
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:26:45 2021 +1200
tests/krb5: Allow specifying parameters specific to the inner FAST request body
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit bbbb13caf7bd2440c80f4f4775725b7863d16a5b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:02:04 2021 +1200
tests/krb5: Add tests for omitting sname in request
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1e4d757394a0bbda587d5ff91801f88539b712b1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:00:37 2021 +1200
tests/krb5: Check PADATA-PW-SALT element in e-data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit e373c6461a88c44303ea8cdbebc2d78dd15dec4a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:00:21 2021 +1200
tests/krb5: Check e-data element for TGS-REP errors without FAST
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3330eaf39c6174f2d90fe4d8e016efb97005d1e5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 1 10:43:06 2021 +1200
tests/krb5: Remove harmful and atypical return in as_req testcase
A test in a TestCase class should not return a value, the
test is determined by the assertions raised.
Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2]
to not always be filled, so we need to remove this
redundant code.
This also fixes a *lot* of tests against the MIT KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b8e2515552ffa158fab1e86a39004de4cc419da5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 12:25:06 2021 +1200
CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would
crash the Heimdal KDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0cb4b939f192376bf5e33637863a91a20f74c5a5
Author: Luke Howard <lukeh at padl.com>
Date: Fri Aug 27 11:42:48 2021 +1000
CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
In tgs_build_reply(), validate the server name in the TGS-REQ is present before
dereferencing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
[abartlet at samba.org backported from Heimdal
commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference
to an earlier patch by Joseph Sutton]
RN: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ
Reviewed-by: Andreas Schneider <asn at samba.org>
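The two commit messages above (b0f4455e524 for the AS-REQ case and 0cb4b939f19 for the TGS-REQ case) describe the check only in words, and the krb5tgs.c and kerberos5.c hunks themselves fall outside the truncated changeset. The following is an added illustration written for this page, not Samba's or Heimdal's code: a minimal model of a KDC-REQ-BODY whose OPTIONAL members are nullable pointers, the vulnerable access pattern next to a presence check that returns the KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN codes the messages name, and the FAST rule the new tests rely on (the armored inner body is what the KDC processes, so an sname omitted only in the outer body is ignored while one omitted in the inner body is rejected). The struct layouts, function names and sample principals are assumptions made for the example; the error-code values are the ones RFC 4120 section 7.5.9 assigns.

```c
#include <stdio.h>
#include <stddef.h>

/* KRB-ERROR codes from RFC 4120, section 7.5.9. */
#define KDC_ERR_C_PRINCIPAL_UNKNOWN 6
#define KDC_ERR_S_PRINCIPAL_UNKNOWN 7
#define KRB_ERR_GENERIC             60

/* Illustrative stand-ins for the ASN.1 types (assumption: OPTIONAL members
 * are nullable pointers, the usual output of an ASN.1 compiler). These are
 * not the generated Heimdal structs. */
typedef struct {
    int name_type;              /* 1 = NT-PRINCIPAL, 2 = NT-SRV-INST */
    int name_string_len;
    const char *name_string[2];
} PrincipalName;

typedef struct {
    PrincipalName *cname;       /* OPTIONAL: normally absent in a TGS-REQ   */
    PrincipalName *sname;       /* OPTIONAL on the wire, required by the KDC */
    const char *realm;
} KDC_REQ_BODY;

/* Vulnerable shape of the bug: sname is used without a presence check, so a
 * request that simply omits the field reads through a NULL pointer. It is
 * here only to show the defect; never call it with an sname-less body. */
int vulnerable_sname_len(const KDC_REQ_BODY *body)
{
    return body->sname->name_string_len;
}

/* Hardened check: validate the request body before anything dereferences
 * cname or sname. Returns 0 when the mandatory fields are present, otherwise
 * the KRB-ERROR code to send (the codes the commit messages above name). */
int validate_req_body(const KDC_REQ_BODY *body, int is_as_req)
{
    if (body == NULL)
        return KRB_ERR_GENERIC;
    /* An AS-REQ names its client in the body; a TGS-REQ takes the client
     * from the ticket in PA-TGS-REQ, so cname is mandatory only for AS-REQ. */
    if (is_as_req && body->cname == NULL)
        return KDC_ERR_C_PRINCIPAL_UNKNOWN;
    if (body->sname == NULL || body->sname->name_string_len <= 0)
        return KDC_ERR_S_PRINCIPAL_UNKNOWN;
    return 0;
}

/* FAST: the armored inner body is the one the KDC processes, so an sname
 * missing from the outer body is irrelevant while an sname missing from the
 * inner body must be rejected (the two cases the new tests exercise). */
int validate_fast_req(const KDC_REQ_BODY *outer, const KDC_REQ_BODY *inner,
                      int is_as_req)
{
    const KDC_REQ_BODY *effective = (inner != NULL) ? inner : outer;
    return validate_req_body(effective, is_as_req);
}

/* Constructed sample principals for the demonstration (assumed names). */
static PrincipalName client_name = { 1, 1, { "alice", NULL } };
static PrincipalName krbtgt_name = { 2, 2, { "krbtgt", "EXAMPLE.COM" } };

/* Build a body with or without each of the two names. */
KDC_REQ_BODY make_body(int with_cname, int with_sname)
{
    KDC_REQ_BODY b;
    b.cname = with_cname ? &client_name : NULL;
    b.sname = with_sname ? &krbtgt_name : NULL;
    b.realm = "EXAMPLE.COM";
    return b;
}

int main(void)
{
    KDC_REQ_BODY ok = make_body(1, 1);
    KDC_REQ_BODY no_sname = make_body(1, 0);
    KDC_REQ_BODY no_cname = make_body(0, 1);

    printf("AS-REQ  complete     -> %d\n", validate_req_body(&ok, 1));
    printf("AS-REQ  no cname     -> %d\n", validate_req_body(&no_cname, 1));
    printf("AS-REQ  no sname     -> %d\n", validate_req_body(&no_sname, 1));
    printf("TGS-REQ no cname     -> %d\n", validate_req_body(&no_cname, 0));
    printf("TGS-REQ no sname     -> %d\n", validate_req_body(&no_sname, 0));
    printf("FAST outer no sname  -> %d\n", validate_fast_req(&no_sname, &ok, 0));
    printf("FAST inner no sname  -> %d\n", validate_fast_req(&ok, &no_sname, 0));
    return 0;
}
```

The tests in this push accept KDC_ERR_GENERIC as well as KDC_ERR_S_PRINCIPAL_UNKNOWN for the no-sname cases (see test_simple_no_sname and its siblings in the fast_tests.py hunk below), so a KDC that answers with the generic code still passes; what matters for CVE-2021-3671 is that the presence check runs before any dereference.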
commit 15f9f040fe537ebd30419a4751aa0f13b20f242b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 16:52:29 2021 +1200
tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
Note: This test crashed the MIT KDC prior to MIT commit
fc98f520caefff2e5ee9a0026fdf5109944b3562 which was given
CVE-2021-36222.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 36798f5b651a02b74b6844c024101f7a026f1f68
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 14:43:53 2021 +1200
tests/krb5: Make cname checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 79dda329f2a8382f1e46b50f4b9692e78d687826
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:35:59 2021 +1200
tests/krb5: Make e-data checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC, instead failing when obtaining a TGT for the user or machine.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d9edad89f3b268c6da8f988a42f8cf2a3b697fe7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 1 20:53:45 2021 +1200
Update common on currently supported Fedora versions
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5805a7c49aa13b578a717cbbc46460741d325c65
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 1 20:55:40 2021 +1200
bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit e9c8ac4adbca2f8cb45470ccb45a45039188a285
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 1 20:45:03 2021 +1200
bootstrap: Update to get newer krb5 on Fedora 34
We need the update FEDORA-2021-20b495cb94 (krb5) to
get a fix for CVE-2021-37750 (explicit NULL deref on KDC)
so our CI will pass as we have a test for this.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
.gitlab-ci-main.yml | 2 +-
bootstrap/README.md | 4 +-
bootstrap/config.py | 3 +
bootstrap/sha1sum.txt | 2 +-
python/samba/tests/krb5/as_req_tests.py | 14 +-
python/samba/tests/krb5/fast_tests.py | 186 ++++++++++++-
python/samba/tests/krb5/kdc_base_test.py | 6 +-
python/samba/tests/krb5/raw_testcase.py | 125 ++++++---
python/samba/tests/krb5/rfc4120_constants.py | 3 +
selftest/knownfail_heimdal_kdc | 6 +
selftest/knownfail_mit_kdc | 398 +--------------------------
source4/heimdal/kdc/kerberos5.c | 4 +-
source4/heimdal/kdc/krb5tgs.c | 4 +
13 files changed, 310 insertions(+), 447 deletions(-)
Changeset truncated at 500 lines:
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index ce80561ba0f..4b2f17938c8 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -42,7 +42,7 @@ variables:
# Set this to the contents of bootstrap/sha1sum.txt
# which is generated by bootstrap/template.py --render
#
- SAMBA_CI_CONTAINER_TAG: b5333a93306e20ba549f5fac3c6c74e0b103c1d6
+ SAMBA_CI_CONTAINER_TAG: 733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0
#
# We use the ubuntu1804 image as default as
# it matches what we have on sn-devel-184.
diff --git a/bootstrap/README.md b/bootstrap/README.md
index 47ef1c67836..44a354de545 100644
--- a/bootstrap/README.md
+++ b/bootstrap/README.md
@@ -13,7 +13,7 @@ A pure python3 module with CLI to bootstrap Samba envs for multiple distribution
## Supported Distributions
deb: Debian 10, Ubuntu 1604|1804|2004
-rpm: CentOS 7|8, Fedora 32|33, openSUSE Leap 15.1|15.2
+rpm: CentOS 7|8, Fedora 33|34, openSUSE Leap 15.1|15.2
Easy to add more.
@@ -32,7 +32,7 @@ Just calculate the sha1sum for consistency checks:
bootstrap/template.py --sha1sum
The checksum needs to be added as `SAMBA_CI_CONTAINER_TAG` in
-the toplevel .gitlab-ci.yml file.
+the toplevel .gitlab-ci-main.yml file.
## User Stories
diff --git a/bootstrap/config.py b/bootstrap/config.py
index 821ce3d5cc2..ba4304bb9f8 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -20,6 +20,9 @@ Manage dependencies and bootstrap environments for Samba.
Config file for packages and templates.
+Update the lists in this file to require new packages in the
+container images used in GitLab CI
+
Author: Joe Guo <joeg at catalyst.net.nz>
"""
import os
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index e7de92cc504..e433f698b68 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-b5333a93306e20ba549f5fac3c6c74e0b103c1d6
+733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index fd258e8164a..82ff3f4845c 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -106,13 +106,11 @@ class AsReqKerberosTests(KDCBaseTest):
expected_salt=expected_salt,
kdc_options=str(initial_kdc_options))
- rep = self._generic_kdc_exchange(kdc_exchange_dict,
- cname=cname,
- realm=realm,
- sname=sname,
- etypes=initial_etypes)
-
- return kdc_exchange_dict['preauth_etype_info2']
+ self._generic_kdc_exchange(kdc_exchange_dict,
+ cname=cname,
+ realm=realm,
+ sname=sname,
+ etypes=initial_etypes)
def _test_as_req_no_preauth_with_args(self, etype_idx, pac):
name, etypes = self.etype_test_permutation_by_idx(etype_idx)
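Review bot: with the return gone, the reply from `_generic_kdc_exchange` is now discarded as well (the old `rep = ...` assignment was already unused), so every check this test performs lives inside the exchange's check functions; a one-line comment at the call site saying that the assertions happen there would save the next reader from wondering whether the reply was meant to be inspected.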
@@ -121,7 +119,7 @@ class AsReqKerberosTests(KDCBaseTest):
else:
pa_pac = self.KERB_PA_PAC_REQUEST_create(pac)
padata = [pa_pac]
- return self._test_as_req_nopreauth(
+ self._test_as_req_nopreauth(
initial_padata=padata,
initial_etypes=etypes,
initial_kdc_options=krb5_asn1.KDCOptions('forwardable'))
diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
index e38b2e0a6e1..392d19f59b3 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -20,6 +20,7 @@
import functools
import os
import sys
+import collections
import ldb
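Review bot: `import collections` is placed after `import sys`, breaking the alphabetical order of the surrounding imports, and the attribute actually used later in this file is `collections.abc.Container`; importing `collections.abc` explicitly (or `from collections import abc`) is the form that is guaranteed to expose the submodule, since a bare `import collections` only works when something else has already imported `collections.abc`.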
@@ -37,6 +38,7 @@ from samba.tests.krb5.rfc4120_constants import (
FX_FAST_ARMOR_AP_REQUEST,
KDC_ERR_ETYPE_NOSUPP,
KDC_ERR_GENERIC,
+ KDC_ERR_S_PRINCIPAL_UNKNOWN,
KDC_ERR_NOT_US,
KDC_ERR_PREAUTH_FAILED,
KDC_ERR_PREAUTH_REQUIRED,
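Review bot: `KDC_ERR_S_PRINCIPAL_UNKNOWN` is inserted between `KDC_ERR_GENERIC` and `KDC_ERR_NOT_US`, which breaks the alphabetical ordering of this import list; it belongs after `KDC_ERR_PREAUTH_REQUIRED`.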
@@ -105,6 +107,107 @@ class FAST_Tests(KDCBaseTest):
}
])
+ def test_simple_no_sname(self):
+ krbtgt_creds = self.get_krbtgt_creds()
+ krbtgt_username = krbtgt_creds.get_username()
+ krbtgt_realm = krbtgt_creds.get_realm()
+ expected_sname = self.PrincipalName_create(
+ name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm])
+
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN),
+ 'use_fast': False,
+ 'sname': None,
+ 'expected_sname': expected_sname
+ }
+ ])
+
+ def test_simple_tgs_no_sname(self):
+ krbtgt_creds = self.get_krbtgt_creds()
+ krbtgt_username = krbtgt_creds.get_username()
+ krbtgt_realm = krbtgt_creds.get_realm()
+ expected_sname = self.PrincipalName_create(
+ name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm])
+
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_TGS_REP,
+ 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN),
+ 'use_fast': False,
+ 'gen_tgt_fn': self.get_user_tgt,
+ 'sname': None,
+ 'expected_sname': expected_sname
+ }
+ ])
+
+ def test_fast_no_sname(self):
+ krbtgt_creds = self.get_krbtgt_creds()
+ krbtgt_username = krbtgt_creds.get_username()
+ krbtgt_realm = krbtgt_creds.get_realm()
+ expected_sname = self.PrincipalName_create(
+ name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm])
+
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_GENERIC,
+ 'use_fast': True,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'sname': None,
+ 'expected_sname': expected_sname
+ }
+ ])
+
+ def test_fast_tgs_no_sname(self):
+ krbtgt_creds = self.get_krbtgt_creds()
+ krbtgt_username = krbtgt_creds.get_username()
+ krbtgt_realm = krbtgt_creds.get_realm()
+ expected_sname = self.PrincipalName_create(
+ name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm])
+
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_TGS_REP,
+ 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN),
+ 'use_fast': True,
+ 'gen_tgt_fn': self.get_user_tgt,
+ 'fast_armor': None,
+ 'sname': None,
+ 'expected_sname': expected_sname
+ }
+ ])
+
+ def test_fast_inner_no_sname(self):
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_GENERIC,
+ 'use_fast': True,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'inner_req': {
+ 'sname': None # should be ignored
+ }
+ }
+ ])
+
+ def test_fast_tgs_inner_no_sname(self):
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_TGS_REP,
+ 'expected_error_mode': KDC_ERR_GENERIC,
+ 'use_fast': True,
+ 'gen_tgt_fn': self.get_user_tgt,
+ 'fast_armor': None,
+ 'inner_req': {
+ 'sname': None # should be ignored
+ }
+ }
+ ])
+
def test_simple_tgs_wrong_principal(self):
mach_creds = self.get_mach_creds()
mach_name = mach_creds.get_username()
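Review bot: the `# should be ignored` comment on the `'sname': None` entries in `test_fast_inner_no_sname` and `test_fast_tgs_inner_no_sname` contradicts their `'expected_error_mode': KDC_ERR_GENERIC`; a missing sname in the inner body is precisely what the KDC must reject (and what crashed MIT before CVE-2021-37750 per the commit message), so the comment looks copied from the outer-body tests and should say "must be rejected" instead. Two smaller points on the same hunk: `test_fast_no_sname` accepts only `KDC_ERR_GENERIC` while the three sibling tests accept `(KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN)`, which deserves a comment if the asymmetry is intentional; and the five-line `expected_sname` setup is repeated verbatim in four tests and could be a small helper.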
@@ -405,6 +508,21 @@ class FAST_Tests(KDCBaseTest):
}
])
+ def test_fast_encrypted_challenge_no_fast(self):
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+ 'use_fast': False
+ },
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_FAILED,
+ 'use_fast': False,
+ 'gen_padata_fn': self.generate_enc_challenge_padata_wrong_key
+ }
+ ])
+
def test_fast_encrypted_challenge_clock_skew(self):
# The KDC is supposed to confirm that the timestamp is within its
# current clock skew, and return KRB_APP_ERR_SKEW if it is not (RFC6113
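Review bot: the name of `test_fast_encrypted_challenge_no_fast` says the point is sending PA-ENCRYPTED-CHALLENGE outside FAST, but the second step also builds the padata with `generate_enc_challenge_padata_wrong_key`, so a reader cannot tell which of the two conditions the `KDC_ERR_PREAUTH_FAILED` expectation is for; a comment stating why a deliberately wrong key is used here (and that the MIT KDC crashed on this request before the fix referenced as CVE-2021-36222 in the commit message) would make the expectation unambiguous.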
@@ -655,6 +773,45 @@ class FAST_Tests(KDCBaseTest):
}
])
+ def test_fast_outer_no_sname(self):
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+ 'use_fast': True,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'outer_req': {
+ 'sname': None # should be ignored
+ }
+ },
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': True,
+ 'gen_padata_fn': self.generate_enc_challenge_padata,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'outer_req': {
+ 'sname': None # should be ignored
+ }
+ }
+ ])
+
+ def test_fast_tgs_outer_no_sname(self):
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_TGS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': True,
+ 'gen_tgt_fn': self.get_user_tgt,
+ 'fast_armor': None,
+ 'outer_req': {
+ 'sname': None # should be ignored
+ }
+ }
+ ])
+
def test_fast_outer_wrong_till(self):
self._run_test_sequence([
{
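Review bot: `test_fast_tgs_outer_no_sname` is, per the commit message, the regression test for CVE-2021-3671 (it crashed the Heimdal KDC without the preceding patch), yet nothing in the test body says so; a docstring or comment naming the CVE and the bug URL would help anyone who later finds this test in a knownfail file or a bisect, and the same applies to the `'expected_error_mode': 0` on the second step of `test_fast_outer_no_sname`, which is the one place where the request is expected to succeed despite the missing outer sname.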
@@ -1035,7 +1192,12 @@ class FAST_Tests(KDCBaseTest):
self.assertIn(rep_type, (KRB_AS_REP, KRB_TGS_REP))
expected_error_mode = kdc_dict.pop('expected_error_mode')
- self.assertIn(expected_error_mode, range(240))
+ if expected_error_mode == 0:
+ expected_error_mode = ()
+ elif not isinstance(expected_error_mode, collections.abc.Container):
+ expected_error_mode = (expected_error_mode,)
+ for error in expected_error_mode:
+ self.assertIn(error, range(240))
use_fast = kdc_dict.pop('use_fast')
self.assertIs(type(use_fast), bool)
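Review bot: this normalisation of `expected_error_mode` (0 to an empty tuple, a scalar to a one-tuple, a container kept as is) is written out identically again in `as_exchange_dict` and `tgs_exchange_dict` in raw_testcase.py, and those two are what `_run_test_sequence` calls a few lines further down, so the test now normalises three times; one helper in raw_testcase.py called from all three places would keep the rule in a single spot, and it could take the opportunity to restrict the container check to a tuple or list, since `collections.abc.Container` also matches a `str`.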
@@ -1046,7 +1208,7 @@ class FAST_Tests(KDCBaseTest):
if fast_armor_type is not None:
self.assertIn('gen_armor_tgt_fn', kdc_dict)
- elif expected_error_mode != KDC_ERR_GENERIC:
+ elif KDC_ERR_GENERIC not in expected_error_mode:
self.assertNotIn('gen_armor_tgt_fn', kdc_dict)
gen_armor_tgt_fn = kdc_dict.pop('gen_armor_tgt_fn', None)
@@ -1070,7 +1232,7 @@ class FAST_Tests(KDCBaseTest):
self.assertNotIn('gen_tgt_fn', kdc_dict)
tgt = None
- if expected_error_mode != 0:
+ if len(expected_error_mode) != 0:
check_error_fn = self.generic_check_kdc_error
check_rep_fn = None
else:
@@ -1083,11 +1245,17 @@ class FAST_Tests(KDCBaseTest):
cname = client_cname if rep_type == KRB_AS_REP else None
crealm = client_realm
+ if 'sname' in kdc_dict:
+ sname = kdc_dict.pop('sname')
+ else:
+ if rep_type == KRB_AS_REP:
+ sname = krbtgt_sname
+ else: # KRB_TGS_REP
+ sname = target_sname
+
if rep_type == KRB_AS_REP:
- sname = krbtgt_sname
srealm = krbtgt_realm
else: # KRB_TGS_REP
- sname = target_sname
srealm = target_realm
expected_cname = kdc_dict.pop('expected_cname', client_cname)
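Review bot: the `if 'sname' in kdc_dict` / `pop` pair can be collapsed by computing the default first and then using `kdc_dict.pop('sname', default)`; more importantly, a comment is needed here stating that an explicit `None` means "omit the sname from the request body" rather than "use the default", because the two now look the same to a reader of the test dicts and the distinction is what the new no-sname tests depend on.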
@@ -1207,7 +1375,9 @@ class FAST_Tests(KDCBaseTest):
auth_data = None
if not use_fast:
+ self.assertNotIn('inner_req', kdc_dict)
self.assertNotIn('outer_req', kdc_dict)
+ inner_req = kdc_dict.pop('inner_req', None)
outer_req = kdc_dict.pop('outer_req', None)
if rep_type == KRB_AS_REP:
@@ -1237,6 +1407,7 @@ class FAST_Tests(KDCBaseTest):
armor_tgt=armor_tgt,
armor_subkey=armor_subkey,
kdc_options=kdc_options,
+ inner_req=inner_req,
outer_req=outer_req)
else: # KRB_TGS_REP
kdc_exchange_dict = self.tgs_exchange_dict(
@@ -1265,6 +1436,7 @@ class FAST_Tests(KDCBaseTest):
auth_data=auth_data,
body_checksum_type=None,
kdc_options=kdc_options,
+ inner_req=inner_req,
outer_req=outer_req)
repeat = kdc_dict.pop('repeat', 1)
@@ -1274,7 +1446,7 @@ class FAST_Tests(KDCBaseTest):
realm=crealm,
sname=sname,
etypes=etypes)
- if expected_error_mode == 0:
+ if len(expected_error_mode) == 0:
self.check_reply(rep, rep_type)
fast_cookie = None
@@ -1288,7 +1460,7 @@ class FAST_Tests(KDCBaseTest):
else:
fast_cookie = None
- if expected_error_mode == KDC_ERR_PREAUTH_REQUIRED:
+ if KDC_ERR_PREAUTH_REQUIRED in expected_error_mode:
preauth_etype_info2 = (
kdc_exchange_dict['preauth_etype_info2'])
else:
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index b148fa01f65..f5c1eba9151 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -21,6 +21,7 @@ import os
from datetime import datetime, timezone
import tempfile
import binascii
+import collections
from collections import namedtuple
import ldb
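Review bot: this file now has both `import collections` and `from collections import namedtuple`, and the attribute it goes on to use is `collections.abc.Container`; `import collections.abc` is the form that guarantees the submodule is loaded, whereas a bare `import collections` only exposes `collections.abc` when another module has already imported it.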
@@ -598,7 +599,10 @@ class KDCBaseTest(RawKerberosTest):
"""
self.assertIsNotNone(rep)
self.assertEqual(rep['msg-type'], KRB_ERROR, "rep = {%s}" % rep)
- self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep)
+ if isinstance(expected, collections.abc.Container):
+ self.assertIn(rep['error-code'], expected, "rep = {%s}" % rep)
+ else:
+ self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep)
def tgs_req(self, cname, sname, realm, ticket, key, etypes):
'''Send a TGS-REQ, returns the response and the decrypted and
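Review bot: once `as_exchange_dict` and `tgs_exchange_dict` always store `expected_error_mode` as a tuple, the `else` branch of `generic_check_kdc_error` is reachable only for callers that pass a scalar directly, so either document that this method is also a public entry point that accepts a scalar, or drop the branch and require a container; if the scalar form is kept, note that `assertIn` with a `str` expected value would do a substring test, which the `isinstance(..., collections.abc.Container)` check does not exclude.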
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 17ef8df5daa..6db17f2a118 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -82,6 +82,7 @@ from samba.tests.krb5.rfc4120_constants import (
PADATA_PAC_REQUEST,
PADATA_PK_AS_REQ,
PADATA_PK_AS_REP_19,
+ PADATA_PW_SALT,
PADATA_SUPPORTED_ETYPES
)
import samba.tests.krb5.kcrypto as kcrypto
@@ -1552,6 +1553,9 @@ class RawKerberosTest(TestCaseInTempDir):
expected_error_mode = kdc_exchange_dict['expected_error_mode']
kdc_options = kdc_exchange_dict['kdc_options']
+ # Parameters specific to the inner request body
+ inner_req = kdc_exchange_dict['inner_req']
+
# Parameters specific to the outer request body
outer_req = kdc_exchange_dict['outer_req']
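Review bot: `kdc_exchange_dict['inner_req']` raises `KeyError` for any exchange dict not built by the updated `as_exchange_dict`/`tgs_exchange_dict`; since the changeset is truncated and not every constructor of these dicts is visible, `kdc_exchange_dict.get('inner_req')` would be the safer read, matching the `None` default the constructors use.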
@@ -1581,6 +1585,12 @@ class RawKerberosTest(TestCaseInTempDir):
EncAuthorizationData_usage=EncAuthorizationData_usage)
inner_req_body = dict(req_body)
+ if inner_req is not None:
+ for key, value in inner_req.items():
+ if value is not None:
+ inner_req_body[key] = value
+ else:
+ del inner_req_body[key]
if outer_req is not None:
for key, value in outer_req.items():
if value is not None:
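Review bot: `del inner_req_body[key]` raises `KeyError` when a test asks to remove a field that is not present in the body (for example an optional element that was never populated), so `inner_req_body.pop(key, None)` is the safer form; the loop is also identical to the `outer_req` loop that follows it, and a small `_apply_overrides(body, overrides)` helper would remove the duplication and document the "None means delete" convention in one place.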
@@ -1692,11 +1702,12 @@ class RawKerberosTest(TestCaseInTempDir):
if check_error_fn is not None:
expected_msg_type = KRB_ERROR
self.assertIsNone(check_rep_fn)
- self.assertNotEqual(0, expected_error_mode)
+ self.assertNotEqual(0, len(expected_error_mode))
+ self.assertNotIn(0, expected_error_mode)
if check_rep_fn is not None:
expected_msg_type = rep_msg_type
self.assertIsNone(check_error_fn)
- self.assertEqual(0, expected_error_mode)
+ self.assertEqual(0, len(expected_error_mode))
self.assertIsNotNone(expected_msg_type)
self.assertEqual(msg_type, expected_msg_type)
@@ -1733,7 +1744,13 @@ class RawKerberosTest(TestCaseInTempDir):
armor_subkey=None,
auth_data=None,
kdc_options='',
+ inner_req=None,
outer_req=None):
+ if expected_error_mode == 0:
+ expected_error_mode = ()
+ elif not isinstance(expected_error_mode, collections.abc.Container):
+ expected_error_mode = (expected_error_mode,)
+
kdc_exchange_dict = {
'req_msg_type': KRB_AS_REQ,
'req_asn1Spec': krb5_asn1.AS_REQ,
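Review bot: this hunk uses `collections.abc.Container`, but none of the visible raw_testcase.py hunks add an import of `collections` or `collections.abc`; as the changeset is truncated at 500 lines this may be in an elided hunk, but it is worth confirming, since a missing import would only surface at the first call of `as_exchange_dict`.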
@@ -1764,6 +1781,7 @@ class RawKerberosTest(TestCaseInTempDir):
'armor_subkey': armor_subkey,
'auth_data': auth_data,
'kdc_options': kdc_options,
+ 'inner_req': inner_req,
'outer_req': outer_req
}
if expected_cname_private is not None:
@@ -1801,7 +1819,13 @@ class RawKerberosTest(TestCaseInTempDir):
auth_data=None,
body_checksum_type=None,
kdc_options='',
+ inner_req=None,
outer_req=None):
+ if expected_error_mode == 0:
+ expected_error_mode = ()
+ elif not isinstance(expected_error_mode, collections.abc.Container):
+ expected_error_mode = (expected_error_mode,)
+
kdc_exchange_dict = {
'req_msg_type': KRB_TGS_REQ,
'req_asn1Spec': krb5_asn1.TGS_REQ,
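Review bot: the four-line normalisation of `expected_error_mode` here is a verbatim copy of the one in `as_exchange_dict` above (and of a third copy in fast_tests.py); a single module-level helper such as `_normalise_expected_error_mode(mode)` returning the tuple would keep the three call sites from drifting apart.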
@@ -1832,6 +1856,7 @@ class RawKerberosTest(TestCaseInTempDir):
'auth_data': auth_data,
'authenticator_subkey': authenticator_subkey,
'kdc_options': kdc_options,
+ 'inner_req': inner_req,
'outer_req': outer_req
}
if expected_cname_private is not None:
@@ -1928,7 +1953,8 @@ class RawKerberosTest(TestCaseInTempDir):
self.check_rep_padata(kdc_exchange_dict,
--
Samba Shared Repository