authorJoseph Sutton <josephsutton@catalyst.net.nz>2021-07-27 14:42:57 +1200
committerAndrew Bartlett <abartlet@samba.org>2021-08-18 22:28:34 +0000
commitd878bd6404d26c8be45bb2016ec206ed79d4ef6e (patch)
tree92e34c9a6b8e76f021db3e5c3c8fe908917cce8e /python
parent4ca05402b36ba13a987b07b2402906764d3cd49b (diff)
tests/krb5: Check FAST response
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'python')
-rw-r--r--python/samba/tests/krb5/raw_testcase.py41
1 files changed, 39 insertions, 2 deletions
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index da38a9dfa62..ab1f711cde1 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -67,6 +67,7 @@ from samba.tests.krb5.rfc4120_constants import (
PADATA_ETYPE_INFO,
PADATA_ETYPE_INFO2,
PADATA_FOR_USER,
+ PADATA_FX_FAST,
PADATA_KDC_REQ,
PADATA_PAC_REQUEST,
PADATA_PK_AS_REQ,
@@ -1827,6 +1828,7 @@ class RawKerberosTest(TestCaseInTempDir):
check_kdc_private_fn = kdc_exchange_dict['check_kdc_private_fn']
rep_encpart_asn1Spec = kdc_exchange_dict['rep_encpart_asn1Spec']
msg_type = kdc_exchange_dict['rep_msg_type']
+ armor_key = kdc_exchange_dict['armor_key']
self.assertElementEqual(rep, 'msg-type', msg_type) # AS-REP | TGS-REP
padata = self.getElementValue(rep, 'padata')
@@ -1862,6 +1864,8 @@ class RawKerberosTest(TestCaseInTempDir):
self.assertElementPresent(encpart, 'cipher')
encpart_cipher = self.getElementValue(encpart, 'cipher')
+ ticket_checksum = None
+
encpart_decryption_key = None
self.assertIsNotNone(check_padata_fn)
if check_padata_fn is not None:
@@ -1870,6 +1874,33 @@ class RawKerberosTest(TestCaseInTempDir):
check_padata_fn(kdc_exchange_dict, callback_dict,
rep, padata))
+ if armor_key is not None:
+ pa_dict = self.get_pa_dict(padata)
+
+ if PADATA_FX_FAST in pa_dict:
+ fx_fast_data = pa_dict[PADATA_FX_FAST]
+ fast_response = self.check_fx_fast_data(kdc_exchange_dict,
+ fx_fast_data,
+ armor_key,
+ finished=True)
+
+ if 'strengthen-key' in fast_response:
+ strengthen_key = self.EncryptionKey_import(
+ fast_response['strengthen-key'])
+ encpart_decryption_key = (
+ self.generate_strengthen_reply_key(
+ strengthen_key,
+ encpart_decryption_key))
+
+ fast_finished = fast_response.get('finished', None)
+ if fast_finished is not None:
+ ticket_checksum = fast_finished['ticket-checksum']
+
+ self.check_rep_padata(kdc_exchange_dict,
+ callback_dict,
+ rep,
+ fast_response['padata'])
+
ticket_private = None
self.assertIsNotNone(ticket_decryption_key)
if ticket_decryption_key is not None:
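Review bot: An armored request whose reply carries no PA-FX-FAST element passes this block untouched, because `if PADATA_FX_FAST in pa_dict:` simply skips it; a KDC that dropped FAST protection on the reply would not fail the test. Unless some callers deliberately expect an unarmored reply, assert the element instead: `self.assertIn(PADATA_FX_FAST, pa_dict)`. Similarly, `finished=True` is passed to check_fx_fast_data, yet `fast_response.get('finished', None)` tolerates a missing field, which leaves `ticket_checksum` as None so the later `if ticket_checksum is not None:` guard skips verify_ticket_checksum; whether check_fx_fast_data already asserts its presence is not visible here. The enclosing method starts and ends outside the hunk.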
@@ -1908,7 +1939,8 @@ class RawKerberosTest(TestCaseInTempDir):
self.assertIsNotNone(check_kdc_private_fn)
if check_kdc_private_fn is not None:
check_kdc_private_fn(kdc_exchange_dict, callback_dict,
- rep, ticket_private, encpart_private)
+ rep, ticket_private, encpart_private,
+ ticket_checksum)
return rep
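Review bot: The extra positional argument changes the contract of every `check_kdc_private_fn` callback, not only the one updated in this commit. The function is looked up from `kdc_exchange_dict`, so a test that supplies its own callback with the old five-argument signature would presumably fail with a TypeError. Documenting the parameter where the callback is described would help, e.g. `# ticket_checksum: 'ticket-checksum' from the FAST finished field, or None if the reply had none`. The enclosing method starts outside the hunk.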
@@ -1947,7 +1979,8 @@ class RawKerberosTest(TestCaseInTempDir):
callback_dict,
rep,
ticket_private,
- encpart_private):
+ encpart_private,
+ ticket_checksum):
expected_crealm = kdc_exchange_dict['expected_crealm']
expected_cname = kdc_exchange_dict['expected_cname']
@@ -1957,6 +1990,10 @@ class RawKerberosTest(TestCaseInTempDir):
ticket = self.getElementValue(rep, 'ticket')
+ if ticket_checksum is not None:
+ armor_key = kdc_exchange_dict['armor_key']
+ self.verify_ticket_checksum(ticket, ticket_checksum, armor_key)
+
ticket_session_key = None
if ticket_private is not None:
self.assertElementPresent(ticket_private, 'flags')