authorJoseph Sutton <josephsutton@catalyst.net.nz>2021-11-18 13:44:32 +1300
committerAndrew Bartlett <abartlet@samba.org>2021-12-07 07:40:33 +0000
commitdfe6ef6f3ec61a99e4f067d26dc1abae5adf5cce (patch)
treed38c19fbdf81830239a93004266f29dc5f05d74d /python
parent9c050a4a03a8bb1dd8b25a1e800942ce1da68710 (diff)
tests/krb5: Add tests for FAST with use-session-key flag and armor ticket
This flag should be ignored and the FAST armor key used instead. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python')
-rwxr-xr-xpython/samba/tests/krb5/fast_tests.py40
-rw-r--r--python/samba/tests/krb5/raw_testcase.py17
2 files changed, 55 insertions, 2 deletions
diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
index a27955e0d35..ee9d932e38a 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -640,6 +640,42 @@ class FAST_Tests(KDCBaseTest):
}
])
+ def test_fast_session_key(self):
+ # Ensure that specified APOptions are ignored.
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+ 'use_fast': True,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'fast_ap_options': str(krb5_asn1.APOptions('use-session-key'))
+ },
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': True,
+ 'gen_padata_fn': self.generate_enc_challenge_padata,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'fast_ap_options': str(krb5_asn1.APOptions('use-session-key'))
+ }
+ ])
+
+ def test_fast_tgs_armor_session_key(self):
+ # Ensure that specified APOptions are ignored.
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_TGS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': True,
+ 'gen_tgt_fn': self.get_user_tgt,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'fast_ap_options': str(krb5_asn1.APOptions('use-session-key'))
+ }
+ ])
+
def test_fast_outer_wrong_realm(self):
self._run_test_sequence([
{
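Review bot: The comment on both new tests, `# Ensure that specified APOptions are ignored.`, is broader than what they exercise: only `use-session-key` is set, and only on the armor AP-REQ through `fast_ap_options`. I would name the flag and the expected behaviour, for example `# use-session-key on the armor AP-REQ must be ignored; the KDC should still use the FAST armor key.` The literal `str(krb5_asn1.APOptions('use-session-key'))` appears three times and could be bound once to a local or class constant. In these lines the tests only pin the reply type and error code; whether the reply is actually verified against the armor key depends on `_run_test_sequence`, which lies outside the hunk and is worth confirming.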
@@ -1420,6 +1456,8 @@ class FAST_Tests(KDCBaseTest):
if unexpected_flags is not None:
unexpected_flags = krb5_asn1.TicketFlags(unexpected_flags)
+ fast_ap_options = kdc_dict.pop('fast_ap_options', None)
+
if rep_type == KRB_AS_REP:
kdc_exchange_dict = self.as_exchange_dict(
expected_crealm=expected_crealm,
@@ -1454,6 +1492,7 @@ class FAST_Tests(KDCBaseTest):
outer_req=outer_req,
pac_request=True,
pac_options=pac_options,
+ fast_ap_options=fast_ap_options,
expect_edata=expect_edata)
else: # KRB_TGS_REP
kdc_exchange_dict = self.tgs_exchange_dict(
@@ -1488,6 +1527,7 @@ class FAST_Tests(KDCBaseTest):
outer_req=outer_req,
pac_request=None,
pac_options=pac_options,
+ fast_ap_options=fast_ap_options,
expect_edata=expect_edata)
repeat = kdc_dict.pop('repeat', 1)
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 78d79d2f320..4171ead34d4 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2039,6 +2039,8 @@ class RawKerberosTest(TestCaseInTempDir):
outer_req=None,
pac_request=None,
pac_options=None,
+ ap_options=None,
+ fast_ap_options=None,
expect_edata=None,
expect_pac=True,
expect_claims=True,
@@ -2095,6 +2097,8 @@ class RawKerberosTest(TestCaseInTempDir):
'outer_req': outer_req,
'pac_request': pac_request,
'pac_options': pac_options,
+ 'ap_options': ap_options,
+ 'fast_ap_options': fast_ap_options,
'expect_edata': expect_edata,
'expect_pac': expect_pac,
'expect_claims': expect_claims,
@@ -2146,6 +2150,8 @@ class RawKerberosTest(TestCaseInTempDir):
outer_req=None,
pac_request=None,
pac_options=None,
+ ap_options=None,
+ fast_ap_options=None,
expect_edata=None,
expect_pac=True,
expect_claims=True,
@@ -2203,6 +2209,8 @@ class RawKerberosTest(TestCaseInTempDir):
'outer_req': outer_req,
'pac_request': pac_request,
'pac_options': pac_options,
+ 'ap_options': ap_options,
+ 'fast_ap_options': fast_ap_options,
'expect_edata': expect_edata,
'expect_pac': expect_pac,
'expect_claims': expect_claims,
@@ -3151,8 +3159,13 @@ class RawKerberosTest(TestCaseInTempDir):
usage,
authenticator_blob)
- ap_options = krb5_asn1.APOptions('0')
- ap_req_obj = self.AP_REQ_create(ap_options=str(ap_options),
+ if armor:
+ ap_options = kdc_exchange_dict['fast_ap_options']
+ else:
+ ap_options = kdc_exchange_dict['ap_options']
+ if ap_options is None:
+ ap_options = str(krb5_asn1.APOptions('0'))
+ ap_req_obj = self.AP_REQ_create(ap_options=ap_options,
ticket=tgt.ticket,
authenticator=authenticator)
ap_req = self.der_encode(ap_req_obj, asn1Spec=krb5_asn1.AP_REQ())
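Review bot: The value read from `kdc_exchange_dict` is passed to `AP_REQ_create` unchanged, whereas the removed lines always applied `str()` to an `APOptions` object, so the expected type of `ap_options` and `fast_ap_options` is now an undocumented contract. A caller that passes `krb5_asn1.APOptions('use-session-key')` instead of its `str()` form would hand `AP_REQ_create` a different type, and a test meant to exercise a flag might then encode something else. I would document it where the parameters are declared, e.g. `# ap_options / fast_ap_options: str(krb5_asn1.APOptions(...)) bit string, or None for no flags`. The direct lookups `kdc_exchange_dict['fast_ap_options']` and `kdc_exchange_dict['ap_options']` also assume every exchange dict carries both keys. That holds for `as_exchange_dict` and `tgs_exchange_dict` as patched here, but should be checked for any dict built elsewhere. The enclosing function starts and ends outside the hunk.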