From 53caae00b824e1fe67a67978a5ad604964f10c7a Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Mon, 12 Jun 2023 13:06:21 +1200
Subject: [PATCH] tests/krb5: Test that FX-COOKIE matches cookie returned by Windows

The cookie produced by Windows differs depending on whether FAST was used.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
---
 python/samba/tests/krb5/fast_tests.py | 87 +++++++++++++++++++++++++++++++++++
 selftest/knownfail_heimdal_kdc | 3 ++
 selftest/knownfail_mit_kdc | 3 ++
 3 files changed, 93 insertions(+)

diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
index e57ea5e1c4b..1c4b5256cef 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -1418,6 +1418,86 @@ class FAST_Tests(KDCBaseTest):
 }
 ])
 
+ def test_fx_cookie_fast(self):
+ """Test that the FAST cookie is present and that its value is as
+ expected when FAST is used."""
+ kdc_exchange_dict = self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+ 'use_fast': True,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt
+ },
+ ])
+
+ cookie = kdc_exchange_dict.get('fast_cookie')
+ self.assertEqual(b'Microsoft', cookie)
+
+ def test_fx_cookie_no_fast(self):
+ """Test that the FAST cookie is present and that its value is as
+ expected when FAST is not used."""
+ kdc_exchange_dict = self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+ 'use_fast': False
+ },
+ ])
+
+ cookie = kdc_exchange_dict.get('fast_cookie')
+ self.assertEqual(b'Microsof\x00', cookie)
+
+ def test_unsolicited_fx_cookie_preauth(self):
+ """Test sending an unsolicited FX-COOKIE in an AS-REQ without
+ pre-authentication data."""
+
+ # Include a FAST cookie.
+ fast_cookie = self.create_fast_cookie('Samba-Test')
+
+ kdc_exchange_dict = self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+ 'use_fast': True,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'fast_cookie': fast_cookie,
+ },
+ ])
+
+ got_cookie = kdc_exchange_dict.get('fast_cookie')
+ self.assertEqual(b'Microsoft', got_cookie)
+
+ def test_unsolicited_fx_cookie_fast(self):
+ """Test sending an unsolicited FX-COOKIE in an AS-REQ with
+ pre-authentication data."""
+
+ # Include a FAST cookie.
+ fast_cookie = self.create_fast_cookie('Samba-Test')
+
+ kdc_exchange_dict = self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+ 'use_fast': True,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ },
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': True,
+ 'gen_padata_fn': self.generate_enc_challenge_padata,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'fast_cookie': fast_cookie,
+ }
+ ])
+
+ got_cookie = kdc_exchange_dict.get('fast_cookie')
+ self.assertIsNone(got_cookie)
+
 def generate_enc_timestamp_padata(self,
 kdc_exchange_dict,
 callback_dict,
@@ -1697,6 +1777,11 @@ class FAST_Tests(KDCBaseTest):
 preauth_key = None
 
 if use_fast:
+ try:
+ fast_cookie = kdc_dict.pop('fast_cookie')
+ except KeyError:
+ pass
+
 generate_fast_padata_fn = gen_padata_fn
 generate_padata_fn = (functools.partial(_generate_padata_copy,
 padata=[fast_cookie])
@@ -1869,6 +1954,8 @@ class FAST_Tests(KDCBaseTest):
 # Ensure we used all the parameters given to us.
 self.assertEqual({}, kdc_dict)
 
+ return kdc_exchange_dict
+
 def generate_enc_pa_rep_padata(self,
 kdc_exchange_dict,
 callback_dict,
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 4dcd20107ba..7fb46ae05d8 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
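Review bot: The expected values `b'Microsoft'` and `b'Microsof\x00'` asserted in test_fx_cookie_fast and test_fx_cookie_no_fast are bare magic bytes; the commit message says they reproduce what Windows returns with and without FAST, but nothing in the test body records that, and the same tests are added to knownfail for the Heimdal and MIT KDCs, so a future reader cannot tell whether a failure is a regression or an unimplemented Windows quirk. A comment above each assertion would keep the intent next to the value, e.g. `# Windows returns this exact cookie when FAST is used; the Samba KDCs do not reproduce it yet (see knownfail).` and, in the no-FAST case, `# Without FAST, Windows returns the cookie NUL-terminated in place of the final 't'.` The two unsolicited-cookie tests would also benefit from one line stating what they guard, which from the assertions appears to be that the KDC replaces a client-supplied FX-COOKIE with its own value rather than echoing or honouring it: test_unsolicited_fx_cookie_preauth still expects `b'Microsoft'`, and test_unsolicited_fx_cookie_fast expects no cookie at all on the successful second exchange, presumably because a non-error AS-REP carries none. Finally, the name test_unsolicited_fx_cookie_preauth sits oddly beside its docstring "without pre-authentication data"; either the name or the wording should be aligned.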
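Review bot: The four-line `try:` / `fast_cookie = kdc_dict.pop('fast_cookie')` / `except KeyError:` / `pass` in _run_test_sequence collapses to the single line `fast_cookie = kdc_dict.pop('fast_cookie', fast_cookie)`, since `fast_cookie` is already referenced on the unchanged `padata=[fast_cookie]` line and so appears to be bound earlier in the method, which starts outside the hunk. Note also that the pop only runs under `if use_fast:`, so a step that supplies `'fast_cookie'` together with `'use_fast': False` leaves the key in kdc_dict and later trips the leftover-parameter check `self.assertEqual({}, kdc_dict)` with a message that does not name the cause; if that combination is meant to be rejected, an explicit check with a reason would read better, and if it is meant to be accepted the pop should move above the `if`.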
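Review bot: The new `return kdc_exchange_dict` turns _run_test_sequence into a method with a result, but its docstring, which lies outside the hunk, is not updated to describe it; add a line such as `Returns the kdc_exchange_dict of the final exchange in the sequence.` Because the collapsed hunk has lost its indentation I cannot confirm from here that the return sits after the per-step body rather than inside it, and if the steps are iterated in a loop, an empty sequence would leave `kdc_exchange_dict` unbound at the return, so either initialising it before the loop or documenting that the sequence must be non-empty would make the new contract safe. The enclosing method starts outside the hunk.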
@@ -17,7 +17,10 @@
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_enc_pa_rep.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_enc_pa_rep.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fx_cookie_fast.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fx_cookie_no_fast.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unsolicited_fx_cookie_preauth.ad_dc
 #
 # S4U tests
 #
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 6b6482f3295..9c5b76cac5a 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -262,10 +262,13 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_enc_pa_rep.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_rodc_issued_armor.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fx_cookie_fast.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fx_cookie_no_fast.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_no_auth_data.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unsolicited_fx_cookie_preauth.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc
 #
-- 
2.11.4.GIT