a {a,@s&ddlZddlZddlZddlZddlZddlmZddlmZddl m Z ddl m Z m Z mZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZddlm m!m"Z#ddl$m m!m%Z%ej&'dddej(d<d Z)d Z*Gd d d e Z+e,d kr"d Z)d Z*ddl-Z-e-.dS) N)security)Krb5EncryptionKey) KDCBaseTest)AD_FX_FAST_ARMORAD_FX_FAST_USEDAES256_CTS_HMAC_SHA1_96ARCFOUR_HMAC_MD5FX_FAST_ARMOR_AP_REQUESTKDC_ERR_ETYPE_NOSUPPKDC_ERR_GENERICKDC_ERR_S_PRINCIPAL_UNKNOWNKDC_ERR_NOT_USKDC_ERR_PREAUTH_FAILEDKDC_ERR_PREAUTH_REQUIRED%KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS KRB_AS_REP KRB_TGS_REP NT_PRINCIPAL NT_SRV_HST NT_SRV_INSTPADATA_FX_COOKIEPADATA_FX_FASTz bin/python1ZPYTHONUNBUFFEREDFcsxeZdZefddZfddZddZddZd d Zd d Z d dZ ddZ ddZ ddZ ddZddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zd1d2Zd3d4Zd5d6Zd7d8Zd9d:Z d;d<Z!d=d>Z"d?d@Z#dAdBZ$dCdDZ%dEdFZ&dGdHZ'dIdJZ(dKdLZ)dMdNZ*dOdPZ+dQdRZ,dSdTZ-dUdVZ.dWdXZ/dYdZZ0d[d\Z1d]d^Z2d_d`Z3dadbZ4dcddZ5dedfZ6dgdhZ7didjZ8dkdlZ9dmdnZ:dodpZ;dqdrZdwdxZ?ddzd{Z@d|d}ZAd~dZBddZCdddZDddZEddZFddZGddZHddZIddZJddZKddZLddZMddZNZOS) FAST_Testscs&td|_d|_d|_d|_dSN)super setUpClassuser_tgtuser_service_ticketmach_tgtmach_service_ticket)cls __class__=/usr/lib/python3/dist-packages/samba/tests/krb5/fast_tests.pyr>s  zFAST_Tests.setUpClasscstt|_t|_dSr)rsetUpglobal_asn1_printZ do_asn1_printglobal_hexdumpZ do_hexdumpselfr"r$r%r&Hs zFAST_Tests.setUpcCs&|ttddtdd|jdgdS)NF)rep_typeexpected_error_modeuse_fastr)r+r,r- gen_padata_fn)_run_test_sequencerrgenerate_enc_timestamp_padatar)r$r$r% test_simpleMszFAST_Tests.test_simplecCs|tdd|jdgdSNrFr+r,r- gen_tgt_fnr/r get_user_tgtr)r$r$r%test_simple_tgs\szFAST_Tests.test_simple_tgsc Cs*|}|tttfdd|ddgdS)NF)r+r,r-snameexpected_sname expect_edata)get_krbtgt_snamer/rr r r*r9r$r$r%test_simple_no_snamefszFAST_Tests.test_simple_no_snamec Cs.|}|tttfd|jd|ddgdS)NF)r+r,r-r4r8r9r:r;r/rr r r6r<r$r$r%test_simple_tgs_no_snametsz#FAST_Tests.test_simple_tgs_no_snamec Cs*|}|ttdt|jd|dgdS)NT)r+r,r- fast_armorgen_armor_tgt_fnr8r9)r;r/rr r get_mach_tgtr<r$r$r%test_fast_no_snameszFAST_Tests.test_fast_no_snamec Cs.|}|tttfd|jdd|dgdS)NT)r+r,r-r4r@r8r9r>r<r$r$r%test_fast_tgs_no_snamesz!FAST_Tests.test_fast_tgs_no_snamecCs|tdd|jdgdSr2)r/rrBr)r$r$r%test_simple_tgs_wrong_principalsz*FAST_Tests.test_simple_tgs_wrong_principalcCs|ttd|jddgdSNF)r+r,r-r4r:r/rr get_user_service_ticketr)r$r$r%test_simple_tgs_service_ticketsz)FAST_Tests.test_simple_tgs_service_ticketcCs|ttd|jddgdSrFr/rr get_mach_service_ticketr)r$r$r%#test_simple_tgs_service_ticket_machsz.FAST_Tests.test_simple_tgs_service_ticket_machc Cs6|ttdt|jddtdd|jt|jddgdS)NT0)r+r,r-r@rA pac_optionsr)r+r,r-r.r@rArNr/rrr rBgenerate_enc_challenge_padatar)r$r$r%test_fast_no_claimss" zFAST_Tests.test_fast_no_claimsc Cs |tdd|jdddgdS)NrTrM)r+r,r-r4r@rNr5r)r$r$r%test_fast_tgs_no_claimssz"FAST_Tests.test_fast_tgs_no_claimsc Cs:|ttdt|jdddtdd|jt|jdddgdS)NTrM)r+r,r-r@rArN kdc_optionsr)r+r,r-r.r@rArNrSrOr)r$r$r%test_fast_no_claims_or_canons& z'FAST_Tests.test_fast_no_claims_or_canonc Cs"|tdd|jddddgdS)NrTrM)r+r,r-r4r@rNrSr5r)r$r$r% test_fast_tgs_no_claims_or_canonsz+FAST_Tests.test_fast_tgs_no_claims_or_canonc Cs6|ttdt|jddtdd|jt|jddgdS)NTrM)r+r,r-r@rArSr)r+r,r-r.r@rArSrOr)r$r$r%test_fast_no_canons" zFAST_Tests.test_fast_no_canonc Cs |tdd|jdddgdS)NrTrM)r+r,r-r4r@rSr5r)r$r$r%test_fast_tgs_no_canonsz!FAST_Tests.test_fast_tgs_no_canonc Cs |ttd|jdddgdS)NFr$)r+r,r-r4etypesr:r/rr rBr)r$r$r%test_simple_tgs_no_etypes'sz$FAST_Tests.test_simple_tgs_no_etypesc Cs |ttd|jdddgdS)NTr$)r+r,r-r4r@rXrYr)r$r$r%test_fast_tgs_no_etypes3sz"FAST_Tests.test_fast_tgs_no_etypescCs|ttdddgdS)NFr$)r+r,r-rX)r/rr r)r$r$r%test_simple_no_etypes?sz FAST_Tests.test_simple_no_etypesc Cs |ttdt|jddgdS)NTr$)r+r,r-r@rArX)r/rr r rBr)r$r$r%test_simple_fast_no_etypesIsz%FAST_Tests.test_simple_fast_no_etypesc Cs$|ttd|jd|jddgdS)NTF)r+r,r- gen_fast_fnr@rAr:)r/rr generate_empty_fastrBr)r$r$r%test_empty_fastUszFAST_Tests.test_empty_fastc Cs |ttddt|jdgdS)NTZ001)r+r,r- fast_optionsr@rA)r/rrr rBr)r$r$r%!test_fast_unknown_critical_optiondsz,FAST_Tests.test_fast_unknown_critical_optionc Cs |ttdd|jddgdS)NTF)r+r,r-r@rAr:)r/rr rBr)r$r$r%test_unarmored_as_reqpsz FAST_Tests.test_unarmored_as_reqcCs|ttdd|jdgdS)NTrr+r,r-r@rAr/rrrBr)r$r$r%test_fast_invalid_armor_type|sz'FAST_Tests.test_fast_invalid_armor_typecCs|ttdd|jdgdS)NTrdrer)r$r$r%test_fast_invalid_armor_type2sz(FAST_Tests.test_fast_invalid_armor_type2c Cs2|ttdt|jdtdd|jt|jdgdSNTrdrr+r,r-r.r@rArOr)r$r$r%test_fast_encrypted_challengesz(FAST_Tests.test_fast_encrypted_challengec Cs2|ttdt|jdttd|jt|jdgdSNTrdrj)r/rrr rBr'generate_enc_challenge_padata_wrong_keyr)r$r$r%'test_fast_encrypted_challenge_wrong_keysz2FAST_Tests.test_fast_encrypted_challenge_wrong_keyc Cs2|ttdt|jdttd|jt|jdgdSrl)r/rrr rBr+generate_enc_challenge_padata_wrong_key_kdcr)r$r$r%+test_fast_encrypted_challenge_wrong_key_kdcsz6FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdcc Cs<|ttdt|jdtddtj|jddt|jdgdS)NTrdri'skewrj)r/rrr rB functoolspartialrPr)r$r$r%(test_fast_encrypted_challenge_clock_skews$z3FAST_Tests.test_fast_encrypted_challenge_clock_skewc Cs2|ttdt|jdtdd|jt|jdgdSri)r/rrr rHrPr)r$r$r%test_fast_invalid_tgtsz FAST_Tests.test_fast_invalid_tgtc Cs2|ttdt|jdtdd|jt|jdgdSri)r/rrr rKrPr)r$r$r%test_fast_invalid_tgt_machsz%FAST_Tests.test_fast_invalid_tgt_machc Cs2|ttdt|jdttd|jt|jdgdSrl)r/rrr rBr0r)r$r$r%test_fast_enc_timestampsz"FAST_Tests.test_fast_enc_timestampc Cs2|ttdt|jdtdd|jt|jdgdSrirOr)r$r$r% test_fast'szFAST_Tests.test_fastcCs|tdd|jddgdS)NrTr+r,r-r4r@r5r)r$r$r% test_fast_tgs:szFAST_Tests.test_fast_tgsc Cs"|tdd|j|jtdgdS)NrT)r+r,r-r4rAr@)r/rr6rBr r)r$r$r%test_fast_tgs_armorEszFAST_Tests.test_fast_tgs_armorc Cs>|ttdt|jddidtdd|jt|jddidgdS)NTrealmTESTr+r,r-r@rA outer_reqrr+r,r-r.r@rArrOr)r$r$r%test_fast_outer_wrong_realmQs& z&FAST_Tests.test_fast_outer_wrong_realmc Cs$|tdd|jdddidgdS)NrTr}r~r+r,r-r4r@rr5r)r$r$r%test_fast_tgs_outer_wrong_realmjsz*FAST_Tests.test_fast_tgs_outer_wrong_realmc Cs>|ttdt|jddidtdd|jt|jddidgdS)NTnonce123rrrrOr)r$r$r%test_fast_outer_wrong_noncexs& z&FAST_Tests.test_fast_outer_wrong_noncec Cs$|tdd|jdddidgdS)NrTrrrr5r)r$r$r%test_fast_tgs_outer_wrong_noncesz*FAST_Tests.test_fast_tgs_outer_wrong_noncec Cs>|ttdt|jddidtdd|jt|jddidgdS)NT kdc-options11111111111111111rrrrOr)r$r$r%test_fast_outer_wrong_flagss& z&FAST_Tests.test_fast_outer_wrong_flagsc Cs$|tdd|jdddidgdS)NrTrrrr5r)r$r$r%test_fast_tgs_outer_wrong_flagssz*FAST_Tests.test_fast_tgs_outer_wrong_flagsc Cs>|ttdt|jddidtdd|jt|jddidgdS)NTr8rrrrOr)r$r$r%test_fast_outer_no_snames& z#FAST_Tests.test_fast_outer_no_snamec Cs$|tdd|jdddidgdS)NrTr8rr5r)r$r$r%test_fast_tgs_outer_no_snamesz'FAST_Tests.test_fast_tgs_outer_no_snamec Cs>|ttdt|jddidtdd|jt|jddidgdS)NTtill15000101000000ZrrrrOr)r$r$r%test_fast_outer_wrong_tills& z%FAST_Tests.test_fast_outer_wrong_tillc Cs$|tdd|jdddidgdS)NrTrrrr5r)r$r$r%test_fast_tgs_outer_wrong_tillsz)FAST_Tests.test_fast_tgs_outer_wrong_tillc Cs"|tdd|j|jddgdS)NrT)r+r,r-gen_authdata_fnr4r@)r/rgenerate_fast_used_auth_datar6r)r$r$r%test_fast_authdata_fast_usedsz'FAST_Tests.test_fast_authdata_fast_usedc Cs0|tdd|jdttd|j|jddgdS)NrFr3)r+r,r-rr4r:)r/rr6r rr)r$r$r% test_fast_authdata_fast_not_used sz+FAST_Tests.test_fast_authdata_fast_not_usedc Cs>|}|tdd|jddttd|j|jd|ddgdS)NrTrzF)r+r,r-rr4r@r9r:)r;r/rr6r generate_fast_armor_auth_datar<r$r$r%test_fast_ad_fx_fast_armor9s$ z%FAST_Tests.test_fast_ad_fx_fast_armorc Cs6|ttdt|jdtdd|j|jt|jdgdS)NTrdr)r+r,r-r.rr@rA)r/rrr rBrPrr)r$r$r%test_fast_ad_fx_fast_armor2Us z&FAST_Tests.test_fast_ad_fx_fast_armor2c Cs:|}|tdd|jddttd|jd|ddgdS)NrTrzF)r+r,r-r4r@r9r:)r;r/rr6r gen_tgt_fast_armor_auth_datar<r$r$r%!test_fast_ad_fx_fast_armor_ticketls" z,FAST_Tests.test_fast_ad_fx_fast_armor_ticketc Cs2|ttdt|jdtdd|jt|jdgdSri)r/rrr rBrPrr)r$r$r%"test_fast_ad_fx_fast_armor_ticket2sz-FAST_Tests.test_fast_ad_fx_fast_armor_ticket2cCs|ttd|jddgdSNTrzrGr)r$r$r%test_fast_tgs_service_ticketsz'FAST_Tests.test_fast_tgs_service_ticketcCs|ttd|jddgdSrrJr)r$r$r%!test_fast_tgs_service_ticket_machsz,FAST_Tests.test_fast_tgs_service_ticket_machcCs|tdd|jddgdS)NrF)r+r,r-r4include_subkeyr5r)r$r$r%test_simple_tgs_no_subkeysz$FAST_Tests.test_simple_tgs_no_subkeyc Cs,|}|ttd|jdd|ddgdS)NTF)r+r,r-r4r@rr9r:)r;r/rr r6r<r$r$r%test_fast_tgs_no_subkeysz"FAST_Tests.test_fast_tgs_no_subkeyc Cs:|ttdt|jdddtdd|jt|jdddgdS)NT01)r+r,r-r@rAra expected_anonr)r+r,r-r.r@rArarrOr)r$r$r%test_fast_hide_client_namess& z&FAST_Tests.test_fast_hide_client_namesc Cs"|tdd|jddddgdS)NrTr)r+r,r-r4r@rarr5r)r$r$r%test_fast_tgs_hide_client_namessz*FAST_Tests.test_fast_tgs_hide_client_namesc Cs4|ttdt|jdtdd|jt|jddgdS)NTrdrrg)r+r,r-r.r@rArepeat)r/rrr rB$generate_enc_challenge_padata_replayr)r$r$r%$test_fast_encrypted_challenge_replays z/FAST_Tests.test_fast_encrypted_challenge_replaycCs|d}||}|g|fSN preauth_key)Z"get_enc_timestamp_pa_data_from_keyr*kdc_exchange_dict callback_dictreq_bodykeypadatar$r$r%r0s z(FAST_Tests.generate_enc_timestamp_padatarc Cs4|d}|d}|||}|j||d}|g|fS)N armor_keyrrq)generate_client_challenge_keyget_challenge_pa_data) r*rrrrrrrclient_challenge_keyrr$r$r%rPs  z(FAST_Tests.generate_enc_challenge_padatacCs0|d}|d}|||}||}|g|fS)Nrr)Zgenerate_kdc_challenge_keyr)r*rrrrrZkdc_challenge_keyrr$r$r%ro$s   z6FAST_Tests.generate_enc_challenge_padata_wrong_key_kdccCs|d}||}|g|fSr)rrr$r$r%rm0s z2FAST_Tests.generate_enc_challenge_padata_wrong_keycCsJ|d}|dur@|d}|d}|||}||}||d<|g|fS)NZ replay_padatarr)getrr)r*rrrrrrrr$r$r%r9s   z/FAST_Tests.generate_enc_challenge_padata_replayc Cs|td}|SN)PA_DATA_creater) r*_kdc_exchange_dict_callback_dictZ _req_bodyZ _fast_padataZ _fast_armorZ _checksumZ _fast_optionsZ fast_padatar$r$r%r_Js zFAST_Tests.generate_empty_fastcG$Cs|jr|ttd}|}|}|}|}| }|j t |gd}|} | } |j t | | gd} | |} |j} |dd}| }d}|j t||gd}| |}|j}d}d}|D]}|d}||ttf|d}|dkr d}nt|tjjs |f}|D]}||td q$|d }|t|t|r|d ||d }|dur|d |nt|vr|d ||d d}|dur|}nd}|d d}nd}d}|d |d}|tkr|d}|} n|d|d} t|dkr.|j}!d}"n d}!|j }"|dt!t"f}#|tkrV|nd}$|}%d|vrt|d}&n|tkr| }&n|}&|tkr| }'n|}'|tkr| j#}(n|}(|dd})|)dur|$||d|(}*|dd}+|d|},|d|&}-|d|'}.|%}/|&t'j(j)}0|tkrR|rH|*|0|j+}1|0}2nd}1|0}2nX|dur|&t'j(j)}2|*|2|j+}3t',|3j-|0j-dd}1t.|1d}1n|*|0| j+}1|0}2|ddsd}0|r|dd}4|4durt/j0|j1|d}4nd}4|dur|j2nd}5dd }6|d!d"}7|d#|}8|d$d}9|tkrd|9durd|3||4||d|5}:nd}:|r|9};|durt/j0|6|gd%nd}nd}>|s|d'||d(||d'd}?|d(d}@|d)d}A|Adurt6|A}A|d*d}B|Bdur4t6|B}B|tkr|j7|,|*|+|.|-| |A|B| |4|5|;||<|!|"|j8i||#|/|0|:|>|1||2|8|?|@d|7|)d+!}CnL|j9|,|*|+|.|-||A|B||4|5|;||<|!|"|j8|i| |1||2|0|>d|8|?|@d|7|)d, }C|d-d.}Dt|DD]}E|j:|C|$|%|&|#d/}Ft|dkr*|;|F|d}d}nB|<|F|d0|CvrP|=|Cd0}nd}t>|vrh|Cd1}nd}q|?i|qdS)2Nz/forwardable,renewable,canonicalize,renewable-ok)Z name_typenamesZhostr+r,rr$r-r@rArarr4rXr8r:expected_cnamerFexpected_crealmr9expected_srealms explicitarmorstgsarmorrTr^)racSs t||fSr)list)rrrrr$r$r%_generate_padata_copysz._generate_padata_copyrNrrSr.)rr inner_reqrexpected_flagsunexpected_flags)!rrrrr9expected_supported_etypesrrticket_decryption_keygenerate_fast_fngenerate_fast_armor_fngenerate_fast_padata_fnfast_armor_typegenerate_padata_fncheck_error_fn check_rep_fncheck_kdc_private_fnrr,Zclient_as_etypes expected_saltauthenticator_subkeyr auth_datar armor_tgt armor_subkeyrSrr pac_requestrNr:) rrrrr9rrrrrrrrrrrrr,rtgtrrrrrZbody_checksum_typerSrrrrNr:r)cnamer}r8rX fast_cookiepreauth_etype_info2)@strict_checkingcheck_kdc_fast_supportstr krb5_asn1Z KDCOptionsget_client_credsget_service_credsZget_krbtgt_credsZ get_usernameZ get_realmZPrincipalName_createrrZTicketDecryptionKey_from_credsZtgs_supported_enctypesrpopZassertInrr isinstance collectionsabc ContainerrangeZassertIstypeboolr Z assertNotInlenZgeneric_check_kdc_errorZgeneric_check_kdc_reprrr assertTrueZget_saltZ RandomKeykcryptoZEnctypeZAES256Zgenerate_armor_keyZ session_keyZcf2rrrsrtZgenerate_simple_fastZgenerate_ap_reqassertIsNotNoneZPasswordKey_from_etype_info2Zget_kvnoZ TicketFlagsZas_exchange_dictZgeneric_check_kdc_privateZtgs_exchange_dictZ_generic_kdc_exchangeZ check_replyZcheck_error_repcreate_fast_cookierZ assertEqual)Gr*Z test_sequenceZkdc_options_defaultZ client_credsZ target_credsZ krbtgt_credsZclient_usernameZ client_realmZ client_cnameZkrbtgt_usernameZ krbtgt_realmZ krbtgt_snameZkrbtgt_decryption_key krbtgt_etypesZtarget_usernameZ target_realmZtarget_serviceZ target_snameZtarget_decryption_keyZ target_etypesrrZkdc_dictr+r,errorr-rrArrar4rrrrXrZcrealmr8ZsrealmZ tgt_cnamer:rrrr9rrrrrZexplicit_armor_keyrrrrNrSr.rrrrrrrrrrr_Zrepr$r$r%r/Vs                                                     #"      zFAST_Tests._run_test_sequencecCs|td}|Sr)AuthorizationData_createrr*rr$r$r%rs z(FAST_Tests.generate_fast_armor_auth_datacCs|td}|Sr)rrrr$r$r%rs z'FAST_Tests.generate_fast_used_auth_datacs4|}|fdd}|}|j|||dS)Ncs|d|S)Nzauthorization-data)append)Zenc_partrr$r% modify_fnsz:FAST_Tests.gen_tgt_fast_armor_auth_data..modify_fn)r checksum_keys)r6rZget_krbtgt_checksum_keyZmodified_ticket)r*rrrr$rr%rs z'FAST_Tests.gen_tgt_fast_armor_auth_datacCs,|||jr |dt||t|S)Nr)rrZassertNotEqualrrr)r*Zcookier$r$r%rs zFAST_Tests.create_fast_cookiecCs~|}tj}d||f}|jd|tjdgd}t|ddd}|tj |@|tj |@|tj |@dS)Nz%s-%dzzmsDS-SupportedEncryptionTypes)baseZscopeattrsr) Z get_samdbrZDOMAIN_RID_KRBTGTZget_domain_sidsearchldbZ SCOPE_BASEintrZKERB_ENCTYPE_FAST_SUPPORTEDZ(KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTEDZKERB_ENCTYPE_CLAIMS_SUPPORTED)r*ZsamdbZ krbtgt_ridZ krbtgt_sidresrr$r$r%rs" z!FAST_Tests.check_kdc_fast_supportcCs(|jdur"|}||t|_|jSr)rZget_mach_credsget_tgtr)r*Z mach_credsr$r$r%rBs zFAST_Tests.get_mach_tgtcCs(|jdur"|}||t|_|jSr)rrrr)r*Z user_credsr$r$r%r6s zFAST_Tests.get_user_tgtcCs2|jdur,|}|}|||t|_|jSr)rr6rget_service_ticketr)r*r service_credsr$r$r%rHs   z"FAST_Tests.get_user_service_ticketcCs2|jdur,|}|}|||t|_|jSr)r rBrrr)r*rrr$r$r%rKs   z"FAST_Tests.get_mach_service_ticket)r)r)P__name__ __module__ __qualname__ classmethodrr&r1r7r=r?rCrDrErIrLrQrRrTrUrVrWrZr[r\r]r`rbrcrfrhrkrnrprurvrwrxryr{r|rrrrrrrrrrrrrrrrrrrrrrrr0rPrormrr_r/rrrrrrBr6rHrK __classcell__r$r$r"r%r=s                           A r__main__)/rsossysrrZ samba.dcerpcrZsamba.tests.krb5.raw_testcaserZsamba.tests.krb5.kdc_base_testrZ"samba.tests.krb5.rfc4120_constantsrrrrr r r r r rrrrrrrrrrZsamba.tests.krb5.rfc4120_pyasn1ZtestsZkrb5Zrfc4120_pyasn1rZsamba.tests.krb5.kcryptorpathinsertenvironr'r(rrZunittestmainr$r$r$r%s>   T ;