
tests/krb5: Add test for FAST with invalid ticket checksum

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2021-11-17 20:15:12 +13:00 committed by Andrew Bartlett
parent aa38476d89
commit 7d14aedd3d
3 changed files with 40 additions and 2 deletions


@ -24,8 +24,8 @@ import collections
import ldb
from samba.dcerpc import security
from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
from samba.dcerpc import krb5pac, security
from samba.tests.krb5.raw_testcase import Krb5EncryptionKey, ZeroedChecksumKey
from samba.tests.krb5.kdc_base_test import KDCBaseTest
from samba.tests.krb5.rfc4120_constants import (
AD_FX_FAST_ARMOR,
@ -583,6 +583,21 @@ class FAST_Tests(KDCBaseTest):
}
])
def test_fast_invalid_checksum_tgt(self):
# The armor ticket 'sname' field is required to identify the target
# realm TGS (RFC6113 5.4.1.1). However, this test fails against
# Windows, which will still accept a service ticket identifying a
# different server principal even if the ticket checksum is invalid.
self._run_test_sequence([
{
'rep_type': KRB_AS_REP,
'expected_error_mode': KDC_ERR_POLICY,
'use_fast': True,
'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
'gen_armor_tgt_fn': self.get_service_ticket_invalid_checksum
}
])
def test_fast_enc_timestamp(self):
# Provide ENC-TIMESTAMP as FAST padata when we should be providing
# ENCRYPTED-CHALLENGE - ensure that we get PREAUTH_REQUIRED.
@ -1664,6 +1679,27 @@ class FAST_Tests(KDCBaseTest):
return self.mach_service_ticket
def get_service_ticket_invalid_checksum(self):
ticket = self.get_user_service_ticket()
krbtgt_creds = self.get_krbtgt_creds()
krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
zeroed_key = ZeroedChecksumKey(krbtgt_key.key,
krbtgt_key.kvno)
server_key = ticket.decryption_key
checksum_keys = {
krb5pac.PAC_TYPE_SRV_CHECKSUM: server_key,
krb5pac.PAC_TYPE_KDC_CHECKSUM: krbtgt_key,
krb5pac.PAC_TYPE_TICKET_CHECKSUM: zeroed_key,
}
return self.modified_ticket(
ticket,
checksum_keys=checksum_keys,
include_checksums={krb5pac.PAC_TYPE_TICKET_CHECKSUM: True})
if __name__ == "__main__":
global_asn1_print = False
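Review bot: `get_service_ticket_invalid_checksum` has no docstring, and its name reads as if every PAC signature were broken, whereas the `checksum_keys` mapping supplies the real keys for `PAC_TYPE_SRV_CHECKSUM` and `PAC_TYPE_KDC_CHECKSUM` and only substitutes the `ZeroedChecksumKey` for `PAC_TYPE_TICKET_CHECKSUM`, so the ticket signature alone is invalid. A docstring such as `"""Return the user's service ticket re-issued with a zeroed PAC ticket checksum; the server and KDC checksums are produced with the real keys, so only the ticket signature is invalid."""` would make that explicit, and a one-line comment on `include_checksums` could say it forces the ticket checksum to be present rather than omitted. In `test_fast_invalid_checksum_tgt` the armor ticket is a service ticket rather than a TGT, so the expected KDC_ERR_POLICY could come from the sname check described in the comment or from the checksum check; the comment would be clearer if it said which of the two Samba is expected to trip on, since the comment already notes that Windows accepts the ticket despite the bad checksum.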


@ -30,6 +30,7 @@
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type2.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_checksum_tgt.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_canon.ad_dc


@ -342,6 +342,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_no_fast.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_checksum_tgt.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc