tests/krb5: Add test for FAST with invalid ticket checksum
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
aa38476d89
commit
7d14aedd3d
@ -24,8 +24,8 @@ import collections
|
||||
|
||||
import ldb
|
||||
|
||||
from samba.dcerpc import security
|
||||
from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
|
||||
from samba.dcerpc import krb5pac, security
|
||||
from samba.tests.krb5.raw_testcase import Krb5EncryptionKey, ZeroedChecksumKey
|
||||
from samba.tests.krb5.kdc_base_test import KDCBaseTest
|
||||
from samba.tests.krb5.rfc4120_constants import (
|
||||
AD_FX_FAST_ARMOR,
|
||||
@ -583,6 +583,21 @@ class FAST_Tests(KDCBaseTest):
|
||||
}
|
||||
])
|
||||
|
||||
def test_fast_invalid_checksum_tgt(self):
|
||||
# The armor ticket 'sname' field is required to identify the target
|
||||
# realm TGS (RFC6113 5.4.1.1). However, this test fails against
|
||||
# Windows, which will still accept a service ticket identifying a
|
||||
# different server principal even if the ticket checksum is invalid.
|
||||
self._run_test_sequence([
|
||||
{
|
||||
'rep_type': KRB_AS_REP,
|
||||
'expected_error_mode': KDC_ERR_POLICY,
|
||||
'use_fast': True,
|
||||
'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
|
||||
'gen_armor_tgt_fn': self.get_service_ticket_invalid_checksum
|
||||
}
|
||||
])
|
||||
|
||||
def test_fast_enc_timestamp(self):
|
||||
# Provide ENC-TIMESTAMP as FAST padata when we should be providing
|
||||
# ENCRYPTED-CHALLENGE - ensure that we get PREAUTH_REQUIRED.
|
||||
@ -1664,6 +1679,27 @@ class FAST_Tests(KDCBaseTest):
|
||||
|
||||
return self.mach_service_ticket
|
||||
|
||||
def get_service_ticket_invalid_checksum(self):
|
||||
ticket = self.get_user_service_ticket()
|
||||
|
||||
krbtgt_creds = self.get_krbtgt_creds()
|
||||
krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
|
||||
|
||||
zeroed_key = ZeroedChecksumKey(krbtgt_key.key,
|
||||
krbtgt_key.kvno)
|
||||
|
||||
server_key = ticket.decryption_key
|
||||
checksum_keys = {
|
||||
krb5pac.PAC_TYPE_SRV_CHECKSUM: server_key,
|
||||
krb5pac.PAC_TYPE_KDC_CHECKSUM: krbtgt_key,
|
||||
krb5pac.PAC_TYPE_TICKET_CHECKSUM: zeroed_key,
|
||||
}
|
||||
|
||||
return self.modified_ticket(
|
||||
ticket,
|
||||
checksum_keys=checksum_keys,
|
||||
include_checksums={krb5pac.PAC_TYPE_TICKET_CHECKSUM: True})
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
global_asn1_print = False
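Review bot: The comment at the top of `test_fast_invalid_checksum_tgt` does not say what the test asserts, and the expected `KDC_ERR_POLICY` may not depend on the checksum at all: `get_service_ticket_invalid_checksum` starts from `get_user_service_ticket()`, so the armor ticket is a service ticket rather than a TGT as well as carrying a PAC ticket checksum made with `ZeroedChecksumKey`. If the KDC rejects the armor on its `sname` alone, the test would pass even if the ticket checksum were never verified; whether that is the case cannot be told from the lines shown here. I would state the intent in the comment, e.g. `# Armor with a service ticket whose PAC ticket checksum is invalid; the KDC must reject it with KDC_ERR_POLICY.`, and give the helper a one-line docstring such as `"""Return the user's service ticket with the PAC ticket checksum computed under a zeroed key."""`. The test name is also added to both expected-failure lists later in this commit, so it is presumably expected to fail for now and does not yet guard against a regression.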
|
||||
|
@ -30,6 +30,7 @@
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type2.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_checksum_tgt.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_canon.ad_dc
|
||||
|
@ -342,6 +342,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_no_fast.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_checksum_tgt.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc
|
||||
|