sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-02 09:47:23 +03:00
Code

tests/krb5: Add compatability tests for ticket checksums

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2021-10-14 16:43:05 +13:00 committed by Andrew Bartlett
parent ef24fe982d
commit ec4b264bdf
3 changed files with 53 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
python/samba/tests/krb5/compatability_tests.py
View File

@ -23,7 +23,7 @@ import os
sys.path.insert(0, "bin/python") sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1" os.environ["PYTHONUNBUFFERED"] = "1"
from samba.tests.krb5.raw_testcase import RawKerberosTest from samba.tests.krb5.kdc_base_test import KDCBaseTest
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
from samba.tests.krb5.rfc4120_constants import ( from samba.tests.krb5.rfc4120_constants import (
AES128_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96,
@ -50,7 +50,7 @@ MIT_ENC_AS_REP_PART_TYPE_TAG = 0x7A
ENC_PA_REP_FLAG = 0x00010000 ENC_PA_REP_FLAG = 0x00010000
class SimpleKerberosTests(RawKerberosTest): class SimpleKerberosTests(KDCBaseTest):
def setUp(self): def setUp(self):
super(SimpleKerberosTests, self).setUp() super(SimpleKerberosTests, self).setUp()
@ -120,6 +120,46 @@ class SimpleKerberosTests(RawKerberosTest):
self.fail( self.fail(
"(Heimdal) Salt populated for ARCFOUR_HMAC_MD5 encryption") "(Heimdal) Salt populated for ARCFOUR_HMAC_MD5 encryption")
def test_heimdal_ticket_signature(self):
# Ensure that a DC correctly issues tickets signed with its krbtgt key.
user_creds = self.get_client_creds()
target_creds = self.get_service_creds()
krbtgt_creds = self.get_krbtgt_creds()
key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
# Get a TGT from the DC.
tgt = self.get_tgt(user_creds)
# Ensure the PAC contains the expected checksums.
self.verify_ticket(tgt, key)
# Get a service ticket from the DC.
service_ticket = self.get_service_ticket(tgt, target_creds)
# Ensure the PAC contains the expected checksums.
self.verify_ticket(service_ticket, key, expect_ticket_checksum=True)
def test_mit_ticket_signature(self):
# Ensure that a DC does not issue tickets signed with its krbtgt key.
user_creds = self.get_client_creds()
target_creds = self.get_service_creds()
krbtgt_creds = self.get_krbtgt_creds()
key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
# Get a TGT from the DC.
tgt = self.get_tgt(user_creds)
# Ensure the PAC contains the expected checksums.
self.verify_ticket(tgt, key)
# Get a service ticket from the DC.
service_ticket = self.get_service_ticket(tgt, target_creds)
# Ensure the PAC does not contain the expected checksums.
self.verify_ticket(service_ticket, key, expect_ticket_checksum=False)
def as_pre_auth_req(self, creds, etypes): def as_pre_auth_req(self, creds, etypes):
user = creds.get_username() user = creds.get_username()
realm = creds.get_realm() realm = creds.get_realm()

6
selftest/knownfail_heimdal_kdc
View File

@ -1,7 +1,7 @@
# #
# We expect all the MIT specific compatability tests to fail on heimdal # We expect all the MIT specific compatability tests to fail on heimdal
# kerberos # kerberos
^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_ ^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_(?!ticket_signature)
# #
# Heimdal currently fails the following MS-KILE client principal lookup # Heimdal currently fails the following MS-KILE client principal lookup
# tests # tests
@ -67,3 +67,7 @@
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc
#
# Heimdal currently does not generate ticket signatures
#
^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_heimdal_ticket_signature

7
source4/selftest/tests.py
View File

@ -1542,7 +1542,12 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests",
'ADMIN_USERNAME': '$USERNAME', 'ADMIN_USERNAME': '$USERNAME',
'ADMIN_PASSWORD': '$PASSWORD' 'ADMIN_PASSWORD': '$PASSWORD'
}) })
planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests") planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests",
environ={
'ADMIN_USERNAME': '$USERNAME',
'ADMIN_PASSWORD': '$PASSWORD',
'STRICT_CHECKING': '0',
})
planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests") planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests")
planpythontestsuite( planpythontestsuite(
"ad_dc", "ad_dc",