From ec4b264bdf9ab64a728212580b344fbf35c3c673 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 14 Oct 2021 16:43:05 +1300
Subject: [PATCH] tests/krb5: Add compatability tests for ticket checksums

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 .../samba/tests/krb5/compatability_tests.py   | 44 ++++++++++++++++++-
 selftest/knownfail_heimdal_kdc                |  6 ++-
 source4/selftest/tests.py                     |  7 ++-
 3 files changed, 53 insertions(+), 4 deletions(-)

diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
index cd67549212a..0da72796894 100755
--- a/python/samba/tests/krb5/compatability_tests.py
+++ b/python/samba/tests/krb5/compatability_tests.py
@@ -23,7 +23,7 @@ import os
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
 
-from samba.tests.krb5.raw_testcase import RawKerberosTest
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 from samba.tests.krb5.rfc4120_constants import (
     AES128_CTS_HMAC_SHA1_96,
@@ -50,7 +50,7 @@ MIT_ENC_AS_REP_PART_TYPE_TAG = 0x7A
 ENC_PA_REP_FLAG = 0x00010000
 
 
-class SimpleKerberosTests(RawKerberosTest):
+class SimpleKerberosTests(KDCBaseTest):
 
     def setUp(self):
         super(SimpleKerberosTests, self).setUp()
@@ -120,6 +120,46 @@ class SimpleKerberosTests(RawKerberosTest):
             self.fail(
                 "(Heimdal) Salt populated for ARCFOUR_HMAC_MD5 encryption")
 
+    def test_heimdal_ticket_signature(self):
+        # Ensure that a DC correctly issues tickets signed with its krbtgt key.
+        user_creds = self.get_client_creds()
+        target_creds = self.get_service_creds()
+
+        krbtgt_creds = self.get_krbtgt_creds()
+        key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
+
+        # Get a TGT from the DC.
+        tgt = self.get_tgt(user_creds)
+
+        # Ensure the PAC contains the expected checksums.
+        self.verify_ticket(tgt, key)
+
+        # Get a service ticket from the DC.
+        service_ticket = self.get_service_ticket(tgt, target_creds)
+
+        # Ensure the PAC contains the expected checksums.
+        self.verify_ticket(service_ticket, key, expect_ticket_checksum=True)
+
+    def test_mit_ticket_signature(self):
+        # Ensure that a DC does not issue tickets signed with its krbtgt key.
+        user_creds = self.get_client_creds()
+        target_creds = self.get_service_creds()
+
+        krbtgt_creds = self.get_krbtgt_creds()
+        key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
+
+        # Get a TGT from the DC.
+        tgt = self.get_tgt(user_creds)
+
+        # Ensure the PAC contains the expected checksums.
+        self.verify_ticket(tgt, key)
+
+        # Get a service ticket from the DC.
+        service_ticket = self.get_service_ticket(tgt, target_creds)
+
+        # Ensure the PAC does not contain the expected checksums.
+        self.verify_ticket(service_ticket, key, expect_ticket_checksum=False)
+
     def as_pre_auth_req(self, creds, etypes):
         user = creds.get_username()
         realm = creds.get_realm()
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 8b497160878..f9764a426dc 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -1,7 +1,7 @@
 #
 # We expect all the MIT specific compatability tests to fail on heimdal
 # kerberos
-^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_
+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_(?!ticket_signature)
 #
 # Heimdal currently fails the following MS-KILE client principal lookup
 # tests
@@ -67,3 +67,7 @@
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc
+#
+# Heimdal currently does not generate ticket signatures
+#
+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_heimdal_ticket_signature
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 2ed72fda265..68a67c36042 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -1542,7 +1542,12 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests",
                            'ADMIN_USERNAME': '$USERNAME',
                            'ADMIN_PASSWORD': '$PASSWORD'
                        })
-planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests")
+planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests",
+                    environ={
+                        'ADMIN_USERNAME': '$USERNAME',
+                        'ADMIN_PASSWORD': '$PASSWORD',
+                        'STRICT_CHECKING': '0',
+                    })
 planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests")
 planpythontestsuite(
     "ad_dc",
-- 
2.47.3