From: Joseph Sutton
Date: Wed, 17 Nov 2021 07:15:12 +0000 (+1300)
Subject: tests/krb5: Add test for FAST with invalid ticket checksum
X-Git-Tag: tdb-1.4.6~427
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7d14aedd3dc904d4341d06c8b38d6e94e780ea71;p=thirdparty%2Fsamba.git
tests/krb5: Add test for FAST with invalid ticket checksum
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
index ceb46e52ea8..ee0a6ef7a49 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -24,8 +24,8 @@ import collections
 import ldb
-from samba.dcerpc import security
-from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
+from samba.dcerpc import krb5pac, security
+from samba.tests.krb5.raw_testcase import Krb5EncryptionKey, ZeroedChecksumKey
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
 from samba.tests.krb5.rfc4120_constants import (
 AD_FX_FAST_ARMOR,
@@ -583,6 +583,21 @@ class FAST_Tests(KDCBaseTest):
 }
 ])
+ def test_fast_invalid_checksum_tgt(self):
+ # The armor ticket 'sname' field is required to identify the target
+ # realm TGS (RFC6113 5.4.1.1). However, this test fails against
+ # Windows, which will still accept a service ticket identifying a
+ # different server principal even if the ticket checksum is invalid.
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_POLICY,
+ 'use_fast': True,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_service_ticket_invalid_checksum
+ }
+ ])
+
 def test_fast_enc_timestamp(self):
+ # Provide ENC-TIMESTAMP as FAST padata when we should be providing
+ # ENCRYPTED-CHALLENGE - ensure that we get PREAUTH_REQUIRED.
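Review bot: The comment introducing `test_fast_invalid_checksum_tgt` describes only why Windows accepts this armor ticket, yet the same commit lists the test in `selftest/knownfail_heimdal_kdc` and `selftest/knownfail_mit_kdc`, so a reader of the test alone cannot tell that neither Samba KDC backend currently returns the expected `KDC_ERR_POLICY` either. It also never says what is actually being sent: the armor ticket is a service ticket rather than a TGT, with its PAC ticket checksum deliberately invalidated by `get_service_ticket_invalid_checksum`, and the KDC is expected to reject it on the `sname` requirement regardless of the checksum state — presumably the point is that an invalid ticket checksum must not cause the sname check to be skipped. I would extend the comment with: `# The armor ticket here is a service ticket (not a TGT) whose PAC ticket checksum has been zeroed; the KDC should still reject it with KDC_ERR_POLICY on the sname check.` The rest of `FAST_Tests` and `_run_test_sequence` lie outside this hunk.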
@@ -1664,6 +1679,27 @@ class FAST_Tests(KDCBaseTest):
 return self.mach_service_ticket
+ def get_service_ticket_invalid_checksum(self):
+ ticket = self.get_user_service_ticket()
+
+ krbtgt_creds = self.get_krbtgt_creds()
+ krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
+
+ zeroed_key = ZeroedChecksumKey(krbtgt_key.key,
+ krbtgt_key.kvno)
+
+ server_key = ticket.decryption_key
+ checksum_keys = {
+ krb5pac.PAC_TYPE_SRV_CHECKSUM: server_key,
+ krb5pac.PAC_TYPE_KDC_CHECKSUM: krbtgt_key,
+ krb5pac.PAC_TYPE_TICKET_CHECKSUM: zeroed_key,
+ }
+
+ return self.modified_ticket(
+ ticket,
+ checksum_keys=checksum_keys,
+ include_checksums={krb5pac.PAC_TYPE_TICKET_CHECKSUM: True})
+
 if __name__ == "__main__":
 global_asn1_print = False
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 0bad613726f..a8810abcf8f 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -30,6 +30,7 @@
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type2.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_checksum_tgt.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_canon.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index fbc1d286937..964fcddbf66 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
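Review bot: `get_service_ticket_invalid_checksum` has no docstring, and the test that uses it only passes it by name as `gen_armor_tgt_fn`, so nothing in the code states which checksum is made invalid and which stay valid. The body is precise about this: the server checksum is recomputed with `ticket.decryption_key`, the KDC checksum with the krbtgt key from `TicketDecryptionKey_from_creds`, and only `PAC_TYPE_TICKET_CHECKSUM` is produced with a `ZeroedChecksumKey`, while `include_checksums` forces that checksum to be present rather than omitted. I would add the docstring `"""Return the user's service ticket with its PAC ticket checksum zeroed (invalid) but the server and KDC checksums still valid, for use as a FAST armor ticket."""`. Whether `ZeroedChecksumKey` yields an all-zero checksum value or a checksum computed under a zeroed key is not visible here, so the wording should be checked against its definition in raw_testcase. The method that ends at `return self.mach_service_ticket` starts outside this hunk.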
@@ -342,6 +342,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_no_fast.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_checksum_tgt.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc