From: Joseph Sutton Date: Mon, 20 Sep 2021 02:10:07 +0000 (+1200) Subject: tests/krb5: Verify checksums of tickets obtained from the KDC X-Git-Tag: ldb-2.5.0~562 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea7b550a500d9e458498d37688b67dafd3d9509d;p=thirdparty%2Fsamba.git tests/krb5: Verify checksums of tickets obtained from the KDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 59882e44173..985792887ca 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2254,6 +2254,13 @@ class RawKerberosTest(TestCaseInTempDir): armor_key = kdc_exchange_dict['armor_key'] self.verify_ticket_checksum(ticket, ticket_checksum, armor_key) + to_rodc = kdc_exchange_dict['to_rodc'] + if to_rodc: + krbtgt_creds = self.get_rodc_krbtgt_creds() + else: + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds) + expect_pac = kdc_exchange_dict['expect_pac'] ticket_session_key = None @@ -2386,6 +2393,9 @@ class RawKerberosTest(TestCaseInTempDir): ticket_private=ticket_private, encpart_private=encpart_private) + if ticket_decryption_key is not None: + self.verify_ticket(ticket_creds, krbtgt_key, expect_pac=expect_pac) + kdc_exchange_dict['rep_ticket_creds'] = ticket_creds def check_pac_options_claims_support(self, pac_options): @@ -3061,16 +3071,20 @@ class RawKerberosTest(TestCaseInTempDir): if is_tgt: self.assertNotIn(krb5pac.PAC_TYPE_TICKET_CHECKSUM, checksums) else: - ticket_checksum, ticket_ctype = checksums[ - krb5pac.PAC_TYPE_TICKET_CHECKSUM] - enc_part['authorization-data'] = auth_data - enc_part = self.der_encode(enc_part, - asn1Spec=krb5_asn1.EncTicketPart()) - - krbtgt_key.verify_checksum(KU_NON_KERB_CKSUM_SALT, - enc_part, - ticket_ctype, - ticket_checksum) + ticket_checksum, ticket_ctype = checksums.get( + krb5pac.PAC_TYPE_TICKET_CHECKSUM, + (None, None)) + if self.strict_checking: + self.assertIsNotNone(ticket_checksum) + if ticket_checksum is not None: + enc_part['authorization-data'] = auth_data + enc_part = self.der_encode(enc_part, + asn1Spec=krb5_asn1.EncTicketPart()) + + krbtgt_key.verify_checksum(KU_NON_KERB_CKSUM_SALT, + enc_part, + ticket_ctype, + ticket_checksum) def modified_ticket(self, ticket, *,