From 787405ef59b70cef011f005a6ed98898c5d43adb Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 14 Dec 2021 19:16:00 +1300
Subject: tests/krb5: Correctly determine whether tickets are service tickets
Previously we expected tickets to contain a ticket checksum if the sname was not the krbtgt. However, the ticket checksum should not be present if we are performing an AS-REQ to our own account. Now we determine a ticket is a service ticket only if the request is also a TGS-REQ.
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
(cherry picked from commit 100be7eb8e70ba270a8e92957a5e47466160a901)
---
 python/samba/tests/krb5/compatability_tests.py | 10 ++++++----
 python/samba/tests/krb5/kdc_base_test.py | 2 +-
 python/samba/tests/krb5/raw_testcase.py | 18 ++++++++++--------
 python/samba/tests/krb5/rodc_tests.py | 4 ++--
 4 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
index ed2dc565b6d..65e9e3788d5 100755
--- a/python/samba/tests/krb5/compatability_tests.py
+++ b/python/samba/tests/krb5/compatability_tests.py
@@ -132,13 +132,14 @@ class SimpleKerberosTests(KDCBaseTest):
 tgt = self.get_tgt(user_creds)
 # Ensure the PAC contains the expected checksums.
- self.verify_ticket(tgt, key)
+ self.verify_ticket(tgt, key, service_ticket=False)
 # Get a service ticket from the DC.
 service_ticket = self.get_service_ticket(tgt, target_creds)
 # Ensure the PAC contains the expected checksums.
- self.verify_ticket(service_ticket, key, expect_ticket_checksum=True)
+ self.verify_ticket(service_ticket, key, service_ticket=True,
+ expect_ticket_checksum=True)
 def test_mit_ticket_signature(self):
 # Ensure that a DC does not issue tickets signed with its krbtgt key.
@@ -152,13 +153,14 @@ class SimpleKerberosTests(KDCBaseTest):
 tgt = self.get_tgt(user_creds)
 # Ensure the PAC contains the expected checksums.
- self.verify_ticket(tgt, key)
+ self.verify_ticket(tgt, key, service_ticket=False)
 # Get a service ticket from the DC.
 service_ticket = self.get_service_ticket(tgt, target_creds)
 # Ensure the PAC does not contain the expected checksums.
- self.verify_ticket(service_ticket, key, expect_ticket_checksum=False)
+ self.verify_ticket(service_ticket, key, service_ticket=True,
+ expect_ticket_checksum=False)
 def as_pre_auth_req(self, creds, etypes):
 user = creds.get_username()
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 6e96b982167..9506048ee2a 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1395,7 +1395,7 @@ class KDCBaseTest(RawKerberosTest):
 krbtgt_creds = self.get_krbtgt_creds()
 krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
 self.verify_ticket(service_ticket_creds, krbtgt_key,
- expect_pac=expect_pac,
+ service_ticket=True, expect_pac=expect_pac,
 expect_ticket_checksum=self.tkt_sig_support)
 self.tkt_cache[cache_key] = service_ticket_creds
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 14e655313fc..a2241707d44 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2587,7 +2587,11 @@ class RawKerberosTest(TestCaseInTempDir):
 self.assertIsNotNone(ticket_decryption_key)
 if ticket_decryption_key is not None:
- self.verify_ticket(ticket_creds, krbtgt_keys, expect_pac=expect_pac,
+ service_ticket = (not self.is_tgs(expected_sname)
+ and rep_msg_type == KRB_TGS_REP)
+ self.verify_ticket(ticket_creds, krbtgt_keys,
+ service_ticket=service_ticket,
+ expect_pac=expect_pac,
 expect_ticket_checksum=expect_ticket_checksum or self.tkt_sig_support)
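Review bot: The service-ticket predicate `not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP` assigned before the verify_ticket call is the same expression the @@ -2624 hunk of raw_testcase.py now uses to decide whether PAC_TYPE_TICKET_CHECKSUM belongs in the expected buffer list, so the two can drift apart on the next edit; computing it once (or in a small helper) and reusing it keeps the expected-buffer list and the verify_ticket check in step. Both hunks appear to sit in the same check method, whose body begins and ends outside the hunks. A comment on the new assignment, `# Only a TGS-REP for a non-krbtgt sname yields a service ticket; an AS-REP to our own account carries no ticket checksum.`, would record at the point of use the reasoning the commit message gives.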
@@ -2624,14 +2628,14 @@ class RawKerberosTest(TestCaseInTempDir):
 expected_types.append(krb5pac.PAC_TYPE_DEVICE_INFO)
 expected_types.append(krb5pac.PAC_TYPE_DEVICE_CLAIMS_INFO)
- if not self.is_tgs(expected_sname):
+ if not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP:
 expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
 require_strict = {krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO}
 if not self.tkt_sig_support:
 require_strict.add(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
- expect_extra_pac_buffers = rep_msg_type == KRB_AS_REP
+ expect_extra_pac_buffers = self.is_tgs(expected_sname)
 expect_pac_attrs = kdc_exchange_dict['expect_pac_attrs']
@@ -3233,11 +3237,9 @@ class RawKerberosTest(TestCaseInTempDir):
 ticket_blob)
 self.assertEqual(expected_checksum, checksum)
- def verify_ticket(self, ticket, krbtgt_keys, expect_pac=True,
+ def verify_ticket(self, ticket, krbtgt_keys, service_ticket,
+ expect_pac=True,
 expect_ticket_checksum=True):
- # Check if the ticket is a TGT.
- is_tgt = self.is_tgt(ticket)
-
 # Decrypt the ticket.
 key = ticket.decryption_key
@@ -3336,7 +3338,7 @@ class RawKerberosTest(TestCaseInTempDir):
 kdc_ctype, kdc_checksum)
- if is_tgt:
+ if not service_ticket:
 self.assertNotIn(krb5pac.PAC_TYPE_TICKET_CHECKSUM, checksums)
 else:
 ticket_checksum, ticket_ctype = checksums.get(
diff --git a/python/samba/tests/krb5/rodc_tests.py b/python/samba/tests/krb5/rodc_tests.py
index 0e252d90262..83ee35d650a 100755
--- a/python/samba/tests/krb5/rodc_tests.py
+++ b/python/samba/tests/krb5/rodc_tests.py
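Review bot: `expect_extra_pac_buffers = self.is_tgs(expected_sname)` changes the condition from "the reply is an AS-REP" to "the sname is the krbtgt", which also covers a TGS-REP whose sname is the krbtgt, and the commit message does not mention this part of the change, so it is not clear from the hunk whether that widening is intended or a side effect of the ticket-checksum fix. If it is intended, a comment on the new line, `# Extra PAC buffers are tied to the ticket being a TGT, not to whether it arrived in an AS-REP or a TGS-REP.`, would make that explicit for the next reader. The enclosing method's body begins and ends outside the hunk.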
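Review bot: In the @@ -3233 hunk `service_ticket` is inserted as a required positional parameter between `krbtgt_keys` and `expect_pac`, so any caller outside this diff that still passes `expect_pac` positionally would have that value silently read as `service_ticket` instead of failing loudly. Making the new parameter keyword-only, `def verify_ticket(self, ticket, krbtgt_keys, *, service_ticket,` with `expect_pac=True, expect_ticket_checksum=True):` on the continuation line, keeps every call site in this commit working (all of them use the keyword form) and turns such a misuse into a TypeError. The method also has no docstring; a short one stating that `service_ticket=False` asserts PAC_TYPE_TICKET_CHECKSUM is absent while `service_ticket=True` checks it subject to `expect_ticket_checksum` would spell out the contract the @@ -3336 hunk implements. verify_ticket's body continues outside the hunk.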
@@ -58,14 +58,14 @@ class RodcKerberosTests(KDCBaseTest):
 tgt = self.get_tgt(user_creds, to_rodc=True)
 # Ensure the PAC contains the expected checksums.
- self.verify_ticket(tgt, rodc_key)
+ self.verify_ticket(tgt, rodc_key, service_ticket=False)
 # Get a service ticket from the RODC.
 service_ticket = self.get_service_ticket(tgt, target_creds, to_rodc=True)
 # Ensure the PAC contains the expected checksums.
- self.verify_ticket(service_ticket, rodc_key)
+ self.verify_ticket(service_ticket, rodc_key, service_ticket=True)
 if __name__ == "__main__":
-- cgit v1.2.1
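Review bot: `self.verify_ticket(service_ticket, rodc_key, service_ticket=True)` leaves `expect_ticket_checksum` at its default of True, whereas the `get_service_ticket` helper in kdc_base_test.py (hunk @@ -1395) passes `expect_ticket_checksum=self.tkt_sig_support`; if this RODC test is meant to run against a KDC without ticket-signature support it will fail on the missing checksum rather than skip it. Passing `expect_ticket_checksum=self.tkt_sig_support` here would keep the two in agreement; if the RODC path is instead required to sign service tickets unconditionally, a comment saying so would make the stricter expectation deliberate. The enclosing test method starts outside the hunk.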