From 2015578f80a54a26111991fa474a6da1b1bfb5d2 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 4 Oct 2022 12:25:08 +1300
Subject: [PATCH 1/2] tests/krb5: Add test requesting a service ticket expiring post-2038
Windows 11 22H2 performs such requests. The test fails with KDC_ERR_BAD_INTEGRITY on older Heimdal versions, which are unable to verify a checksum over the modified request body.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Joseph Sutton
---
 python/samba/tests/krb5/kdc_tgs_tests.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index e52f46152fa..a4bc48e587a 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -2099,6 +2099,18 @@ class KdcTgsTests(KDCBaseTest):
 self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED,
 KDC_ERR_C_PRINCIPAL_UNKNOWN))
+ # Test making a TGS request for a ticket expiring post-2038.
+ def test_tgs_req_future_till(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds)
+
+ target_creds = self.get_service_creds()
+ self._tgs_req(
+ tgt=tgt,
+ expected_error=0,
+ target_creds=target_creds,
+ till='99990913024805Z')
+
 def _modify_renewable(self, enc_part):
 # Set the renewable flag.
 enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True)
@@ -2469,6 +2481,7 @@ class KdcTgsTests(KDCBaseTest):
 sname=None,
 srealm=None,
 use_fast=False,
+ till=None,
 expect_claims=True,
 expect_pac=True,
 expect_pac_attrs=None,
@@ -2580,6 +2593,7 @@ class KdcTgsTests(KDCBaseTest):
 cname=None,
 realm=srealm,
 sname=sname,
+ till_time=till,
 etypes=etypes,
 additional_tickets=additional_tickets)
 if expected_error:
--
2.35.0
From 0f56b38fff223859ea48ef5357f47de53e29de14 Mon Sep 17 00:00:00 2001
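Review bot: test_tgs_req_future_till (first hunk of kdc_tgs_tests.py) asserts only that the request succeeds via `expected_error=0`; nothing visible in the hunk checks the end time of the ticket that comes back. With a `till` far beyond the signed 32-bit time_t limit, the failure worth catching is a KDC that accepts the request but issues a ticket whose endtime has wrapped or exceeds the lifetime policy, so the test would be stronger if it also asserted that the returned endtime lies after the request time and no later than the TGT's endtime. The same applies to test_future_till in as_req_tests.py (patch 2/2). Whether the shared reply checker already validates endtime is not visible here; if it does, say so in the test, e.g. `# endtime is validated against the TGT lifetime by the reply checker`.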
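Review bot: In the third hunk of kdc_tgs_tests.py, `till_time=till` is now passed on every call, so existing callers that leave `till` unset send an explicit `None` where the argument used to be omitted. Whether `None` selects the same default as before depends on the callee, which is outside the hunk; patch 2/2 handles the equivalent case explicitly with `if till is None:`. If the callee does not treat `None` as "use the default", add the same guard before this call. The new `till=None` parameter in the second hunk would also benefit from a comment on the accepted format, e.g. `# till: KerberosTime string (YYYYMMDDHHMMSSZ), or None for the default`.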
From: Joseph Sutton
Date: Thu, 20 Oct 2022 12:36:44 +1300
Subject: [PATCH 2/2] tests/krb5: Add test requesting a TGT expiring post-2038
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Joseph Sutton
---
 python/samba/tests/krb5/as_req_tests.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 054a49b64aa..aa4bc2370c4 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -42,7 +42,7 @@ global_hexdump = False
 class AsReqBaseTest(KDCBaseTest):
 def _run_as_req_enc_timestamp(self, client_creds, sname=None,
- expected_error=None):
+ expected_error=None, till=None):
 client_account = client_creds.get_username()
 client_as_etypes = self.get_default_enctypes()
 client_kvno = client_creds.get_kvno()
@@ -62,7 +62,8 @@ class AsReqBaseTest(KDCBaseTest):
 expected_sname = sname
 expected_salt = client_creds.get_salt()
- till = self.get_KerberosTime(offset=36000)
+ if till is None:
+ till = self.get_KerberosTime(offset=36000)
 initial_etypes = client_as_etypes
 initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
@@ -241,6 +242,14 @@ class AsReqKerberosTests(AsReqBaseTest):
 sname=wrong_krbtgt_princ,
 expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
+ # Test that we can make a request for a ticket expiring post-2038.
+ def test_future_till(self):
+ client_creds = self.get_client_creds()
+
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ till='99990913024805Z')
+
 if __name__ == "__main__":
 global_asn1_print = False
--
2.35.0
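Review bot: The literal `'99990913024805Z'` in test_future_till (last hunk of as_req_tests.py) duplicates the one in test_tgs_req_future_till from patch 1/2, and neither says why this particular timestamp was chosen. A shared named constant on the base test class, with a one-line comment, would keep the two tests in step, for example `# Far-future KerberosTime, well past the 2038 limit of a signed 32-bit time_t`. The commit message of patch 1/2 says Windows 11 22H2 performs such requests; if this is the exact value that client sends, the comment should state that.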