sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-12 20:58:37 +03:00
Code

CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2021-10-26 20:47:24 +13:00 committed by Jule Anger
parent 04ceb10cbb
commit 241d3956af
2 changed files with 56 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
python/samba/tests/krb5/raw_testcase.py
View File

@ -596,6 +596,12 @@ class RawKerberosTest(TestCaseInTempDir):
tkt_sig_support = '0'
cls.tkt_sig_support = bool(int(tkt_sig_support))
expect_pac = samba.tests.env_get_var_value('EXPECT_PAC',
allow_missing=True)
if expect_pac is None:
expect_pac = '1'
cls.expect_pac = bool(int(expect_pac))
def setUp(self):
super().setUp()
self.do_asn1_print = False
@ -2417,6 +2423,9 @@ class RawKerberosTest(TestCaseInTempDir):
etype=kcrypto.Enctype.RC4)
krbtgt_keys.append(krbtgt_key_rc4)
if self.expect_pac and self.is_tgs(expected_sname):
expect_pac = True
else:
expect_pac = kdc_exchange_dict['expect_pac']
ticket_session_key = None
@ -2448,6 +2457,7 @@ class RawKerberosTest(TestCaseInTempDir):
self.assertElementMissing(ticket_private, 'renew-till')
if self.strict_checking:
self.assertElementEqual(ticket_private, 'caddr', [])
if expect_pac is not None:
self.assertElementPresent(ticket_private, 'authorization-data',
expect_empty=not expect_pac)
@ -2554,11 +2564,14 @@ class RawKerberosTest(TestCaseInTempDir):
if ticket_private is not None:
pac_data = self.get_ticket_pac(ticket_creds, expect_pac=expect_pac)
if expect_pac:
self.check_pac_buffers(pac_data, kdc_exchange_dict)
else:
if expect_pac is True:
self.assertIsNotNone(pac_data)
elif expect_pac is False:
self.assertIsNone(pac_data)
if pac_data is not None:
self.check_pac_buffers(pac_data, kdc_exchange_dict)
expect_ticket_checksum = kdc_exchange_dict['expect_ticket_checksum']
if expect_ticket_checksum:
self.assertIsNotNone(ticket_decryption_key)

55
source4/selftest/tests.py
View File

@ -789,28 +789,33 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$U
have_fast_support = int('SAMBA_USES_MITKDC' in config_hash)
tkt_sig_support = int('SAMBA4_USES_HEIMDAL' in config_hash)
expect_pac = 0
planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",
environ={'SERVICE_USERNAME':'$SERVER',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support})
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac})
planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
environ={'ADMIN_USERNAME':'$USERNAME',
'ADMIN_PASSWORD':'$PASSWORD',
'FOR_USER':'$USERNAME',
'STRICT_CHECKING':'0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support})
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac})
planoldpythontestsuite("rodc:local", "samba.tests.krb5.rodc_tests",
environ={'ADMIN_USERNAME':'$USERNAME',
'ADMIN_PASSWORD':'$PASSWORD',
'STRICT_CHECKING':'0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support})
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac})
planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests",
environ={'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support})
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac})
planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache",
environ={
@ -818,7 +823,8 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache",
'ADMIN_PASSWORD': '$PASSWORD',
'STRICT_CHECKING': '0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap",
environ={
@ -826,7 +832,8 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap",
'ADMIN_PASSWORD': '$PASSWORD',
'STRICT_CHECKING': '0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
for env in ['ad_dc_default', 'ad_member']:
planoldpythontestsuite(env, "samba.tests.krb5.test_rpc",
@ -835,7 +842,8 @@ for env in ['ad_dc_default', 'ad_member']:
'ADMIN_PASSWORD': '$DC_PASSWORD',
'STRICT_CHECKING': '0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb",
environ={
@ -843,7 +851,8 @@ planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb",
'ADMIN_PASSWORD': '$PASSWORD',
'STRICT_CHECKING': '0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
planoldpythontestsuite("ad_member_no_nss_wb:local",
"samba.tests.krb5.test_min_domain_uid",
@ -1419,7 +1428,8 @@ for env in ["fl2008r2dc", "fl2003dc"]:
'ADMIN_PASSWORD': '$PASSWORD',
'STRICT_CHECKING': '0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
planoldpythontestsuite('fl2008r2dc', 'samba.tests.krb5.salt_tests',
@ -1428,7 +1438,8 @@ planoldpythontestsuite('fl2008r2dc', 'samba.tests.krb5.salt_tests',
'ADMIN_PASSWORD': '$PASSWORD',
'STRICT_CHECKING': '0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]:
@ -1450,7 +1461,8 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests",
'ADMIN_USERNAME': '$USERNAME',
'ADMIN_PASSWORD': '$PASSWORD',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests",
environ={
@ -1458,11 +1470,13 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests",
'ADMIN_PASSWORD': '$PASSWORD',
'STRICT_CHECKING': '0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests",
environ={'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support})
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac})
planpythontestsuite(
"ad_dc",
"samba.tests.krb5.kdc_tgs_tests",
@ -1471,7 +1485,8 @@ planpythontestsuite(
'ADMIN_PASSWORD': '$PASSWORD',
'STRICT_CHECKING': '0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
planpythontestsuite(
"ad_dc",
@ -1481,7 +1496,8 @@ planpythontestsuite(
'ADMIN_PASSWORD': '$PASSWORD',
'STRICT_CHECKING': '0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
planpythontestsuite(
"ad_dc",
@ -1491,7 +1507,8 @@ planpythontestsuite(
'ADMIN_PASSWORD': '$PASSWORD',
'STRICT_CHECKING': '0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
planpythontestsuite(
"ad_dc",
@ -1501,7 +1518,8 @@ planpythontestsuite(
'ADMIN_PASSWORD': '$PASSWORD',
'STRICT_CHECKING': '0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
planpythontestsuite(
"ad_dc",
@ -1511,7 +1529,8 @@ planpythontestsuite(
'ADMIN_PASSWORD': '$PASSWORD',
'STRICT_CHECKING': '0',
'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac
})
for env in [