sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-12 20:58:37 +03:00
Code

CVE-2022-2031 tests/krb5: Split out _make_tgs_request()

Browse Source 
This allows us to make use of it in other tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

[jsutton@samba.org Fixed conflicts due to having older version of
 _make_tgs_request()]
This commit is contained in:
Joseph Sutton 2022-05-26 20:52:04 +12:00 committed by Jule Anger
parent f4ea2a80d8
commit 440aa37cc4
2 changed files with 77 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
python/samba/tests/krb5/kdc_base_test.py
View File

@ -67,6 +67,7 @@ from samba.tests.krb5.rfc4120_constants import (
AES256_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96,
ARCFOUR_HMAC_MD5, ARCFOUR_HMAC_MD5,
KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_PREAUTH_REQUIRED,
KDC_ERR_TGT_REVOKED,
KRB_AS_REP, KRB_AS_REP,
KRB_TGS_REP, KRB_TGS_REP,
KRB_ERROR, KRB_ERROR,
@ -1538,6 +1539,82 @@ class KDCBaseTest(RawKerberosTest):
return ticket_creds return ticket_creds
def _make_tgs_request(self, client_creds, service_creds, tgt,
pac_request=None, expect_pac=True,
expect_error=False,
expected_account_name=None,
expected_upn_name=None,
expected_sid=None):
client_account = client_creds.get_username()
cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
names=[client_account])
service_account = service_creds.get_username()
sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
names=[service_account])
realm = service_creds.get_realm()
expected_crealm = realm
expected_cname = cname
expected_srealm = realm
expected_sname = sname
expected_supported_etypes = service_creds.tgs_supported_enctypes
etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
kdc_options = str(krb5_asn1.KDCOptions('canonicalize'))
target_decryption_key = self.TicketDecryptionKey_from_creds(
service_creds)
authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
if expect_error:
expected_error_mode = KDC_ERR_TGT_REVOKED
check_error_fn = self.generic_check_kdc_error
check_rep_fn = None
else:
expected_error_mode = 0
check_error_fn = None
check_rep_fn = self.generic_check_kdc_rep
kdc_exchange_dict = self.tgs_exchange_dict(
expected_crealm=expected_crealm,
expected_cname=expected_cname,
expected_srealm=expected_srealm,
expected_sname=expected_sname,
expected_account_name=expected_account_name,
expected_upn_name=expected_upn_name,
expected_sid=expected_sid,
expected_supported_etypes=expected_supported_etypes,
ticket_decryption_key=target_decryption_key,
check_error_fn=check_error_fn,
check_rep_fn=check_rep_fn,
check_kdc_private_fn=self.generic_check_kdc_private,
expected_error_mode=expected_error_mode,
tgt=tgt,
authenticator_subkey=authenticator_subkey,
kdc_options=kdc_options,
pac_request=pac_request,
expect_pac=expect_pac,
expect_edata=False)
rep = self._generic_kdc_exchange(kdc_exchange_dict,
cname=cname,
realm=realm,
sname=sname,
etypes=etypes)
if expect_error:
self.check_error_rep(rep, expected_error_mode)
return None
else:
self.check_reply(rep, KRB_TGS_REP)
return kdc_exchange_dict['rep_ticket_creds']
# Named tuple to contain values of interest when the PAC is decoded. # Named tuple to contain values of interest when the PAC is decoded.
PacData = namedtuple( PacData = namedtuple(
"PacData", "PacData",

76
python/samba/tests/krb5/kdc_tgs_tests.py
View File

@ -230,82 +230,6 @@ class KdcTgsTests(KDCBaseTest):
pac_data.account_sid, pac_data.account_sid,
"rep = {%s},%s" % (rep, pac_data)) "rep = {%s},%s" % (rep, pac_data))
def _make_tgs_request(self, client_creds, service_creds, tgt,
pac_request=None, expect_pac=True,
expect_error=False,
expected_account_name=None,
expected_upn_name=None,
expected_sid=None):
client_account = client_creds.get_username()
cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
names=[client_account])
service_account = service_creds.get_username()
sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
names=[service_account])
realm = service_creds.get_realm()
expected_crealm = realm
expected_cname = cname
expected_srealm = realm
expected_sname = sname
expected_supported_etypes = service_creds.tgs_supported_enctypes
etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
kdc_options = str(krb5_asn1.KDCOptions('canonicalize'))
target_decryption_key = self.TicketDecryptionKey_from_creds(
service_creds)
authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
if expect_error:
expected_error_mode = KDC_ERR_TGT_REVOKED
check_error_fn = self.generic_check_kdc_error
check_rep_fn = None
else:
expected_error_mode = 0
check_error_fn = None
check_rep_fn = self.generic_check_kdc_rep
kdc_exchange_dict = self.tgs_exchange_dict(
expected_crealm=expected_crealm,
expected_cname=expected_cname,
expected_srealm=expected_srealm,
expected_sname=expected_sname,
expected_account_name=expected_account_name,
expected_upn_name=expected_upn_name,
expected_sid=expected_sid,
expected_supported_etypes=expected_supported_etypes,
ticket_decryption_key=target_decryption_key,
check_error_fn=check_error_fn,
check_rep_fn=check_rep_fn,
check_kdc_private_fn=self.generic_check_kdc_private,
expected_error_mode=expected_error_mode,
tgt=tgt,
authenticator_subkey=authenticator_subkey,
kdc_options=kdc_options,
pac_request=pac_request,
expect_pac=expect_pac,
expect_edata=False)
rep = self._generic_kdc_exchange(kdc_exchange_dict,
cname=cname,
realm=realm,
sname=sname,
etypes=etypes)
if expect_error:
self.check_error_rep(rep, expected_error_mode)
return None
else:
self.check_reply(rep, KRB_TGS_REP)
return kdc_exchange_dict['rep_ticket_creds']
def test_request(self): def test_request(self):
client_creds = self.get_client_creds() client_creds = self.get_client_creds()
service_creds = self.get_service_creds() service_creds = self.get_service_creds()