CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
24be204834
commit
903ab1a027
@ -1358,7 +1358,7 @@ class KDCBaseTest(RawKerberosTest):
|
||||
|
||||
def get_tgt(self, creds, to_rodc=False, kdc_options=None,
|
||||
expected_flags=None, unexpected_flags=None,
|
||||
expected_account_name=None,
|
||||
expected_account_name=None, expected_upn_name=None,
|
||||
expected_sid=None,
|
||||
pac_request=True, expect_pac=True, fresh=False):
|
||||
user_name = creds.get_username()
|
||||
@ -1410,6 +1410,7 @@ class KDCBaseTest(RawKerberosTest):
|
||||
expected_srealm=realm,
|
||||
expected_sname=sname,
|
||||
expected_account_name=expected_account_name,
|
||||
expected_upn_name=expected_upn_name,
|
||||
expected_sid=expected_sid,
|
||||
expected_salt=salt,
|
||||
expected_flags=expected_flags,
|
||||
|
@ -227,7 +227,10 @@ class KdcTgsTests(KDCBaseTest):
|
||||
|
||||
def _make_tgs_request(self, client_creds, service_creds, tgt,
|
||||
pac_request=None, expect_pac=True,
|
||||
expect_error=False):
|
||||
expect_error=False,
|
||||
expected_account_name=None,
|
||||
expected_upn_name=None,
|
||||
expected_sid=None):
|
||||
client_account = client_creds.get_username()
|
||||
cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
|
||||
names=[client_account])
|
||||
@ -268,6 +271,9 @@ class KdcTgsTests(KDCBaseTest):
|
||||
expected_cname=expected_cname,
|
||||
expected_srealm=expected_srealm,
|
||||
expected_sname=expected_sname,
|
||||
expected_account_name=expected_account_name,
|
||||
expected_upn_name=expected_upn_name,
|
||||
expected_sid=expected_sid,
|
||||
expected_supported_etypes=expected_supported_etypes,
|
||||
ticket_decryption_key=target_decryption_key,
|
||||
check_error_fn=check_error_fn,
|
||||
@ -433,6 +439,49 @@ class KdcTgsTests(KDCBaseTest):
|
||||
self._make_tgs_request(client_creds, service_creds, tgt,
|
||||
expect_pac=False, expect_error=True)
|
||||
|
||||
def test_upn_dns_info_ex_user(self):
|
||||
client_creds = self.get_client_creds()
|
||||
self._run_upn_dns_info_ex_test(client_creds)
|
||||
|
||||
def test_upn_dns_info_ex_mac(self):
|
||||
mach_creds = self.get_mach_creds()
|
||||
self._run_upn_dns_info_ex_test(mach_creds)
|
||||
|
||||
def test_upn_dns_info_ex_upn_user(self):
|
||||
client_creds = self.get_cached_creds(
|
||||
account_type=self.AccountType.USER,
|
||||
opts={'upn': 'upn_dns_info_test_upn0@bar'})
|
||||
self._run_upn_dns_info_ex_test(client_creds)
|
||||
|
||||
def test_upn_dns_info_ex_upn_mac(self):
|
||||
mach_creds = self.get_cached_creds(
|
||||
account_type=self.AccountType.COMPUTER,
|
||||
opts={'upn': 'upn_dns_info_test_upn1@bar'})
|
||||
self._run_upn_dns_info_ex_test(mach_creds)
|
||||
|
||||
def _run_upn_dns_info_ex_test(self, client_creds):
|
||||
service_creds = self.get_service_creds()
|
||||
|
||||
samdb = self.get_samdb()
|
||||
dn = client_creds.get_dn()
|
||||
|
||||
account_name = client_creds.get_username()
|
||||
upn_name = client_creds.get_upn()
|
||||
if upn_name is None:
|
||||
realm = client_creds.get_realm().lower()
|
||||
upn_name = f'{account_name}@{realm}'
|
||||
sid = self.get_objectSid(samdb, dn)
|
||||
|
||||
tgt = self.get_tgt(client_creds,
|
||||
expected_account_name=account_name,
|
||||
expected_upn_name=upn_name,
|
||||
expected_sid=sid)
|
||||
|
||||
self._make_tgs_request(client_creds, service_creds, tgt,
|
||||
expected_account_name=account_name,
|
||||
expected_upn_name=upn_name,
|
||||
expected_sid=sid)
|
||||
|
||||
# Test making a TGS request.
|
||||
def test_tgs_req(self):
|
||||
creds = self._get_creds()
|
||||
|
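Review bot: In `_run_upn_dns_info_ex_test` the fallback `upn_name = f'{account_name}@{realm}'` hard-codes the form the KDC is assumed to synthesize when the account has no userPrincipalName (lower-cased realm, sAMAccountName kept verbatim, which for the computer-account variants includes the trailing `$`), and nothing in the hunk says so; a one-line comment would help, e.g. `# No UPN attribute set: the KDC is expected to synthesize sAMAccountName@<lower-cased realm>`. The helper also never passes `expect_upn_dns_info_ex=True`; the presence check of the extended buffer is only switched on because `expected_account_name`/`expected_sid` are non-None and the check code infers it from them, so passing `expect_upn_dns_info_ex=True` explicitly in both the `get_tgt` and `_make_tgs_request` calls would keep these four tests asserting presence even if that inference later changes. `_make_tgs_request` gains three new keyword parameters but still has no docstring describing what each expected_* value is compared against; its body continues outside the hunk.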
@ -1986,6 +1986,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
expected_srealm=None,
|
||||
expected_sname=None,
|
||||
expected_account_name=None,
|
||||
expected_upn_name=None,
|
||||
expected_sid=None,
|
||||
expected_supported_etypes=None,
|
||||
expected_flags=None,
|
||||
@ -2019,6 +2020,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
expect_edata=None,
|
||||
expect_pac=True,
|
||||
expect_claims=True,
|
||||
expect_upn_dns_info_ex=None,
|
||||
to_rodc=False):
|
||||
if expected_error_mode == 0:
|
||||
expected_error_mode = ()
|
||||
@ -2037,6 +2039,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
'expected_srealm': expected_srealm,
|
||||
'expected_sname': expected_sname,
|
||||
'expected_account_name': expected_account_name,
|
||||
'expected_upn_name': expected_upn_name,
|
||||
'expected_sid': expected_sid,
|
||||
'expected_supported_etypes': expected_supported_etypes,
|
||||
'expected_flags': expected_flags,
|
||||
@ -2070,6 +2073,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
'expect_edata': expect_edata,
|
||||
'expect_pac': expect_pac,
|
||||
'expect_claims': expect_claims,
|
||||
'expect_upn_dns_info_ex': expect_upn_dns_info_ex,
|
||||
'to_rodc': to_rodc
|
||||
}
|
||||
if callback_dict is None:
|
||||
@ -2084,6 +2088,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
expected_srealm=None,
|
||||
expected_sname=None,
|
||||
expected_account_name=None,
|
||||
expected_upn_name=None,
|
||||
expected_sid=None,
|
||||
expected_supported_etypes=None,
|
||||
expected_flags=None,
|
||||
@ -2116,6 +2121,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
expect_edata=None,
|
||||
expect_pac=True,
|
||||
expect_claims=True,
|
||||
expect_upn_dns_info_ex=None,
|
||||
expected_proxy_target=None,
|
||||
expected_transited_services=None,
|
||||
to_rodc=False):
|
||||
@ -2136,6 +2142,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
'expected_srealm': expected_srealm,
|
||||
'expected_sname': expected_sname,
|
||||
'expected_account_name': expected_account_name,
|
||||
'expected_upn_name': expected_upn_name,
|
||||
'expected_sid': expected_sid,
|
||||
'expected_supported_etypes': expected_supported_etypes,
|
||||
'expected_flags': expected_flags,
|
||||
@ -2168,6 +2175,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
'expect_edata': expect_edata,
|
||||
'expect_pac': expect_pac,
|
||||
'expect_claims': expect_claims,
|
||||
'expect_upn_dns_info_ex': expect_upn_dns_info_ex,
|
||||
'expected_proxy_target': expected_proxy_target,
|
||||
'expected_transited_services': expected_transited_services,
|
||||
'to_rodc': to_rodc
|
||||
@ -2584,6 +2592,12 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
expected_account_name = kdc_exchange_dict['expected_account_name']
|
||||
expected_sid = kdc_exchange_dict['expected_sid']
|
||||
|
||||
expect_upn_dns_info_ex = kdc_exchange_dict['expect_upn_dns_info_ex']
|
||||
if expect_upn_dns_info_ex is None and (
|
||||
expected_account_name is not None
|
||||
or expected_sid is not None):
|
||||
expect_upn_dns_info_ex = True
|
||||
|
||||
for pac_buffer in pac.buffers:
|
||||
if pac_buffer.type == krb5pac.PAC_TYPE_CONSTRAINED_DELEGATION:
|
||||
expected_proxy_target = kdc_exchange_dict[
|
||||
@ -2618,6 +2632,31 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
expected_rid = int(expected_sid.rsplit('-', 1)[1])
|
||||
self.assertEqual(expected_rid, logon_info.rid)
|
||||
|
||||
elif pac_buffer.type == krb5pac.PAC_TYPE_UPN_DNS_INFO:
|
||||
upn_dns_info = pac_buffer.info
|
||||
upn_dns_info_ex = upn_dns_info.ex
|
||||
|
||||
expected_realm = kdc_exchange_dict['expected_crealm']
|
||||
self.assertEqual(expected_realm,
|
||||
upn_dns_info.dns_domain_name)
|
||||
|
||||
expected_upn_name = kdc_exchange_dict['expected_upn_name']
|
||||
if expected_upn_name is not None:
|
||||
self.assertEqual(expected_upn_name,
|
||||
upn_dns_info.upn_name)
|
||||
|
||||
if expect_upn_dns_info_ex:
|
||||
self.assertIsNotNone(upn_dns_info_ex)
|
||||
|
||||
if upn_dns_info_ex is not None:
|
||||
if expected_account_name is not None:
|
||||
self.assertEqual(expected_account_name,
|
||||
upn_dns_info_ex.samaccountname)
|
||||
|
||||
if expected_sid is not None:
|
||||
self.assertEqual(expected_sid,
|
||||
str(upn_dns_info_ex.objectsid))
|
||||
|
||||
def generic_check_kdc_error(self,
|
||||
kdc_exchange_dict,
|
||||
callback_dict,
|
||||
@ -3600,6 +3639,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
padata,
|
||||
kdc_options,
|
||||
expected_account_name=None,
|
||||
expected_upn_name=None,
|
||||
expected_sid=None,
|
||||
expected_flags=None,
|
||||
unexpected_flags=None,
|
||||
@ -3634,6 +3674,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
expected_srealm=expected_srealm,
|
||||
expected_sname=expected_sname,
|
||||
expected_account_name=expected_account_name,
|
||||
expected_upn_name=expected_upn_name,
|
||||
expected_sid=expected_sid,
|
||||
expected_supported_etypes=expected_supported_etypes,
|
||||
ticket_decryption_key=ticket_decryption_key,
|
||||
|
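Review bot: In the PAC_TYPE_UPN_DNS_INFO branch (hunk at 2618), `expect_upn_dns_info_ex=False` only suppresses the `assertIsNotNone`; it never asserts that the extension is absent, so a caller passing False (as the S4U tests do) gets no check in either direction while the field comparisons still run whenever `ex` happens to be present. Either state that in a comment where the flag is read in the hunk at 2584, e.g. `# expect_upn_dns_info_ex: True asserts the extended buffer is present; None infers it from expected_account_name/expected_sid; False only skips the presence check and does not assert absence`, or, if the tickets those callers check really carry no extension, add `elif expect_upn_dns_info_ex is False: self.assertIsNone(upn_dns_info_ex)` after the existing `if`. The `dns_domain_name` comparison against `expected_crealm` assumes the Kerberos realm equals the DNS domain name, which holds for an AD domain but is worth a comment since the same helper is reused with non-default realms elsewhere. The enclosing method starts before the hunk.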
@ -309,6 +309,7 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
tgt=service_tgt,
|
||||
authenticator_subkey=authenticator_subkey,
|
||||
kdc_options=str(kdc_options),
|
||||
expect_upn_dns_info_ex=False,
|
||||
expect_claims=False)
|
||||
|
||||
self._generic_kdc_exchange(kdc_exchange_dict,
|
||||
@ -610,6 +611,7 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
kdc_options=kdc_options,
|
||||
pac_options=pac_options,
|
||||
expect_edata=expect_edata,
|
||||
expect_upn_dns_info_ex=False,
|
||||
expected_proxy_target=expected_proxy_target,
|
||||
expected_transited_services=expected_transited_services,
|
||||
expect_pac=expect_pac)
|
||||
|
@ -155,6 +155,10 @@
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_mac
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_upn_mac
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_upn_user
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_user
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_matching_sname_host
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_matching_sname_no_host
|
||||
|
@ -414,6 +414,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_mac
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_upn_mac
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_upn_user
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_user
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_matching_sname_no_host
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
|
||||
|