
CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2021-10-21 16:46:56 +13:00 committed by Jule Anger
parent 24be204834
commit 903ab1a027
6 changed files with 103 additions and 2 deletions


@ -1358,7 +1358,7 @@ class KDCBaseTest(RawKerberosTest):
def get_tgt(self, creds, to_rodc=False, kdc_options=None,
expected_flags=None, unexpected_flags=None,
expected_account_name=None,
expected_account_name=None, expected_upn_name=None,
expected_sid=None,
pac_request=True, expect_pac=True, fresh=False):
user_name = creds.get_username()
@ -1410,6 +1410,7 @@ class KDCBaseTest(RawKerberosTest):
expected_srealm=realm,
expected_sname=sname,
expected_account_name=expected_account_name,
expected_upn_name=expected_upn_name,
expected_sid=expected_sid,
expected_salt=salt,
expected_flags=expected_flags,
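Review bot: The rewritten signature line packs `expected_account_name=None, expected_upn_name=None,` onto one line while `expected_sid=None,` directly beneath it keeps one keyword per line, which is the convention the rest of get_tgt's signature follows; splitting it back to `expected_account_name=None,` / `expected_upn_name=None,` keeps the list scannable and future additions one-line diffs. The body of get_tgt and the call site in the second hunk both continue outside this view.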


@ -227,7 +227,10 @@ class KdcTgsTests(KDCBaseTest):
def _make_tgs_request(self, client_creds, service_creds, tgt,
pac_request=None, expect_pac=True,
expect_error=False):
expect_error=False,
expected_account_name=None,
expected_upn_name=None,
expected_sid=None):
client_account = client_creds.get_username()
cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
names=[client_account])
@ -268,6 +271,9 @@ class KdcTgsTests(KDCBaseTest):
expected_cname=expected_cname,
expected_srealm=expected_srealm,
expected_sname=expected_sname,
expected_account_name=expected_account_name,
expected_upn_name=expected_upn_name,
expected_sid=expected_sid,
expected_supported_etypes=expected_supported_etypes,
ticket_decryption_key=target_decryption_key,
check_error_fn=check_error_fn,
@ -433,6 +439,49 @@ class KdcTgsTests(KDCBaseTest):
self._make_tgs_request(client_creds, service_creds, tgt,
expect_pac=False, expect_error=True)
def test_upn_dns_info_ex_user(self):
client_creds = self.get_client_creds()
self._run_upn_dns_info_ex_test(client_creds)
def test_upn_dns_info_ex_mac(self):
mach_creds = self.get_mach_creds()
self._run_upn_dns_info_ex_test(mach_creds)
def test_upn_dns_info_ex_upn_user(self):
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
opts={'upn': 'upn_dns_info_test_upn0@bar'})
self._run_upn_dns_info_ex_test(client_creds)
def test_upn_dns_info_ex_upn_mac(self):
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={'upn': 'upn_dns_info_test_upn1@bar'})
self._run_upn_dns_info_ex_test(mach_creds)
def _run_upn_dns_info_ex_test(self, client_creds):
service_creds = self.get_service_creds()
samdb = self.get_samdb()
dn = client_creds.get_dn()
account_name = client_creds.get_username()
upn_name = client_creds.get_upn()
if upn_name is None:
realm = client_creds.get_realm().lower()
upn_name = f'{account_name}@{realm}'
sid = self.get_objectSid(samdb, dn)
tgt = self.get_tgt(client_creds,
expected_account_name=account_name,
expected_upn_name=upn_name,
expected_sid=sid)
self._make_tgs_request(client_creds, service_creds, tgt,
expected_account_name=account_name,
expected_upn_name=upn_name,
expected_sid=sid)
# Test making a TGS request.
def test_tgs_req(self):
creds = self._get_creds()
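Review bot: In `_run_upn_dns_info_ex_test` the fallback `upn_name = f'{account_name}@{realm}'` built from the lower-cased realm encodes an assumption about how the KDC synthesises a UPN for an account with no userPrincipalName, and nothing in the method says so; a comment above the `if upn_name is None:` guard such as `# No userPrincipalName on the account: assume the KDC synthesises <sAMAccountName>@<DNS domain> (lower-case realm) -- confirm` would record that. Because the extended-buffer expectation is only switched on implicitly (the checker infers it from expected_account_name or expected_sid being set), the test method never states that the ex buffer is required; a docstring on `_run_upn_dns_info_ex_test` along the lines of `"""Check that AS and TGS replies carry PAC_UPN_DNS_INFO whose sAMAccountName/SID extension matches the client account."""` would make the intent visible to whoever later clears these tests from the knownfail lists. The body of `_make_tgs_request` in the first hunk continues outside this view.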


@ -1986,6 +1986,7 @@ class RawKerberosTest(TestCaseInTempDir):
expected_srealm=None,
expected_sname=None,
expected_account_name=None,
expected_upn_name=None,
expected_sid=None,
expected_supported_etypes=None,
expected_flags=None,
@ -2019,6 +2020,7 @@ class RawKerberosTest(TestCaseInTempDir):
expect_edata=None,
expect_pac=True,
expect_claims=True,
expect_upn_dns_info_ex=None,
to_rodc=False):
if expected_error_mode == 0:
expected_error_mode = ()
@ -2037,6 +2039,7 @@ class RawKerberosTest(TestCaseInTempDir):
'expected_srealm': expected_srealm,
'expected_sname': expected_sname,
'expected_account_name': expected_account_name,
'expected_upn_name': expected_upn_name,
'expected_sid': expected_sid,
'expected_supported_etypes': expected_supported_etypes,
'expected_flags': expected_flags,
@ -2070,6 +2073,7 @@ class RawKerberosTest(TestCaseInTempDir):
'expect_edata': expect_edata,
'expect_pac': expect_pac,
'expect_claims': expect_claims,
'expect_upn_dns_info_ex': expect_upn_dns_info_ex,
'to_rodc': to_rodc
}
if callback_dict is None:
@ -2084,6 +2088,7 @@ class RawKerberosTest(TestCaseInTempDir):
expected_srealm=None,
expected_sname=None,
expected_account_name=None,
expected_upn_name=None,
expected_sid=None,
expected_supported_etypes=None,
expected_flags=None,
@ -2116,6 +2121,7 @@ class RawKerberosTest(TestCaseInTempDir):
expect_edata=None,
expect_pac=True,
expect_claims=True,
expect_upn_dns_info_ex=None,
expected_proxy_target=None,
expected_transited_services=None,
to_rodc=False):
@ -2136,6 +2142,7 @@ class RawKerberosTest(TestCaseInTempDir):
'expected_srealm': expected_srealm,
'expected_sname': expected_sname,
'expected_account_name': expected_account_name,
'expected_upn_name': expected_upn_name,
'expected_sid': expected_sid,
'expected_supported_etypes': expected_supported_etypes,
'expected_flags': expected_flags,
@ -2168,6 +2175,7 @@ class RawKerberosTest(TestCaseInTempDir):
'expect_edata': expect_edata,
'expect_pac': expect_pac,
'expect_claims': expect_claims,
'expect_upn_dns_info_ex': expect_upn_dns_info_ex,
'expected_proxy_target': expected_proxy_target,
'expected_transited_services': expected_transited_services,
'to_rodc': to_rodc
@ -2584,6 +2592,12 @@ class RawKerberosTest(TestCaseInTempDir):
expected_account_name = kdc_exchange_dict['expected_account_name']
expected_sid = kdc_exchange_dict['expected_sid']
expect_upn_dns_info_ex = kdc_exchange_dict['expect_upn_dns_info_ex']
if expect_upn_dns_info_ex is None and (
expected_account_name is not None
or expected_sid is not None):
expect_upn_dns_info_ex = True
for pac_buffer in pac.buffers:
if pac_buffer.type == krb5pac.PAC_TYPE_CONSTRAINED_DELEGATION:
expected_proxy_target = kdc_exchange_dict[
@ -2618,6 +2632,31 @@ class RawKerberosTest(TestCaseInTempDir):
expected_rid = int(expected_sid.rsplit('-', 1)[1])
self.assertEqual(expected_rid, logon_info.rid)
elif pac_buffer.type == krb5pac.PAC_TYPE_UPN_DNS_INFO:
upn_dns_info = pac_buffer.info
upn_dns_info_ex = upn_dns_info.ex
expected_realm = kdc_exchange_dict['expected_crealm']
self.assertEqual(expected_realm,
upn_dns_info.dns_domain_name)
expected_upn_name = kdc_exchange_dict['expected_upn_name']
if expected_upn_name is not None:
self.assertEqual(expected_upn_name,
upn_dns_info.upn_name)
if expect_upn_dns_info_ex:
self.assertIsNotNone(upn_dns_info_ex)
if upn_dns_info_ex is not None:
if expected_account_name is not None:
self.assertEqual(expected_account_name,
upn_dns_info_ex.samaccountname)
if expected_sid is not None:
self.assertEqual(expected_sid,
str(upn_dns_info_ex.objectsid))
def generic_check_kdc_error(self,
kdc_exchange_dict,
callback_dict,
@ -3600,6 +3639,7 @@ class RawKerberosTest(TestCaseInTempDir):
padata,
kdc_options,
expected_account_name=None,
expected_upn_name=None,
expected_sid=None,
expected_flags=None,
unexpected_flags=None,
@ -3634,6 +3674,7 @@ class RawKerberosTest(TestCaseInTempDir):
expected_srealm=expected_srealm,
expected_sname=expected_sname,
expected_account_name=expected_account_name,
expected_upn_name=expected_upn_name,
expected_sid=expected_sid,
expected_supported_etypes=expected_supported_etypes,
ticket_decryption_key=ticket_decryption_key,
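Review bot: The new PAC_TYPE_UPN_DNS_INFO branch asserts dns_domain_name, upn_name, samaccountname and objectsid but never examines `upn_dns_info.flags`, so these tests do not pin whether the KDC announced the extension or marked the UPN as constructed for accounts without a userPrincipalName, which is what a relying service keys on before trusting the extra fields. I assume the `ex` member is selected by the has-SAM-name-and-SID flag when the buffer is unmarshalled, in which case `assertIsNotNone(upn_dns_info_ex)` implies it; an explicit `self.assertTrue(upn_dns_info.flags & krb5pac.PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)` beside it would still make that contract visible, and the constructed-UPN case has no check at all. Separately, the `dns_domain_name` assertion against `expected_crealm` is unconditional while every neighbouring expectation is guarded with `is not None`, so a caller that leaves expected_crealm unset would fail on the expectation rather than on the PAC. The enclosing check method starts before this hunk.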


@ -309,6 +309,7 @@ class S4UKerberosTests(KDCBaseTest):
tgt=service_tgt,
authenticator_subkey=authenticator_subkey,
kdc_options=str(kdc_options),
expect_upn_dns_info_ex=False,
expect_claims=False)
self._generic_kdc_exchange(kdc_exchange_dict,
@ -610,6 +611,7 @@ class S4UKerberosTests(KDCBaseTest):
kdc_options=kdc_options,
pac_options=pac_options,
expect_edata=expect_edata,
expect_upn_dns_info_ex=False,
expected_proxy_target=expected_proxy_target,
expected_transited_services=expected_transited_services,
expect_pac=expect_pac)
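Review bot: `expect_upn_dns_info_ex=False` is set on both S4U exchanges without saying why the extended buffer is not expected on those paths; since the checker turns the expectation on whenever an account name or SID is expected, a reader cannot tell whether this is a deliberate protocol property of S4U tickets or a KDC gap the tests are deliberately not asserting yet. A comment such as `# The S4U reply is not expected to carry PAC_UPN_DNS_INFO_EX here -- confirm this is intended rather than a KDC gap` on each line would settle that for the next person who tries to flip it. Both enclosing methods start outside these hunks.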


@ -155,6 +155,10 @@
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_mac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_upn_mac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_upn_user
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_user
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_matching_sname_host
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_matching_sname_no_host
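Review bot: The four new test_upn_dns_info_ex_* cases are added to this knownfail list (and to the second list below), so at this commit they document the expected post-fix PAC contents rather than verify them, and nothing on the page says which later change is meant to clear them. A short comment next to the entries, or a sentence in the commit description, naming the follow-up that adds the extended buffer would save a bisect later; the BUG reference alone does not say which commit flips them.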


@ -414,6 +414,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_mac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_upn_mac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_upn_user
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_user
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_matching_sname_no_host
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac