mirror of
https://github.com/samba-team/samba.git
synced 2025-10-10 15:33:19 +03:00
CVE-2021-20251 tests/krb5: Add tests for password lockout race
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
committed by
Andrew Bartlett
parent
4bb9d85fed
commit
91e2e5616c
1088
python/samba/tests/krb5/lockout_tests.py
Executable file
File diff suppressed because it is too large
@@ -50,6 +50,7 @@ from samba.tests.krb5.rfc4120_constants import (
|
||||
AD_IF_RELEVANT,
|
||||
AD_WIN2K_PAC,
|
||||
FX_FAST_ARMOR_AP_REQUEST,
|
||||
KDC_ERR_CLIENT_REVOKED,
|
||||
KDC_ERR_GENERIC,
|
||||
KDC_ERR_POLICY,
|
||||
KDC_ERR_PREAUTH_FAILED,
|
||||
@@ -641,6 +642,13 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
tkt_sig_support = '0'
|
||||
cls.tkt_sig_support = bool(int(tkt_sig_support))
|
||||
|
||||
gnutls_pbkdf2_support = samba.tests.env_get_var_value(
|
||||
'GNUTLS_PBKDF2_SUPPORT',
|
||||
allow_missing=True)
|
||||
if gnutls_pbkdf2_support is None:
|
||||
gnutls_pbkdf2_support = '1'
|
||||
cls.gnutls_pbkdf2_support = bool(int(gnutls_pbkdf2_support))
|
||||
|
||||
expect_pac = samba.tests.env_get_var_value('EXPECT_PAC',
|
||||
allow_missing=True)
|
||||
if expect_pac is None:
|
||||
@@ -3756,7 +3764,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
expected_patypes += (PADATA_ETYPE_INFO2,)
|
||||
|
||||
if error_code not in (KDC_ERR_PREAUTH_FAILED, KDC_ERR_SKEW,
|
||||
KDC_ERR_POLICY):
|
||||
KDC_ERR_POLICY, KDC_ERR_CLIENT_REVOKED):
|
||||
if sent_fast:
|
||||
expected_patypes += (PADATA_ENCRYPTED_CHALLENGE,)
|
||||
else:
|
||||
|
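Review bot: In the hunk at -641,6 +642,13, `gnutls_pbkdf2_support` falls back to `'1'` when `GNUTLS_PBKDF2_SUPPORT` is unset, while the `tkt_sig_support` line visible just above it appears to fall back to `'0'`. A run outside the selftest harness on a build without PBKDF2 would therefore report the capability as present, and whatever is gated on it would presumably fail instead of being skipped. If the optimistic default is intended, say so with a comment such as `# Assume PBKDF2 is available unless the harness says otherwise`; if not, `gnutls_pbkdf2_support = '0'` matches the neighbouring flag. Note also that `bool(int(...))` raises ValueError on any non-numeric value, which would surface during class setup. The enclosing method starts and ends outside the hunk.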
@@ -88,6 +88,7 @@ KDC_ERR_POLICY = 12
|
||||
KDC_ERR_BADOPTION = 13
|
||||
KDC_ERR_ETYPE_NOSUPP = 14
|
||||
KDC_ERR_SUMTYPE_NOSUPP = 15
|
||||
KDC_ERR_CLIENT_REVOKED = 18
|
||||
KDC_ERR_TGT_REVOKED = 20
|
||||
KDC_ERR_PREAUTH_FAILED = 24
|
||||
KDC_ERR_PREAUTH_REQUIRED = 25
|
||||
|
@@ -114,6 +114,7 @@ EXCLUDE_USAGE = {
|
||||
'python/samba/tests/krb5/nt_hash_tests.py',
|
||||
'python/samba/tests/krb5/kpasswd_tests.py',
|
||||
'python/samba/tests/krb5/claims_tests.py',
|
||||
'python/samba/tests/krb5/lockout_tests.py',
|
||||
}
|
||||
|
||||
EXCLUDE_HELP = {
|
||||
|
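--- a/selftest/flapping.d/ldap-pwd-change-race
+++ b/selftest/flapping.d/ldap-pwd-change-race
@@ -0,0 +1,5 @@
+# This test currently depends on a race. The password_hash dsdb module
+# relinquishes and immediately reacquires a transaction lock, and another
+# process may be able to acquire it during the short period of time in which it
+# is not held.
+^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_ldap_pw_change.ad_dc:local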
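Review bot: Listing `test_lockout_race_ldap_pw_change` as flapping means, as far as the harness treats flapping entries, that its outcome is not enforced either way, so the LDAP password-change path of this CVE has no binding regression check at this commit. The comment explains why the test races but not when the entry can be removed. I would add a closing line such as `# Remove once password_hash no longer releases the transaction lock mid-operation (bug 14611).` so the entry does not outlive the fix.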
@@ -142,3 +142,13 @@
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc
|
||||
#
|
||||
# Lockout tests
|
||||
#
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_kdc.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_ntlm.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_rename_kdc.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_rename_ntlm.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_samr.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_kdc.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_ntlm.ad_dc:local
|
||||
|
@@ -528,3 +528,17 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc
|
||||
#
|
||||
# Lockout tests
|
||||
#
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_kdc.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_ntlm.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_rename_kdc.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_rename_ntlm.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_samr.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_kdc.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_ntlm.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_bad_pwd_kdc.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_kdc.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_rename_kdc.ad_dc:local
|
||||
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_logon_kdc.ad_dc:local
|
||||
|
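Review bot: The last four entries of this list (`test_lockout_transaction_bad_pwd_kdc`, `test_lockout_transaction_kdc`, `test_lockout_transaction_rename_kdc`, `test_logon_kdc`) have no counterpart in the list changed by the previous hunk at -142,3 +142,13, and nothing under `# Lockout tests` explains the difference. If the two lists track different KDC builds, as the hunk context suggests, then a failing `test_logon_kdc` looks like something other than the lockout race and may still be expected to fail after the CVE fix lands. A separating comment, e.g. `# Fail for a reason other than the lockout race: <reason>`, would tell whoever removes the knownfail entries later which ones the fix is supposed to clear.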
@@ -1002,6 +1002,8 @@ if ('SAMBA4_USES_HEIMDAL' in config_hash or
|
||||
else:
|
||||
tkt_sig_support = 0
|
||||
|
||||
gnutls_pbkdf2_support = int('HAVE_GNUTLS_PBKDF2' in config_hash)
|
||||
|
||||
if 'HAVE_MIT_KRB5_1_20' in config_hash:
|
||||
kadmin_is_tgs = 1
|
||||
else:
|
||||
@@ -1022,6 +1024,7 @@ krb5_environ = {
|
||||
'CLAIMS_SUPPORT': claims_support,
|
||||
'COMPOUND_ID_SUPPORT': compound_id_support,
|
||||
'TKT_SIG_SUPPORT': tkt_sig_support,
|
||||
'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support,
|
||||
'EXPECT_PAC': expect_pac,
|
||||
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
|
||||
'CHECK_CNAME': check_cname,
|
||||
@@ -1731,6 +1734,10 @@ planoldpythontestsuite(
|
||||
'ad_dc',
|
||||
'samba.tests.krb5.claims_tests',
|
||||
environ=krb5_environ)
|
||||
planoldpythontestsuite(
|
||||
'ad_dc:local',
|
||||
'samba.tests.krb5.lockout_tests',
|
||||
environ=krb5_environ)
|
||||
|
||||
for env in [
|
||||
'vampire_dc',
|
||||
|
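Review bot: The new `planoldpythontestsuite` call plans `samba.tests.krb5.lockout_tests` for `ad_dc:local` only, whereas the `claims_tests` call directly above it uses plain `ad_dc`, and no comment says why. Presumably the lockout tests need direct access to the DC's database to hold transactions, but the test file's diff is suppressed on this page, so that cannot be confirmed from here. A one-line comment above the call, e.g. `# Needs ad_dc:local: the tests hold transactions on the DC's database directly`, would keep the environment from being changed to match its neighbours later; check the wording against the test itself.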