1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-27 14:04:05 +03:00

CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class

We will use it for testing our handling of encryption types.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(similar to commit 50e075d2db21e9f23d686684ea3df9454b6b560e)
[jsutton@samba.org Adapted to 4.17 version of function]
This commit is contained in:
Joseph Sutton 2022-10-26 14:26:01 +13:00 committed by Stefan Metzmacher
parent 2408d405d3
commit cc2bea27a6

View File

@ -58,7 +58,139 @@ global_asn1_print = False
global_hexdump = False
class KdcTgsTests(KDCBaseTest):
class KdcTgsBaseTests(KDCBaseTest):
def _tgs_req(self, tgt, expected_error, target_creds,
armor_tgt=None,
kdc_options='0',
expected_cname=None,
expected_sname=None,
additional_ticket=None,
generate_padata_fn=None,
sname=None,
srealm=None,
use_fast=False,
expect_claims=True,
expect_pac=True,
expect_pac_attrs=None,
expect_pac_attrs_pac_request=None,
expect_requester_sid=None,
expect_edata=False,
expected_sid=None,
expected_status=None):
if srealm is False:
srealm = None
elif srealm is None:
srealm = target_creds.get_realm()
if sname is False:
sname = None
if expected_sname is None:
expected_sname = self.get_krbtgt_sname()
else:
if sname is None:
target_name = target_creds.get_username()
if target_name == 'krbtgt':
sname = self.PrincipalName_create(
name_type=NT_SRV_INST,
names=[target_name, srealm])
else:
if target_name[-1] == '$':
target_name = target_name[:-1]
sname = self.PrincipalName_create(
name_type=NT_PRINCIPAL,
names=['host', target_name])
if expected_sname is None:
expected_sname = sname
if additional_ticket is not None:
additional_tickets = [additional_ticket.ticket]
decryption_key = additional_ticket.session_key
else:
additional_tickets = None
decryption_key = self.TicketDecryptionKey_from_creds(
target_creds)
subkey = self.RandomKey(tgt.session_key.etype)
if armor_tgt is not None:
armor_subkey = self.RandomKey(subkey.etype)
explicit_armor_key = self.generate_armor_key(armor_subkey,
armor_tgt.session_key)
armor_key = kcrypto.cf2(explicit_armor_key.key,
subkey.key,
b'explicitarmor',
b'tgsarmor')
armor_key = Krb5EncryptionKey(armor_key, None)
generate_fast_fn = self.generate_simple_fast
generate_fast_armor_fn = self.generate_ap_req
pac_options = '1' # claims support
else:
armor_subkey = None
armor_key = None
generate_fast_fn = None
generate_fast_armor_fn = None
pac_options = None
etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
if expected_error:
check_error_fn = self.generic_check_kdc_error
check_rep_fn = None
else:
check_error_fn = None
check_rep_fn = self.generic_check_kdc_rep
if expected_cname is None:
expected_cname = tgt.cname
kdc_exchange_dict = self.tgs_exchange_dict(
expected_crealm=tgt.crealm,
expected_cname=expected_cname,
expected_srealm=srealm,
expected_sname=expected_sname,
ticket_decryption_key=decryption_key,
generate_padata_fn=generate_padata_fn,
generate_fast_fn=generate_fast_fn,
generate_fast_armor_fn=generate_fast_armor_fn,
check_error_fn=check_error_fn,
check_rep_fn=check_rep_fn,
check_kdc_private_fn=self.generic_check_kdc_private,
expected_error_mode=expected_error,
expected_status=expected_status,
tgt=tgt,
armor_key=armor_key,
armor_tgt=armor_tgt,
armor_subkey=armor_subkey,
pac_options=pac_options,
authenticator_subkey=subkey,
kdc_options=kdc_options,
expect_edata=expect_edata,
expect_pac=expect_pac,
expect_pac_attrs=expect_pac_attrs,
expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
expect_requester_sid=expect_requester_sid,
expected_sid=expected_sid,
expect_claims=expect_claims)
rep = self._generic_kdc_exchange(kdc_exchange_dict,
cname=None,
realm=srealm,
sname=sname,
etypes=etypes,
additional_tickets=additional_tickets)
if expected_error:
self.check_error_rep(rep, expected_error)
return None
else:
self.check_reply(rep, KRB_TGS_REP)
return kdc_exchange_dict['rep_ticket_creds']
class KdcTgsTests(KdcTgsBaseTests):
def setUp(self):
super().setUp()
@ -2693,136 +2825,6 @@ class KdcTgsTests(KDCBaseTest):
expected_sname=expected_sname,
expect_pac=expect_pac)
def _tgs_req(self, tgt, expected_error, target_creds,
armor_tgt=None,
kdc_options='0',
expected_cname=None,
expected_sname=None,
additional_ticket=None,
generate_padata_fn=None,
sname=None,
srealm=None,
use_fast=False,
expect_claims=True,
expect_pac=True,
expect_pac_attrs=None,
expect_pac_attrs_pac_request=None,
expect_requester_sid=None,
expect_edata=False,
expected_sid=None,
expected_status=None):
if srealm is False:
srealm = None
elif srealm is None:
srealm = target_creds.get_realm()
if sname is False:
sname = None
if expected_sname is None:
expected_sname = self.get_krbtgt_sname()
else:
if sname is None:
target_name = target_creds.get_username()
if target_name == 'krbtgt':
sname = self.PrincipalName_create(
name_type=NT_SRV_INST,
names=[target_name, srealm])
else:
if target_name[-1] == '$':
target_name = target_name[:-1]
sname = self.PrincipalName_create(
name_type=NT_PRINCIPAL,
names=['host', target_name])
if expected_sname is None:
expected_sname = sname
if additional_ticket is not None:
additional_tickets = [additional_ticket.ticket]
decryption_key = additional_ticket.session_key
else:
additional_tickets = None
decryption_key = self.TicketDecryptionKey_from_creds(
target_creds)
subkey = self.RandomKey(tgt.session_key.etype)
if armor_tgt is not None:
armor_subkey = self.RandomKey(subkey.etype)
explicit_armor_key = self.generate_armor_key(armor_subkey,
armor_tgt.session_key)
armor_key = kcrypto.cf2(explicit_armor_key.key,
subkey.key,
b'explicitarmor',
b'tgsarmor')
armor_key = Krb5EncryptionKey(armor_key, None)
generate_fast_fn = self.generate_simple_fast
generate_fast_armor_fn = self.generate_ap_req
pac_options = '1' # claims support
else:
armor_subkey = None
armor_key = None
generate_fast_fn = None
generate_fast_armor_fn = None
pac_options = None
etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
if expected_error:
check_error_fn = self.generic_check_kdc_error
check_rep_fn = None
else:
check_error_fn = None
check_rep_fn = self.generic_check_kdc_rep
if expected_cname is None:
expected_cname = tgt.cname
kdc_exchange_dict = self.tgs_exchange_dict(
expected_crealm=tgt.crealm,
expected_cname=expected_cname,
expected_srealm=srealm,
expected_sname=expected_sname,
ticket_decryption_key=decryption_key,
generate_padata_fn=generate_padata_fn,
generate_fast_fn=generate_fast_fn,
generate_fast_armor_fn=generate_fast_armor_fn,
check_error_fn=check_error_fn,
check_rep_fn=check_rep_fn,
check_kdc_private_fn=self.generic_check_kdc_private,
expected_error_mode=expected_error,
expected_status=expected_status,
tgt=tgt,
armor_key=armor_key,
armor_tgt=armor_tgt,
armor_subkey=armor_subkey,
pac_options=pac_options,
authenticator_subkey=subkey,
kdc_options=kdc_options,
expect_edata=expect_edata,
expect_pac=expect_pac,
expect_pac_attrs=expect_pac_attrs,
expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
expect_requester_sid=expect_requester_sid,
expected_sid=expected_sid,
expect_claims=expect_claims)
rep = self._generic_kdc_exchange(kdc_exchange_dict,
cname=None,
realm=srealm,
sname=sname,
etypes=etypes,
additional_tickets=additional_tickets)
if expected_error:
self.check_error_rep(rep, expected_error)
return None
else:
self.check_reply(rep, KRB_TGS_REP)
return kdc_exchange_dict['rep_ticket_creds']
if __name__ == "__main__":
global_asn1_print = False