CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
We will use it for testing our handling of encryption types.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit 50e075d2db)
[jsutton@samba.org Adapted to 4.17 version of function]
parent
2408d405d3
commit
cc2bea27a6
@ -58,7 +58,139 @@ global_asn1_print = False
|
||||
global_hexdump = False
|
||||
|
||||
|
||||
class KdcTgsTests(KDCBaseTest):
|
||||
class KdcTgsBaseTests(KDCBaseTest):
|
||||
def _tgs_req(self, tgt, expected_error, target_creds,
|
||||
armor_tgt=None,
|
||||
kdc_options='0',
|
||||
expected_cname=None,
|
||||
expected_sname=None,
|
||||
additional_ticket=None,
|
||||
generate_padata_fn=None,
|
||||
sname=None,
|
||||
srealm=None,
|
||||
use_fast=False,
|
||||
expect_claims=True,
|
||||
expect_pac=True,
|
||||
expect_pac_attrs=None,
|
||||
expect_pac_attrs_pac_request=None,
|
||||
expect_requester_sid=None,
|
||||
expect_edata=False,
|
||||
expected_sid=None,
|
||||
expected_status=None):
|
||||
if srealm is False:
|
||||
srealm = None
|
||||
elif srealm is None:
|
||||
srealm = target_creds.get_realm()
|
||||
|
||||
if sname is False:
|
||||
sname = None
|
||||
if expected_sname is None:
|
||||
expected_sname = self.get_krbtgt_sname()
|
||||
else:
|
||||
if sname is None:
|
||||
target_name = target_creds.get_username()
|
||||
if target_name == 'krbtgt':
|
||||
sname = self.PrincipalName_create(
|
||||
name_type=NT_SRV_INST,
|
||||
names=[target_name, srealm])
|
||||
else:
|
||||
if target_name[-1] == '$':
|
||||
target_name = target_name[:-1]
|
||||
sname = self.PrincipalName_create(
|
||||
name_type=NT_PRINCIPAL,
|
||||
names=['host', target_name])
|
||||
|
||||
if expected_sname is None:
|
||||
expected_sname = sname
|
||||
|
||||
if additional_ticket is not None:
|
||||
additional_tickets = [additional_ticket.ticket]
|
||||
decryption_key = additional_ticket.session_key
|
||||
else:
|
||||
additional_tickets = None
|
||||
decryption_key = self.TicketDecryptionKey_from_creds(
|
||||
target_creds)
|
||||
|
||||
subkey = self.RandomKey(tgt.session_key.etype)
|
||||
|
||||
if armor_tgt is not None:
|
||||
armor_subkey = self.RandomKey(subkey.etype)
|
||||
explicit_armor_key = self.generate_armor_key(armor_subkey,
|
||||
armor_tgt.session_key)
|
||||
armor_key = kcrypto.cf2(explicit_armor_key.key,
|
||||
subkey.key,
|
||||
b'explicitarmor',
|
||||
b'tgsarmor')
|
||||
armor_key = Krb5EncryptionKey(armor_key, None)
|
||||
|
||||
generate_fast_fn = self.generate_simple_fast
|
||||
generate_fast_armor_fn = self.generate_ap_req
|
||||
|
||||
pac_options = '1' # claims support
|
||||
else:
|
||||
armor_subkey = None
|
||||
armor_key = None
|
||||
generate_fast_fn = None
|
||||
generate_fast_armor_fn = None
|
||||
|
||||
pac_options = None
|
||||
|
||||
etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
|
||||
|
||||
if expected_error:
|
||||
check_error_fn = self.generic_check_kdc_error
|
||||
check_rep_fn = None
|
||||
else:
|
||||
check_error_fn = None
|
||||
check_rep_fn = self.generic_check_kdc_rep
|
||||
|
||||
if expected_cname is None:
|
||||
expected_cname = tgt.cname
|
||||
|
||||
kdc_exchange_dict = self.tgs_exchange_dict(
|
||||
expected_crealm=tgt.crealm,
|
||||
expected_cname=expected_cname,
|
||||
expected_srealm=srealm,
|
||||
expected_sname=expected_sname,
|
||||
ticket_decryption_key=decryption_key,
|
||||
generate_padata_fn=generate_padata_fn,
|
||||
generate_fast_fn=generate_fast_fn,
|
||||
generate_fast_armor_fn=generate_fast_armor_fn,
|
||||
check_error_fn=check_error_fn,
|
||||
check_rep_fn=check_rep_fn,
|
||||
check_kdc_private_fn=self.generic_check_kdc_private,
|
||||
expected_error_mode=expected_error,
|
||||
expected_status=expected_status,
|
||||
tgt=tgt,
|
||||
armor_key=armor_key,
|
||||
armor_tgt=armor_tgt,
|
||||
armor_subkey=armor_subkey,
|
||||
pac_options=pac_options,
|
||||
authenticator_subkey=subkey,
|
||||
kdc_options=kdc_options,
|
||||
expect_edata=expect_edata,
|
||||
expect_pac=expect_pac,
|
||||
expect_pac_attrs=expect_pac_attrs,
|
||||
expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
|
||||
expect_requester_sid=expect_requester_sid,
|
||||
expected_sid=expected_sid,
|
||||
expect_claims=expect_claims)
|
||||
|
||||
rep = self._generic_kdc_exchange(kdc_exchange_dict,
|
||||
cname=None,
|
||||
realm=srealm,
|
||||
sname=sname,
|
||||
etypes=etypes,
|
||||
additional_tickets=additional_tickets)
|
||||
if expected_error:
|
||||
self.check_error_rep(rep, expected_error)
|
||||
return None
|
||||
else:
|
||||
self.check_reply(rep, KRB_TGS_REP)
|
||||
return kdc_exchange_dict['rep_ticket_creds']
|
||||
|
||||
|
||||
class KdcTgsTests(KdcTgsBaseTests):
|
||||
|
||||
def setUp(self):
|
||||
super().setUp()
|
||||
@ -2693,136 +2825,6 @@ class KdcTgsTests(KDCBaseTest):
|
||||
expected_sname=expected_sname,
|
||||
expect_pac=expect_pac)
|
||||
|
||||
def _tgs_req(self, tgt, expected_error, target_creds,
|
||||
armor_tgt=None,
|
||||
kdc_options='0',
|
||||
expected_cname=None,
|
||||
expected_sname=None,
|
||||
additional_ticket=None,
|
||||
generate_padata_fn=None,
|
||||
sname=None,
|
||||
srealm=None,
|
||||
use_fast=False,
|
||||
expect_claims=True,
|
||||
expect_pac=True,
|
||||
expect_pac_attrs=None,
|
||||
expect_pac_attrs_pac_request=None,
|
||||
expect_requester_sid=None,
|
||||
expect_edata=False,
|
||||
expected_sid=None,
|
||||
expected_status=None):
|
||||
if srealm is False:
|
||||
srealm = None
|
||||
elif srealm is None:
|
||||
srealm = target_creds.get_realm()
|
||||
|
||||
if sname is False:
|
||||
sname = None
|
||||
if expected_sname is None:
|
||||
expected_sname = self.get_krbtgt_sname()
|
||||
else:
|
||||
if sname is None:
|
||||
target_name = target_creds.get_username()
|
||||
if target_name == 'krbtgt':
|
||||
sname = self.PrincipalName_create(
|
||||
name_type=NT_SRV_INST,
|
||||
names=[target_name, srealm])
|
||||
else:
|
||||
if target_name[-1] == '$':
|
||||
target_name = target_name[:-1]
|
||||
sname = self.PrincipalName_create(
|
||||
name_type=NT_PRINCIPAL,
|
||||
names=['host', target_name])
|
||||
|
||||
if expected_sname is None:
|
||||
expected_sname = sname
|
||||
|
||||
if additional_ticket is not None:
|
||||
additional_tickets = [additional_ticket.ticket]
|
||||
decryption_key = additional_ticket.session_key
|
||||
else:
|
||||
additional_tickets = None
|
||||
decryption_key = self.TicketDecryptionKey_from_creds(
|
||||
target_creds)
|
||||
|
||||
subkey = self.RandomKey(tgt.session_key.etype)
|
||||
|
||||
if armor_tgt is not None:
|
||||
armor_subkey = self.RandomKey(subkey.etype)
|
||||
explicit_armor_key = self.generate_armor_key(armor_subkey,
|
||||
armor_tgt.session_key)
|
||||
armor_key = kcrypto.cf2(explicit_armor_key.key,
|
||||
subkey.key,
|
||||
b'explicitarmor',
|
||||
b'tgsarmor')
|
||||
armor_key = Krb5EncryptionKey(armor_key, None)
|
||||
|
||||
generate_fast_fn = self.generate_simple_fast
|
||||
generate_fast_armor_fn = self.generate_ap_req
|
||||
|
||||
pac_options = '1' # claims support
|
||||
else:
|
||||
armor_subkey = None
|
||||
armor_key = None
|
||||
generate_fast_fn = None
|
||||
generate_fast_armor_fn = None
|
||||
|
||||
pac_options = None
|
||||
|
||||
etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
|
||||
|
||||
if expected_error:
|
||||
check_error_fn = self.generic_check_kdc_error
|
||||
check_rep_fn = None
|
||||
else:
|
||||
check_error_fn = None
|
||||
check_rep_fn = self.generic_check_kdc_rep
|
||||
|
||||
if expected_cname is None:
|
||||
expected_cname = tgt.cname
|
||||
|
||||
kdc_exchange_dict = self.tgs_exchange_dict(
|
||||
expected_crealm=tgt.crealm,
|
||||
expected_cname=expected_cname,
|
||||
expected_srealm=srealm,
|
||||
expected_sname=expected_sname,
|
||||
ticket_decryption_key=decryption_key,
|
||||
generate_padata_fn=generate_padata_fn,
|
||||
generate_fast_fn=generate_fast_fn,
|
||||
generate_fast_armor_fn=generate_fast_armor_fn,
|
||||
check_error_fn=check_error_fn,
|
||||
check_rep_fn=check_rep_fn,
|
||||
check_kdc_private_fn=self.generic_check_kdc_private,
|
||||
expected_error_mode=expected_error,
|
||||
expected_status=expected_status,
|
||||
tgt=tgt,
|
||||
armor_key=armor_key,
|
||||
armor_tgt=armor_tgt,
|
||||
armor_subkey=armor_subkey,
|
||||
pac_options=pac_options,
|
||||
authenticator_subkey=subkey,
|
||||
kdc_options=kdc_options,
|
||||
expect_edata=expect_edata,
|
||||
expect_pac=expect_pac,
|
||||
expect_pac_attrs=expect_pac_attrs,
|
||||
expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
|
||||
expect_requester_sid=expect_requester_sid,
|
||||
expected_sid=expected_sid,
|
||||
expect_claims=expect_claims)
|
||||
|
||||
rep = self._generic_kdc_exchange(kdc_exchange_dict,
|
||||
cname=None,
|
||||
realm=srealm,
|
||||
sname=sname,
|
||||
etypes=etypes,
|
||||
additional_tickets=additional_tickets)
|
||||
if expected_error:
|
||||
self.check_error_rep(rep, expected_error)
|
||||
return None
|
||||
else:
|
||||
self.check_reply(rep, KRB_TGS_REP)
|
||||
return kdc_exchange_dict['rep_ticket_creds']
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
global_asn1_print = False
|
||||
|