CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
This shows that changes around RC4 encryption types do not break older functional levels where only RC4 keys are available. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5) [jsutton@samba.org Fixed import conflict]
This commit is contained in:
parent
f29efb011f
commit
da9da918f7
@ -23,7 +23,7 @@ import functools
|
||||
sys.path.insert(0, "bin/python")
|
||||
os.environ["PYTHONUNBUFFERED"] = "1"
|
||||
|
||||
from samba import ntstatus
|
||||
from samba import dsdb, ntstatus
|
||||
from samba.dcerpc import krb5pac, lsa
|
||||
|
||||
from samba.tests import env_get_var_value
|
||||
@ -691,6 +691,13 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
# Ensure we used all the parameters given to us.
|
||||
self.assertEqual({}, kdc_dict)
|
||||
|
||||
def skip_unless_fl2008(self):
|
||||
samdb = self.get_samdb()
|
||||
functional_level = self.get_domain_functional_level(samdb)
|
||||
|
||||
if functional_level < dsdb.DS_DOMAIN_FUNCTION_2008:
|
||||
self.skipTest('RBCD requires FL2008')
|
||||
|
||||
def test_constrained_delegation(self):
|
||||
# Test constrained delegation.
|
||||
self._run_delegation_test(
|
||||
@ -811,6 +818,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_no_auth_data_required(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
self._run_delegation_test(
|
||||
{
|
||||
'expected_error_mode': 0,
|
||||
@ -823,6 +832,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_existing_delegation_info(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Test constrained delegation with an existing S4U_DELEGATION_INFO
|
||||
# structure in the PAC.
|
||||
|
||||
@ -850,6 +861,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_no_client_pac_a(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Test constrained delegation when the client service ticket does not
|
||||
# contain a PAC, and an empty msDS-AllowedToDelegateTo attribute.
|
||||
self._run_delegation_test(
|
||||
@ -862,6 +875,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_no_client_pac_b(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Test constrained delegation when the client service ticket does not
|
||||
# contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute.
|
||||
self._run_delegation_test(
|
||||
@ -877,6 +892,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_no_service_pac(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Test constrained delegation when the service TGT does not contain a
|
||||
# PAC.
|
||||
self._run_delegation_test(
|
||||
@ -889,6 +906,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_no_client_pac_no_auth_data_required_a(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Test constrained delegation when the client service ticket does not
|
||||
# contain a PAC, and an empty msDS-AllowedToDelegateTo attribute.
|
||||
self._run_delegation_test(
|
||||
@ -904,6 +923,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_no_client_pac_no_auth_data_required_b(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Test constrained delegation when the client service ticket does not
|
||||
# contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute.
|
||||
self._run_delegation_test(
|
||||
@ -922,6 +943,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_no_service_pac_no_auth_data_required(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Test constrained delegation when the service TGT does not contain a
|
||||
# PAC.
|
||||
self._run_delegation_test(
|
||||
@ -937,6 +960,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_non_forwardable(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Test resource-based constrained delegation with a non-forwardable
|
||||
# ticket.
|
||||
self._run_delegation_test(
|
||||
@ -950,6 +975,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_no_pac_options_a(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Test resource-based constrained delegation without the RBCD bit set
|
||||
# in the PAC options, and an empty msDS-AllowedToDelegateTo attribute.
|
||||
self._run_delegation_test(
|
||||
@ -961,6 +988,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_no_pac_options_b(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Test resource-based constrained delegation without the RBCD bit set
|
||||
# in the PAC options, and a non-empty msDS-AllowedToDelegateTo
|
||||
# attribute.
|
||||
@ -990,6 +1019,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_bronze_bit_rbcd_old_checksum(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Attempt to modify the ticket without updating the PAC checksums.
|
||||
self._run_delegation_test(
|
||||
{
|
||||
@ -1039,6 +1070,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_missing_client_checksum(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Present a user ticket without the required checksums.
|
||||
for checksum in self.pac_checksum_types:
|
||||
with self.subTest(checksum=checksum):
|
||||
@ -1059,6 +1092,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_missing_service_checksum(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Present the service's ticket without the required checksums.
|
||||
for checksum in (krb5pac.PAC_TYPE_SRV_CHECKSUM,
|
||||
krb5pac.PAC_TYPE_KDC_CHECKSUM):
|
||||
@ -1110,6 +1145,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_zeroed_client_checksum(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Present a user ticket with invalid checksums.
|
||||
for checksum in self.pac_checksum_types:
|
||||
with self.subTest(checksum=checksum):
|
||||
@ -1125,6 +1162,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_zeroed_service_checksum(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Present the service's ticket with invalid checksums.
|
||||
for checksum in self.pac_checksum_types:
|
||||
with self.subTest(checksum=checksum):
|
||||
@ -1200,6 +1239,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_unkeyed_client_checksum(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Present a user ticket with invalid checksums.
|
||||
for checksum in self.pac_checksum_types:
|
||||
for ctype in self.unkeyed_ctypes:
|
||||
@ -1223,6 +1264,8 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
})
|
||||
|
||||
def test_rbcd_unkeyed_service_checksum(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Present the service's ticket with invalid checksums.
|
||||
for checksum in self.pac_checksum_types:
|
||||
for ctype in self.unkeyed_ctypes:
|
||||
@ -1252,18 +1295,28 @@ class S4UKerberosTests(KDCBaseTest):
|
||||
|
||||
def test_constrained_delegation_rc4_client_checksum(self):
|
||||
# Present a user ticket with RC4 checksums.
|
||||
expected_error_mode = (KDC_ERR_GENERIC,
|
||||
KDC_ERR_INAPP_CKSUM)
|
||||
samdb = self.get_samdb()
|
||||
functional_level = self.get_domain_functional_level(samdb)
|
||||
|
||||
if functional_level >= dsdb.DS_DOMAIN_FUNCTION_2008:
|
||||
expected_error_mode = (KDC_ERR_GENERIC,
|
||||
KDC_ERR_INAPP_CKSUM)
|
||||
expect_edata = False
|
||||
else:
|
||||
expected_error_mode = 0
|
||||
expect_edata = None
|
||||
|
||||
self._run_delegation_test(
|
||||
{
|
||||
'expected_error_mode': expected_error_mode,
|
||||
'allow_delegation': True,
|
||||
'modify_client_tkt_fn': self.rc4_pac_checksums,
|
||||
'expect_edata': False,
|
||||
'expect_edata': expect_edata,
|
||||
})
|
||||
|
||||
def test_rbcd_rc4_client_checksum(self):
|
||||
self.skip_unless_fl2008()
|
||||
|
||||
# Present a user ticket with RC4 checksums.
|
||||
expected_error_mode = (KDC_ERR_GENERIC,
|
||||
KDC_ERR_BADOPTION)
|
||||
|
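Review bot: In test_constrained_delegation_rc4_client_checksum the new `else:` branch sets `expected_error_mode = 0`, i.e. below FL2008 the KDC is expected to accept a client ticket whose PAC checksums were rewritten to RC4, but nothing in the test says why that acceptance is correct rather than a missed rejection. The commit message gives the reason, so I would put it beside the branch: `# Below FL2008 only RC4 keys exist, so RC4 PAC checksums are the legitimate type and must be accepted.` The same branch sets `expect_edata = None`, which presumably means "do not check for e-data"; a short comment saying so would save the next reader a trip into _run_delegation_test. skip_unless_fl2008 and this test both fetch the samdb and then the functional level; a small helper returning the level would remove the duplication. test_rbcd_rc4_client_checksum continues past the end of the hunk.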
@ -1166,3 +1166,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
|
||||
#
|
||||
^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_full_signature.ad_dc
|
||||
^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_full_signature.fl2003dc
|
||||
#
|
||||
# S4U tests
|
||||
#
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_authentication_asserted_identity.fl2003dc:local
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rc4_client_checksum.fl2003dc:local
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_service_asserted_identity.fl2003dc:local
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_asserted_identity.fl2003dc:local
|
||||
|
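Review bot: The four new knownfail entries for fl2003dc:local carry no comment recording why these tests are expected to fail against an FL2003 DC, so nothing tells a maintainer when the entries can be retired. This matters most for `test_constrained_delegation_rc4_client_checksum.fl2003dc:local`, because the s4u_tests.py hunk in this same commit adapts that test to FL2003 yet it is still listed as failing here. I would extend the header to something like `# S4U tests that do not yet pass against the FL2003 (RC4-only) DC; see bug 15237`, with the actual cause filled in. The file header is outside the view, so which knownfail file this is (Heimdal or MIT KDC) cannot be confirmed from here.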
@ -990,8 +990,13 @@ krb5_environ = {
|
||||
planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
|
||||
planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",
|
||||
environ=krb5_environ)
|
||||
planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
|
||||
environ=krb5_environ)
|
||||
for env, fast_support in [("ad_dc_default:local", True),
|
||||
("fl2003dc:local", False)]:
|
||||
planoldpythontestsuite(env, "samba.tests.krb5.s4u_tests",
|
||||
environ={
|
||||
**krb5_environ,
|
||||
'FAST_SUPPORT': int(fast_support),
|
||||
})
|
||||
planoldpythontestsuite("rodc:local", "samba.tests.krb5.rodc_tests",
|
||||
environ=krb5_environ)
|
||||
|
||||
|
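Review bot: The new loop pins `'FAST_SUPPORT': int(fast_support)` to 1 for ad_dc_default:local, whereas the replaced call passed krb5_environ through unchanged; if krb5_environ's FAST_SUPPORT is derived from the build configuration (the dict is defined above the hunk and not visible here), this override would make the s4u tests demand FAST from a KDC that may not offer it. A conservative form keeps the inherited value for that environment and only forces it off for FL2003: `[("ad_dc_default:local", krb5_environ.get('FAST_SUPPORT', 1)), ("fl2003dc:local", 0)]`. Independently, a comment on why fl2003dc gets FAST_SUPPORT=0 would help, e.g. `# fl2003dc: FAST is not exercised against the FL2003 DC — TODO: record why`. The krb5_environ definition lies outside the hunk.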