Joseph Sutton
23dc0cbd53
CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
4ac05264a7
MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
4a792ad92d
CVE-2020-25719 tests/krb5: Add is_tgt() helper method
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
c174e9ebe7
tests/krb5: Check account name and SID in PAC for S4U tests
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Oct 25 09:23:35 UTC 2021 on sn-devel-184
2021-10-25 09:23:35 +00:00
Joseph Sutton
25bdf4c994
tests/krb5: Fix account salt calculation to match Windows
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-10-20 12:02:33 +00:00
Joseph Sutton
889476d175
tests/krb5: Allow specifying the UPN for test accounts
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-10-20 12:02:33 +00:00
Joseph Sutton
cc3d27596b
tests/krb5: Ensure PAC is not present if expect_pac is false
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-10-20 08:31:31 +00:00
Joseph Sutton
288355896a
tests/krb5: Add method to get the PAC from a ticket
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-17 22:53:37 +00:00
Joseph Sutton
0dc69c1327
tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-17 22:53:37 +00:00
Joseph Sutton
1a08399cd8
tests/krb5: Don't include empty AD-IF-RELEVANT
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
bf63221722
tests/krb5: Require ticket checksums if decryption key is available
...
We perform this check conditionally, because MIT doesn't currently add
ticket checksums.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
ae2c57fb03
tests/krb5: Add TKT_SIG_SUPPORT environment variable
...
This lets us indicate that service tickets should be issued with ticket
checksums in the PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
5233f00200
tests/krb5: Provide clearer assertion messages for test failures
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
cf3ca6ac45
tests/krb5: Simplify padata checking
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
e7c39cc44f
tests/krb5: Check logon name in PAC
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
bd22dcd9cc
tests/krb5: Check padata types when STRICT_CHECKING=0
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
238f52bad8
tests/krb5: Add environment variable to specify KDC FAST support
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
72265227e9
tests/krb5: Fix padata checking at functional level 2003
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
ee2b7e2c77
tests/krb5: Clarify checksum type assertion message
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
ef24fe982d
tests/krb5: Add parameter to enforce presence of ticket checksums
...
This allows existing tests to pass before this functionality is
implemented.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
bb58b4b58c
tests/krb5: Save account SPN
...
This is useful for testing delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
0e232fa1c9
tests/krb5: Check constrained delegation PAC buffer
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
aa2e583fde
tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
7cfc225b54
tests/krb5: Add expect_claims parameter to kdc_exchange_dict
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
ab92dc16d2
tests/krb5: Fix checking for presence of error data
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
788b3a29ee
tests/krb5: Fix assertElementFlags()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
8f6d369d70
tests/krb5: Make expected_sname checking more explicit
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
012b6fcd19
tests/krb5: Fix status code checking
...
The type used to encode the status code is actually KERB-ERROR-DATA,
rather than PA-DATA.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
a4bc712ee0
tests/krb5: Fix handling authdata with missing PAC
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
dcf45a151a
tests/krb5: Allow excluding the PAC server checksum
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
a927cecafd
tests/krb5: Fix checksum generation and verification
...
The KDC and server checksums may be generated using the same key, but
only the KDC checksum should have an RODCIdentifier. To fix this,
instead of overriding the existing methods, add additional ones for
RODC-specific signatures, so that both types of signatures can be
generated or verified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
ae09219c3a
tests/krb5: Fix method for creating invalid length zeroed checksum
...
Previously the base class method was being used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
9d142dc3a4
tests/krb5: Introduce helper method for creating invalid length checksums
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
1fd00135fa
tests/krb5: Fix PA-PAC-OPTIONS checking
...
Make the check work correctly if bits other than the claims bit are
specified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
6f1282e8d3
tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
...
These padata were not being sent if other FAST padata was not specified.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
8e4b215908
tests/krb5: Remove unused parameter
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
d501ddca3b
tests/krb5: Rename method parameter
...
For class methods, the name given to the first parameter is generally 'cls'
rather than 'self'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
5b331443d0
tests/krb5: Add classes for testing invalid checksums
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep 23 19:28:44 UTC 2021 on sn-devel-184
2021-09-23 19:28:44 +00:00
Joseph Sutton
c0b81f0dd5
tests/krb5: Add method to determine if principal is krbtgt
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
ea7b550a50
tests/krb5: Verify checksums of tickets obtained from the KDC
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
1458cd9065
tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
f9284d8517
tests/krb5: Fix checking for presence of authorization data
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
14cd933a9d
tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
b6eaf2cf44
tests/krb5: Get supported enctypes for credentials from database
...
Look up the account's msDS-SupportedEncryptionTypes attribute to get the
encryption types that it supports. Move the fallback to RC4 to when the
ticket decryption key is obtained.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
432eba9e09
tests/krb5: Add methods to convert between enctypes and bitfields
...
These methods are useful for converting a collection of encryption types
into msDS-SupportedEncryptionTypes bit flags, and vice versa.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
4c67a53cdc
tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
1fcde7cb6c
tests/krb5: Add method for modifying a ticket and creating PAC checksums
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
12b5e72a35
tests/krb5: Add method to verify ticket PAC checksums
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
ec95b3042b
tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
...
Signatures created by an RODC have an RODCIdentifier appended to them
identifying the RODC's krbtgt account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep 21 23:55:39 UTC 2021 on sn-devel-184
2021-09-21 23:55:39 +00:00
Joseph Sutton
a562882b15
tests/krb5: Add methods for creating zeroed checksums and verifying checksums
...
Creating a zeroed checksum is needed for signing a PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:42 +00:00