1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

56 Commits

Author SHA1 Message Date
Matthew DeVore
232054c09b lib/util: remove extra safe_string.h file
lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.

Add the missing elements to lib/util/safe_string.h remove the other
safe_string.h which is in the source3-specific path. To accomodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.

Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
2020-08-28 02:18:40 +00:00
Isaac Boukris
19875a3731 Revert "CVE-2018-16860 selftest: Add test for S4U2Self with unkeyed checksum"
This reverts commit 5639e973c1.

This is no longer needed as the next commit includes a Python
test for this, without the complexity of being inside krb5.kdc.canon.

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-15 10:27:41 +00:00
Isaac Boukris
b5adc11277 Revert "selftest: mitm-s4u2self: use zlib for CRC32_checksum calc"
This reverts commit 151f8c0f31.

This allows a clean revert (and so removal) of the test.

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-15 10:27:41 +00:00
Isaac Boukris
ce65e8979d Revert "selftest: allow any kdc error in mitm-s4u2self test"
This reverts commit a53fa8ffe3.

This allows a clean revert (and so removal) of the test.

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-15 10:27:41 +00:00
Isaac Boukris
a53fa8ffe3 selftest: allow any kdc error in mitm-s4u2self test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-19 14:48:41 +00:00
Isaac Boukris
151f8c0f31 selftest: mitm-s4u2self: use zlib for CRC32_checksum calc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-19 14:48:41 +00:00
Mathieu Parent
06e0f89345 Spelling fixes s/optinally/optionally/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-09-01 22:21:26 +00:00
Isaac Boukris
5639e973c1 CVE-2018-16860 selftest: Add test for S4U2Self with unkeyed checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-05-14 10:23:33 +00:00
Andrew Bartlett
f7c409c4c8 torture krb5.kdc.canon: Correct principal being checked in TEST_AS_REQ_SELF stage
We have already checked the client principal.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-09-05 11:42:26 +02:00
Andrew Bartlett
9e1ba904d0 torture: Confirm that this element of the krb5.kdc test does not pass against Windows
This should be fixed, but in the meantime add clue to avoid regressions on
bug 11539.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-09-05 11:42:26 +02:00
Andrew Bartlett
630cc6e626 torture: Add tests to prove that kinit to an SPN is not allowed (unless it is also a UPN)
The krb5.kdc.canon testsuite has been updated to pass against Windows
Server 1709 in four modes:

* A normal user
* A user with a UPN
* A user with an SPN (machine account)
* A user with an SPN as the UPN

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-09-05 11:42:23 +02:00
Joe Guo
5ca89d84a7 Fix typo for response
reponse --> response

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-12 02:09:25 +02:00
Andrew Bartlett
dc3adc898e s4-smbtorture: Show that the KDC provides no protection from CVE-2017-11103
The server name in the AS-REQ is unprotected, sadly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov  2 07:16:50 CET 2017 on sn-devel-144
2017-11-02 07:16:50 +01:00
Andrew Bartlett
4d056974dd s4-smbtorture: Add test krb5.kdc to prove fix for CVE-2017-11103
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-11-02 03:17:38 +01:00
Jeremy Allison
b2de5a81bf s4: popt: Global replace of cmdline_credentials -> popt_get_cmdline_credentials().
Add one use of popt_set_cmdline_credentials().
Fix 80 column limits when cmdline_credentials changes
to popt_get_cmdline_credentials().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-05-11 20:30:13 +02:00
Jeremy Allison
e7e56bcc72 s4: torture: Change torture_register_suite() to add a TALLOC_CTX *.
Change callers to use the passed in TALLOC_CTX *
instead of talloc_autofree_context().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
2017-05-05 15:52:11 +02:00
Andreas Schneider
088f171e93 s4-torture: Add AES and RC4 enctype checks
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:10 +02:00
Andreas Schneider
3b0f1c2712 s4-torture: Add TORTURE_KRB5_TEST_CLOCK_SKEW test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:10 +02:00
Andreas Schneider
3022307a63 s4-torture: Add TORTURE_KRB5_TEST_BREAK_PW test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:10 +02:00
Andreas Schneider
5d51e4b39b s4-torture: Add TORTURE_KRB5_TEST_PAC_REQUEST test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:10 +02:00
Andreas Schneider
7ad7fca683 s4-torture: Add KDC test harness and first test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:10 +02:00
Andreas Schneider
6ffef6f5ae waf: Only build KRB5 KDC tests when AD_DC build is enabled
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:10 +02:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-22 01:17:00 +02:00
Andreas Schneider
860d465e2b s4-torture: Add AES and RC4 enctype checks
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul  6 19:06:19 CEST 2016 on sn-devel-144
2016-07-06 19:06:18 +02:00
Andreas Schneider
bc3473e67c s4-torture: Add torture_check_krb5_error() function
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2016-07-06 15:35:17 +02:00
Garming Sam
978bc8681e kerberos: Return enc data on PREAUTH_FAILED
Without the enc data, Windows clients will perform two AS-REQ causing the password
lockout count to increase by two instead of one.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11539

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jul  5 10:52:32 CEST 2016 on sn-devel-144
2016-07-05 10:52:32 +02:00
Andreas Schneider
db23c0fa97 torture: Add a dummy test for MIT Kerberos case
This is a preperatory test to add tests for the MIT KDC.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-06-02 12:48:13 +02:00
Andreas Schneider
38faafef23 torture: Fix trailing whitespaces in krb5 tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-06-02 12:48:13 +02:00
Stefan Metzmacher
0ba6e0dc2a s4:torture/krb5: add a --option=torture:run_removedollar_test=true option to kdc-conon
With this option a machine account is tested without the trailing '$'
in the account name.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Andrew Bartlett
a1b4a5d977 torture-krb5: Test accepting the ticket to ensure PAC is well-formed
A future test will ask for impersonation to a different user, and
validate returned principal and the PAC matches that user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Andrew Bartlett
02f6cfd14c torture-krb5: Add an initial test for s4u2self behaviour
This test only checks for S4U2Self of the same user, but shows
that a user account is not a valid service for this purpose.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar  9 12:10:09 CET 2015 on sn-devel-104
2015-03-09 12:10:09 +01:00
Andrew Bartlett
bfccf0abf8 torture-krb5: Provide a generic handler to catch and print unexpected KRB_ERROR packets
This may aid debugging in the future.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by:  Kamen Mazdrashki <kamenim@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Feb  8 10:37:23 CET 2015 on sn-devel-104
2015-02-08 10:37:23 +01:00
Andrew Bartlett
3c89b25e4f torture-krb5: Add test for TGS-REQ with type KRB5_NT_PRINCIPAL, KRB5_NT_SRV_INST, KRB5_NT_SRV_HST
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2015-02-08 08:07:08 +01:00
Andrew Bartlett
52b74a4eaf torture-krb5: Add test in for normal TGS-REQ
For example, host/server

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2015-02-08 08:07:08 +01:00
Andrew Bartlett
0a4da2fc97 torture-krb5: Split out TEST_AS_REQ_SELF recv testing routine
This duplicates more code, but re-using the callbacks makes it much, much harder to debug

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2015-02-08 08:07:08 +01:00
Andrew Bartlett
60c7913391 torture-krb5: Add additional assertions for non-canon TGS-REP
This confirms that the KDC does not modify the returned principal in a TGS-REP unconditionally.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-02-08 08:07:08 +01:00
Andrew Bartlett
e05ad3500f torture-krb5: Further test improvements to cover KRB5_GC_CANONICALIZE on krbtgt/
This covers more of the protocol, and confirms which tests actually send network
packets (and so actually run the assertions in the send_and_recv handlers.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-02-08 08:07:08 +01:00
Andrew Bartlett
5fe76cc02a torture-krb5: Add tests for AS-REQ to our own name
This allows us to probe the behaviour of AS-REQ requests against a principal other than krbtgt/

This alos allows verification of behaviour of principals of type KRB5_NT_ENTERPRISE_PRINCIPAL

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-02-08 08:07:07 +01:00
Andrew Bartlett
4bafb45b09 torture-krb5: Improve the assertions in our KDC tests to be more explicit
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2015-02-08 08:07:07 +01:00
Andrew Bartlett
11871c853a torture-krb5: Reformat and re-work test to be easier to follow
The behaviour is the same as in the previous commit, but it is much easier to follow
as the main test code now indicates to the send_and_recv callbacks what stage of the
test we are at, and resets the packet counter between stages.

This also re-orders the code so that the send and recv callbacks for each stage
are next to each other, and uses a case statement in the main send_and_recv driver
for clarity.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2015-02-08 08:07:07 +01:00
Andrew Bartlett
0a4374a93a torture-krb5: Add tests for the canonicalise TGS-REQ case
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2015-02-08 08:07:07 +01:00
Andrew Bartlett
bcd33c0dce torture-krb5: add TGS-REQ testing to krb5.kdc.canon testsuite
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-08 08:07:07 +01:00
Andrew Bartlett
d7752757c2 torture-krb5: Do not do post-recv checks if the packet recv failed
This may be the cause of the flapping tests in this code previously,
as the recv_buf would be 0 length.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by:  Kamen Mazdrashki <kamenim@samba.org>
2015-02-08 08:07:07 +01:00
Günther Deschner
94cd324be9 s4-torture: the new krb5 kdc tests are heimdal, not dc specific.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-01-26 17:29:06 +01:00
Andrew Bartlett
52526ee265 torture-krb5: Check for UPN hanlding in krb5.kdc.canon test
This allows us to confirm correct behaviour when a UPN is in use, particularly
with the canonicalize flag and with enterprise principal names

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-01-23 05:42:08 +01:00
Andrew Bartlett
157539c5ad torture-krb5: Move checking of server and client names to krb5.kdc.canon
This keeps this test in one place, rather than duplicated between krb5.kdc and krb5.kdc.canon

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-01-23 05:42:08 +01:00
Andrew Bartlett
9d7719b62b torture-krb5: Move test of krb5_get_init_creds_opt_set_win2k to krb5.kdc.canon
This allows the impact of this to be verified with the other options we are setting

This also removes duplication in the kdc.c testsuite.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-01-23 05:42:08 +01:00
Andrew Bartlett
62905cd6d2 torture-krb5: Split the expected behaviour of the RODC up
The expectations of the cached accounts are different to those of the RODC in general.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-01-23 05:42:08 +01:00
Andrew Bartlett
89b868f677 torture-kdc: Skip the request-pac behaviour for now against an RODC
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-01-23 05:42:08 +01:00
Andrew Bartlett
d0751b5763 torture-krb5: Add comments
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-01-23 05:42:08 +01:00