1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-28 17:47:29 +03:00
samba-mirror/python/samba/tests/krb5/as_req_tests.py
Joseph Sutton be239c7168 CVE-2022-2031 tests/krb5: Test truncated forms of server principals
We should not be able to use krb@REALM instead of krbtgt@REALM.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00

526 lines
18 KiB
Python
Executable File

#!/usr/bin/env python3
# Unix SMB/CIFS implementation.
# Copyright (C) Stefan Metzmacher 2020
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
from samba.tests import DynamicTestCase
from samba.tests.krb5.kdc_base_test import KDCBaseTest
import samba.tests.krb5.kcrypto as kcrypto
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
from samba.tests.krb5.rfc4120_constants import (
KDC_ERR_C_PRINCIPAL_UNKNOWN,
KDC_ERR_S_PRINCIPAL_UNKNOWN,
KDC_ERR_ETYPE_NOSUPP,
KDC_ERR_PREAUTH_REQUIRED,
KU_PA_ENC_TIMESTAMP,
NT_ENTERPRISE_PRINCIPAL,
NT_PRINCIPAL,
NT_SRV_INST,
PADATA_ENC_TIMESTAMP
)
global_asn1_print = False
global_hexdump = False
class AsReqBaseTest(KDCBaseTest):
def _run_as_req_enc_timestamp(self, client_creds, client_account=None,
expected_cname=None, sname=None,
name_type=NT_PRINCIPAL, etypes=None,
expected_error=None, expect_edata=None,
kdc_options=None):
user_name = client_creds.get_username()
if client_account is None:
client_account = user_name
client_as_etypes = self.get_default_enctypes()
client_kvno = client_creds.get_kvno()
krbtgt_creds = self.get_krbtgt_creds(require_strongest_key=True)
krbtgt_account = krbtgt_creds.get_username()
krbtgt_supported_etypes = krbtgt_creds.tgs_supported_enctypes
realm = krbtgt_creds.get_realm()
cname = self.PrincipalName_create(name_type=name_type,
names=client_account.split('/'))
if sname is None:
sname = self.PrincipalName_create(name_type=NT_SRV_INST,
names=[krbtgt_account, realm])
expected_crealm = realm
if expected_cname is None:
expected_cname = cname
expected_srealm = realm
expected_sname = sname
expected_salt = client_creds.get_salt()
till = self.get_KerberosTime(offset=36000)
if etypes is None:
etypes = client_as_etypes
if kdc_options is None:
kdc_options = krb5_asn1.KDCOptions('forwardable')
if expected_error is not None:
initial_error_mode = expected_error
else:
initial_error_mode = KDC_ERR_PREAUTH_REQUIRED
rep, kdc_exchange_dict = self._test_as_exchange(
cname,
realm,
sname,
till,
client_as_etypes,
initial_error_mode,
expected_crealm,
expected_cname,
expected_srealm,
expected_sname,
expected_salt,
etypes,
None,
kdc_options,
expected_supported_etypes=krbtgt_supported_etypes,
expected_account_name=user_name,
pac_request=True,
expect_edata=expect_edata)
if expected_error is not None:
return None
etype_info2 = kdc_exchange_dict['preauth_etype_info2']
self.assertIsNotNone(etype_info2)
preauth_key = self.PasswordKey_from_etype_info2(client_creds,
etype_info2[0],
kvno=client_kvno)
(patime, pausec) = self.get_KerberosTimeWithUsec()
pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec)
pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC())
enc_pa_ts_usage = KU_PA_ENC_TIMESTAMP
pa_ts = self.EncryptedData_create(preauth_key, enc_pa_ts_usage, pa_ts)
pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData())
pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts)
preauth_padata = [pa_ts]
preauth_error_mode = 0 # AS-REP
krbtgt_decryption_key = (
self.TicketDecryptionKey_from_creds(krbtgt_creds))
as_rep, kdc_exchange_dict = self._test_as_exchange(
cname,
realm,
sname,
till,
client_as_etypes,
preauth_error_mode,
expected_crealm,
expected_cname,
expected_srealm,
expected_sname,
expected_salt,
etypes,
preauth_padata,
kdc_options,
expected_supported_etypes=krbtgt_supported_etypes,
expected_account_name=user_name,
preauth_key=preauth_key,
ticket_decryption_key=krbtgt_decryption_key,
pac_request=True)
self.assertIsNotNone(as_rep)
return etype_info2
@DynamicTestCase
class AsReqKerberosTests(AsReqBaseTest):
@classmethod
def setUpDynamicTestCases(cls):
for (name, idx) in cls.etype_test_permutation_name_idx():
for pac in [None, True, False]:
tname = "%s_pac_%s" % (name, pac)
targs = (idx, pac)
cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs)
def setUp(self):
super(AsReqKerberosTests, self).setUp()
self.do_asn1_print = global_asn1_print
self.do_hexdump = global_hexdump
def _test_as_req_nopreauth(self,
initial_etypes,
pac=None,
initial_kdc_options=None):
client_creds = self.get_client_creds()
client_account = client_creds.get_username()
client_as_etypes = self.get_default_enctypes()
krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
krbtgt_account = krbtgt_creds.get_username()
realm = krbtgt_creds.get_realm()
cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
names=[client_account])
sname = self.PrincipalName_create(name_type=NT_SRV_INST,
names=[krbtgt_account, realm])
expected_crealm = realm
expected_cname = cname
expected_srealm = realm
expected_sname = sname
expected_salt = client_creds.get_salt()
if any(etype in client_as_etypes and etype in initial_etypes
for etype in (kcrypto.Enctype.AES256,
kcrypto.Enctype.AES128,
kcrypto.Enctype.RC4)):
expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
else:
expected_error_mode = KDC_ERR_ETYPE_NOSUPP
kdc_exchange_dict = self.as_exchange_dict(
expected_crealm=expected_crealm,
expected_cname=expected_cname,
expected_srealm=expected_srealm,
expected_sname=expected_sname,
generate_padata_fn=None,
check_error_fn=self.generic_check_kdc_error,
check_rep_fn=None,
expected_error_mode=expected_error_mode,
client_as_etypes=client_as_etypes,
expected_salt=expected_salt,
kdc_options=str(initial_kdc_options),
pac_request=pac)
self._generic_kdc_exchange(kdc_exchange_dict,
cname=cname,
realm=realm,
sname=sname,
etypes=initial_etypes)
def _test_as_req_no_preauth_with_args(self, etype_idx, pac):
name, etypes = self.etype_test_permutation_by_idx(etype_idx)
self._test_as_req_nopreauth(
pac=pac,
initial_etypes=etypes,
initial_kdc_options=krb5_asn1.KDCOptions('forwardable'))
def test_as_req_enc_timestamp(self):
client_creds = self.get_client_creds()
self._run_as_req_enc_timestamp(client_creds)
def test_as_req_enc_timestamp_mac(self):
client_creds = self.get_mach_creds()
self._run_as_req_enc_timestamp(client_creds)
def test_as_req_enc_timestamp_rc4(self):
client_creds = self.get_client_creds()
self._run_as_req_enc_timestamp(
client_creds,
etypes={kcrypto.Enctype.RC4})
def test_as_req_enc_timestamp_mac_rc4(self):
client_creds = self.get_mach_creds()
self._run_as_req_enc_timestamp(
client_creds,
etypes={kcrypto.Enctype.RC4})
def test_as_req_enc_timestamp_rc4_dummy(self):
client_creds = self.get_client_creds()
self._run_as_req_enc_timestamp(
client_creds,
etypes={kcrypto.Enctype.RC4,
-1111})
def test_as_req_enc_timestamp_mac_rc4_dummy(self):
client_creds = self.get_mach_creds()
self._run_as_req_enc_timestamp(
client_creds,
etypes={kcrypto.Enctype.RC4,
-1111})
def test_as_req_enc_timestamp_aes128_rc4(self):
client_creds = self.get_client_creds()
self._run_as_req_enc_timestamp(
client_creds,
etypes={kcrypto.Enctype.AES128,
kcrypto.Enctype.RC4})
def test_as_req_enc_timestamp_mac_aes128_rc4(self):
client_creds = self.get_mach_creds()
self._run_as_req_enc_timestamp(
client_creds,
etypes={kcrypto.Enctype.AES128,
kcrypto.Enctype.RC4})
def test_as_req_enc_timestamp_spn(self):
client_creds = self.get_mach_creds()
spn = client_creds.get_spn()
self._run_as_req_enc_timestamp(
client_creds, client_account=spn,
expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN,
expect_edata=False)
def test_as_req_enc_timestamp_spn_realm(self):
samdb = self.get_samdb()
realm = samdb.domain_dns_name().upper()
client_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={'upn': f'host/{{account}}.{realm}@{realm}'})
spn = client_creds.get_spn()
self._run_as_req_enc_timestamp(
client_creds, client_account=spn,
expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN,
expect_edata=False)
def test_as_req_enc_timestamp_spn_upn(self):
samdb = self.get_samdb()
realm = samdb.domain_dns_name().upper()
client_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={'upn': f'host/{{account}}.{realm}@{realm}',
'spn': f'host/{{account}}.{realm}'})
spn = client_creds.get_spn()
self._run_as_req_enc_timestamp(client_creds, client_account=spn)
def test_as_req_enc_timestamp_spn_enterprise(self):
client_creds = self.get_mach_creds()
spn = client_creds.get_spn()
self._run_as_req_enc_timestamp(
client_creds, client_account=spn,
name_type=NT_ENTERPRISE_PRINCIPAL,
expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN,
expect_edata=False)
def test_as_req_enc_timestamp_spn_enterprise_realm(self):
samdb = self.get_samdb()
realm = samdb.domain_dns_name().upper()
client_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={'upn': f'host/{{account}}.{realm}@{realm}'})
spn = client_creds.get_spn()
self._run_as_req_enc_timestamp(
client_creds,
name_type=NT_ENTERPRISE_PRINCIPAL,
client_account=spn,
expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN,
expect_edata=False)
def test_as_req_enc_timestamp_spn_upn_enterprise(self):
samdb = self.get_samdb()
realm = samdb.domain_dns_name().upper()
client_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={'upn': f'host/{{account}}.{realm}@{realm}',
'spn': f'host/{{account}}.{realm}'})
spn = client_creds.get_spn()
self._run_as_req_enc_timestamp(
client_creds,
name_type=NT_ENTERPRISE_PRINCIPAL,
client_account=spn,
expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN,
expect_edata=False)
def test_as_req_enterprise_canon(self):
upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
opts={'upn': upn})
user_name = client_creds.get_username()
realm = client_creds.get_realm()
client_account = f'{user_name}@{realm}'
expected_cname = self.PrincipalName_create(
name_type=NT_PRINCIPAL,
names=[user_name])
self._run_as_req_enc_timestamp(
client_creds,
client_account=client_account,
expected_cname=expected_cname,
name_type=NT_ENTERPRISE_PRINCIPAL,
kdc_options=krb5_asn1.KDCOptions('canonicalize'))
def test_as_req_enterprise_canon_case(self):
upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
opts={'upn': upn})
user_name = client_creds.get_username()
realm = client_creds.get_realm().lower()
client_account = f'{user_name}@{realm}'
expected_cname = self.PrincipalName_create(
name_type=NT_PRINCIPAL,
names=[user_name])
self._run_as_req_enc_timestamp(
client_creds,
client_account=client_account,
expected_cname=expected_cname,
name_type=NT_ENTERPRISE_PRINCIPAL,
kdc_options=krb5_asn1.KDCOptions('canonicalize'))
def test_as_req_enterprise_canon_mac(self):
upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={'upn': upn})
user_name = client_creds.get_username()
realm = client_creds.get_realm()
client_account = f'{user_name}@{realm}'
expected_cname = self.PrincipalName_create(
name_type=NT_PRINCIPAL,
names=[user_name])
self._run_as_req_enc_timestamp(
client_creds,
client_account=client_account,
expected_cname=expected_cname,
name_type=NT_ENTERPRISE_PRINCIPAL,
kdc_options=krb5_asn1.KDCOptions('canonicalize'))
def test_as_req_enterprise_canon_mac_case(self):
upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={'upn': upn})
user_name = client_creds.get_username()
realm = client_creds.get_realm().lower()
client_account = f'{user_name}@{realm}'
expected_cname = self.PrincipalName_create(
name_type=NT_PRINCIPAL,
names=[user_name])
self._run_as_req_enc_timestamp(
client_creds,
client_account=client_account,
expected_cname=expected_cname,
name_type=NT_ENTERPRISE_PRINCIPAL,
kdc_options=krb5_asn1.KDCOptions('canonicalize'))
def test_as_req_enterprise_no_canon(self):
upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
opts={'upn': upn})
user_name = client_creds.get_username()
realm = client_creds.get_realm()
client_account = f'{user_name}@{realm}'
self._run_as_req_enc_timestamp(
client_creds,
client_account=client_account,
name_type=NT_ENTERPRISE_PRINCIPAL,
kdc_options=0)
def test_as_req_enterprise_no_canon_case(self):
upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
opts={'upn': upn})
user_name = client_creds.get_username()
realm = client_creds.get_realm().lower()
client_account = f'{user_name}@{realm}'
self._run_as_req_enc_timestamp(
client_creds,
client_account=client_account,
name_type=NT_ENTERPRISE_PRINCIPAL,
kdc_options=0)
def test_as_req_enterprise_no_canon_mac(self):
upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={'upn': upn})
user_name = client_creds.get_username()
realm = client_creds.get_realm()
client_account = f'{user_name}@{realm}'
self._run_as_req_enc_timestamp(
client_creds,
client_account=client_account,
name_type=NT_ENTERPRISE_PRINCIPAL,
kdc_options=0)
def test_as_req_enterprise_no_canon_mac_case(self):
upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={'upn': upn})
user_name = client_creds.get_username()
realm = client_creds.get_realm().lower()
client_account = f'{user_name}@{realm}'
self._run_as_req_enc_timestamp(
client_creds,
client_account=client_account,
name_type=NT_ENTERPRISE_PRINCIPAL,
kdc_options=0)
# Ensure we can't use truncated well-known principals such as krb@REALM
# instead of krbtgt@REALM.
def test_krbtgt_wrong_principal(self):
client_creds = self.get_client_creds()
krbtgt_creds = self.get_krbtgt_creds()
krbtgt_account = krbtgt_creds.get_username()
realm = krbtgt_creds.get_realm()
# Truncate the name of the krbtgt principal.
krbtgt_account = krbtgt_account[:3]
wrong_krbtgt_princ = self.PrincipalName_create(
name_type=NT_SRV_INST,
names=[krbtgt_account, realm])
self._run_as_req_enc_timestamp(
client_creds,
sname=wrong_krbtgt_princ,
expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
if __name__ == "__main__":
global_asn1_print = False
global_hexdump = False
import unittest
unittest.main()