From 7a22f4b56cb75473e63673bd975f6b852c15bc03 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Nov 2022 09:48:09 +0100
Subject: [PATCH 42/54] CVE-2022-37966 python:tests/krb5: fix some tests
 running against Windows 2022

I'm using the following options:

SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1

in order to run these:

python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368)

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
 python/samba/tests/krb5/as_req_tests.py  | 19 +++++++++++++++----
 python/samba/tests/krb5/kdc_base_test.py |  9 +++++++++
 python/samba/tests/krb5/raw_testcase.py  | 18 +++++++++++++++---
 3 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 6b3b5ad4a226..22e5e373c51b 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -47,6 +47,7 @@ class AsReqBaseTest(KDCBaseTest):
                                   expected_cname=None, sname=None,
                                   name_type=NT_PRINCIPAL, etypes=None,
                                   expected_error=None, expect_edata=None,
+                                  expected_pa_error=None, expect_pa_edata=None,
                                   kdc_options=None, till=None):
         user_name = client_creds.get_username()
         if client_account is None:
@@ -125,6 +126,8 @@ class AsReqBaseTest(KDCBaseTest):
 
         preauth_padata = [pa_ts]
         preauth_error_mode = 0 # AS-REP
+        if expected_pa_error is not None:
+            preauth_error_mode = expected_pa_error
 
         krbtgt_decryption_key = (
             self.TicketDecryptionKey_from_creds(krbtgt_creds))
@@ -146,6 +149,7 @@ class AsReqBaseTest(KDCBaseTest):
             kdc_options,
             expected_supported_etypes=krbtgt_supported_etypes,
             expected_account_name=user_name,
+            expect_edata=expect_pa_edata,
             preauth_key=preauth_key,
             ticket_decryption_key=krbtgt_decryption_key,
             pac_request=True)
@@ -512,10 +516,17 @@ class AsReqKerberosTests(AsReqBaseTest):
             name_type=NT_SRV_INST,
             names=[krbtgt_account, realm])
 
-        self._run_as_req_enc_timestamp(
-            client_creds,
-            sname=wrong_krbtgt_princ,
-            expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
+        if self.strict_checking:
+            self._run_as_req_enc_timestamp(
+                client_creds,
+                sname=wrong_krbtgt_princ,
+                expected_pa_error=KDC_ERR_S_PRINCIPAL_UNKNOWN,
+                expect_pa_edata=False)
+        else:
+            self._run_as_req_enc_timestamp(
+                client_creds,
+                sname=wrong_krbtgt_princ,
+                expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
 
     # Test that we can make a request for a ticket expiring post-2038.
     def test_future_till(self):
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index e92049a2ecda..beefd1654494 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -53,6 +53,11 @@ from samba.dsdb import (
     UF_SERVER_TRUST_ACCOUNT,
     UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
 )
+from samba.dcerpc.misc import (
+    SEC_CHAN_NULL,
+    SEC_CHAN_WKSTA,
+    SEC_CHAN_BDC,
+)
 from samba.join import DCJoinContext
 from samba.ndr import ndr_pack, ndr_unpack
 from samba import net
@@ -292,6 +297,7 @@ class KDCBaseTest(RawKerberosTest):
         # run failed
         delete_force(samdb, dn)
         account_name = name
+        secure_schannel_type = SEC_CHAN_NULL
         if account_type is self.AccountType.USER:
             object_class = "user"
             account_control |= UF_NORMAL_ACCOUNT
@@ -301,8 +307,10 @@ class KDCBaseTest(RawKerberosTest):
                 account_name += '$'
             if account_type is self.AccountType.COMPUTER:
                 account_control |= UF_WORKSTATION_TRUST_ACCOUNT
+                secure_schannel_type = SEC_CHAN_WKSTA
             elif account_type is self.AccountType.SERVER:
                 account_control |= UF_SERVER_TRUST_ACCOUNT
+                secure_schannel_type = SEC_CHAN_BDC
             else:
                 self.fail()
 
@@ -343,6 +351,7 @@ class KDCBaseTest(RawKerberosTest):
             creds.set_workstation('')
         else:
             creds.set_workstation(name)
+        creds.set_secure_channel_type(secure_schannel_type)
         creds.set_dn(ldb.Dn(samdb, dn))
         creds.set_upn(upn)
         creds.set_spn(spn)
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index f13ada7bbf83..d601c7bb5018 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -41,6 +41,10 @@ from samba.credentials import Credentials
 from samba.dcerpc import krb5pac, security
 from samba.gensec import FEATURE_SEAL
 from samba.ndr import ndr_pack, ndr_unpack
+from samba.dcerpc.misc import (
+    SEC_CHAN_WKSTA,
+    SEC_CHAN_BDC,
+)
 
 import samba.tests
 from samba.tests import TestCaseInTempDir
@@ -484,7 +488,8 @@ class KerberosCredentials(Credentials):
         else:
             salt_name = self.get_username()
 
-        if self.get_workstation():
+        secure_schannel_type = self.get_secure_channel_type()
+        if secure_schannel_type in [SEC_CHAN_WKSTA,SEC_CHAN_BDC]:
             salt_name = self.get_username().lower()
             if salt_name[-1] == '$':
                 salt_name = salt_name[:-1]
@@ -2934,7 +2939,7 @@ class RawKerberosTest(TestCaseInTempDir):
                 else:
                     self.assertElementMissing(ticket_private, 'renew-till')
             if self.strict_checking:
-                self.assertElementEqual(ticket_private, 'caddr', [])
+                self.assertElementMissing(ticket_private, 'caddr')
             if expect_pac is not None:
                 if expect_pac:
                     self.assertElementPresent(ticket_private,
@@ -2988,7 +2993,7 @@ class RawKerberosTest(TestCaseInTempDir):
             self.assertElementEqualPrincipal(encpart_private, 'sname',
                                              expected_sname)
             if self.strict_checking:
-                self.assertElementEqual(encpart_private, 'caddr', [])
+                self.assertElementMissing(encpart_private, 'caddr')
 
             sent_pac_options = self.get_sent_pac_options(kdc_exchange_dict)
 
@@ -3441,6 +3446,13 @@ class RawKerberosTest(TestCaseInTempDir):
                                 kcrypto.Enctype.AES128}:
                 expected_patypes += (PADATA_ETYPE_INFO2,)
 
+            preauth_key = kdc_exchange_dict['preauth_key']
+            if preauth_key.etype == kcrypto.Enctype.RC4 and rep_padata is None:
+                rep_padata = ()
+        elif rep_msg_type == KRB_TGS_REP:
+            if expected_patypes == () and rep_padata is None:
+                rep_padata = ()
+
         if not self.strict_checking and rep_padata is None:
             rep_padata = ()
 
-- 
2.34.1