packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0019-CVE-2022-37966.patch

138 lines
6.4 KiB
Diff
Raw Blame History

From ff929d86bf96ebe41ee8ee0f1d069409308bc855 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 21 Nov 2022 18:05:36 +1300
Subject: [PATCH 19/54] CVE-2022-37966 tests/krb5: Test different preauth
etypes with Protected Users group
Extend the RC4 Protected Users tests to use different preauth etypes.
This helps test the nuances of the new expected behaviour and allows the
tests to continue passing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a7a0b9ad0757d6586905d64bc645a8946fe5c10e)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
.../samba/tests/krb5/protected_users_tests.py | 47 +++++++++++++++----
selftest/knownfail_mit_kdc | 6 ++-
2 files changed, 42 insertions(+), 11 deletions(-)
diff --git a/python/samba/tests/krb5/protected_users_tests.py b/python/samba/tests/krb5/protected_users_tests.py
index a03ccaf0c66d..02d7356bb7dc 100755
--- a/python/samba/tests/krb5/protected_users_tests.py
+++ b/python/samba/tests/krb5/protected_users_tests.py
@@ -41,6 +41,7 @@ from samba.tests.krb5.rfc4120_constants import (
KDC_ERR_ETYPE_NOSUPP,
KDC_ERR_POLICY,
KDC_ERR_PREAUTH_REQUIRED,
+ KRB_ERROR,
NT_PRINCIPAL,
NT_SRV_INST,
)
@@ -451,11 +452,20 @@ class ProtectedUsersTests(KDCBaseTest):
self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5)
- def test_rc4_protected(self):
+ def test_rc4_protected_aes256_preauth(self):
client_creds = self._get_creds(protected=True)
self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5,
- expect_error=True, rc4_support=False)
+ preauth_etype=AES256_CTS_HMAC_SHA1_96,
+ rc4_support=False)
+
+ def test_rc4_protected_rc4_preauth(self):
+ client_creds = self._get_creds(protected=True)
+
+ self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5,
+ preauth_etype=ARCFOUR_HMAC_MD5,
+ expect_error=True, rc4_support=False,
+ expect_edata=False)
# Test that AES256 can always be used.
def test_aes256_not_protected(self):
@@ -541,13 +551,24 @@ class ProtectedUsersTests(KDCBaseTest):
self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5)
- def test_rc4_mac_protected(self):
+ def test_rc4_mac_protected_aes256_preauth(self):
client_creds = self._get_creds(
protected=True,
account_type=self.AccountType.COMPUTER)
self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5,
- expect_error=True, rc4_support=False)
+ preauth_etype=AES256_CTS_HMAC_SHA1_96,
+ rc4_support=False)
+
+ def test_rc4_mac_protected_rc4_preauth(self):
+ client_creds = self._get_creds(
+ protected=True,
+ account_type=self.AccountType.COMPUTER)
+
+ self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5,
+ preauth_etype=ARCFOUR_HMAC_MD5,
+ expect_error=True, rc4_support=False,
+ expect_edata=False)
def test_aes256_rc4_mac_not_protected(self):
client_creds = self._get_creds(
@@ -1009,7 +1030,10 @@ class ProtectedUsersTests(KDCBaseTest):
expected_error = KDC_ERR_ETYPE_NOSUPP if expect_error else 0
if preauth_etype is None:
- expected_error_mode = expected_error or KDC_ERR_PREAUTH_REQUIRED
+ if expected_error:
+ expected_error_mode = KDC_ERR_PREAUTH_REQUIRED, expected_error
+ else:
+ expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
rep, kdc_exchange_dict = self._test_as_exchange(
cname=cname,
@@ -1032,10 +1056,15 @@ class ProtectedUsersTests(KDCBaseTest):
ticket_decryption_key=ticket_decryption_key,
rc4_support=rc4_support,
expect_edata=expect_edata)
- self.check_error_rep(rep, expected_error_mode)
-
- if expect_error:
- return None
+ self.assertIsNotNone(rep)
+ self.assertEqual(KRB_ERROR, rep['msg-type'])
+ error_code = rep['error-code']
+ if expected_error:
+ self.assertIn(error_code, expected_error_mode)
+ if error_code == expected_error:
+ return
+ else:
+ self.assertEqual(expected_error_mode, error_code)
etype_info2 = kdc_exchange_dict['preauth_etype_info2']
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index d55908324acf..c5c42b170bd2 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -442,8 +442,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
# Protected Users tests
#
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected_policy_error.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected_aes256_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected_rc4_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected_aes256_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected_rc4_preauth.ad_dc
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_mac_not_protected.ad_dc
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_mac_protected.ad_dc
--
2.34.1
Reference in New Issue View Git Blame Copy Permalink