packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0021-CVE-2022-37966.patch

283 lines
11 KiB
Diff
Raw Blame History

From 1a599de882b913f161427a4fa5736dd21d32c1d4 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 23 Nov 2022 16:05:04 +1300
Subject: [PATCH 21/54] CVE-2022-37966 selftest: Run S4U tests against FL2003
DC
This shows that changes around RC4 encryption types do not break older
functional levels where only RC4 keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/s4u_tests.py | 61 ++++++++++++++++++++++++++--
selftest/knownfail_mit_kdc | 7 ++++
source4/selftest/tests.py | 9 +++-
3 files changed, 71 insertions(+), 6 deletions(-)
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py
index 84b8160bb931..97d07682ffe3 100755
--- a/python/samba/tests/krb5/s4u_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -23,7 +23,7 @@ import functools
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
-from samba import ntstatus
+from samba import dsdb, ntstatus
from samba.dcerpc import krb5pac, lsa, security
from samba.tests import env_get_var_value
@@ -766,6 +766,13 @@ class S4UKerberosTests(KDCBaseTest):
# Ensure we used all the parameters given to us.
self.assertEqual({}, kdc_dict)
+ def skip_unless_fl2008(self):
+ samdb = self.get_samdb()
+ functional_level = self.get_domain_functional_level(samdb)
+
+ if functional_level < dsdb.DS_DOMAIN_FUNCTION_2008:
+ self.skipTest('RBCD requires FL2008')
+
def test_constrained_delegation(self):
# Test constrained delegation.
self._run_delegation_test(
@@ -913,6 +920,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_auth_data_required(self):
+ self.skip_unless_fl2008()
+
self._run_delegation_test(
{
'expected_error_mode': 0,
@@ -925,6 +934,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_existing_delegation_info(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation with an existing S4U_DELEGATION_INFO
# structure in the PAC.
@@ -952,6 +963,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_client_pac_a(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation when the client service ticket does not
# contain a PAC, and an empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test(
@@ -964,6 +977,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_client_pac_b(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation when the client service ticket does not
# contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test(
@@ -979,6 +994,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_service_pac(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation when the service TGT does not contain a
# PAC.
self._run_delegation_test(
@@ -991,6 +1008,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_client_pac_no_auth_data_required_a(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation when the client service ticket does not
# contain a PAC, and an empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test(
@@ -1006,6 +1025,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_client_pac_no_auth_data_required_b(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation when the client service ticket does not
# contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test(
@@ -1024,6 +1045,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_service_pac_no_auth_data_required(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation when the service TGT does not contain a
# PAC.
self._run_delegation_test(
@@ -1039,6 +1062,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_non_forwardable(self):
+ self.skip_unless_fl2008()
+
# Test resource-based constrained delegation with a non-forwardable
# ticket.
self._run_delegation_test(
@@ -1052,6 +1077,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_pac_options_a(self):
+ self.skip_unless_fl2008()
+
# Test resource-based constrained delegation without the RBCD bit set
# in the PAC options, and an empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test(
@@ -1063,6 +1090,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_pac_options_b(self):
+ self.skip_unless_fl2008()
+
# Test resource-based constrained delegation without the RBCD bit set
# in the PAC options, and a non-empty msDS-AllowedToDelegateTo
# attribute.
@@ -1092,6 +1121,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_bronze_bit_rbcd_old_checksum(self):
+ self.skip_unless_fl2008()
+
# Attempt to modify the ticket without updating the PAC checksums.
self._run_delegation_test(
{
@@ -1141,6 +1172,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_missing_client_checksum(self):
+ self.skip_unless_fl2008()
+
# Present a user ticket without the required checksums.
for checksum in self.pac_checksum_types:
with self.subTest(checksum=checksum):
@@ -1161,6 +1194,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_missing_service_checksum(self):
+ self.skip_unless_fl2008()
+
# Present the service's ticket without the required checksums.
for checksum in (krb5pac.PAC_TYPE_SRV_CHECKSUM,
krb5pac.PAC_TYPE_KDC_CHECKSUM):
@@ -1212,6 +1247,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_zeroed_client_checksum(self):
+ self.skip_unless_fl2008()
+
# Present a user ticket with invalid checksums.
for checksum in self.pac_checksum_types:
with self.subTest(checksum=checksum):
@@ -1227,6 +1264,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_zeroed_service_checksum(self):
+ self.skip_unless_fl2008()
+
# Present the service's ticket with invalid checksums.
for checksum in self.pac_checksum_types:
with self.subTest(checksum=checksum):
@@ -1302,6 +1341,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_unkeyed_client_checksum(self):
+ self.skip_unless_fl2008()
+
# Present a user ticket with invalid checksums.
for checksum in self.pac_checksum_types:
for ctype in self.unkeyed_ctypes:
@@ -1325,6 +1366,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_unkeyed_service_checksum(self):
+ self.skip_unless_fl2008()
+
# Present the service's ticket with invalid checksums.
for checksum in self.pac_checksum_types:
for ctype in self.unkeyed_ctypes:
@@ -1354,18 +1397,28 @@ class S4UKerberosTests(KDCBaseTest):
def test_constrained_delegation_rc4_client_checksum(self):
# Present a user ticket with RC4 checksums.
- expected_error_mode = (KDC_ERR_GENERIC,
- KDC_ERR_INAPP_CKSUM)
+ samdb = self.get_samdb()
+ functional_level = self.get_domain_functional_level(samdb)
+
+ if functional_level >= dsdb.DS_DOMAIN_FUNCTION_2008:
+ expected_error_mode = (KDC_ERR_GENERIC,
+ KDC_ERR_INAPP_CKSUM)
+ expect_edata = False
+ else:
+ expected_error_mode = 0
+ expect_edata = None
self._run_delegation_test(
{
'expected_error_mode': expected_error_mode,
'allow_delegation': True,
'modify_client_tkt_fn': self.rc4_pac_checksums,
- 'expect_edata': False,
+ 'expect_edata': expect_edata,
})
def test_rbcd_rc4_client_checksum(self):
+ self.skip_unless_fl2008()
+
# Present a user ticket with RC4 checksums.
expected_error_mode = (KDC_ERR_GENERIC,
KDC_ERR_BADOPTION)
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 223df5602ca1..ed24afcd0034 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -1074,3 +1074,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
#
^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_full_signature.ad_dc
^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_full_signature.fl2003dc
+#
+# S4U tests
+#
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_authentication_asserted_identity.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rc4_client_checksum.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_service_asserted_identity.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_asserted_identity.fl2003dc:local
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index ac8a40ea6bc1..c6bf668aa9cb 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -1040,8 +1040,13 @@ krb5_environ = {
planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",
environ=krb5_environ)
-planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
- environ=krb5_environ)
+for env, fast_support in [("ad_dc_default:local", True),
+ ("fl2003dc:local", False)]:
+ planoldpythontestsuite(env, "samba.tests.krb5.s4u_tests",
+ environ={
+ **krb5_environ,
+ 'FAST_SUPPORT': int(fast_support),
+ })
planoldpythontestsuite("rodc:local", "samba.tests.krb5.rodc_tests",
environ=krb5_environ)
--
2.34.1
Reference in New Issue View Git Blame Copy Permalink