author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-11-23 16:05:04 +1300 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-14 11:39:17 +0000 |
commit | 3d85ff9dd5760168618d8f338a154b25e7605b52 (patch) | |
tree | 1607418b8b6d2bea094f7a1e9c05429a3646fc20 | |
parent | 64bfe0ef7868b23e12f465ca9a37f8a8ee161a70 (diff) | |
download | samba-3d85ff9dd5760168618d8f338a154b25e7605b52.tar.gz |
CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
This shows that changes around RC4 encryption types do not break older
functional levels where only RC4 keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)
-rwxr-xr-x | python/samba/tests/krb5/s4u_tests.py | 61 | ||||
-rw-r--r-- | selftest/knownfail_mit_kdc | 7 | ||||
-rwxr-xr-x | source4/selftest/tests.py | 9 |
3 files changed, 71 insertions, 6 deletions
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py
index 84b8160bb93..97d07682ffe 100755
--- a/python/samba/tests/krb5/s4u_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -23,7 +23,7 @@ import functools
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
-from samba import ntstatus
+from samba import dsdb, ntstatus
 from samba.dcerpc import krb5pac, lsa, security
 from samba.tests import env_get_var_value
@@ -766,6 +766,13 @@ class S4UKerberosTests(KDCBaseTest):
 # Ensure we used all the parameters given to us.
 self.assertEqual({}, kdc_dict)
+ def skip_unless_fl2008(self):
+ samdb = self.get_samdb()
+ functional_level = self.get_domain_functional_level(samdb)
+
+ if functional_level < dsdb.DS_DOMAIN_FUNCTION_2008:
+ self.skipTest('RBCD requires FL2008')
+
 def test_constrained_delegation(self):
 # Test constrained delegation.
 self._run_delegation_test(
@@ -913,6 +920,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_no_auth_data_required(self):
+ self.skip_unless_fl2008()
+
 self._run_delegation_test(
 {
 'expected_error_mode': 0,
@@ -925,6 +934,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_existing_delegation_info(self):
+ self.skip_unless_fl2008()
+
 # Test constrained delegation with an existing S4U_DELEGATION_INFO
 # structure in the PAC.
@@ -952,6 +963,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_no_client_pac_a(self):
+ self.skip_unless_fl2008()
+
 # Test constrained delegation when the client service ticket does not
 # contain a PAC, and an empty msDS-AllowedToDelegateTo attribute.
 self._run_delegation_test(
@@ -964,6 +977,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_no_client_pac_b(self):
+ self.skip_unless_fl2008()
+
 # Test constrained delegation when the client service ticket does not
 # contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute.
 self._run_delegation_test(
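Review bot: skip_unless_fl2008() is added without a docstring, so the skip message 'RBCD requires FL2008' is the only statement of what the helper guards; a one-line docstring such as `"""Skip the running test on a DC below DS_DOMAIN_FUNCTION_2008, where RBCD is not available."""` would make the intent visible to readers of the later hunks, each of which only adds the bare call. Every test_rbcd_* and bronze-bit method touched by this commit now opens with the same two added lines, which is easy to forget on the next RBCD test; a decorator wrapping this helper would centralise the check, though that is more than this commit needs. The enclosing class S4UKerberosTests continues outside the hunk.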
@@ -979,6 +994,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_no_service_pac(self):
+ self.skip_unless_fl2008()
+
 # Test constrained delegation when the service TGT does not contain a
 # PAC.
 self._run_delegation_test(
@@ -991,6 +1008,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_no_client_pac_no_auth_data_required_a(self):
+ self.skip_unless_fl2008()
+
 # Test constrained delegation when the client service ticket does not
 # contain a PAC, and an empty msDS-AllowedToDelegateTo attribute.
 self._run_delegation_test(
@@ -1006,6 +1025,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_no_client_pac_no_auth_data_required_b(self):
+ self.skip_unless_fl2008()
+
 # Test constrained delegation when the client service ticket does not
 # contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute.
 self._run_delegation_test(
@@ -1024,6 +1045,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_no_service_pac_no_auth_data_required(self):
+ self.skip_unless_fl2008()
+
 # Test constrained delegation when the service TGT does not contain a
 # PAC.
 self._run_delegation_test(
@@ -1039,6 +1062,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_non_forwardable(self):
+ self.skip_unless_fl2008()
+
 # Test resource-based constrained delegation with a non-forwardable
 # ticket.
 self._run_delegation_test(
@@ -1052,6 +1077,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_no_pac_options_a(self):
+ self.skip_unless_fl2008()
+
 # Test resource-based constrained delegation without the RBCD bit set
 # in the PAC options, and an empty msDS-AllowedToDelegateTo attribute.
 self._run_delegation_test(
@@ -1063,6 +1090,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_no_pac_options_b(self):
+ self.skip_unless_fl2008()
+
 # Test resource-based constrained delegation without the RBCD bit set
 # in the PAC options, and a non-empty msDS-AllowedToDelegateTo
 # attribute.
@@ -1092,6 +1121,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_bronze_bit_rbcd_old_checksum(self):
+ self.skip_unless_fl2008()
+
 # Attempt to modify the ticket without updating the PAC checksums.
 self._run_delegation_test(
 {
@@ -1141,6 +1172,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_missing_client_checksum(self):
+ self.skip_unless_fl2008()
+
 # Present a user ticket without the required checksums.
 for checksum in self.pac_checksum_types:
 with self.subTest(checksum=checksum):
@@ -1161,6 +1194,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_missing_service_checksum(self):
+ self.skip_unless_fl2008()
+
 # Present the service's ticket without the required checksums.
 for checksum in (krb5pac.PAC_TYPE_SRV_CHECKSUM,
 krb5pac.PAC_TYPE_KDC_CHECKSUM):
@@ -1212,6 +1247,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_zeroed_client_checksum(self):
+ self.skip_unless_fl2008()
+
 # Present a user ticket with invalid checksums.
 for checksum in self.pac_checksum_types:
 with self.subTest(checksum=checksum):
@@ -1227,6 +1264,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_zeroed_service_checksum(self):
+ self.skip_unless_fl2008()
+
 # Present the service's ticket with invalid checksums.
 for checksum in self.pac_checksum_types:
 with self.subTest(checksum=checksum):
@@ -1302,6 +1341,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_unkeyed_client_checksum(self):
+ self.skip_unless_fl2008()
+
 # Present a user ticket with invalid checksums.
 for checksum in self.pac_checksum_types:
 for ctype in self.unkeyed_ctypes:
@@ -1325,6 +1366,8 @@ class S4UKerberosTests(KDCBaseTest):
 })
 def test_rbcd_unkeyed_service_checksum(self):
+ self.skip_unless_fl2008()
+
 # Present the service's ticket with invalid checksums.
 for checksum in self.pac_checksum_types:
 for ctype in self.unkeyed_ctypes:
@@ -1354,18 +1397,28 @@ class S4UKerberosTests(KDCBaseTest):
 def test_constrained_delegation_rc4_client_checksum(self):
 # Present a user ticket with RC4 checksums.
- expected_error_mode = (KDC_ERR_GENERIC,
- KDC_ERR_INAPP_CKSUM)
+ samdb = self.get_samdb()
+ functional_level = self.get_domain_functional_level(samdb)
+
+ if functional_level >= dsdb.DS_DOMAIN_FUNCTION_2008:
+ expected_error_mode = (KDC_ERR_GENERIC,
+ KDC_ERR_INAPP_CKSUM)
+ expect_edata = False
+ else:
+ expected_error_mode = 0
+ expect_edata = None
 self._run_delegation_test(
 {
 'expected_error_mode': expected_error_mode,
 'allow_delegation': True,
 'modify_client_tkt_fn': self.rc4_pac_checksums,
- 'expect_edata': False,
+ 'expect_edata': expect_edata,
 })
 def test_rbcd_rc4_client_checksum(self):
+ self.skip_unless_fl2008()
+
 # Present a user ticket with RC4 checksums.
 expected_error_mode = (KDC_ERR_GENERIC,
 KDC_ERR_BADOPTION)
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 223df5602ca..ed24afcd003 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -1074,3 +1074,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 ^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_full_signature.ad_dc
 ^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_full_signature.fl2003dc
+#
+# S4U tests
+#
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_authentication_asserted_identity.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rc4_client_checksum.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_service_asserted_identity.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_asserted_identity.fl2003dc:local
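Review bot: The new else branch of test_constrained_delegation_rc4_client_checksum relaxes the expectation to success (`expected_error_mode = 0`, `expect_edata = None`) below DS_DOMAIN_FUNCTION_2008 without saying why a ticket carrying RC4 PAC checksums is then acceptable; a comment such as `# Below FL2008 the DC only has RC4 keys, so RC4 PAC checksums are the normal case and must be accepted.` would keep the reasoning from the commit message next to the code. The samdb/functional-level lookup repeats the two lines of skip_unless_fl2008(); a small accessor returning the level would keep both comparisons against the same threshold. The selftest/knownfail_mit_kdc hunk that follows lists this very test for fl2003dc:local, so the relaxed expectation is apparently not yet met when the MIT KDC is in use, which is worth stating in that comment too. The hunk ends inside test_rbcd_rc4_client_checksum, whose body continues past it.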
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index ac8a40ea6bc..c6bf668aa9c 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -1040,8 +1040,13 @@ krb5_environ = {
 planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
 planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",
 environ=krb5_environ)
-planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
- environ=krb5_environ)
+for env, fast_support in [("ad_dc_default:local", True),
+ ("fl2003dc:local", False)]:
+ planoldpythontestsuite(env, "samba.tests.krb5.s4u_tests",
+ environ={
+ **krb5_environ,
+ 'FAST_SUPPORT': int(fast_support),
+ })
 planoldpythontestsuite("rodc:local", "samba.tests.krb5.rodc_tests",
 environ=krb5_environ)
|
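Review bot: `'FAST_SUPPORT': int(fast_support)` stores an int in an environ mapping whose other entries come from krb5_environ and are presumably strings; if planoldpythontestsuite renders the mapping with `%s`-style formatting this is harmless, but `str(int(fast_support))` keeps the value type uniform for anything that joins or compares the entries. The loop also gives no hint of what the flag controls; a comment above the for such as `# The FL2003 DC runs the same suite with FAST_SUPPORT=0; the reading side is in s4u_tests.` would help, and the consumer is presumably env_get_var_value, which the s4u_tests import hunk shows but this diff does not exercise. planoldpythontestsuite and krb5_environ are defined outside this hunk.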