authorJoseph Sutton <josephsutton@catalyst.net.nz>2022-10-20 12:36:44 +1300
committerStefan Metzmacher <metze@samba.org>2022-12-14 11:39:17 +0000
commitfea5bde53c41b07ae0fb15f4af0f0bab7f376a46 (patch)
tree356e74afe4a6e2dd1927a4d83bb8b929c7dfc9b7 /python/samba
parentc5eda69a10b20c7a9ec09dd75d74dbf2c18d49e6 (diff)
downloadsamba-fea5bde53c41b07ae0fb15f4af0f0bab7f376a46.tar.gz
CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
This demonstrates the behaviour of Windows 11 22H2 over Kerberos, which changed to use a year 9999 date for a forever timetime in tickets. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184 (cherry picked from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'python/samba')
-rwxr-xr-xpython/samba/tests/krb5/as_req_tests.py13
1 files changed, 11 insertions, 2 deletions
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 6a573947067..6b3b5ad4a22 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -47,7 +47,7 @@ class AsReqBaseTest(KDCBaseTest):
expected_cname=None, sname=None,
name_type=NT_PRINCIPAL, etypes=None,
expected_error=None, expect_edata=None,
- kdc_options=None):
+ kdc_options=None, till=None):
user_name = client_creds.get_username()
if client_account is None:
client_account = user_name
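Review bot: The new `till` keyword on `_run_as_req_enc_timestamp` is undocumented, and the next hunk uses a caller-supplied value verbatim in place of `self.get_KerberosTime(offset=36000)`. Nothing visible says what form the value must take; the only caller added in this commit passes a string like `'99990913024805Z'`, so it presumably has to match what `get_KerberosTime` returns. A short comment above the `if till is None:` line would help, e.g. `# till: requested ticket end time as a KerberosTime string; defaults to now + 10 hours`. The function's signature and body start and end outside both hunks, so whether `till` is compared against the reply later on cannot be seen here.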
@@ -71,7 +71,8 @@ class AsReqBaseTest(KDCBaseTest):
expected_sname = sname
expected_salt = client_creds.get_salt()
- till = self.get_KerberosTime(offset=36000)
+ if till is None:
+ till = self.get_KerberosTime(offset=36000)
if etypes is None:
etypes = client_as_etypes
@@ -516,6 +517,14 @@ class AsReqKerberosTests(AsReqBaseTest):
sname=wrong_krbtgt_princ,
expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
+ # Test that we can make a request for a ticket expiring post-2038.
+ def test_future_till(self):
+ client_creds = self.get_client_creds()
+
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ till='99990913024805Z')
+
if __name__ == "__main__":
global_asn1_print = False
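Review bot: `test_future_till` makes no assertion of its own about the ticket returned for `till='99990913024805Z'`; every check on the reply is left to `_run_as_req_enc_timestamp`, whose body is outside this hunk. If that helper does not already inspect the issued end time, the test only shows that the KDC accepts a year-9999 request, and it would still pass if the ticket's lifetime were not bounded by KDC policy. It would be worth asserting that the returned end time is capped at the configured maximum ticket lifetime rather than echoing the requested value. The literal also deserves a why-comment, for example `# 'forever' till value sent by Windows 11 22H2 (year 9999)`.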