authorJoseph Sutton <josephsutton@catalyst.net.nz>2021-10-28 16:20:07 +1300
committerJule Anger <janger@samba.org>2021-11-09 19:45:32 +0000
commit24be204834889fca3f963ac4fee503a6ecbef439 (patch)
tree28419739fc00033ed55d0c01a27bc832635966bd /python
parent3af0c36a06354bae9737dad37a341d3c120a1aba (diff)
CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python')
-rwxr-xr-xpython/samba/tests/krb5/kdc_tgs_tests.py32
-rw-r--r--python/samba/tests/krb5/raw_testcase.py14
2 files changed, 40 insertions, 6 deletions
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index 74f1032163e..5de79c30e1b 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -485,6 +485,34 @@ class KdcTgsTests(KDCBaseTest):
tgt = self._get_tgt(creds, remove_pac=True)
self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION)
+ # Test making a request with authdata and without a PAC.
+ def test_tgs_authdata_no_pac(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
+ self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION)
+
+ def test_renew_authdata_no_pac(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, renewable=True, remove_pac=True,
+ allow_empty_authdata=True)
+ self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
+
+ def test_validate_authdata_no_pac(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, invalid=True, remove_pac=True,
+ allow_empty_authdata=True)
+ self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
+
+ def test_s4u2self_authdata_no_pac(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
+ self._s4u2self(tgt, creds, expected_error=KDC_ERR_BADOPTION)
+
+ def test_user2user_authdata_no_pac(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
+ self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION)
+
# Test changing the SID in the PAC to that of another account.
def test_tgs_sid_mismatch_existing(self):
creds = self._get_creds()
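Review bot: Only the first of the five new tests carries a comment, so test_renew_authdata_no_pac, test_validate_authdata_no_pac, test_s4u2self_authdata_no_pac and test_user2user_authdata_no_pac do not say why a TGT that still has authorization-data but no PAC must come back as KDC_ERR_BADOPTION. Judging from the replace_pac change in the same commit, allow_empty_authdata leaves an AD-IF-RELEVANT element with no entries in the ticket, so what these tests appear to pin is that the KDC's check keys on the PAC itself rather than on authorization-data merely being non-empty. A one-line comment before each test in the file's existing style, e.g. `# The TGT carries authorization-data but no PAC; the KDC must still reject it.`, would make that intent explicit and keep the five cases from looking like accidental duplicates.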
@@ -928,7 +956,8 @@ class KdcTgsTests(KDCBaseTest):
invalid=False,
from_rodc=False,
new_rid=None,
- remove_pac=False):
+ remove_pac=False,
+ allow_empty_authdata=False):
self.assertFalse(renewable and invalid)
if remove_pac:
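Review bot: The new allow_empty_authdata parameter of _get_tgt is undocumented, and the same parameter is added without a comment to the method at raw_testcase.py line 3224 and to replace_pac; its effect on the ticket's authorization-data cannot be guessed from the name alone. A comment beside the parameter in each place, `# allow_empty_authdata: keep an (empty) AD-IF-RELEVANT element when the PAC is removed, so authdata is present without a PAC`, would cover all three. The flag only appears to matter together with remove_pac=True; whether to guard that combination like the existing `self.assertFalse(renewable and invalid)` is a judgment call, since with the PAC kept it seems to be a no-op. _get_tgt's signature begins and its body continues outside this hunk.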
@@ -1011,6 +1040,7 @@ class KdcTgsTests(KDCBaseTest):
modify_fn=modify_fn,
modify_pac_fn=modify_pac_fn,
exclude_pac=remove_pac,
+ allow_empty_authdata=allow_empty_authdata,
update_pac_checksums=not remove_pac,
checksum_keys=checksum_keys)
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 8e55790272a..b5ac393ea67 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -3224,6 +3224,7 @@ class RawKerberosTest(TestCaseInTempDir):
modify_fn=None,
modify_pac_fn=None,
exclude_pac=False,
+ allow_empty_authdata=False,
update_pac_checksums=True,
checksum_keys=None,
include_checksums=None):
@@ -3332,8 +3333,10 @@ class RawKerberosTest(TestCaseInTempDir):
# Replace the PAC in the authorization data and re-add it to the
# ticket enc-part.
- auth_data, _ = self.replace_pac(auth_data, new_pac,
- expect_pac=expect_pac)
+ auth_data, _ = self.replace_pac(
+ auth_data, new_pac,
+ expect_pac=expect_pac,
+ allow_empty_authdata=allow_empty_authdata)
enc_part['authorization-data'] = auth_data
# Re-encrypt the ticket enc-part with the new key.
@@ -3454,7 +3457,8 @@ class RawKerberosTest(TestCaseInTempDir):
kdc_checksum_buffer.info.signature = kdc_checksum
- def replace_pac(self, auth_data, new_pac, expect_pac=True):
+ def replace_pac(self, auth_data, new_pac, expect_pac=True,
+ allow_empty_authdata=False):
if new_pac is not None:
self.assertElementEqual(new_pac, 'ad-type', AD_WIN2K_PAC)
self.assertElementPresent(new_pac, 'ad-data')
@@ -3483,7 +3487,7 @@ class RawKerberosTest(TestCaseInTempDir):
if expect_pac:
self.assertIsNotNone(old_pac, 'Expected PAC')
- if relevant_elems:
+ if relevant_elems or allow_empty_authdata:
ad_relevant = self.der_encode(
relevant_elems,
asn1Spec=krb5_asn1.AD_IF_RELEVANT())
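Review bot: The widened condition `if relevant_elems or allow_empty_authdata:` now DER-encodes an AD-IF-RELEVANT whose contents are presumably an empty sequence when the PAC was the only element, and nothing in the hunk says this is deliberate rather than a missed empty check. A comment above it, `# With allow_empty_authdata, emit an AD-IF-RELEVANT element even when it has no entries, so the ticket carries authorization-data but no PAC.`, would stop a later reader from simplifying it away. The `or allow_empty_authdata` added to the `if authdata_elem is not None` guard in the next hunk looks redundant if this branch always assigns authdata_elem when the flag is set; if it could ever fire with authdata_elem still None it would append None to new_auth_data, so it may be worth either dropping it or asserting the invariant. replace_pac starts before and continues after this hunk.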
@@ -3494,7 +3498,7 @@ class RawKerberosTest(TestCaseInTempDir):
else:
authdata_elem = None
- if authdata_elem is not None:
+ if authdata_elem is not None or allow_empty_authdata:
new_auth_data.append(authdata_elem)
if expect_pac: