From cc6196fa005187c93486a83348b1d69a94219b1e Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 23 Nov 2022 16:05:04 +1300 Subject: CVE-2022-37966 selftest: Run S4U tests against FL2003 DC This shows that changes around RC4 encryption types do not break older functional levels where only RC4 keys are available. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5) [jsutton@samba.org Fixed import conflict] --- python/samba/tests/krb5/s4u_tests.py | 61 +++++++++++++++++++++++++++++++++--- selftest/knownfail_mit_kdc | 7 +++++ source4/selftest/tests.py | 9 ++++-- 3 files changed, 71 insertions(+), 6 deletions(-) diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index 7fb0cfb4f65..38e1bd7c65d 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -23,7 +23,7 @@ import functools sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" -from samba import ntstatus +from samba import dsdb, ntstatus from samba.dcerpc import krb5pac, lsa from samba.tests import env_get_var_value @@ -691,6 +691,13 @@ class S4UKerberosTests(KDCBaseTest): # Ensure we used all the parameters given to us. self.assertEqual({}, kdc_dict) + def skip_unless_fl2008(self): + samdb = self.get_samdb() + functional_level = self.get_domain_functional_level(samdb) + + if functional_level < dsdb.DS_DOMAIN_FUNCTION_2008: + self.skipTest('RBCD requires FL2008') + def test_constrained_delegation(self): # Test constrained delegation. self._run_delegation_test( @@ -811,6 +818,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_no_auth_data_required(self): + self.skip_unless_fl2008() + self._run_delegation_test( { 'expected_error_mode': 0, 
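Review bot: The new skip_unless_fl2008 helper at @@ -691 has no docstring, and the only hint at why FL2008 is the threshold is the skipTest message; a one-line docstring such as `"""Skip the calling test unless the domain functional level is at least 2008, which RBCD requires."""` would record it where readers look. The samdb/functional-level lookup the helper performs is repeated inline in test_constrained_delegation_rc4_client_checksum (@@ -1252); a small accessor like `def _domain_functional_level(self): return self.get_domain_functional_level(self.get_samdb())` would let both call sites share it. The skip message could also report the level that was actually found, so a skipped run on an unexpected environment is easy to diagnose.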
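Review bot: The `self.skip_unless_fl2008()` prelude added to test_rbcd_no_auth_data_required at @@ -811 is repeated verbatim in each of the other test_rbcd_* hunks, in test_bronze_bit_rbcd_old_checksum (@@ -990) and in test_rbcd_rc4_client_checksum (@@ -1252), which makes the requirement easy to forget on the next RBCD test that is added. A method decorator carrying the same check would state the requirement once at each definition and leave the bodies untouched; the module already imports functools, so functools.wraps is available. Whether that is preferable to the explicit call is a style choice for the maintainers; the behaviour is identical.
```python
def requires_fl2008(test):
    """Decorator: skip *test* unless the domain functional level is at least 2008 (needed for RBCD)."""
    @functools.wraps(test)
    def wrapper(self, *args, **kwargs):
        samdb = self.get_samdb()
        if self.get_domain_functional_level(samdb) < dsdb.DS_DOMAIN_FUNCTION_2008:
            self.skipTest('RBCD requires FL2008')
        return test(self, *args, **kwargs)
    return wrapper

# … unchanged: other test methods …

    @requires_fl2008
    def test_rbcd_no_auth_data_required(self):
        self._run_delegation_test(
```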
@@ -823,6 +832,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_existing_delegation_info(self): + self.skip_unless_fl2008() + # Test constrained delegation with an existing S4U_DELEGATION_INFO # structure in the PAC. @@ -850,6 +861,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_no_client_pac_a(self): + self.skip_unless_fl2008() + # Test constrained delegation when the client service ticket does not # contain a PAC, and an empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( @@ -862,6 +875,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_no_client_pac_b(self): + self.skip_unless_fl2008() + # Test constrained delegation when the client service ticket does not # contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( @@ -877,6 +892,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_no_service_pac(self): + self.skip_unless_fl2008() + # Test constrained delegation when the service TGT does not contain a # PAC. self._run_delegation_test( @@ -889,6 +906,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_no_client_pac_no_auth_data_required_a(self): + self.skip_unless_fl2008() + # Test constrained delegation when the client service ticket does not # contain a PAC, and an empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( @@ -904,6 +923,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_no_client_pac_no_auth_data_required_b(self): + self.skip_unless_fl2008() + # Test constrained delegation when the client service ticket does not # contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( @@ -922,6 +943,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_no_service_pac_no_auth_data_required(self): + self.skip_unless_fl2008() + # Test constrained delegation when the service TGT does not contain a # PAC. self._run_delegation_test( 
@@ -937,6 +960,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_non_forwardable(self): + self.skip_unless_fl2008() + # Test resource-based constrained delegation with a non-forwardable # ticket. self._run_delegation_test( @@ -950,6 +975,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_no_pac_options_a(self): + self.skip_unless_fl2008() + # Test resource-based constrained delegation without the RBCD bit set # in the PAC options, and an empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( @@ -961,6 +988,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_no_pac_options_b(self): + self.skip_unless_fl2008() + # Test resource-based constrained delegation without the RBCD bit set # in the PAC options, and a non-empty msDS-AllowedToDelegateTo # attribute. @@ -990,6 +1019,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_bronze_bit_rbcd_old_checksum(self): + self.skip_unless_fl2008() + # Attempt to modify the ticket without updating the PAC checksums. self._run_delegation_test( { @@ -1039,6 +1070,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_missing_client_checksum(self): + self.skip_unless_fl2008() + # Present a user ticket without the required checksums. for checksum in self.pac_checksum_types: with self.subTest(checksum=checksum): @@ -1059,6 +1092,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_missing_service_checksum(self): + self.skip_unless_fl2008() + # Present the service's ticket without the required checksums. for checksum in (krb5pac.PAC_TYPE_SRV_CHECKSUM, krb5pac.PAC_TYPE_KDC_CHECKSUM): @@ -1110,6 +1145,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_zeroed_client_checksum(self): + self.skip_unless_fl2008() + # Present a user ticket with invalid checksums. for checksum in self.pac_checksum_types: with self.subTest(checksum=checksum): 
@@ -1125,6 +1162,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_zeroed_service_checksum(self): + self.skip_unless_fl2008() + # Present the service's ticket with invalid checksums. for checksum in self.pac_checksum_types: with self.subTest(checksum=checksum): @@ -1200,6 +1239,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_unkeyed_client_checksum(self): + self.skip_unless_fl2008() + # Present a user ticket with invalid checksums. for checksum in self.pac_checksum_types: for ctype in self.unkeyed_ctypes: @@ -1223,6 +1264,8 @@ class S4UKerberosTests(KDCBaseTest): }) def test_rbcd_unkeyed_service_checksum(self): + self.skip_unless_fl2008() + # Present the service's ticket with invalid checksums. for checksum in self.pac_checksum_types: for ctype in self.unkeyed_ctypes: @@ -1252,18 +1295,28 @@ class S4UKerberosTests(KDCBaseTest): def test_constrained_delegation_rc4_client_checksum(self): # Present a user ticket with RC4 checksums. - expected_error_mode = (KDC_ERR_GENERIC, - KDC_ERR_INAPP_CKSUM) + samdb = self.get_samdb() + functional_level = self.get_domain_functional_level(samdb) + + if functional_level >= dsdb.DS_DOMAIN_FUNCTION_2008: + expected_error_mode = (KDC_ERR_GENERIC, + KDC_ERR_INAPP_CKSUM) + expect_edata = False + else: + expected_error_mode = 0 + expect_edata = None self._run_delegation_test( { 'expected_error_mode': expected_error_mode, 'allow_delegation': True, 'modify_client_tkt_fn': self.rc4_pac_checksums, - 'expect_edata': False, + 'expect_edata': expect_edata, }) def test_rbcd_rc4_client_checksum(self): + self.skip_unless_fl2008() + # Present a user ticket with RC4 checksums. expected_error_mode = (KDC_ERR_GENERIC, KDC_ERR_BADOPTION) diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index e555168bb46..0b8dc06aaf4 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc 
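Review bot: The FL2003 branch of test_constrained_delegation_rc4_client_checksum at @@ -1252 flips the expectation to success (`expected_error_mode = 0`) with no comment explaining why RC4 PAC checksums become acceptable there; the rationale lives only in the commit message. A comment on the else branch, e.g. `# Below FL2008 only RC4 keys are available (see commit message), so RC4 PAC checksums are the normal case and must be accepted.`, would keep a future reader from treating the branch as a weakened check. `expect_edata = None` presumably means "do not assert on edata" rather than "expect none"; if so, say that in the same comment, since it differs from the `False` used on the FL2008 path.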
@@ -1155,3 +1155,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ # ^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_full_signature.ad_dc ^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_full_signature.fl2003dc +# +# S4U tests +# +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_authentication_asserted_identity.fl2003dc:local +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rc4_client_checksum.fl2003dc:local +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_service_asserted_identity.fl2003dc:local +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_asserted_identity.fl2003dc:local diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index ab53ab5b945..3da47a964e2 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -928,8 +928,13 @@ krb5_environ = { planoldpythontestsuite("none", "samba.tests.krb5.kcrypto") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests", environ=krb5_environ) -planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", - environ=krb5_environ) +for env, fast_support in [("ad_dc_default:local", True), + ("fl2003dc:local", False)]: + planoldpythontestsuite(env, "samba.tests.krb5.s4u_tests", + environ={ + **krb5_environ, + 'FAST_SUPPORT': int(fast_support), + }) planoldpythontestsuite("rodc:local", "samba.tests.krb5.rodc_tests", environ=krb5_environ) -- cgit v1.2.1
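Review bot: The four new knownfail entries for the fl2003dc:local environment carry no reason; the `# S4U tests` heading added with them is the only context, and nothing records why the MIT KDC is expected to fail the asserted-identity and RC4-checksum cases at FL2003 or which bug tracks it. A one-line comment under the heading naming the cause, or at least the bugzilla entry from the commit message, would let someone remove the entries once the underlying issue is fixed. I cannot tell from the patch whether these are MIT KDC limitations or test-side assumptions, so the wording should come from the author.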
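Review bot: The loop at @@ -928 puts an int into the environ mapping (`'FAST_SUPPORT': int(fast_support)`), while the other values in krb5_environ are presumably strings; whether planoldpythontestsuite stringifies values before they reach the child process is not visible here, and os.environ/subprocess env mappings reject non-str values with TypeError. `'FAST_SUPPORT': str(int(fast_support))` is safe either way and still reads as 0/1 on the consumer side. A short comment above the loop saying why fl2003dc:local is planned with FAST_SUPPORT off would also help, since the tuple alone does not say whether this reflects a DC limitation or a deliberate reduction of coverage.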