tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 29 Jul 2021 04:52:29 +0000 (16:52 +1200)
committerAndreas Schneider <asn@cryptomilk.org>
Thu, 2 Sep 2021 13:41:28 +0000 (13:41 +0000)
Note: This test crashed the MIT KDC prior to MIT commit
fc98f520caefff2e5ee9a0026fdf5109944b3562 which was given
CVE-2021-36222.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
python/samba/tests/krb5/fast_tests.py
selftest/knownfail_heimdal_kdc

index e38b2e0a6e16a0c64746cb0d38e457a57589e7d2..6d08ad942e15417013c68bbc61d24ec5ee750b57 100755 (executable)
@@ -405,6 +405,21 @@ class FAST_Tests(KDCBaseTest):
             }
         ])
 
+    def test_fast_encrypted_challenge_no_fast(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+                'use_fast': False
+            },
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': KDC_ERR_PREAUTH_FAILED,
+                'use_fast': False,
+                'gen_padata_fn': self.generate_enc_challenge_padata_wrong_key
+            }
+        ])
+
     def test_fast_encrypted_challenge_clock_skew(self):
         # The KDC is supposed to confirm that the timestamp is within its
         # current clock skew, and return KRB_APP_ERR_SKEW if it is not (RFC6113
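Review bot: The new `test_fast_encrypted_challenge_no_fast` has no comment saying why it exists, and the reason is security-relevant: per the commit message, this request sequence crashed the MIT KDC before the fix for CVE-2021-36222. A comment above the sequence, in the style of the clock-skew test that follows, would keep that context in the test, for example `# Send PA-ENCRYPTED-CHALLENGE without FAST armor; the KDC must reply with an error rather than crash (CVE-2021-36222).` The second step also combines `'use_fast': False` with `self.generate_enc_challenge_padata_wrong_key`, so `KDC_ERR_PREAUTH_FAILED` could presumably come from either condition; the comment should say that the missing armor is what is under test. The enclosing `FAST_Tests` class starts outside the hunk, and the following test continues past it.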
index 02a3db1a3cd68f28d631c159c4b444cd927d26f1..c177706822ea0e90c3c1b8ead32230b9313322b6 100644 (file)
@@ -28,6 +28,7 @@
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_clock_skew.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_no_fast.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_replay.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc