Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"

author Joseph Sutton <josephsutton@catalyst.net.nz>

Thu, 25 Nov 2021 00:24:57 +0000 (13:24 +1300)

committer Andrew Bartlett <abartlet@samba.org>

Tue, 30 Nov 2021 02:42:31 +0000 (02:42 +0000)
author Joseph Sutton <josephsutton@catalyst.net.nz>
Thu, 25 Nov 2021 00:24:57 +0000 (13:24 +1300)
committer Andrew Bartlett <abartlet@samba.org>
Tue, 30 Nov 2021 02:42:31 +0000 (02:42 +0000)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc

index cc2396b2d38c9efe0e18d635a9ffdd1e9b4df04c..1e42007f31f463d3bcafad570f0fd1259847054a 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -135,3 +135,42 @@
  ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
  ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
  ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
+#
+# PAC tests
+#
+^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc:local
+^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc_ntvfs:local
+^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc:local
+^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc_ntvfs:local
+^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc:local
+^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc_ntvfs:local
+^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc:local
+^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc_ntvfs:local
+^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc:local
+^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc_ntvfs:local
+^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc:local
+^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc_ntvfs:local
+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008r2dc
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c

index 5a1567f1bde887518c1708111c69dc9135d4480b..16249799e3695be6232cac844fe5a2fd1ef4db99 100644 (file)
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -308,7 +308,7 @@ static bool test_PACVerify(struct torture_context *tctx,
                                        (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
         torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed");
  
-       num_pac_buffers = 7;
+       num_pac_buffers = 5;
         if (expect_pac_upn_dns_info) {
                 num_pac_buffers += 1;
         }
@@ -365,18 +365,6 @@ static bool test_PACVerify(struct torture_context *tctx,
                        pac_buf->info != NULL,
                        "PAC_TYPE_TICKET_CHECKSUM info");
  
-       pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_ATTRIBUTES_INFO);
-       torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_ATTRIBUTES_INFO");
-       torture_assert(tctx,
-                      pac_buf->info != NULL,
-                      "PAC_TYPE_ATTRIBUTES_INFO info");
-
-       pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_REQUESTER_SID);
-       torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_REQUESTER_SID");
-       torture_assert(tctx,
-                      pac_buf->info != NULL,
-                      "PAC_TYPE_REQUESTER_SID info");
-
         ok = netlogon_validate_pac(tctx, p, server_creds, secure_channel_type, test_machine_name,
                                    negotiate_flags, pac_data, session_info);
  
@@ -1140,7 +1128,7 @@ static bool test_S4U2Proxy(struct torture_context *tctx,
                                        (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
         torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed");
  
-       num_pac_buffers = 9;
+       num_pac_buffers = 7;
  
         torture_assert_int_equal(tctx, pac_data_struct.version, 0, "version");
         torture_assert_int_equal(tctx, pac_data_struct.num_buffers, num_pac_buffers, "num_buffers");
@@ -1180,14 +1168,6 @@ static bool test_S4U2Proxy(struct torture_context *tctx,
                                  talloc_asprintf(tctx, "%s@%s", self_princ, cli_credentials_get_realm(credentials)),
                                  "wrong transited_services[0]");
  
-       pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_ATTRIBUTES_INFO);
-       torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_ATTRIBUTES_INFO");
-       torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_ATTRIBUTES_INFO info");
-
-       pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_REQUESTER_SID);
-       torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_REQUESTER_SID");
-       torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_REQUESTER_SID info");
-
         return netlogon_validate_pac(tctx, p, server_creds, secure_channel_type, test_machine_name,
                                      negotiate_flags, pac_data, session_info);
  }
author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Thu, 25 Nov 2021 00:24:57 +0000 (13:24 +1300)
committer	Andrew Bartlett <abartlet@samba.org>
	Tue, 30 Nov 2021 02:42:31 +0000 (02:42 +0000)
selftest/knownfail_heimdal_kdc		patch \| blob \| blame \| history
source4/torture/rpc/remote_pac.c		patch \| blob \| blame \| history