From: Joseph Sutton Date: Thu, 23 Dec 2021 02:59:21 +0000 (+1300) Subject: CVE-2022-37966 tests/krb5: Update supported enctype checking X-Git-Tag: samba-4.15.13~64 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d09d8f995c9a12a0c96aecdbc9f6dac4f5864890;p=thirdparty%2Fsamba.git CVE-2022-37966 tests/krb5: Update supported enctype checking We now do not expect the claims or compound ID bits to be set unless explicitly specified, nor the DES bits. Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher (cherry picked from commit e9caa1edef846cdea2a719976ee0fd5bd8531048) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 --- diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index f0306dde110..e42af00cdfc 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -600,13 +600,21 @@ class KDCBaseTest(RawKerberosTest): creds.set_tgs_supported_enctypes(supported_enctypes) creds.set_ap_supported_enctypes(supported_enctypes) - def creds_set_default_enctypes(self, creds, fast_support=False): + def creds_set_default_enctypes(self, creds, + fast_support=False, + claims_support=False, + compound_id_support=False): default_enctypes = self.get_default_enctypes() supported_enctypes = KerberosCredentials.etypes_to_bits( default_enctypes) if fast_support: - supported_enctypes |= KerberosCredentials.fast_supported_bits + supported_enctypes |= security.KERB_ENCTYPE_FAST_SUPPORTED + if claims_support: + supported_enctypes |= security.KERB_ENCTYPE_CLAIMS_SUPPORTED + if compound_id_support: + supported_enctypes |= ( + security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED) creds.set_as_supported_enctypes(supported_enctypes) creds.set_tgs_supported_enctypes(supported_enctypes) 
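Review bot: The reworked `creds_set_default_enctypes` gains two more feature flags but still carries no docstring, so a reader cannot tell that these are the feature bits of the account's msDS-SupportedEncryptionTypes value (see the comment in the next hunk) rather than additional encryption types; I would add under the `def` line `"""Set creds' supported-enctype bits to the default enctypes, optionally OR-ing in the FAST, claims and compound-identity feature bits."""`. All three flags are booleans, so a bare `*` after `creds` making them keyword-only would stop a positional caller from silently enabling the wrong bit; both callers touched by this commit already pass them by keyword. The switch from `KerberosCredentials.fast_supported_bits` to `security.KERB_ENCTYPE_FAST_SUPPORTED` assumes `security` is already imported in kdc_base_test.py, which this hunk does not show. The function's tail (the `set_ap_supported_enctypes` call, judging by the preceding function) appears to continue past the end of the hunk.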
@@ -924,7 +932,11 @@ class KDCBaseTest(RawKerberosTest): # The RODC krbtgt account should support the default enctypes, # although it might not have the msDS-SupportedEncryptionTypes # attribute. - self.creds_set_default_enctypes(creds) + self.creds_set_default_enctypes( + creds, + fast_support=self.kdc_fast_support, + claims_support=self.kdc_claims_support, + compound_id_support=self.kdc_compound_id_support) return creds @@ -1015,8 +1027,11 @@ class KDCBaseTest(RawKerberosTest): # The krbtgt account should support the default enctypes, although # it might not (on Samba) have the msDS-SupportedEncryptionTypes # attribute. - self.creds_set_default_enctypes(creds, - fast_support=self.kdc_fast_support) + self.creds_set_default_enctypes( + creds, + fast_support=self.kdc_fast_support, + claims_support=self.kdc_claims_support, + compound_id_support=self.kdc_compound_id_support) return creds diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 2dedccf6188..b463b168242 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -613,6 +613,19 @@ class RawKerberosTest(TestCaseInTempDir): kdc_fast_support = '0' cls.kdc_fast_support = bool(int(kdc_fast_support)) + kdc_claims_support = samba.tests.env_get_var_value('CLAIMS_SUPPORT', + allow_missing=True) + if kdc_claims_support is None: + kdc_claims_support = '0' + cls.kdc_claims_support = bool(int(kdc_claims_support)) + + kdc_compound_id_support = samba.tests.env_get_var_value( + 'COMPOUND_ID_SUPPORT', + allow_missing=True) + if kdc_compound_id_support is None: + kdc_compound_id_support = '0' + cls.kdc_compound_id_support = bool(int(kdc_compound_id_support)) + tkt_sig_support = samba.tests.env_get_var_value('TKT_SIG_SUPPORT', allow_missing=True) if tkt_sig_support is None: @@ -2901,8 +2914,14 @@ class RawKerberosTest(TestCaseInTempDir): '
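Review bot: In this hunk the RODC krbtgt credentials now receive `fast_support=self.kdc_fast_support` where the removed line passed nothing, so the FAST bit becomes expected on the RODC krbtgt whenever the KDC advertises it; the commit message only describes the claims and compound-identity bits, so if this is intended the comment above the call should say so, e.g. `# The FAST, claims and compound-ID bits follow what the KDC advertises.` The same three-keyword call is repeated in the following hunk at `@@ -1015,8 +1027,11 @@`; a small accessor such as `def _kdc_feature_flags(self): return dict(fast_support=self.kdc_fast_support, claims_support=self.kdc_claims_support, compound_id_support=self.kdc_compound_id_support)` used as `self.creds_set_default_enctypes(creds, **self._kdc_feature_flags())` would keep the two call sites from drifting apart when the next flag is added. The enclosing methods begin before each hunk.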
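Review bot: The new `CLAIMS_SUPPORT` and `COMPOUND_ID_SUPPORT` blocks are the third and fourth copies of the same read-an-environment-flag pattern in this method (after `FAST_SUPPORT` above and `TKT_SIG_SUPPORT` below), each repeating the `None`-to-`'0'` fallback and the `bool(int(...))` conversion, which raises `ValueError` for any value that is not an integer string. Factoring the pattern into one helper keeps the four flags consistent and gives a single place to document the accepted values. The enclosing class method begins before the hunk; the sketch below replaces only the two added blocks, with the helper placed at class level.

```python
    @staticmethod
    def _env_flag(name):
        """Return True if environment variable *name* is a non-zero integer string, False if unset."""
        value = samba.tests.env_get_var_value(name, allow_missing=True)
        if value is None:
            value = '0'
        return bool(int(value))

        # … unchanged: FAST_SUPPORT handling above …
        cls.kdc_claims_support = cls._env_flag('CLAIMS_SUPPORT')
        cls.kdc_compound_id_support = cls._env_flag('COMPOUND_ID_SUPPORT')
        # … unchanged: TKT_SIG_SUPPORT handling below …
```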