From: Joseph Sutton Date: Mon, 21 Nov 2022 05:05:36 +0000 (+1300) Subject: CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected Users group X-Git-Tag: talloc-2.4.0~302 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a7a0b9ad0757d6586905d64bc645a8946fe5c10e;p=thirdparty%2Fsamba.git CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected Users group Extend the RC4 Protected Users tests to use different preauth etypes. This helps test the nuances of the new expected behaviour and allows the tests to continue passing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/protected_users_tests.py b/python/samba/tests/krb5/protected_users_tests.py
index 441ccd178cd..dd32672a559 100755
--- a/python/samba/tests/krb5/protected_users_tests.py
+++ b/python/samba/tests/krb5/protected_users_tests.py
@@ -41,6 +41,7 @@ from samba.tests.krb5.rfc4120_constants import (
     KDC_ERR_ETYPE_NOSUPP,
     KDC_ERR_POLICY,
     KDC_ERR_PREAUTH_REQUIRED,
+    KRB_ERROR,
     NT_PRINCIPAL,
     NT_SRV_INST,
 )
@@ -445,11 +446,20 @@ class ProtectedUsersTests(KDCBaseTest):
 
         self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5)
 
-    def test_rc4_protected(self):
+    def test_rc4_protected_aes256_preauth(self):
         client_creds = self._get_creds(protected=True)
 
         self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5,
-                         expect_error=True, rc4_support=False)
+                         preauth_etype=AES256_CTS_HMAC_SHA1_96,
+                         rc4_support=False)
+
+    def test_rc4_protected_rc4_preauth(self):
+        client_creds = self._get_creds(protected=True)
+
+        self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5,
+                         preauth_etype=ARCFOUR_HMAC_MD5,
+                         expect_error=True, rc4_support=False,
+                         expect_edata=False)
 
     # Test that AES256 can always be used.
     def test_aes256_not_protected(self):
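Review bot: The two new methods differ only in `preauth_etype`, yet `test_rc4_protected_rc4_preauth` expects KDC_ERR_ETYPE_NOSUPP with no e-data while `test_rc4_protected_aes256_preauth` expects the exchange to succeed, and neither says why; the commit message only speaks of "nuances of the new expected behaviour". A one-line comment above each pair would let a reader check the intent against the KDC change, for example `# Protected User asking for an RC4 session key: expected to succeed with an AES256 preauth etype, but to be refused with KDC_ERR_ETYPE_NOSUPP and no e-data when RC4 is also the preauth etype.` Worth a word in that comment too is that `rc4_support=False` is passed in the success case as well, since the flag name suggests rejection. The MAC-account pair in the hunk at @@ -535 has the same gap.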
@@ -535,13 +545,24 @@ class ProtectedUsersTests(KDCBaseTest):
 
         self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5)
 
-    def test_rc4_mac_protected(self):
+    def test_rc4_mac_protected_aes256_preauth(self):
         client_creds = self._get_creds(
             protected=True,
             account_type=self.AccountType.COMPUTER)
 
         self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5,
-                         expect_error=True, rc4_support=False)
+                         preauth_etype=AES256_CTS_HMAC_SHA1_96,
+                         rc4_support=False)
+
+    def test_rc4_mac_protected_rc4_preauth(self):
+        client_creds = self._get_creds(
+            protected=True,
+            account_type=self.AccountType.COMPUTER)
+
+        self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5,
+                         preauth_etype=ARCFOUR_HMAC_MD5,
+                         expect_error=True, rc4_support=False,
+                         expect_edata=False)
 
     def test_aes256_rc4_mac_not_protected(self):
         client_creds = self._get_creds(
@@ -1003,7 +1024,10 @@ class ProtectedUsersTests(KDCBaseTest):
         expected_error = KDC_ERR_ETYPE_NOSUPP if expect_error else 0
 
         if preauth_etype is None:
-            expected_error_mode = expected_error or KDC_ERR_PREAUTH_REQUIRED
+            if expected_error:
+                expected_error_mode = KDC_ERR_PREAUTH_REQUIRED, expected_error
+            else:
+                expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
 
         rep, kdc_exchange_dict = self._test_as_exchange(
             cname=cname,
@@ -1026,10 +1050,15 @@ class ProtectedUsersTests(KDCBaseTest):
             ticket_decryption_key=ticket_decryption_key,
             rc4_support=rc4_support,
             expect_edata=expect_edata)
-        self.check_error_rep(rep, expected_error_mode)
-
-        if expect_error:
-            return None
+        self.assertIsNotNone(rep)
+        self.assertEqual(KRB_ERROR, rep['msg-type'])
+        error_code = rep['error-code']
+        if expected_error:
+            self.assertIn(error_code, expected_error_mode)
+            if error_code == expected_error:
+                return
+        else:
+            self.assertEqual(expected_error_mode, error_code)
 
         etype_info2 = kdc_exchange_dict['preauth_etype_info2']
 
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 75ac7c2b239..afcb1ff6452 100644
--- a/selftest/knownfail_mit_kdc
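Review bot: `expected_error_mode` now takes two shapes in the hunk at @@ -1003 — a tuple `KDC_ERR_PREAUTH_REQUIRED, expected_error` when an error is expected, a bare int otherwise — and the hunk at @@ -1026 depends on that shape, using `assertIn` in one branch and `assertEqual` in the other. The assignment for a non-None `preauth_etype` is outside this hunk; if that path leaves `expected_error_mode` as a bare int while `expected_error` is set, `self.assertIn(error_code, expected_error_mode)` would raise TypeError rather than fail cleanly, so the two paths should be checked to agree. A comment at the first assignment would make the contract explicit, e.g. `# Either a single acceptable error code or a tuple of them; when an etype error is expected the KDC may still answer PREAUTH_REQUIRED first.` The `_test_as_exchange` call that presumably consumes this value sits outside the hunk.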
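Review bot: In the hunk at @@ -1026, when `expected_error` is set but the KDC answered with the other accepted code (KDC_ERR_PREAUTH_REQUIRED), control falls through past the `if error_code == expected_error: return` into the `etype_info2` handling below, and nothing says that this is intended. A comment before the fall-through would help, e.g. `# The KDC demanded pre-authentication first; the etype rejection is then expected from the second (padata) exchange below — confirm against the KDC behaviour.` The same check that the later exchange really does assert the deferred error is worth doing, since `_test_etype` continues outside the hunk and the old code returned unconditionally here on `expect_error`.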
+++ b/selftest/knownfail_mit_kdc
@@ -442,8 +442,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 # Protected Users tests
 #
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected_policy_error.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected_aes256_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected_rc4_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected_aes256_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected_rc4_preauth.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_mac_not_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_mac_protected.ad_dc