CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 19 Oct 2021 01:39:36 +0000 (14:39 +1300)
committerJule Anger <janger@samba.org>
Tue, 9 Nov 2021 19:45:32 +0000 (19:45 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/s4u_tests.py
selftest/knownfail_heimdal_kdc

index 593ef94c9103dac31ca0cca9545282247a5b580b..a80a7b3427e03e423da83a893af46a9d041d7445 100755 (executable)
@@ -256,6 +256,17 @@ class S4UKerberosTests(KDCBaseTest):
         if unexpected_flags is not None:
             unexpected_flags = krb5_asn1.TicketFlags(unexpected_flags)
 
+        expected_error_mode = kdc_dict.pop('expected_error_mode', 0)
+        expected_status = kdc_dict.pop('expected_status', None)
+        if expected_error_mode:
+            check_error_fn = self.generic_check_kdc_error
+            check_rep_fn = None
+        else:
+            check_error_fn = None
+            check_rep_fn = self.generic_check_kdc_rep
+
+            self.assertIsNone(expected_status)
+
         kdc_options = kdc_dict.pop('kdc_options', '0')
         kdc_options = krb5_asn1.KDCOptions(kdc_options)
 
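Review bot: The `self.assertIsNone(expected_status)` in the `else` branch enforces an invariant that is not written down anywhere: an NT status may only be supplied alongside an expected KDC error, never with an expected success reply. Since it sits after a blank line, detached from the two assignments, a reader can easily take it for a leftover; I would put `# A success reply carries no NT status; only an expected KDC error may specify one.` directly above it. The `if expected_error_mode:` test relies on truthiness, which works for both the `0` default and the tuple of error codes the new test passes, so a short note that a tuple means "any of these codes" would also help the next caller. `_run_s4u2self_test` starts before this hunk and continues past it; the second hunk only threads the new values through to `_kdc_exchange`-style keywords and needs no separate change.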
@@ -290,9 +301,11 @@ class S4UKerberosTests(KDCBaseTest):
             ticket_decryption_key=service_decryption_key,
             expect_ticket_checksum=True,
             generate_padata_fn=generate_s4u2self_padata,
-            check_rep_fn=self.generic_check_kdc_rep,
+            check_error_fn=check_error_fn,
+            check_rep_fn=check_rep_fn,
             check_kdc_private_fn=self.generic_check_kdc_private,
-            expected_error_mode=0,
+            expected_error_mode=expected_error_mode,
+            expected_status=expected_status,
             tgt=service_tgt,
             authenticator_subkey=authenticator_subkey,
             kdc_options=str(kdc_options),
@@ -321,6 +334,26 @@ class S4UKerberosTests(KDCBaseTest):
                 'expected_flags': 'forwardable'
             })
 
+    # Test performing an S4U2Self operation with a forwardable ticket that does
+    # not contain a PAC. The request should fail.
+    def test_s4u2self_no_pac(self):
+        def forwardable_no_pac(ticket):
+            ticket = self.set_ticket_forwardable(ticket, flag=True)
+            return self.remove_ticket_pac(ticket)
+
+        self._run_s4u2self_test(
+            {
+                'expected_error_mode': (KDC_ERR_GENERIC,
+                                        KDC_ERR_BADOPTION),
+                'expected_status': ntstatus.NT_STATUS_INVALID_PARAMETER,
+                'client_opts': {
+                    'not_delegated': False
+                },
+                'kdc_options': 'forwardable',
+                'modify_service_tgt_fn': forwardable_no_pac,
+                'expected_flags': 'forwardable'
+            })
+
     # Test performing an S4U2Self operation without requesting a forwardable
     # ticket. The resulting ticket should not have the 'forwardable' flag set.
     def test_s4u2self_without_forwardable(self):
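Review bot: The header comment on `test_s4u2self_no_pac` says only that the request "should fail", while the body pins a specific failure — `KDC_ERR_GENERIC` or `KDC_ERR_BADOPTION` with `NT_STATUS_INVALID_PARAMETER` — so the rationale lives in the code but not in the comment. I would extend it to: `# The KDC must reject an S4U2Self request whose service TGT lacks a PAC (CVE-2020-25719, bug 14686): either KDC_ERR_GENERIC or KDC_ERR_BADOPTION, with NT_STATUS_INVALID_PARAMETER.` Accepting a tuple of two error codes means the test will not notice if an implementation switches between them; that looks deliberate to cover differing KDC implementations, but a one-line comment saying so would stop someone later "tightening" it to a single code and breaking one of the KDCs. The helper `forwardable_no_pac` mutates the service TGT in two steps via `set_ticket_forwardable` and `remove_ticket_pac`, both defined outside this hunk, so I am assuming they return a new ticket rather than modifying in place. Note the same test is listed in the Heimdal knownfail file in the second file section, so it is expected to fail there until the KDC-side fix lands.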
index 86d1733926ff4874c043dd5eaf33e896add4ec79..76322fc187e82cda7dbe2009515b3a1f00c5d009 100644 (file)
@@ -81,6 +81,7 @@
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_pac
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
 #
 # The lack of KRB5SignedPath means we no longer return
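Review bot: The new knownfail entry for `test_s4u2self_no_pac` records that the Heimdal KDC does not yet reject a PAC-less S4U2Self request, but unlike the entries that follow it (which sit under an explanatory `#` comment) nothing says which change is expected to clear it. If the file's layout allows it, a comment such as `# Heimdal KDC does not yet reject S4U2Self with a PAC-less service TGT (CVE-2020-25719, bug 14686); drop once fixed` near the entry would make the removal obvious when the fix is merged. This is a documentation point only; the entry itself is correct for the test added in the first file section.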