CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 26 Oct 2021 07:51:13 +0000 (20:51 +1300)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:12 +0000 (10:52 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/kdc_base_test.py
python/samba/tests/krb5/raw_testcase.py

index dc1ba629b41a7dc285e1d9b97b2c4f6c15234fd9..61eeb2333f9b4b08fd4767bb66d8db964da7b2a9 100644 (file)
@@ -1362,6 +1362,7 @@ class KDCBaseTest(RawKerberosTest):
                 expected_sid=None,
                 pac_request=True, expect_pac=True,
                 expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
+                expect_requester_sid=None,
                 fresh=False):
         user_name = creds.get_username()
         cache_key = (user_name, to_rodc, kdc_options, pac_request)
@@ -1430,6 +1431,7 @@ class KDCBaseTest(RawKerberosTest):
             expect_pac=expect_pac,
             expect_pac_attrs=expect_pac_attrs,
             expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
+            expect_requester_sid=expect_requester_sid,
             to_rodc=to_rodc)
         self.check_pre_authentication(rep)
 
@@ -1476,6 +1478,7 @@ class KDCBaseTest(RawKerberosTest):
             expect_pac=expect_pac,
             expect_pac_attrs=expect_pac_attrs,
             expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
+            expect_requester_sid=expect_requester_sid,
             to_rodc=to_rodc)
         self.check_as_reply(rep)
 
index d63366318be1122a40edc0d815173756a55dfea1..8779d0f7869f6701e6690ee9234d4a2a63cb1084 100644 (file)
@@ -2023,6 +2023,7 @@ class RawKerberosTest(TestCaseInTempDir):
                          expect_upn_dns_info_ex=None,
                          expect_pac_attrs=None,
                          expect_pac_attrs_pac_request=None,
+                         expect_requester_sid=None,
                          to_rodc=False):
         if expected_error_mode == 0:
             expected_error_mode = ()
@@ -2078,6 +2079,7 @@ class RawKerberosTest(TestCaseInTempDir):
             'expect_upn_dns_info_ex': expect_upn_dns_info_ex,
             'expect_pac_attrs': expect_pac_attrs,
             'expect_pac_attrs_pac_request': expect_pac_attrs_pac_request,
+            'expect_requester_sid': expect_requester_sid,
             'to_rodc': to_rodc
         }
         if callback_dict is None:
@@ -2128,6 +2130,7 @@ class RawKerberosTest(TestCaseInTempDir):
                           expect_upn_dns_info_ex=None,
                           expect_pac_attrs=None,
                           expect_pac_attrs_pac_request=None,
+                          expect_requester_sid=None,
                           expected_proxy_target=None,
                           expected_transited_services=None,
                           to_rodc=False):
@@ -2184,6 +2187,7 @@ class RawKerberosTest(TestCaseInTempDir):
             'expect_upn_dns_info_ex': expect_upn_dns_info_ex,
             'expect_pac_attrs': expect_pac_attrs,
             'expect_pac_attrs_pac_request': expect_pac_attrs_pac_request,
+            'expect_requester_sid': expect_requester_sid,
             'expected_proxy_target': expected_proxy_target,
             'expected_transited_services': expected_transited_services,
             'to_rodc': to_rodc
@@ -2610,6 +2614,12 @@ class RawKerberosTest(TestCaseInTempDir):
         elif expect_pac_attrs is None:
             require_strict.add(krb5pac.PAC_TYPE_ATTRIBUTES_INFO)
 
+        expect_requester_sid = kdc_exchange_dict['expect_requester_sid']
+        if expect_requester_sid:
+            expected_types.append(krb5pac.PAC_TYPE_REQUESTER_SID)
+        elif expect_requester_sid is None:
+            require_strict.add(krb5pac.PAC_TYPE_REQUESTER_SID)
+
         buffer_types = [pac_buffer.type
                         for pac_buffer in pac.buffers]
         self.assertSequenceElementsEqual(
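Review bot: The three-valued meaning of expect_requester_sid added here (truthy → the PAC_TYPE_REQUESTER_SID buffer is required; None → its presence is only enforced via require_strict; anything else falsy → it is not listed as expected at all) is not written down, and it mirrors the PAC_TYPE_ATTRIBUTES_INFO branch just above it, so a reader has to reconstruct the contract from two places. A short comment before the new `expect_requester_sid = kdc_exchange_dict['expect_requester_sid']` line would help, e.g. `# True: REQUESTER_SID must be present; None: only checked under require_strict; False: not expected.` Whether a falsy-but-not-None value makes an unexpected REQUESTER_SID buffer fail depends on how assertSequenceElementsEqual treats require_strict, which is outside this hunk. The enclosing check function starts and ends outside the hunk.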
@@ -2704,6 +2714,13 @@ class RawKerberosTest(TestCaseInTempDir):
                 self.assertEqual(expect_pac_attrs_pac_request is None,
                                  given_pac)
 
+            elif (pac_buffer.type == krb5pac.PAC_TYPE_REQUESTER_SID
+                      and expect_requester_sid):
+                requester_sid = pac_buffer.info.sid
+
+                self.assertIsNotNone(expected_sid)
+                self.assertEqual(expected_sid, str(requester_sid))
+
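Review bot: The SID value in the new PAC_TYPE_REQUESTER_SID branch is only compared when expect_requester_sid is truthy; in the None case a REQUESTER_SID buffer that the KDC does return passes through with its contents unchecked, even when the test already knows expected_sid. Since the value check is independent of whether the buffer was required, consider guarding on the data instead, `elif (pac_buffer.type == krb5pac.PAC_TYPE_REQUESTER_SID and expected_sid is not None):`, so a wrong requester SID is caught whenever it can be verified, and keep `self.assertIsNotNone(expected_sid)` only for the required case. This assumes expected_sid is the caller-supplied account SID; it is defined outside the hunk, as is the loop this branch belongs to.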
     def generic_check_kdc_error(self,
                                 kdc_exchange_dict,
                                 callback_dict,
@@ -3698,6 +3715,7 @@ class RawKerberosTest(TestCaseInTempDir):
                           expect_pac=True,
                           expect_pac_attrs=None,
                           expect_pac_attrs_pac_request=None,
+                          expect_requester_sid=None,
                           to_rodc=False):
 
         def _generate_padata_copy(_kdc_exchange_dict,
@@ -3743,6 +3761,7 @@ class RawKerberosTest(TestCaseInTempDir):
             expect_pac=expect_pac,
             expect_pac_attrs=expect_pac_attrs,
             expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
+            expect_requester_sid=expect_requester_sid,
             to_rodc=to_rodc)
 
         rep = self._generic_kdc_exchange(kdc_exchange_dict,