CVE-2022-37966 tests/krb5: Update supported enctype checking
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 23 Dec 2021 02:59:21 +0000 (15:59 +1300)
committerStefan Metzmacher <metze@samba.org>
Tue, 13 Dec 2022 23:48:48 +0000 (00:48 +0100)
We now do not expect the claims or compound ID bits to be set unless
explicitly specified, nor the DES bits.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit e9caa1edef846cdea2a719976ee0fd5bd8531048)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

python/samba/tests/krb5/kdc_base_test.py
python/samba/tests/krb5/raw_testcase.py

index f0306dde11029ce2d40d06e36b106c2bd1b57736..e42af00cdfcfe38a0c53ebab5baa3f1d477e168d 100644 (file)
@@ -600,13 +600,21 @@ class KDCBaseTest(RawKerberosTest):
         creds.set_tgs_supported_enctypes(supported_enctypes)
         creds.set_ap_supported_enctypes(supported_enctypes)
 
-    def creds_set_default_enctypes(self, creds, fast_support=False):
+    def creds_set_default_enctypes(self, creds,
+                                   fast_support=False,
+                                   claims_support=False,
+                                   compound_id_support=False):
         default_enctypes = self.get_default_enctypes()
         supported_enctypes = KerberosCredentials.etypes_to_bits(
             default_enctypes)
 
         if fast_support:
-            supported_enctypes |= KerberosCredentials.fast_supported_bits
+            supported_enctypes |= security.KERB_ENCTYPE_FAST_SUPPORTED
+        if claims_support:
+            supported_enctypes |= security.KERB_ENCTYPE_CLAIMS_SUPPORTED
+        if compound_id_support:
+            supported_enctypes |= (
+                security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED)
 
         creds.set_as_supported_enctypes(supported_enctypes)
         creds.set_tgs_supported_enctypes(supported_enctypes)
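Review bot: The three boolean flags added to `creds_set_default_enctypes` are positional, so a caller can transpose `claims_support` and `compound_id_support` without any error; making them keyword-only with `def creds_set_default_enctypes(self, creds, *, fast_support=False, claims_support=False, compound_id_support=False):` prevents that, and both call sites in this commit already pass them by keyword. The new code also references `security.KERB_ENCTYPE_FAST_SUPPORTED` and siblings where the old line used `KerberosCredentials.fast_supported_bits`; the import block of kdc_base_test.py is outside this hunk, so I cannot confirm `security` is in scope there — worth checking. A one-line docstring such as `"""Set the credentials' supported enctypes to the defaults, plus the FAST, claims and compound-identity bits that are requested."""` would document the three flags in one place.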
@@ -924,7 +932,11 @@ class KDCBaseTest(RawKerberosTest):
             # The RODC krbtgt account should support the default enctypes,
             # although it might not have the msDS-SupportedEncryptionTypes
             # attribute.
-            self.creds_set_default_enctypes(creds)
+            self.creds_set_default_enctypes(
+                creds,
+                fast_support=self.kdc_fast_support,
+                claims_support=self.kdc_claims_support,
+                compound_id_support=self.kdc_compound_id_support)
 
             return creds
 
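Review bot: The comment above the call still only explains that the RODC krbtgt account "should support the default enctypes", but the new call also sets the FAST, claims and compound-identity bits taken from `self.kdc_fast_support`, `self.kdc_claims_support` and `self.kdc_compound_id_support`; extend it with a line such as `# We also advertise whichever of FAST, claims and compound identity the KDC under test supports (see the *_SUPPORT environment settings).` The same applies to the krbtgt hunk below at `-1015,8 +1027,11`, whose comment likewise only mentions the default enctypes. Both enclosing methods start and end outside their hunks.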
@@ -1015,8 +1027,11 @@ class KDCBaseTest(RawKerberosTest):
             # The krbtgt account should support the default enctypes, although
             # it might not (on Samba) have the msDS-SupportedEncryptionTypes
             # attribute.
-            self.creds_set_default_enctypes(creds,
-                                            fast_support=self.kdc_fast_support)
+            self.creds_set_default_enctypes(
+                creds,
+                fast_support=self.kdc_fast_support,
+                claims_support=self.kdc_claims_support,
+                compound_id_support=self.kdc_compound_id_support)
 
             return creds
 
index 2dedccf6188564b3d10ab15a135c12fd70fff935..b463b168242411dd7468c9e4193f643700382748 100644 (file)
@@ -613,6 +613,19 @@ class RawKerberosTest(TestCaseInTempDir):
             kdc_fast_support = '0'
         cls.kdc_fast_support = bool(int(kdc_fast_support))
 
+        kdc_claims_support = samba.tests.env_get_var_value('CLAIMS_SUPPORT',
+                                                           allow_missing=True)
+        if kdc_claims_support is None:
+            kdc_claims_support = '0'
+        cls.kdc_claims_support = bool(int(kdc_claims_support))
+
+        kdc_compound_id_support = samba.tests.env_get_var_value(
+            'COMPOUND_ID_SUPPORT',
+            allow_missing=True)
+        if kdc_compound_id_support is None:
+            kdc_compound_id_support = '0'
+        cls.kdc_compound_id_support = bool(int(kdc_compound_id_support))
+
         tkt_sig_support = samba.tests.env_get_var_value('TKT_SIG_SUPPORT',
                                                         allow_missing=True)
         if tkt_sig_support is None:
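Review bot: The read-variable / default-to-'0' / `bool(int(...))` sequence is now repeated for `CLAIMS_SUPPORT` and `COMPOUND_ID_SUPPORT` in exactly the shape already used for `kdc_fast_support` and `tkt_sig_support`, so the class setup is accumulating near-identical blocks; a small helper would keep one place to fix if the parsing ever changes. Note that `int()` on a value such as `yes` raises `ValueError` during class setup, which is the existing behaviour for the other flags as well, so the helper below keeps it. The enclosing classmethod starts and ends outside the hunk, so the helper would be added at class level next to it.

```python
    @staticmethod
    def _env_flag(name):
        """Return True when environment variable *name* is set to a non-zero integer; unset means False."""
        value = samba.tests.env_get_var_value(name, allow_missing=True)
        return bool(int(value)) if value is not None else False

        # … unchanged: kdc_fast_support parsing …
        cls.kdc_claims_support = cls._env_flag('CLAIMS_SUPPORT')
        cls.kdc_compound_id_support = cls._env_flag('COMPOUND_ID_SUPPORT')
        # … unchanged: tkt_sig_support parsing …
```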
@@ -2901,8 +2914,14 @@ class RawKerberosTest(TestCaseInTempDir):
                             '<L',
                             enc_pa_dict[PADATA_SUPPORTED_ETYPES])
 
-                        self.assertEqual(supported_etypes,
-                                         expected_supported_etypes)
+                        ignore_bits = (security.KERB_ENCTYPE_DES_CBC_CRC |
+                                       security.KERB_ENCTYPE_DES_CBC_MD5)
+
+                        self.assertEqual(
+                            supported_etypes & ~ignore_bits,
+                            expected_supported_etypes & ~ignore_bits,
+                            f'got: {supported_etypes}, '
+                            f'expected: {expected_supported_etypes}')
 
                     if PADATA_PAC_OPTIONS in enc_pa_dict:
                         pac_options = self.der_decode(
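Review bot: Masking `security.KERB_ENCTYPE_DES_CBC_CRC | security.KERB_ENCTYPE_DES_CBC_MD5` out of both sides of the assertion means a KDC that advertises DES enctypes when the expected value does not (or the reverse) now passes silently, and nothing in the hunk records why that is acceptable; add a comment above `ignore_bits` such as `# The DES bits are deliberately excluded: whether the KDC advertises them is not part of what this check verifies.` The mismatch message prints the two bitmasks in decimal, where individual KERB_ENCTYPE flags are hard to pick out; `f'got: {supported_etypes:#x}, expected: {expected_supported_etypes:#x}'` would make the differing bit obvious. `ignore_bits` is a constant built from two module-level flags, so it could be hoisted to class or module scope rather than rebuilt at this nesting depth on every comparison. The enclosing method starts and ends outside the hunk.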