tests: add PAC test for CVE-2020-17049 (bronze bit)
This commit is contained in:

committed by
Luke Howard

parent
1ae7c61ef7
commit
152e28fc40
@@ -50,7 +50,8 @@ TESTS = \
|
||||
|
||||
check_DATA = test_config_strings.out
|
||||
|
||||
check_PROGRAMS = $(TESTS) test_hostname test_ap-req test_canon test_set_kvno0
|
||||
check_PROGRAMS = $(TESTS) test_hostname test_ap-req test_canon test_set_kvno0 \
|
||||
test_mkforwardable
|
||||
|
||||
LDADD = libkrb5.la \
|
||||
$(LIB_hcrypto) \
|
||||
|
191
lib/krb5/test_mkforwardable.c
Normal file
191
lib/krb5/test_mkforwardable.c
Normal file
@@ -0,0 +1,191 @@
|
||||
/*
|
||||
* Copyright (c) 1997-2021 Kungliga Tekniska Högskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* Copyright (c) 2021 Isaac Boukris
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* 3. Neither the name of the Institute nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "krb5_locl.h"
|
||||
|
||||
/*
|
||||
* Usage: mkforwardable server out_ccache
|
||||
*
|
||||
* The default cache contains a ticket to server and the default keytab
|
||||
* contains a key to decrypt it, the ticket is decrypted and the forwardable
|
||||
* flag is added, the ticket is then re-encrypted and stored in out_cache.
|
||||
*
|
||||
*/
|
||||
|
||||
static krb5_context context;
|
||||
|
||||
static void
|
||||
check(krb5_error_code code)
|
||||
{
|
||||
const char *errmsg;
|
||||
|
||||
if (code == 0)
|
||||
return;
|
||||
|
||||
errmsg = krb5_get_error_message(context, code);
|
||||
fprintf(stderr, "%s\n", errmsg);
|
||||
krb5_free_error_message(context, errmsg);
|
||||
|
||||
abort();
|
||||
}
|
||||
|
||||
static void
|
||||
decrypt_ticket_enc_part(EncryptionKey *key,
|
||||
krb5_enctype etype,
|
||||
Ticket *ticket,
|
||||
EncTicketPart *et)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
krb5_data plain;
|
||||
size_t len;
|
||||
krb5_crypto crypto;
|
||||
|
||||
check(krb5_crypto_init(context, key, etype, &crypto));
|
||||
|
||||
ret = krb5_decrypt_EncryptedData (context,
|
||||
crypto,
|
||||
KRB5_KU_TICKET,
|
||||
&ticket->enc_part,
|
||||
&plain);
|
||||
check(ret);
|
||||
|
||||
check(decode_EncTicketPart(plain.data, plain.length, et, &len));
|
||||
|
||||
krb5_data_free (&plain);
|
||||
krb5_crypto_destroy(context, crypto);
|
||||
}
|
||||
|
||||
static void
|
||||
encrypt_ticket_enc_part(EncryptionKey *key,
|
||||
krb5_enctype etype,
|
||||
krb5_kvno skvno,
|
||||
EncTicketPart *et,
|
||||
Ticket *ticket)
|
||||
{
|
||||
size_t len, size;
|
||||
char *buf;
|
||||
krb5_error_code ret;
|
||||
krb5_crypto crypto;
|
||||
|
||||
ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, et, &size, ret);
|
||||
check(ret);
|
||||
|
||||
check(krb5_crypto_init(context, key, etype, &crypto));
|
||||
ret = krb5_encrypt_EncryptedData(context,
|
||||
crypto,
|
||||
KRB5_KU_TICKET,
|
||||
buf,
|
||||
len,
|
||||
skvno,
|
||||
&ticket->enc_part);
|
||||
check(ret);
|
||||
|
||||
free(buf);
|
||||
krb5_crypto_destroy(context, crypto);
|
||||
}
|
||||
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
krb5_keytab kt;
|
||||
krb5_keytab_entry entry;
|
||||
krb5_enctype etype;
|
||||
krb5_creds mc, cred;
|
||||
krb5_ccache ccache;
|
||||
EncTicketPart et;
|
||||
Ticket ticket;
|
||||
size_t size;
|
||||
krb5_kvno kvno = 0;
|
||||
|
||||
memset(&cred, 0, sizeof(cred));
|
||||
|
||||
if (argc != 3)
|
||||
errx(1, "Usage: mkforwardable server out_ccache");
|
||||
|
||||
ret = krb5_init_context(&context);
|
||||
if (ret)
|
||||
errx(1, "krb5_init_context failed: %u", ret);
|
||||
|
||||
check(krb5_cc_default(context, &ccache));
|
||||
|
||||
krb5_cc_clear_mcred(&mc);
|
||||
|
||||
check(krb5_parse_name(context, argv[1], &mc.server));
|
||||
|
||||
check(krb5_cc_retrieve_cred(context, ccache, 0, &mc, &cred));
|
||||
|
||||
check(decode_Ticket(cred.ticket.data, cred.ticket.length, &ticket, NULL));
|
||||
|
||||
etype = ticket.enc_part.etype;
|
||||
|
||||
if (ticket.enc_part.kvno != NULL)
|
||||
kvno = *ticket.enc_part.kvno;
|
||||
|
||||
check(krb5_kt_default(context, &kt));
|
||||
|
||||
check(krb5_kt_get_entry(context, kt, mc.server, kvno, etype, &entry));
|
||||
|
||||
decrypt_ticket_enc_part(&entry.keyblock, etype, &ticket, &et);
|
||||
|
||||
et.flags.forwardable = 1;
|
||||
cred.flags.b = et.flags;
|
||||
|
||||
free_EncryptedData(&ticket.enc_part);
|
||||
|
||||
encrypt_ticket_enc_part(&entry.keyblock, etype, kvno, &et, &ticket);
|
||||
|
||||
krb5_data_free(&cred.ticket);
|
||||
ASN1_MALLOC_ENCODE(Ticket, cred.ticket.data, cred.ticket.length, &ticket,
|
||||
&size, ret);
|
||||
check(ret);
|
||||
|
||||
krb5_cc_close(context, ccache);
|
||||
|
||||
check(krb5_cc_resolve(context, argv[2], &ccache));
|
||||
check(krb5_cc_initialize(context, ccache, cred.client));
|
||||
|
||||
check(krb5_cc_store_cred(context, ccache, &cred));
|
||||
|
||||
free_Ticket(&ticket);
|
||||
free_EncTicketPart(&et);
|
||||
krb5_cc_close(context, ccache);
|
||||
krb5_free_principal(context, mc.server);
|
||||
krb5_free_cred_contents(context, &cred);
|
||||
krb5_kt_free_entry(context, &entry);
|
||||
krb5_kt_close(context, kt);
|
||||
|
||||
return 0;
|
||||
}
|
@@ -58,6 +58,7 @@ rkvis="${TESTS_ENVIRONMENT} ${top_builddir}/lib/roken/rkvis"
|
||||
test_set_kvno0="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_set_kvno0"
|
||||
test_alname="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_alname"
|
||||
test_kuserok="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_kuserok"
|
||||
test_mkforwardable="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_mkforwardable"
|
||||
|
||||
# misc apps
|
||||
have_db="${top_builddir}/tests/db/have-db"
|
||||
|
@@ -89,6 +89,7 @@ icache="FILE:${objdir}/icache.krb5"
|
||||
keytabfile=${objdir}/server.keytab
|
||||
keytab="FILE:${keytabfile}"
|
||||
ps="proxy-service@${R}"
|
||||
rps="restricted-proxy-service@${R}"
|
||||
aesenctype="aes256-cts-hmac-sha1-96"
|
||||
|
||||
kinit="${kinit} -c $cache ${afs_no_afslog}"
|
||||
@@ -225,6 +226,11 @@ ${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
|
||||
${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
|
||||
${kadmin} ext -k ${keytab} ${ps} || exit 1
|
||||
|
||||
# Note: rps is not trusted-for-delegation
|
||||
${kadmin} add -p foo --use-defaults ${rps} || exit 1
|
||||
${kadmin} modify --constrained-delegation=${server} ${rps} || exit 1
|
||||
${kadmin} ext -k ${keytab} ${rps} || exit 1
|
||||
|
||||
${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
|
||||
${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
|
||||
${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1
|
||||
@@ -906,6 +912,46 @@ ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${ser
|
||||
|
||||
${kdestroy}
|
||||
|
||||
echo "test constrained delegation NOT trusted-for-delegation (evidence from TGS)"; > messages.log
|
||||
|
||||
${kinit} --forwardable --password-file=${objdir}/foopassword ${rps} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kgetcred} --cache=${icache} --out-cache=${ocache} ${rps} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kgetcred} \
|
||||
--out-cache=${o2cache} \
|
||||
--delegation-credential-cache=${ocache} \
|
||||
${server}@${R} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
|
||||
echo "test constrained delegation NOT trusted-for-delegation (evidence from impersonate, negative)"; > messages.log
|
||||
rm -f ocache.krb5
|
||||
${kgetcred_imp} --impersonate=bar@${R} ${rps} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${test_ap_req} ${rps} ${keytab} ${ocache} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kgetcred} \
|
||||
--out-cache=${o2cache} \
|
||||
--delegation-credential-cache=${ocache} \
|
||||
${server}@${R} && \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
|
||||
echo "test constrained delegation bronze-bit attack, aka CVE-2020-17049"; > messages.log
|
||||
|
||||
KRB5CCNAME=${ocache} KRB5_KTNAME=${keytab} ${test_mkforwardable} ${rps} ${icache} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
|
||||
${kgetcred} \
|
||||
--out-cache=${o2cache} \
|
||||
--delegation-credential-cache=${icache} \
|
||||
${server}@${R} && \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kdestroy}
|
||||
|
||||
echo "check renewing" > messages.log
|
||||
${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
|
Reference in New Issue
Block a user