author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-05-31 19:23:06 +1200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-07-27 10:52:36 +0000 |
commit | 192d597c2f2025845c3cd478fab9d72299c075bd (patch) | |
tree | 83b7f7a2ac73580d230ae32752f12149f1f4343f /python | |
parent | 4212037a6a37080206c8459920087b1a113c3fb5 (diff) | |
download | samba-192d597c2f2025845c3cd478fab9d72299c075bd.tar.gz |
CVE-2022-2031 tests/krb5: Consider kadmin/* principals as TGS for MIT KRB5 >= 1.20
With MIT Kerberos >= 1.20, we should not expect a ticket checksum in
tickets to principals such as kpasswd/changepw, as they are encrypted
with the krbtgt's key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'python')
-rw-r--r-- | python/samba/tests/krb5/kdc_base_test.py | 5 | ||||
-rw-r--r-- | python/samba/tests/krb5/raw_testcase.py | 28 |
2 files changed, 28 insertions, 5 deletions
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 33727a4abc5..4a4bcfeed53 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -1516,9 +1516,12 @@ class KDCBaseTest(RawKerberosTest): else: krbtgt_creds = self.get_krbtgt_creds() krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds) + + expect_ticket_checksum = (self.tkt_sig_support + and not self.is_tgs_principal(sname)) self.verify_ticket(service_ticket_creds, krbtgt_key, service_ticket=True, expect_pac=expect_pac, - expect_ticket_checksum=self.tkt_sig_support) + expect_ticket_checksum=expect_ticket_checksum) self.tkt_cache[cache_key] = service_ticket_creds diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index b22617c3882..4ef37c51222 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -657,6 +657,12 @@ class RawKerberosTest(TestCaseInTempDir): padata_checking = '1' cls.padata_checking = bool(int(padata_checking)) + kadmin_is_tgs = samba.tests.env_get_var_value('KADMIN_IS_TGS', + allow_missing=True) + if kadmin_is_tgs is None: + kadmin_is_tgs = '0' + cls.kadmin_is_tgs = bool(int(kadmin_is_tgs)) + def setUp(self): super().setUp() self.do_asn1_print = False @@ -3057,8 +3063,8 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNotNone(ticket_decryption_key) if ticket_decryption_key is not None: - service_ticket = (not self.is_tgs(expected_sname) - and rep_msg_type == KRB_TGS_REP) + service_ticket = (rep_msg_type == KRB_TGS_REP + and not self.is_tgs_principal(expected_sname)) self.verify_ticket(ticket_creds, krbtgt_keys, service_ticket=service_ticket, expect_pac=expect_pac, 
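Review bot: The new expect_ticket_checksum expression in the @@ -1516 hunk of kdc_base_test.py gives no reason why a TGS-like principal is exempt from the checksum expectation; that reason lives only in the commit message, so add a comment above it such as `# Tickets to the krbtgt, and to kadmin/* when KADMIN_IS_TGS is set (MIT KRB5 >= 1.20), are encrypted with the krbtgt key and so carry no ticket checksum.` The enclosing method starts outside the hunk, so where sname is bound is not visible here. The same reasoning applies to the service_ticket assignment in the @@ -3057 hunk of raw_testcase.py, which would benefit from the same one-line comment.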
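Review bot: The KADMIN_IS_TGS parsing in the @@ -657 hunk of raw_testcase.py accepts only integer strings, so `bool(int(kadmin_is_tgs))` raises a bare ValueError at class setup for a value like `true` or `yes`, and the error does not name the variable. That mirrors the existing padata_checking handling just above, so it is a consistency choice rather than a defect, but the variable's meaning is documented nowhere in the code; a comment before the lookup such as `# KADMIN_IS_TGS=1: the KDC under test encrypts kadmin/* tickets with the krbtgt key (MIT KRB5 >= 1.20), so no ticket checksum is expected for them` would spare the next reader a trip to the commit log. The enclosing method (it assigns to cls, so presumably a classmethod) starts outside the hunk.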
@@ -3098,8 +3104,9 @@ class RawKerberosTest(TestCaseInTempDir): expected_types.append(krb5pac.PAC_TYPE_DEVICE_INFO) expected_types.append(krb5pac.PAC_TYPE_DEVICE_CLAIMS_INFO) - if not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP: - expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM) + if rep_msg_type == KRB_TGS_REP: + if not self.is_tgs_principal(expected_sname): + expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM) require_strict = {krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO, krb5pac.PAC_TYPE_DEVICE_INFO, @@ -4244,6 +4251,19 @@ class RawKerberosTest(TestCaseInTempDir): krb5pac.PAC_TYPE_KDC_CHECKSUM: krbtgt_key } + def is_tgs_principal(self, principal): + if self.is_tgs(principal): + return True + + if self.kadmin_is_tgs and self.is_kadmin(principal): + return True + + return False + + def is_kadmin(self, principal): + name = principal['name-string'][0] + return name in ('kadmin', b'kadmin') + def is_tgs(self, principal): name = principal['name-string'][0] return name in ('krbtgt', b'krbtgt') |
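Review bot: The nested `if` in the @@ -3098 hunk of raw_testcase.py spells out as two conditions what the removed code expressed as one; unless further TGS-REP-only PAC types are about to be added under the outer branch, the flat form `if rep_msg_type == KRB_TGS_REP and not self.is_tgs_principal(expected_sname):` says the same thing with one less indentation level. If the nesting is deliberate groundwork, a one-line comment naming what else belongs under the outer branch would justify it. The enclosing method starts and ends outside the hunk.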
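Review bot: is_tgs_principal in the @@ -4244 hunk of raw_testcase.py is a three-branch spelling of one boolean expression and can be `return self.is_tgs(principal) or (self.kadmin_is_tgs and self.is_kadmin(principal))`. More importantly, neither new method says what it decides: is_kadmin matches any principal whose first name-string component is `kadmin`, whatever the instance or number of components, and like is_tgs it indexes `[0]` without guarding an empty name-string; the commit message speaks of `kpasswd/changepw` while the code keys on `kadmin`, so a docstring should state which names are actually covered. Suggested docstrings: for is_tgs_principal, `"""Return True if *principal* is treated as a TGS for ticket-checksum purposes: the krbtgt itself, plus kadmin/* when KADMIN_IS_TGS is set (MIT KRB5 >= 1.20 encrypts those tickets with the krbtgt key, per the commit message)."""`; for is_kadmin, `"""Return True if the first name-string component of *principal* is 'kadmin' (str or bytes)."""`.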