auth: keytab invalidation test

chgtdcpass should add a new DC password and delete the old ones but the bug exposed by this test causes the tool to remove only a single record from the old entries, leaving the old passwords functional. Since the tool is used by administrators who may have disclosed their domain join password and want to invalidate it, this is a security concern. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415 Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
author: Aaron Haslett <aaronhaslett@catalyst.net.nz> 2018-05-01 11:10:24 +1200
committer: Andreas Schneider <asn@cryptomilk.org> 2018-05-15 12:41:55 +0200
commit: a3d6fdd5355d366f3d23915cecc10c6f039daa44 (patch)
tree: 71f7d788e1df5506c1cc92219197e1a7c38e5f4d /source4
parent: 506c520503eacff33064c1c23a068399f7296d86 (diff)
download: samba-a3d6fdd5355d366f3d23915cecc10c6f039daa44.tar.gz
2 files changed, 113 insertions, 0 deletions
diff --git a/source4/auth/tests/kerberos.c b/source4/auth/tests/kerberos.c
new file mode 100644
index 00000000000..703c8067908
--- /dev/null
+++ b/source4/auth/tests/kerberos.c
@@ -0,0 +1,107 @@
+#include <time.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <stdint.h>
+#include <cmocka.h>
+
+#include "includes.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_proto.h"
+#include "auth/credentials/credentials_krb5.h"
+#include "auth/kerberos/kerberos_credentials.h"
+#include "auth/kerberos/kerberos_util.h"
+
+static void internal_obsolete_keytab_test(int num_principals, int num_kvnos,
+					  krb5_kvno kvno, const char *kt_name)
+{
+	krb5_context krb5_ctx;
+	krb5_keytab keytab;
+	krb5_keytab_entry kt_entry;
+	krb5_kt_cursor cursor;
+	krb5_error_code code;
+
+	int i,j;
+	char princ_name[6] = "user0";
+	char expect_princ_name[23] = "user0@samba.example.com";
+	bool found_previous;
+	const char *error_str;
+
+	TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+	krb5_principal *principals = talloc_zero_array(tmp_ctx,
+						       krb5_principal,
+						       num_principals);
+	krb5_init_context(&krb5_ctx);
+	krb5_kt_resolve(krb5_ctx, kt_name, &keytab);
+	ZERO_STRUCT(kt_entry);
+
+	for(i=0; i<num_principals; i++) {
+		princ_name[4] = (char)i+48;
+		smb_krb5_make_principal(krb5_ctx, &(principals[i]),
+				    "samba.example.com", princ_name, NULL);
+		kt_entry.principal = principals[i];
+		for (j=0; j<num_kvnos; j++) {
+			kt_entry.vno = j+1;
+			krb5_kt_add_entry(krb5_ctx, keytab, &kt_entry);
+		}
+	}
+
+	code = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
+	assert_int_equal(code, 0);
+	for (i=0; i<num_principals; i++) {
+		expect_princ_name[4] = (char)i+48;
+		for (j=0; j<num_kvnos; j++) {
+			char *unparsed_name;
+			code = krb5_kt_next_entry(krb5_ctx, keytab,
+						  &kt_entry, &cursor);
+			assert_int_equal(code, 0);
+			assert_int_equal(kt_entry.vno, j+1);
+			krb5_unparse_name(krb5_ctx, kt_entry.principal,
+					  &unparsed_name);
+			assert_string_equal(expect_princ_name, unparsed_name);
+		}
+	}
+
+	smb_krb5_remove_obsolete_keytab_entries(tmp_ctx, krb5_ctx, keytab,
+						num_principals, principals,
+						kvno, &found_previous,
+						&error_str);
+
+	code = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
+	assert_int_equal(code, 0);
+	for (i=0; i<num_principals; i++) {
+		char *unparsed_name;
+		expect_princ_name[4] = (char)i+48;
+		code = krb5_kt_next_entry(krb5_ctx, keytab, &kt_entry, &cursor);
+		assert_int_equal(code, 0);
+		assert_int_equal(kt_entry.vno, kvno-1);
+		krb5_unparse_name(krb5_ctx, kt_entry.principal, &unparsed_name);
+		assert_string_equal(expect_princ_name, unparsed_name);
+	}
+	code = krb5_kt_next_entry(krb5_ctx, keytab, &kt_entry, &cursor);
+	assert_int_not_equal(code, 0);
+}
+
+static void test_krb5_remove_obsolete_keytab_entries_many(void **state)
+{
+	internal_obsolete_keytab_test(5, 4, (krb5_kvno)5, "MEMORY:LOL2");
+}
+
+static void test_krb5_remove_obsolete_keytab_entries_one(void **state)
+{
+	internal_obsolete_keytab_test(1, 2, (krb5_kvno)3, "MEMORY:LOL");
+}
+
+int main(int argc, const char **argv)
+{
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(test_krb5_remove_obsolete_keytab_entries_one),
+		cmocka_unit_test(test_krb5_remove_obsolete_keytab_entries_many),
+	};
+
+	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+	return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/source4/auth/wscript_build b/source4/auth/wscript_build
index f7508619cd7..d3452d2ca92 100644
--- a/source4/auth/wscript_build
+++ b/source4/auth/wscript_build
@@ -42,6 +42,12 @@ bld.SAMBA_SUBSYSTEM('auth4_sam',
 	deps=''
 	)
 
+bld.SAMBA_BINARY('test_kerberos',
+        source='tests/kerberos.c',
+        deps='cmocka authkrb5 krb5samba com_err CREDENTIALS_KRB5',
+        local_include=False,
+        install=False
+        )
 
 for env in bld.gen_python_environments():
 	pytalloc_util = bld.pyembed_libname('pytalloc-util')
author	Aaron Haslett <aaronhaslett@catalyst.net.nz>	2018-05-01 11:10:24 +1200
committer	Andreas Schneider <asn@cryptomilk.org>	2018-05-15 12:41:55 +0200
commit	a3d6fdd5355d366f3d23915cecc10c6f039daa44 (patch)
tree	71f7d788e1df5506c1cc92219197e1a7c38e5f4d /source4
parent	506c520503eacff33064c1c23a068399f7296d86 (diff)
download	samba-a3d6fdd5355d366f3d23915cecc10c6f039daa44.tar.gz