author | Andreas Schneider <asn@samba.org> | 2022-05-19 16:35:28 +0200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-07-27 10:52:36 +0000 |
commit | a8068e32a02d4f399f91c41427778d588b2b7b6a (patch) | |
tree | cc9833db0c83000289d02646754ecf03c5aa08a2 /testprogs | |
parent | d6580f35724a3b1202b77f607fa4e9d342d62b8a (diff) | |
CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Diffstat (limited to 'testprogs')
-rwxr-xr-x | testprogs/blackbox/test_kpasswd_heimdal.sh | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/testprogs/blackbox/test_kpasswd_heimdal.sh b/testprogs/blackbox/test_kpasswd_heimdal.sh
index a73c6665a18..698044a3fd3 100755
--- a/testprogs/blackbox/test_kpasswd_heimdal.sh
+++ b/testprogs/blackbox/test_kpasswd_heimdal.sh
@@ -7,7 +7,7 @@
 if [ $# -lt 6 ]; then
 cat <<EOF
-Usage: test_passwords.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
+Usage: test_kpasswd_heimdal.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
 EOF
 exit 1;
 fi
@@ -27,6 +27,8 @@ smbclient="$samba_bindir/smbclient"
 samba_kinit=$samba_bindir/samba4kinit
 samba_kpasswd=$samba_bindir/samba4kpasswd
+mit_kpasswd="$(command -v kpasswd)"
+
 samba_tool="$samba_bindir/samba-tool"
 net_tool="$samba_bindir/net"
 texpect="$samba_bindir/texpect"
@@ -142,6 +144,37 @@ TEST_PASSWORD=$TEST_PASSWORD_NEW
 TEST_PASSWORD_NEW="testPaSS@03%"
 ###########################################################
+### CVE-2022-XXXXX
+###########################################################
+
+if [ -n "${mit_kpasswd}" ]; then
+ cat > "${PREFIX}/tmpkpasswdscript" <<EOF
+expect Password for ${TEST_PRINCIPAL}
+password ${TEST_PASSWORD}\n
+expect Enter new password
+send ${TEST_PASSWORD_NEW}\n
+expect Enter it again
+send ${TEST_PASSWORD_NEW}\n
+expect Password changed.
+EOF
+
+ SAVE_KRB5_CONFIG="${KRB5_CONFIG}"
+ KRB5_CONFIG="${PREFIX}/tmpkrb5.conf"
+ export KRB5_CONFIG
+ sed -e 's/\[libdefaults\]/[libdefaults]\n canonicalize = yes/' \
+ "${SAVE_KRB5_CONFIG}" > "${KRB5_CONFIG}"
+ testit "MIT kpasswd change user password" \
+ "${texpect}" "${PREFIX}/tmpkpasswdscript" "${mit_kpasswd}" \
+ "${TEST_PRINCIPAL}" ||
+ failed=$((failed + 1))
+ KRB5_CONFIG="${SAVE_KRB5_CONFIG}"
+ export KRB5_CONFIG
+fi
+
+TEST_PASSWORD="${TEST_PASSWORD_NEW}"
+TEST_PASSWORD_NEW="testPaSS@03force%"
+
+###########################################################
 ### Force password change at login
 ########################################################### |
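Review bot: `mit_kpasswd="$(command -v kpasswd)"` picks up whichever `kpasswd` is first on PATH, so nothing in this hunk establishes that the binary is the MIT client that the later test name and expect prompts assume. When no `kpasswd` is installed the variable is empty and the third hunk's `if [ -n "${mit_kpasswd}" ]` guard skips the CVE-2022-2031 canonicalization check without any output, so a host without the client reports the same result as one where the regression test actually ran. An `else` branch on that guard, for example `echo "MIT kpasswd not found, skipping kadmin/changepw canonicalization test"`, would make the lost coverage visible in the test log.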
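Review bot: The two assignments after `fi` rotate `TEST_PASSWORD` to `testPaSS@03%` even when the guarded block was skipped or the kpasswd change failed, so the script's idea of the account's current password can diverge from what the KDC holds. Whether that breaks later cases depends on code outside this hunk; moving `TEST_PASSWORD="${TEST_PASSWORD_NEW}"` inside the `if` block, after a successful `testit`, would keep the variable tied to a change that really happened. The section header still reads `### CVE-2022-XXXXX` although the commit title names CVE-2022-2031; the comment should carry the assigned ID, e.g. `### CVE-2022-2031 - MIT kpasswd with canonicalize = yes`. The expect script written to `${PREFIX}/tmpkpasswdscript` holds both passwords in clear text and `${PREFIX}/tmpkrb5.conf` is a new file, and no removal of either is visible in this hunk.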