From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 24 May 2022 07:34:59 +0000 (+1200)
Subject: CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
X-Git-Tag: samba-4.14.14~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c41e20fae268e04aa05e821c7f388ea090727af;p=thirdparty%2Fsamba.git

CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

[jsutton@samba.org Fixed conflict due to lacking rc4_support parameter]

[jsutton@samba.org Fixed conflicts due to lacking client_name_type and
 expected_cname parameters]
---

diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 777b3b4aaf1..c0ca881985a 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1344,10 +1344,12 @@ class KDCBaseTest(RawKerberosTest):
                            expected_flags=None, unexpected_flags=None,
                            pac_request=True, expect_pac=True, fresh=False):
         user_name = tgt.cname['name-string'][0]
+        ticket_sname = tgt.sname
         if target_name is None:
             target_name = target_creds.get_username()[:-1]
         cache_key = (user_name, target_name, service, to_rodc, kdc_options,
                      pac_request, str(expected_flags), str(unexpected_flags),
+                     str(ticket_sname),
                      expect_pac)
 
         if not fresh:
@@ -1414,6 +1416,7 @@ class KDCBaseTest(RawKerberosTest):
                 expected_flags=None, unexpected_flags=None,
                 expected_account_name=None, expected_upn_name=None,
                 expected_sid=None,
+                sname=None, realm=None,
                 pac_request=True, expect_pac=True,
                 expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
                 expect_requester_sid=None,
@@ -1422,6 +1425,7 @@ class KDCBaseTest(RawKerberosTest):
         cache_key = (user_name, to_rodc, kdc_options, pac_request,
                      str(expected_flags), str(unexpected_flags),
                      expected_account_name, expected_upn_name, expected_sid,
+                     str(sname), str(realm),
                      expect_pac, expect_pac_attrs,
                      expect_pac_attrs_pac_request, expect_requester_sid)
 
@@ -1431,15 +1435,21 @@ class KDCBaseTest(RawKerberosTest):
             if tgt is not None:
                 return tgt
 
-        realm = creds.get_realm()
+        if realm is None:
+            realm = creds.get_realm()
 
         salt = creds.get_salt()
 
         etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
         cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
                                           names=[user_name])
-        sname = self.PrincipalName_create(name_type=NT_SRV_INST,
-                                          names=['krbtgt', realm])
+        if sname is None:
+            sname = self.PrincipalName_create(name_type=NT_SRV_INST,
+                                              names=['krbtgt', realm])
+            expected_sname = self.PrincipalName_create(
+                name_type=NT_SRV_INST, names=['krbtgt', realm.upper()])
+        else:
+            expected_sname = sname
 
         till = self.get_KerberosTime(offset=36000)
 
@@ -1505,9 +1515,6 @@ class KDCBaseTest(RawKerberosTest):
 
         expected_realm = realm.upper()
 
-        expected_sname = self.PrincipalName_create(
-            name_type=NT_SRV_INST, names=['krbtgt', realm.upper()])
-
         rep, kdc_exchange_dict = self._test_as_exchange(
             cname=cname,
             realm=realm,