From 91a1b0955a053f73e6d531f0f12eaa604aca79d7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 19 May 2022 16:35:28 +0200
Subject: [PATCH] CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization
 test with MIT kpasswd

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---
 selftest/knownfail.d/kadmin_changepw       |  1 +
 testprogs/blackbox/test_kpasswd_heimdal.sh | 35 +++++++++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 selftest/knownfail.d/kadmin_changepw

diff --git a/selftest/knownfail.d/kadmin_changepw b/selftest/knownfail.d/kadmin_changepw
new file mode 100644
index 00000000000..97c14793ea5
--- /dev/null
+++ b/selftest/knownfail.d/kadmin_changepw
@@ -0,0 +1 @@
+^samba4.blackbox.kpasswd.MIT kpasswd.change.user.password
diff --git a/testprogs/blackbox/test_kpasswd_heimdal.sh b/testprogs/blackbox/test_kpasswd_heimdal.sh
index 1e895daa162..059b7a8e4d1 100755
--- a/testprogs/blackbox/test_kpasswd_heimdal.sh
+++ b/testprogs/blackbox/test_kpasswd_heimdal.sh
@@ -7,7 +7,7 @@
 
 if [ $# -lt 6 ]; then
 cat <<EOF
-Usage: test_passwords.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
+Usage: test_kpasswd_heimdal.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
 EOF
 exit 1;
 fi
@@ -27,6 +27,8 @@ smbclient="$samba_bindir/smbclient"
 samba_kinit=$samba_bindir/samba4kinit
 samba_kpasswd=$samba_bindir/samba4kpasswd
 
+mit_kpasswd="$(command -v kpasswd)"
+
 samba_tool="$samba_bindir/samba-tool"
 net_tool="$samba_bindir/net"
 texpect="$samba_bindir/texpect"
@@ -142,6 +144,37 @@ testit "kpasswd change user password" \
 TEST_PASSWORD=$TEST_PASSWORD_NEW
 TEST_PASSWORD_NEW="testPaSS@03%"
 
+###########################################################
+### CVE-2022-XXXXX
+###########################################################
+
+if [ -n "${mit_kpasswd}" ]; then
+	cat > "${PREFIX}/tmpkpasswdscript" <<EOF
+expect Password for ${TEST_PRINCIPAL}
+password ${TEST_PASSWORD}\n
+expect Enter new password
+send ${TEST_PASSWORD_NEW}\n
+expect Enter it again
+send ${TEST_PASSWORD_NEW}\n
+expect Password changed.
+EOF
+
+	SAVE_KRB5_CONFIG="${KRB5_CONFIG}"
+	KRB5_CONFIG="${PREFIX}/tmpkrb5.conf"
+	export KRB5_CONFIG
+	sed -e 's/\[libdefaults\]/[libdefaults]\n canonicalize = yes/' \
+		"${SAVE_KRB5_CONFIG}" > "${KRB5_CONFIG}"
+	testit "MIT kpasswd change user password" \
+		"${texpect}" "${PREFIX}/tmpkpasswdscript" "${mit_kpasswd}" \
+		"${TEST_PRINCIPAL}" ||
+		failed=$((failed + 1))
+	KRB5_CONFIG="${SAVE_KRB5_CONFIG}"
+	export KRB5_CONFIG
+fi
+
+TEST_PASSWORD="${TEST_PASSWORD_NEW}"
+TEST_PASSWORD_NEW="testPaSS@03force%"
+
 ###########################################################
 ### Force password change at login
 ###########################################################
-- 
2.47.2