CVE-2022-2031 tests/krb5: Consider kadmin/* principals as TGS for MIT KRB5 >= 1.20
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 31 May 2022 07:23:06 +0000 (19:23 +1200)
committerJule Anger <janger@samba.org>
Wed, 27 Jul 2022 10:52:36 +0000 (10:52 +0000)
With MIT Kerberos >= 1.20, we should not expect a ticket checksum in
tickets to principals such as kpasswd/changepw, as they are encrypted
with the krbtgt's key.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
python/samba/tests/krb5/kdc_base_test.py
python/samba/tests/krb5/raw_testcase.py
source4/selftest/tests.py

index 33727a4abc5cbf7668232491aeae0587d30dd9fa..4a4bcfeed53e9eef56b52ce12e868cf8e50e91aa 100644 (file)
@@ -1516,9 +1516,12 @@ class KDCBaseTest(RawKerberosTest):
         else:
             krbtgt_creds = self.get_krbtgt_creds()
         krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
+
+        expect_ticket_checksum = (self.tkt_sig_support
+                                  and not self.is_tgs_principal(sname))
         self.verify_ticket(service_ticket_creds, krbtgt_key,
                            service_ticket=True, expect_pac=expect_pac,
-                           expect_ticket_checksum=self.tkt_sig_support)
+                           expect_ticket_checksum=expect_ticket_checksum)
 
         self.tkt_cache[cache_key] = service_ticket_creds
 
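Review bot: The new `expect_ticket_checksum` expression carries no explanation of why a TGS-like sname drops the expectation, and the reason lives in another file (selftest only sets KADMIN_IS_TGS for MIT krb5 1.20 builds), so a later reader could widen the exemption without realising it relaxes the CVE-2022-2031 ticket-checksum check. A one-line comment above it would pin that down: `# No ticket checksum is expected for tickets to the TGS itself, nor (MIT krb5 >= 1.20) to kadmin/*, which that KDC treats like the TGS.` `sname` and the enclosing method begin outside this hunk.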
index b22617c38820260a43e8d454c441fe5b272b86c2..4ef37c512222e4e15c09211c47666de762c9ec60 100644 (file)
@@ -657,6 +657,12 @@ class RawKerberosTest(TestCaseInTempDir):
             padata_checking = '1'
         cls.padata_checking = bool(int(padata_checking))
 
+        kadmin_is_tgs = samba.tests.env_get_var_value('KADMIN_IS_TGS',
+                                                      allow_missing=True)
+        if kadmin_is_tgs is None:
+            kadmin_is_tgs = '0'
+        cls.kadmin_is_tgs = bool(int(kadmin_is_tgs))
+
     def setUp(self):
         super().setUp()
         self.do_asn1_print = False
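Review bot: The KADMIN_IS_TGS block repeats the default-then-`bool(int(...))` pattern already visible for `padata_checking` immediately above it, so each flag is five lines of near-identical code. A small helper such as `def _env_flag(name, default): value = samba.tests.env_get_var_value(name, allow_missing=True); return bool(int(default if value is None else value))` would reduce each to `cls.kadmin_is_tgs = _env_flag('KADMIN_IS_TGS', '0')`. As written, a non-numeric environment value raises ValueError from int(), the same as for the existing flags; that seems acceptable for a test harness but is worth a short comment. The enclosing classmethod starts outside this hunk.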
@@ -3057,8 +3063,8 @@ class RawKerberosTest(TestCaseInTempDir):
             self.assertIsNotNone(ticket_decryption_key)
 
         if ticket_decryption_key is not None:
-            service_ticket = (not self.is_tgs(expected_sname)
-                              and rep_msg_type == KRB_TGS_REP)
+            service_ticket = (rep_msg_type == KRB_TGS_REP
+                              and not self.is_tgs_principal(expected_sname))
             self.verify_ticket(ticket_creds, krbtgt_keys,
                                service_ticket=service_ticket,
                                expect_pac=expect_pac,
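Review bot: The predicate `rep_msg_type == KRB_TGS_REP and not self.is_tgs_principal(expected_sname)` is computed here and again, as a nested if, in the hunk at +3104; if the two ever drift apart, verify_ticket and the expected PAC buffer list will disagree about whether a ticket checksum is required. Computing it once, e.g. `is_service_ticket = (rep_msg_type == KRB_TGS_REP and not self.is_tgs_principal(expected_sname))`, and reusing it at both sites keeps them in step. Whether the two sites share a scope is not visible from these hunks, so this may need a small helper method instead.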
@@ -3098,8 +3104,9 @@ class RawKerberosTest(TestCaseInTempDir):
                 expected_types.append(krb5pac.PAC_TYPE_DEVICE_INFO)
                 expected_types.append(krb5pac.PAC_TYPE_DEVICE_CLAIMS_INFO)
 
-        if not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP:
-            expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
+        if rep_msg_type == KRB_TGS_REP:
+            if not self.is_tgs_principal(expected_sname):
+                expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
 
         require_strict = {krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO,
                           krb5pac.PAC_TYPE_DEVICE_INFO,
@@ -4244,6 +4251,19 @@ class RawKerberosTest(TestCaseInTempDir):
             krb5pac.PAC_TYPE_KDC_CHECKSUM: krbtgt_key
         }
 
+    def is_tgs_principal(self, principal):
+        if self.is_tgs(principal):
+            return True
+
+        if self.kadmin_is_tgs and self.is_kadmin(principal):
+            return True
+
+        return False
+
+    def is_kadmin(self, principal):
+        name = principal['name-string'][0]
+        return name in ('kadmin', b'kadmin')
+
     def is_tgs(self, principal):
         name = principal['name-string'][0]
         return name in ('krbtgt', b'krbtgt')
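Review bot: `is_tgs_principal` and `is_kadmin` now define which tickets the suite exempts from the ticket-checksum expectation, yet neither has a docstring, and `is_kadmin` inspects only the first name-string component, so every kadmin/* principal qualifies rather than only the one the commit message calls kpasswd/changepw (which appears to mean kadmin/changepw; worth confirming). Suggested docstrings: for `is_tgs_principal`, "Return True if the KDC under test treats tickets to *principal* like TGTs: the krbtgt itself, plus kadmin/* when KADMIN_IS_TGS is set (MIT krb5 >= 1.20)."; for `is_kadmin`, "Return True if the first component of *principal*'s name-string is 'kadmin'." The body of `is_tgs_principal` also reduces to `return self.is_tgs(principal) or (self.kadmin_is_tgs and self.is_kadmin(principal))`, which still yields a strict bool since `kadmin_is_tgs` is built with `bool(int(...))` and both helpers return the result of `in`.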
index 36777153294df945797b0c0bab09800efddfd6ed..2d8e0a1ba275ca1ee409d4c781437097190c75bc 100755 (executable)
@@ -1001,6 +1001,11 @@ if ('SAMBA4_USES_HEIMDAL' in config_hash or
 else:
     tkt_sig_support = 0
 
+if 'HAVE_MIT_KRB5_1_20' in config_hash:
+    kadmin_is_tgs = 1
+else:
+    kadmin_is_tgs = 0
+
 expect_pac = int('SAMBA4_USES_HEIMDAL' in config_hash)
 extra_pac_buffers = int('SAMBA4_USES_HEIMDAL' in config_hash)
 check_cname = int('SAMBA4_USES_HEIMDAL' in config_hash)
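Review bot: The four-line if/else that sets `kadmin_is_tgs` sits directly above three flags written with the `int('...' in config_hash)` idiom, so it reads as the odd one out; `kadmin_is_tgs = int('HAVE_MIT_KRB5_1_20' in config_hash)` is equivalent and matches its neighbours. The `tkt_sig_support` block above also uses if/else, but its condition is compound (it starts outside this hunk), which this one is not.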
@@ -1020,6 +1025,7 @@ krb5_environ = {
     'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
     'CHECK_CNAME': check_cname,
     'CHECK_PADATA': check_padata,
+    'KADMIN_IS_TGS': kadmin_is_tgs,
 }
 planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
 planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",