CVE-2022-2031 s4:kpasswd: Require an initial ticket
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 18 May 2022 04:52:41 +0000 (16:52 +1200)
committerJule Anger <janger@samba.org>
Wed, 27 Jul 2022 10:52:36 +0000 (10:52 +0000)
Ensure that for password changes the client uses an AS-REQ to get the
ticket to kpasswd, and not a TGS-REQ.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
selftest/knownfail_heimdal_kdc
selftest/knownfail_mit_kdc
selftest/knownfail_mit_kdc_1_20
source4/kdc/kpasswd-service-heimdal.c
source4/kdc/kpasswd-service-mit.c
source4/kdc/wscript_build

index 3a45c91320aae54fa7a2b42eaa6ea18914372c50..ee22fcf688e77de01315d4cb39706bc3d954364e 100644 (file)
@@ -60,7 +60,6 @@
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
index a1059a54b8168ef68cd317e934ff6741212b8f10..4059f2210f41d3dfa7d94f83bb34ba5ec2faca4b 100644 (file)
@@ -438,7 +438,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
index c4f2ea2def7909fddff6f9fd2e471db5f0545c96..ea9de50ff52917c4a2a75a811b5eff1337bfb2d2 100644 (file)
@@ -18,6 +18,7 @@
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc
+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_expired_password.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_access.ad_dc
index 21596d8d8a42071f1437fc19734af246124486b4..7ddf1af148e091d0c26e0e88ceb2b77ee2b77a1a 100644 (file)
@@ -24,6 +24,7 @@
 #include "param/param.h"
 #include "auth/auth.h"
 #include "auth/gensec/gensec.h"
+#include "gensec_krb5_helpers.h"
 #include "kdc/kdc-server.h"
 #include "kdc/kpasswd_glue.h"
 #include "kdc/kpasswd-service.h"
@@ -31,6 +32,7 @@
 
 static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
                                               TALLOC_CTX *mem_ctx,
+                                              const struct gensec_security *gensec_security,
                                               struct auth_session_info *session_info,
                                               DATA_BLOB *password,
                                               DATA_BLOB *kpasswd_reply,
@@ -42,6 +44,17 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
        const char *reject_string = NULL;
        struct samr_DomInfo1 *dominfo;
        bool ok;
+       int ret;
+
+       /*
+        * We're doing a password change (rather than a password set), so check
+        * that we were given an initial ticket.
+        */
+       ret = gensec_krb5_initial_ticket(gensec_security);
+       if (ret != 1) {
+               *error_string = "Expected an initial ticket";
+               return KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
+       }
 
        status = samdb_kpasswd_change_password(mem_ctx,
                                               kdc->task->lp_ctx,
@@ -80,6 +93,7 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
 
 static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
                                            TALLOC_CTX *mem_ctx,
+                                           const struct gensec_security *gensec_security,
                                            struct auth_session_info *session_info,
                                            DATA_BLOB *decoded_data,
                                            DATA_BLOB *kpasswd_reply,
@@ -172,6 +186,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
                free_ChangePasswdDataMS(&chpw);
                return kpasswd_change_password(kdc,
                                               mem_ctx,
+                                              gensec_security,
                                               session_info,
                                               &password,
                                               kpasswd_reply,
@@ -271,6 +286,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
 
                return kpasswd_change_password(kdc,
                                               mem_ctx,
+                                              gensec_security,
                                               session_info,
                                               &password,
                                               kpasswd_reply,
@@ -279,6 +295,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
        case KRB5_KPASSWD_VERS_SETPW: {
                return kpasswd_set_password(kdc,
                                            mem_ctx,
+                                           gensec_security,
                                            session_info,
                                            decoded_data,
                                            kpasswd_reply,
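Review bot: The new check after `bool ok;` in kpasswd_change_password compares the helper result against the bare literal `1`, and nothing in the hunk records what other values gensec_krb5_initial_ticket() can return; if it can also signal "not a Kerberos-backed context" or an internal failure rather than just "no INITIAL flag", those cases are folded into the same KRB5_KPASSWD_INITIAL_FLAG_NEEDED reply and "Expected an initial ticket" string, which would hide a server-side mechanism problem behind a client-facing protocol error. The comment above the call states what is checked but not why; a one-line rationale would make the intent auditable, e.g. `/* RFC 3244: a change-password ticket must come from an AS exchange (INITIAL flag), so a holder of a stolen TGT cannot change the password without knowing the current one; -1/0 from the helper are both rejected here. */` (with the return values confirmed against the helper). The same block is duplicated verbatim in source4/kdc/kpasswd-service-mit.c; one shared check in the glue layer would keep the two KDC builds from drifting. kpasswd_change_password's parameter list and body continue outside the hunk, so the type of error_string is assumed from its use.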
index 26b62162e6829754517a59374ddfaabc07402e69..fe24693139c505fcb492eb073c1a89fa77f4bf97 100644 (file)
@@ -24,6 +24,7 @@
 #include "param/param.h"
 #include "auth/auth.h"
 #include "auth/gensec/gensec.h"
+#include "gensec_krb5_helpers.h"
 #include "kdc/kdc-server.h"
 #include "kdc/kpasswd_glue.h"
 #include "kdc/kpasswd-service.h"
@@ -84,6 +85,7 @@ out:
 
 static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
                                               TALLOC_CTX *mem_ctx,
+                                              const struct gensec_security *gensec_security,
                                               struct auth_session_info *session_info,
                                               DATA_BLOB *password,
                                               DATA_BLOB *kpasswd_reply,
@@ -95,6 +97,17 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
        const char *reject_string = NULL;
        struct samr_DomInfo1 *dominfo;
        bool ok;
+       int ret;
+
+       /*
+        * We're doing a password change (rather than a password set), so check
+        * that we were given an initial ticket.
+        */
+       ret = gensec_krb5_initial_ticket(gensec_security);
+       if (ret != 1) {
+               *error_string = "Expected an initial ticket";
+               return KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
+       }
 
        status = samdb_kpasswd_change_password(mem_ctx,
                                               kdc->task->lp_ctx,
@@ -133,6 +146,7 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
 
 static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
                                            TALLOC_CTX *mem_ctx,
+                                           const struct gensec_security *gensec_security,
                                            struct auth_session_info *session_info,
                                            DATA_BLOB *decoded_data,
                                            DATA_BLOB *kpasswd_reply,
@@ -249,6 +263,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
 
                return kpasswd_change_password(kdc,
                                               mem_ctx,
+                                              gensec_security,
                                               session_info,
                                               &password,
                                               kpasswd_reply,
@@ -349,6 +364,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
 
                return kpasswd_change_password(kdc,
                                               mem_ctx,
+                                              gensec_security,
                                               session_info,
                                               &password,
                                               kpasswd_reply,
@@ -357,6 +373,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
        case RFC3244_VERSION: {
                return kpasswd_set_password(kdc,
                                            mem_ctx,
+                                           gensec_security,
                                            session_info,
                                            decoded_data,
                                            kpasswd_reply,
index 5c16e68ee0a61b38858a43cc54260c738e32d5ee..0c902f5053471757ba024330b316999d694e4289 100644 (file)
@@ -85,6 +85,7 @@ bld.SAMBA_SUBSYSTEM('KPASSWD-SERVICE',
                          krb5samba
                          samba_server_gensec
                          KPASSWD_GLUE
+                         gensec_krb5_helpers
                          ''')
 
 bld.SAMBA_SUBSYSTEM('KDC-GLUE',