The branch, v4-15-test has been updated
       via  2620bea3af8 kdc: avoid re-encoding KDC-REQ-BODY
       via  ff5d6ada80e tests/krb5: Add test requesting a TGT expiring post-2038
       via  fd3cdcc1800 tests/krb5: Add test requesting a service ticket 
expiring post-2038
      from  d1cfdcf3a3d CVE-2022-37966 python:/tests/krb5: call 
sys.path.insert(0, "bin/python") before any other imports

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -----------------------------------------------------------------
commit 2620bea3af8d9e4e1db195deba414a46e8c66b3d
Author: Luke Howard <lu...@padl.com>
Date:   Thu Oct 20 13:27:31 2022 +1300

    kdc: avoid re-encoding KDC-REQ-BODY
    
    Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid
    re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.
    
    [abart...@samba.org adapted from Heimdal commit
     ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e
     by removing references to FAST and GSS-pre-auth.
    
     This fixes the Windows 11 22H2 issue with TGS-REQ
     as seen at https://github.com/heimdal/heimdal/issues/1011 and so
     removes the knownfail file for this test]
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    
    [me...@samba.org private autobuild passed]

commit ff5d6ada80e90e5fd67086e52f7e82f91bbafcc0
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 20 12:36:44 2022 +1300

    tests/krb5: Add test requesting a TGT expiring post-2038
    
    This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
    which changed to use a year 9999 date for a forever timetime in
    tickets.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
    
    (backported from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)
    
    [abart...@samba.org Adapted from 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2
     as the kerberos tests have changed parameters in newer versions
     breaking the context]

commit fd3cdcc1800a4185857494626de9ba1c368dbcdb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 4 12:25:08 2022 +1300

    tests/krb5: Add test requesting a service ticket expiring post-2038
    
    Windows 11 22H2 performs such requests, with year 9999.
    The test fails with KDC_ERR_BAD_INTEGRITY on older
    Heimdal versions, which are unable to verify a checksum
    over the modified request body (due to a re-encoding failure).
    
    REF: https://github.com/heimdal/heimdal/issues/1011
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
    
    [abart...@samba.org Add knownfail for backport - as Samba
     4.15 and earlier fail this test, adapted commit
     67811e121fbef08337675d473390160793544719 to test
     parameters in 4.15]
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    (backported from commit 67811e121fbef08337675d473390160793544719)

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/as_req_tests.py  | 13 +++++++++++--
 python/samba/tests/krb5/kdc_tgs_tests.py | 14 ++++++++++++++
 source4/heimdal/kdc/krb5tgs.c            | 24 ++----------------------
 source4/heimdal/kdc/pkinit.c             | 16 ++--------------
 source4/heimdal/lib/asn1/krb5.opt        |  1 +
 5 files changed, 30 insertions(+), 38 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/as_req_tests.py 
b/python/samba/tests/krb5/as_req_tests.py
index da2c0b9d097..0d9a771b80d 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -42,7 +42,7 @@ global_hexdump = False
 
 class AsReqBaseTest(KDCBaseTest):
     def _run_as_req_enc_timestamp(self, client_creds, sname=None,
-                                  expected_error=None,
+                                  expected_error=None, till=None,
                                   expected_pa_error=None, 
expect_pa_edata=None):
         client_account = client_creds.get_username()
         client_as_etypes = self.get_default_enctypes()
@@ -63,7 +63,8 @@ class AsReqBaseTest(KDCBaseTest):
         expected_sname = sname
         expected_salt = client_creds.get_salt()
 
-        till = self.get_KerberosTime(offset=36000)
+        if till is None:
+            till = self.get_KerberosTime(offset=36000)
 
         initial_etypes = client_as_etypes
         initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
@@ -252,6 +253,14 @@ class AsReqKerberosTests(AsReqBaseTest):
                 sname=wrong_krbtgt_princ,
                 expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
 
+    # Test that we can make a request for a ticket expiring post-2038.
+    def test_future_till(self):
+        client_creds = self.get_client_creds()
+
+        self._run_as_req_enc_timestamp(
+            client_creds,
+            till='99990913024805Z')
+
 
 if __name__ == "__main__":
     global_asn1_print = False
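Review bot: The till value `'99990913024805Z'` is a bare literal in test_future_till, and the same literal is repeated in test_tgs_req_future_till in the kdc_tgs_tests.py hunk; per the commit message it stands for the year-9999 "forever" expiry that Windows 11 22H2 sends, but nothing in the code says so. A shared named constant with a comment would make both tests read clearly, e.g. `# Year-9999 'till' value Windows 11 22H2 sends for never-expiring tickets` above `FUTURE_TILL = '99990913024805Z'`. The test only asserts that the AS-REQ succeeds; if the KDC is expected to clamp or honour the requested end time, a check on the returned ticket's endtime would pin that too, but I cannot tell from the hunk which behaviour is intended.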
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py 
b/python/samba/tests/krb5/kdc_tgs_tests.py
index e876efe1a6d..37a13ba9024 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -178,6 +178,7 @@ class KdcTgsBaseTests(KDCBaseTest):
                  sname=None,
                  srealm=None,
                  use_fast=False,
+                 till=None,
                  expect_claims=True,
                  etypes=None,
                  expected_ticket_etype=None,
@@ -294,6 +295,7 @@ class KdcTgsBaseTests(KDCBaseTest):
                                          cname=None,
                                          realm=srealm,
                                          sname=sname,
+                                         till_time=till,
                                          etypes=etypes,
                                          additional_tickets=additional_tickets)
         if expected_error:
@@ -2392,6 +2394,18 @@ class KdcTgsTests(KdcTgsBaseTests):
         self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED,
                                            KDC_ERR_C_PRINCIPAL_UNKNOWN))
 
+    # Test making a TGS request for a ticket expiring post-2038.
+    def test_tgs_req_future_till(self):
+        creds = self._get_creds()
+        tgt = self._get_tgt(creds)
+
+        target_creds = self.get_service_creds()
+        self._tgs_req(
+            tgt=tgt,
+            expected_error=0,
+            target_creds=target_creds,
+            till='99990913024805Z')
+
     def _modify_renewable(self, enc_part):
         # Set the renewable flag.
         enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True)
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index b8c8c39a3d4..3461cf0ef57 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -780,9 +780,6 @@ tgs_check_authenticator(krb5_context context,
                        krb5_keyblock *key)
 {
     krb5_authenticator auth;
-    size_t len = 0;
-    unsigned char *buf;
-    size_t buf_size;
     krb5_error_code ret;
     krb5_crypto crypto;
 
@@ -808,25 +805,9 @@ tgs_check_authenticator(krb5_context context,
        goto out;
     }
 
-    /* XXX should not re-encode this */
-    ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
-    if(ret){
-       const char *msg = krb5_get_error_message(context, ret);
-       kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
-       krb5_free_error_message(context, msg);
-       goto out;
-    }
-    if(buf_size != len) {
-       free(buf);
-       kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
-       *e_text = "KDC internal error";
-       ret = KRB5KRB_ERR_GENERIC;
-       goto out;
-    }
     ret = krb5_crypto_init(context, key, 0, &crypto);
     if (ret) {
        const char *msg = krb5_get_error_message(context, ret);
-       free(buf);
        kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
        krb5_free_error_message(context, msg);
        goto out;
@@ -834,10 +815,9 @@ tgs_check_authenticator(krb5_context context,
     ret = krb5_verify_checksum(context,
                               crypto,
                               KRB5_KU_TGS_REQ_AUTH_CKSUM,
-                              buf,
-                              len,
+                              b->_save.data,
+                              b->_save.length,
                               auth->cksum);
-    free(buf);
     krb5_crypto_destroy(context, crypto);
     if(ret){
        const char *msg = krb5_get_error_message(context, ret);
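Review bot: The new checksum input `b->_save.data`/`b->_save.length` is only meaningful when `b` came out of the ASN.1 decoder with --preserve-binary, which the krb5.opt hunk enables, and nothing in this hunk documents that dependency now that the `/* XXX should not re-encode this */` comment is gone. A short comment above the krb5_verify_checksum call would help, e.g. `/* Verify over the KDC-REQ-BODY bytes as received (_save); re-encoding can differ from the client's encoding, see heimdal/heimdal#1011. */`. If a KDC_REQ_BODY could reach this path without having been decoded (so `_save` is empty), the checksum would be verified over zero bytes; a defensive `if (b->_save.length == 0) { ret = KRB5KRB_ERR_GENERIC; goto out; }` may be worth considering, though from the hunk alone I cannot tell whether such a caller exists. The same applies to the pkinit.c hunk that passes `req->req_body._save` to krb5_create_checksum. tgs_check_authenticator starts before this hunk and continues past it.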
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index ad7f3efc10a..64ea4c00e41 100644
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -113,10 +113,7 @@ pk_check_pkauthenticator(krb5_context context,
                         PKAuthenticator *a,
                         const KDC_REQ *req)
 {
-    u_char *buf = NULL;
-    size_t buf_size;
     krb5_error_code ret;
-    size_t len = 0;
     krb5_timestamp now;
     Checksum checksum;
 
@@ -128,22 +125,13 @@ pk_check_pkauthenticator(krb5_context context,
        return KRB5KRB_AP_ERR_SKEW;
     }
 
-    ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
-    if (ret) {
-       krb5_clear_error_message(context);
-       return ret;
-    }
-    if (buf_size != len)
-       krb5_abortx(context, "Internal error in ASN.1 encoder");
-
     ret = krb5_create_checksum(context,
                               NULL,
                               0,
                               CKSUMTYPE_SHA1,
-                              buf,
-                              len,
+                              req->req_body._save.data,
+                              req->req_body._save.length,
                               &checksum);
-    free(buf);
     if (ret) {
        krb5_clear_error_message(context);
        return ret;
diff --git a/source4/heimdal/lib/asn1/krb5.opt 
b/source4/heimdal/lib/asn1/krb5.opt
index 1d6d5e8989f..5acc596d39c 100644
--- a/source4/heimdal/lib/asn1/krb5.opt
+++ b/source4/heimdal/lib/asn1/krb5.opt
@@ -4,3 +4,4 @@
 --sequence=METHOD-DATA
 --sequence=ETYPE-INFO
 --sequence=ETYPE-INFO2
+--preserve-binary=KDC-REQ-BODY


-- 
Samba Shared Repository
