The branch, v4-15-test has been updated via 2620bea3af8 kdc: avoid re-encoding KDC-REQ-BODY via ff5d6ada80e tests/krb5: Add test requesting a TGT expiring post-2038 via fd3cdcc1800 tests/krb5: Add test requesting a service ticket expiring post-2038 from d1cfdcf3a3d CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log ----------------------------------------------------------------- commit 2620bea3af8d9e4e1db195deba414a46e8c66b3d Author: Luke Howard <lu...@padl.com> Date: Thu Oct 20 13:27:31 2022 +1300 kdc: avoid re-encoding KDC-REQ-BODY Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT. [abart...@samba.org adapted from Heimdal commit ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e by removing references to FAST and GSS-pre-auth. This fixes the Windows 11 22H2 issue with TGS-REQ as seen at https://github.com/heimdal/heimdal/issues/1011 and so removes the knownfail file for this test] BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> [me...@samba.org private autobuild passed] commit ff5d6ada80e90e5fd67086e52f7e82f91bbafcc0 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Oct 20 12:36:44 2022 +1300 tests/krb5: Add test requesting a TGT expiring post-2038 This demonstrates the behaviour of Windows 11 22H2 over Kerberos, which changed to use a year 9999 date for a forever timetime in tickets. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184 (backported from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2) [abart...@samba.org Adapted from 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2 as the kerberos tests have changed parameters in newer versions breaking the context] commit fd3cdcc1800a4185857494626de9ba1c368dbcdb Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Oct 4 12:25:08 2022 +1300 tests/krb5: Add test requesting a service ticket expiring post-2038 Windows 11 22H2 performs such requests, with year 9999. The test fails with KDC_ERR_BAD_INTEGRITY on older Heimdal versions, which are unable to verify a checksum over the modified request body (due to a re-encoding failure). REF: https://github.com/heimdal/heimdal/issues/1011 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 [abart...@samba.org Add knownfail for backport - as Samba 4.15 and earlier fail this test, adapted commit 67811e121fbef08337675d473390160793544719 to test paraemters in 4.15] Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> (backported from commit 67811e121fbef08337675d473390160793544719) ----------------------------------------------------------------------- Summary of changes: python/samba/tests/krb5/as_req_tests.py | 13 +++++++++++-- python/samba/tests/krb5/kdc_tgs_tests.py | 14 ++++++++++++++ source4/heimdal/kdc/krb5tgs.c | 24 ++---------------------- source4/heimdal/kdc/pkinit.c | 16 ++-------------- source4/heimdal/lib/asn1/krb5.opt | 1 + 5 files changed, 30 insertions(+), 38 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index da2c0b9d097..0d9a771b80d 100755 
--- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -42,7 +42,7 @@ global_hexdump = False class AsReqBaseTest(KDCBaseTest): def _run_as_req_enc_timestamp(self, client_creds, sname=None, - expected_error=None, + expected_error=None, till=None, expected_pa_error=None, expect_pa_edata=None): client_account = client_creds.get_username() client_as_etypes = self.get_default_enctypes() @@ -63,7 +63,8 @@ class AsReqBaseTest(KDCBaseTest): expected_sname = sname expected_salt = client_creds.get_salt() - till = self.get_KerberosTime(offset=36000) + if till is None: + till = self.get_KerberosTime(offset=36000) initial_etypes = client_as_etypes initial_kdc_options = krb5_asn1.KDCOptions('forwardable') @@ -252,6 +253,14 @@ class AsReqKerberosTests(AsReqBaseTest): sname=wrong_krbtgt_princ, expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN) + # Test that we can make a request for a ticket expiring post-2038. + def test_future_till(self): + client_creds = self.get_client_creds() + + self._run_as_req_enc_timestamp( + client_creds, + till='99990913024805Z') + if __name__ == "__main__": global_asn1_print = False diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index e876efe1a6d..37a13ba9024 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -178,6 +178,7 @@ class KdcTgsBaseTests(KDCBaseTest): sname=None, srealm=None, use_fast=False, + till=None, expect_claims=True, etypes=None, expected_ticket_etype=None, @@ -294,6 +295,7 @@ class KdcTgsBaseTests(KDCBaseTest): cname=None, realm=srealm, sname=sname, + till_time=till, etypes=etypes, additional_tickets=additional_tickets) if expected_error: 
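Review bot: The new `till=None` parameter is inserted in the middle of the defaults of `_run_as_req_enc_timestamp` (hunk at -42,7), ahead of `expected_pa_error` and `expect_pa_edata`, so a caller that passes those positionally would now bind its value to `till`. The calls visible in this diff all use keywords, but callers elsewhere in the file are not shown; appending it instead, `expect_pa_edata=None, till=None):`, keeps the existing order intact. The same applies to the `till=None` added between `use_fast=False` and `expect_claims=True` in kdc_tgs_tests.py (hunk at -178,6, presumably the signature of `_tgs_req`, which starts outside that hunk). A one-line comment that `till` is a KerberosTime string and falls back to `get_KerberosTime(offset=36000)` when omitted would document the new parameter.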
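Review bot: `test_future_till` (hunk at -252,6) only checks that the AS exchange completes with `till='99990913024805Z'`; nothing visible here asserts which end time the KDC actually placed in the ticket. Because the request asks for a year-9999 expiry, the stronger regression guard is that the issued lifetime is clamped to policy rather than honoured, so consider comparing the returned ticket's end time against the expected maximum, if `_run_as_req_enc_timestamp` exposes the reply (its body lies outside the hunk). `test_tgs_req_future_till` in kdc_tgs_tests.py (hunk at -2392,6) has the same gap. The literal `'99990913024805Z'` is repeated in both tests; a shared named constant with a comment tying it to the year-9999 request described in the commit message would record where the value comes from.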
@@ -2392,6 +2394,18 @@ class KdcTgsTests(KdcTgsBaseTests): self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED, KDC_ERR_C_PRINCIPAL_UNKNOWN)) + # Test making a TGS request for a ticket expiring post-2038. + def test_tgs_req_future_till(self): + creds = self._get_creds() + tgt = self._get_tgt(creds) + + target_creds = self.get_service_creds() + self._tgs_req( + tgt=tgt, + expected_error=0, + target_creds=target_creds, + till='99990913024805Z') + def _modify_renewable(self, enc_part): # Set the renewable flag. enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True) diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index b8c8c39a3d4..3461cf0ef57 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -780,9 +780,6 @@ tgs_check_authenticator(krb5_context context, krb5_keyblock *key) { krb5_authenticator auth; - size_t len = 0; - unsigned char *buf; - size_t buf_size; krb5_error_code ret; krb5_crypto crypto; @@ -808,25 +805,9 @@ tgs_check_authenticator(krb5_context context, goto out; } - /* XXX should not re-encode this */ - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); - if(ret){ - const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg); - krb5_free_error_message(context, msg); - goto out; - } - if(buf_size != len) { - free(buf); - kdc_log(context, config, 0, "Internal error in ASN.1 encoder"); - *e_text = "KDC internal error"; - ret = KRB5KRB_ERR_GENERIC; - goto out; - } ret = krb5_crypto_init(context, key, 0, &crypto); if (ret) { const char *msg = krb5_get_error_message(context, ret); - free(buf); kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); krb5_free_error_message(context, msg); goto out; 
@@ -834,10 +815,9 @@ tgs_check_authenticator(krb5_context context, ret = krb5_verify_checksum(context, crypto, KRB5_KU_TGS_REQ_AUTH_CKSUM, - buf, - len, + b->_save.data, + b->_save.length, auth->cksum); - free(buf); krb5_crypto_destroy(context, crypto); if(ret){ const char *msg = krb5_get_error_message(context, ret); diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index ad7f3efc10a..64ea4c00e41 100644 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -113,10 +113,7 @@ pk_check_pkauthenticator(krb5_context context, PKAuthenticator *a, const KDC_REQ *req) { - u_char *buf = NULL; - size_t buf_size; krb5_error_code ret; - size_t len = 0; krb5_timestamp now; Checksum checksum; @@ -128,22 +125,13 @@ pk_check_pkauthenticator(krb5_context context, return KRB5KRB_AP_ERR_SKEW; } - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret); - if (ret) { - krb5_clear_error_message(context); - return ret; - } - if (buf_size != len) - krb5_abortx(context, "Internal error in ASN.1 encoder"); - ret = krb5_create_checksum(context, NULL, 0, CKSUMTYPE_SHA1, - buf, - len, + req->req_body._save.data, + req->req_body._save.length, &checksum); - free(buf); if (ret) { krb5_clear_error_message(context); return ret; diff --git a/source4/heimdal/lib/asn1/krb5.opt b/source4/heimdal/lib/asn1/krb5.opt index 1d6d5e8989f..5acc596d39c 100644 --- a/source4/heimdal/lib/asn1/krb5.opt +++ b/source4/heimdal/lib/asn1/krb5.opt @@ -4,3 +4,4 @@ --sequence=METHOD-DATA --sequence=ETYPE-INFO --sequence=ETYPE-INFO2 +--preserve-binary=KDC-REQ-BODY -- Samba Shared Repository
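Review bot: `krb5_verify_checksum()` is now given `b->_save.data` and `b->_save.length` with no check that a saved encoding is present, so a `KDC_REQ_BODY` that did not come straight from the decoder would be verified as zero-length input instead of being rejected. Whether every caller passes a decoded body is not visible here, and tgs_check_authenticator starts and ends outside the hunk; a guard where the removed encode step used to be, such as `if (b->_save.data == NULL || b->_save.length == 0) { *e_text = "KDC internal error"; ret = KRB5KRB_ERR_GENERIC; goto out; }`, makes that assumption explicit. The same applies to `req->req_body._save` passed to `krb5_create_checksum()` in pk_check_pkauthenticator in pkinit.c (hunk at -128,22). A short comment in place of the removed `/* XXX should not re-encode this */` would record why this buffer is used: the checksum has to cover the exact bytes the client sent, and `_save` is filled through `--preserve-binary=KDC-REQ-BODY` in krb5.opt.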