authorAndreas Schneider <asn@samba.org>2022-05-19 16:35:28 +0200
committerJule Anger <janger@samba.org>2022-07-24 11:42:02 +0200
commit91a1b0955a053f73e6d531f0f12eaa604aca79d7 (patch)
tree0c2918fd31c4566d2eee1400aeca79102c90a6f3
parentb5adf7cc6d740c8f4f7b5888f106de24a1181da7 (diff)
CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-rw-r--r--selftest/knownfail.d/kadmin_changepw1
-rwxr-xr-xtestprogs/blackbox/test_kpasswd_heimdal.sh35
2 files changed, 35 insertions, 1 deletions
diff --git a/selftest/knownfail.d/kadmin_changepw b/selftest/knownfail.d/kadmin_changepw
new file mode 100644
index 00000000000..97c14793ea5
--- /dev/null
+++ b/selftest/knownfail.d/kadmin_changepw
@@ -0,0 +1 @@
+^samba4.blackbox.kpasswd.MIT kpasswd.change.user.password
diff --git a/testprogs/blackbox/test_kpasswd_heimdal.sh b/testprogs/blackbox/test_kpasswd_heimdal.sh
index 1e895daa162..059b7a8e4d1 100755
--- a/testprogs/blackbox/test_kpasswd_heimdal.sh
+++ b/testprogs/blackbox/test_kpasswd_heimdal.sh
@@ -7,7 +7,7 @@
if [ $# -lt 6 ]; then
cat <<EOF
-Usage: test_passwords.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
+Usage: test_kpasswd_heimdal.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
EOF
exit 1;
fi
@@ -27,6 +27,8 @@ smbclient="$samba_bindir/smbclient"
samba_kinit=$samba_bindir/samba4kinit
samba_kpasswd=$samba_bindir/samba4kpasswd
+mit_kpasswd="$(command -v kpasswd)"
+
samba_tool="$samba_bindir/samba-tool"
net_tool="$samba_bindir/net"
texpect="$samba_bindir/texpect"
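Review bot: `mit_kpasswd="$(command -v kpasswd)"` takes whichever `kpasswd` comes first in PATH, and nothing here or in the later `[ -n "${mit_kpasswd}" ]` guard establishes that it is the MIT implementation. On a host where another Kerberos client package provides `kpasswd`, the test labelled "MIT kpasswd" would presumably run that binary, and a prompt mismatch in the texpect script would be indistinguishable from the failure the knownfail entry expects. At minimum, document the assumption next to the assignment, e.g. `# assumes the first kpasswd in PATH is MIT's; the texpect prompts below depend on it`. Printing a skip message when the variable is empty would also help, since the regression test otherwise vanishes silently on hosts without `kpasswd`.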
@@ -143,6 +145,37 @@ TEST_PASSWORD=$TEST_PASSWORD_NEW
TEST_PASSWORD_NEW="testPaSS@03%"
###########################################################
+### CVE-2022-XXXXX
+###########################################################
+
+if [ -n "${mit_kpasswd}" ]; then
+ cat > "${PREFIX}/tmpkpasswdscript" <<EOF
+expect Password for ${TEST_PRINCIPAL}
+password ${TEST_PASSWORD}\n
+expect Enter new password
+send ${TEST_PASSWORD_NEW}\n
+expect Enter it again
+send ${TEST_PASSWORD_NEW}\n
+expect Password changed.
+EOF
+
+ SAVE_KRB5_CONFIG="${KRB5_CONFIG}"
+ KRB5_CONFIG="${PREFIX}/tmpkrb5.conf"
+ export KRB5_CONFIG
+ sed -e 's/\[libdefaults\]/[libdefaults]\n canonicalize = yes/' \
+ "${SAVE_KRB5_CONFIG}" > "${KRB5_CONFIG}"
+ testit "MIT kpasswd change user password" \
+ "${texpect}" "${PREFIX}/tmpkpasswdscript" "${mit_kpasswd}" \
+ "${TEST_PRINCIPAL}" ||
+ failed=$((failed + 1))
+ KRB5_CONFIG="${SAVE_KRB5_CONFIG}"
+ export KRB5_CONFIG
+fi
+
+TEST_PASSWORD="${TEST_PASSWORD_NEW}"
+TEST_PASSWORD_NEW="testPaSS@03force%"
+
+###########################################################
### Force password change at login
###########################################################
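Review bot: Nothing in the new block confirms that `canonicalize = yes` actually reached `${PREFIX}/tmpkrb5.conf`. The `sed` exit status is ignored, a source config without a literal `[libdefaults]` line is copied through unchanged, and `\n` in the replacement text is not portable across sed implementations, some of which emit a literal `n`. In each case `kpasswd` runs without the setting this CVE-2022-2031 regression test depends on, so its pass or fail says nothing about the bug. A guard right after the `sed`, such as `grep -q '^[[:space:]]*canonicalize = yes' "${KRB5_CONFIG}" || failed=$((failed + 1))`, would make that visible. Separately, the banner still reads `### CVE-2022-XXXXX` although the commit title names CVE-2022-2031, and `TEST_PASSWORD="${TEST_PASSWORD_NEW}"` runs after the `fi` even when the block was skipped or the change failed, which matters if later steps outside this hunk authenticate with it.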