Commit message | Author | Age | Files | Lines
* VERSION: Bump version up to Samba 4.14.15... (v4-14-test) | Jule Anger | 2022-07-27 | 1 | -2/+2
  and re-enable GIT_SNAPSHOT.

  Signed-off-by: Jule Anger <janger@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* VERSION: Disable GIT_SNAPSHOT for the 4.14.14 release. (samba-4.14.14, v4-14-stable) | Jule Anger | 2022-07-24 | 1 | -1/+1
  Signed-off-by: Jule Anger <janger@samba.org>
* WHATSNEW: Add release notes for Samba 4.14.14. | Jule Anger | 2022-07-24 | 1 | -2/+72
  Signed-off-by: Jule Anger <janger@samba.org>
* CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro. | Jeremy Allison | 2022-07-24 | 3 | -5/+3
  Fixes the raw.write.bad-write test.

  NB. We need the two (==0) changes in source3/smbd/reply.c as the gcc optimizer now knows that the return from smbreq_bufrem() can never be less than zero.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085

  Remove knownfail.

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* CVE-2022-32742: s4: torture: Add raw.write.bad-write test. | Jeremy Allison | 2022-07-24 | 2 | -0/+91
  Reproduces the test code in:

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085

  Add knownfail.

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust | Joseph Sutton | 2022-07-24 | 1 | -1/+5
  We ensure that the KDC does not reject a TGS-REQ with our short-lived TGT over an incoming trust.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

  [jsutton@samba.org Changed --use-krb5-ccache to -k yes to match surrounding usage]
* CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets | Joseph Sutton | 2022-07-24 | 6 | -8/+48
  If TGTs can be used as kpasswd tickets, the two-minute lifetime of an authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets are not supposed to be cached, but using this flaw, a stolen credentials cache containing a TGT may be used to change that account's password, and thus is made more valuable to an attacker.

  Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and service tickets without it, we assert the absence of this buffer to ensure we're not accepting a TGT.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Fixed knownfail conflicts]
  [jsutton@samba.org Fixed knownfail conflicts]
* CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT | Joseph Sutton | 2022-07-24 | 1 | -0/+44
  We use the presence or absence of a REQUESTER_SID PAC buffer to determine whether the ticket is a TGT. We will later use this to reject TGTs where a service ticket is expected.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info | Joseph Sutton | 2022-07-24 | 7 | -7/+32
  This field may be used to convey whether we were provided with a TGT or a non-TGT. We ensure both structures are zeroed out to avoid incorrect results being produced by an uninitialised field.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd | Joseph Sutton | 2022-07-24 | 3 | -0/+36
  The kpasswd service should require a kpasswd service ticket, and disallow TGTs.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Fixed knownfail conflicts]
  [jsutton@samba.org Fixed knownfail conflicts]
* CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx() | Joseph Sutton | 2022-07-24 | 3 | -6/+30
  To ensure that, when decrypting the kpasswd ticket, we look up the correct principal and don't trust the sname from the ticket, we should pass the principal name of the kpasswd service into krb5_rd_req_ctx().

  However, gensec_krb5_update_internal() will pass in NULL unless the principal in our credentials is CRED_SPECIFIED. At present, our principal will be considered obtained as CRED_SMB_CONF (from the cli_credentials_set_conf() a few lines up), so we explicitly set the realm again, but this time as CRED_SPECIFIED. Now the value of server_in_keytab that we provide to smb_krb5_rd_req_decoded() will not be NULL.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Removed knownfail as KDC no longer panics]
* CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal | Joseph Sutton | 2022-07-24 | 4 | -4/+70
  This plugin is now only used by the kpasswd service. Thus, ensuring we only look up the kadmin/changepw principal means we can't be fooled into accepting tickets for other service principals. We make sure not to specify a specific kvno, to ensure that we do not accept RODC-issued tickets.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Fixed knownfail conflicts]
  [jsutton@samba.org Renamed entry to entry_ex; fixed knownfail conflicts; retained knownfail for test_kpasswd_from_rodc which now causes the KDC to panic]
* s4:kdc: Remove kadmin mode from HDB plugin | Joseph Sutton | 2022-07-24 | 1 | -28/+7
  It appears we no longer require it.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name | Joseph Sutton | 2022-07-24 | 4 | -6/+6
  This makes explicitly clear the purpose of this keytab.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Fixed conflicts due to lacking HDBGET support]
* CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components | Joseph Sutton | 2022-07-24 | 3 | -13/+22
  We would only compare the first 'n' characters, where 'n' is the length of the principal component string, so 'k@REALM' would erroneously be considered equal to 'krbtgt@REALM'.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Test truncated forms of server principals | Joseph Sutton | 2022-07-24 | 3 | -4/+44
  We should not be able to use krb@REALM instead of krbtgt@REALM.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Fixed conflicts due to having older version of _run_as_req_enc_timestamp()]
* CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life | Joseph Sutton | 2022-07-24 | 2 | -2/+18
  For Heimdal, this now matches the behaviour of Windows. The object of this requirement is to ensure we don't allow kpasswd tickets, not having a lifetime of more than two minutes, to be passed off as TGTs.

  An existing requirement for TGTs to contain a REQUESTER_SID PAC buffer suffices to prevent kpasswd ticket misuse, so this is just an additional precaution on top.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org As we don't have access to the ticket or the request in the plugin, rewrote check directly in Heimdal KDC]
* CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less | Joseph Sutton | 2022-07-24 | 5 | -3/+8
  This matches the behaviour of Windows.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Adapted entry to entry_ex->entry; included samba_kdc.h header file]
  [jsutton@samba.org Fixed conflicts]
* CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal | Joseph Sutton | 2022-07-24 | 3 | -41/+46
  Since this principal goes through the samba_kdc_fetch_server() path, setting the canonicalisation flag would cause the principal to be replaced with the sAMAccountName; this meant requests to kadmin/changepw@REALM would result in a ticket to krbtgt@REALM. Now we properly handle canonicalisation for the kadmin/changepw principal.

  View with 'git show -b'.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Adapted entry to entry_ex->entry; removed MIT KDC 1.20-specific knownfails]
* CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal() | Joseph Sutton | 2022-07-24 | 1 | -61/+55
  This eliminates some duplicate branches.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function | Joseph Sutton | 2022-07-24 | 1 | -85/+107
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Adapted entry to entry_ex->entry]
  [jsutton@samba.org Fixed conflicts caused by superfluous whitespace]
* CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function | Andreas Schneider | 2022-07-24 | 1 | -5/+11
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

  [jsutton@samba.org Adapted entry to entry_ex->entry]
* CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd | Andreas Schneider | 2022-07-24 | 2 | -1/+35
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache | Andreas Schneider | 2022-07-24 | 1 | -2/+2
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

  [jsutton@samba.org Fixed conflict and renamed --use-krb5-ccache to --krb5-ccache]
* s4:kpasswd: Restructure code for clarity | Joseph Sutton | 2022-07-24 | 1 | -24/+22
  View with 'git show -b'.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 s4:kpasswd: Require an initial ticket | Joseph Sutton | 2022-07-24 | 5 | -2/+35
  Ensure that for password changes the client uses an AS-REQ to get the ticket to kpasswd, and not a TGS-REQ.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Removed MIT KDC 1.20-specific knownfails]
* CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket | Joseph Sutton | 2022-07-24 | 5 | -18/+157
  This will be used in the kpasswd service to ensure that the client has an initial ticket to kadmin/changepw, and not a service ticket.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR | Joseph Sutton | 2022-07-24 | 3 | -7/+1
  If we attempt to return an error code outside of Heimdal's allowed range [KRB5KDC_ERR_NONE, KRB5_ERR_RCSID), it will be replaced with a GENERIC error, and the error text will be set to the meaningless result of krb5_get_error_message(). Avoid this by ensuring the error code is in the correct range.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error() | Joseph Sutton | 2022-07-24 | 2 | -1/+5
  The error code passed in will be an offset from ERROR_TABLE_BASE_krb5, so we need to subtract that before creating the error. Heimdal does this internally, so it isn't needed there.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure | Joseph Sutton | 2022-07-24 | 2 | -1/+2
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Removed MIT KDC 1.20-specific knownfails]
* CVE-2022-2031 s4:kpasswd: Correctly generate error strings | Joseph Sutton | 2022-07-24 | 3 | -34/+6
  The error_data we create already has an explicit length, and should not be zero-terminated, so we omit the trailing null byte. Previously, Heimdal builds would leave a superfluous trailing null byte on error strings, while MIT builds would omit the final character.

  The two bytes added to the string's length are for the prepended error code.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Removed MIT KDC 1.20-specific knownfails]
* CVE-2022-2031 tests/krb5: Add tests for kpasswd service | Joseph Sutton | 2022-07-24 | 7 | -1/+1089
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Fixed conflicts in usage.py and knownfails; removed MIT KDC 1.20-specific knownfails as it's not supported]
  [jsutton@samba.org Fixed conflicts in usage.py, knownfails, and tests.py]
* CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests | Joseph Sutton | 2022-07-24 | 1 | -0/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method | Joseph Sutton | 2022-07-24 | 1 | -13/+251
  Now we can test the kpasswd service from Python.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Fixed conflicts in imports]
* CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm | Joseph Sutton | 2022-07-24 | 1 | -6/+13
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Fixed conflict due to lacking rc4_support parameter]
  [jsutton@samba.org Fixed conflicts due to lacking client_name_type and expected_cname parameters]
* tests/krb5: Add option for creating accounts with expired passwords | Joseph Sutton | 2022-07-24 | 1 | -2/+8
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* tests/krb5: Fix enum typo | Joseph Sutton | 2022-07-24 | 1 | -2/+2
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages | Joseph Sutton | 2022-07-24 | 1 | -17/+27
  This allows us to send and receive kpasswd messages, while avoiding the existing logic for encoding and decoding other Kerberos message types.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add 'port' parameter to connect() | Joseph Sutton | 2022-07-24 | 1 | -5/+6
  This allows us to use the kpasswd port, 464.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures | Joseph Sutton | 2022-07-24 | 1 | -0/+95
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add new definitions for kpasswd | Joseph Sutton | 2022-07-24 | 3 | -1/+31
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts | Joseph Sutton | 2022-07-24 | 2 | -0/+2
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Split out _make_tgs_request() | Joseph Sutton | 2022-07-24 | 2 | -76/+77
  This allows us to make use of it in other tests.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>

  [jsutton@samba.org Fixed conflicts due to having older version of _make_tgs_request()]
* CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno | Joseph Sutton | 2022-07-24 | 1 | -1/+1
  The environment variable is a string, but we expect an integer.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure | Joseph Sutton | 2022-07-24 | 1 | -15/+79
  The target principal and realm fields of the setpw structure are supposed to be optional, but in MIT Kerberos they are mandatory. For better compatibility and ease of testing, fall back to parsing the simpler (containing only the new password) structure if the MIT function fails to decode it.

  Although the target principal and realm fields should be optional, one is not supposed to be specified without the other, so we don't have to deal with the case where only one is specified.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 s4:kpasswd: Account for missing target principal | Joseph Sutton | 2022-07-24 | 1 | -10/+12
  This field is supposed to be optional.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* heimdal:kdc: Accommodate NULL data parameter in krb5_pac_get_buffer() | Joseph Sutton | 2022-07-24 | 1 | -4/+6
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers | Joseph Sutton | 2022-07-24 | 4 | -22/+94
  So that we do not confuse TGTs and kpasswd tickets, it is critical to check that the REQUESTER_SID buffer exists in TGTs, and to ensure that it is not propagated to service tickets.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

  [jsutton@samba.org Brought in changes to add ATTRIBUTES_INFO and REQUESTER_SID buffers to new PACs, and updated knownfails]
  [jsutton@samba.org Adjusted MIT knownfails]
* selftest: Simplify krb5 test environments | Joseph Sutton | 2022-07-24 | 1 | -156/+35
  It's not necessary to repeat the required environment variables for every test.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  (cherry picked from commit e729606631b5bfaf7c4ad8c1e70697adf8274777)

  [jsutton@samba.org Fixed conflicts caused by missing check_cname, check_padata and fast_support variables]
  [jsutton@samba.org Fixed conflicts]
* tests/krb5: Add helper function to modify ticket flags | Joseph Sutton | 2022-07-24 | 3 | -30/+19
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit ded5115f73dff5b8b2f3212988e03f9dbe0c2aa3)