From bf0214a46e3fd78dfff237e9a3c714bf725c9f7f Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 4 Oct 2022 12:25:08 +1300 Subject: [PATCH 1/3] tests/krb5: Add test requesting a service ticket expiring post-2038 Windows 11 22H2 performs such requests, with year 9999. The test fails with KDC_ERR_BAD_INTEGRITY on older Heimdal versions, which are unable to verify a checksum over the modified request body (due to a re-encoding failure). REF: https://github.com/heimdal/heimdal/issues/1011 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 [abartlet@samba.org Add knownfail for backport - as Samba 4.15 and earlier fail this test, adapted commit 67811e121fbef08337675d473390160793544719 to test paraemters in 4.15] Signed-off-by: Joseph Sutton Reviewed-by: Douglas Bagnall --- python/samba/tests/krb5/kdc_tgs_tests.py | 14 ++++++++++++++ selftest/knownfail.d/windows11-22h2 | 2 ++ 2 files changed, 16 insertions(+) create mode 100644 selftest/knownfail.d/windows11-22h2 diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index e52f46152fa..a4bc48e587a 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -2099,6 +2099,18 @@ class KdcTgsTests(KDCBaseTest): self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED, KDC_ERR_C_PRINCIPAL_UNKNOWN)) + # Test making a TGS request for a ticket expiring post-2038. + def test_tgs_req_future_till(self): + creds = self._get_creds() + tgt = self._get_tgt(creds) + + target_creds = self.get_service_creds() + self._tgs_req( + tgt=tgt, + expected_error=0, + target_creds=target_creds, + till='99990913024805Z') + def _modify_renewable(self, enc_part): # Set the renewable flag. enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True) @@ -2469,6 +2481,7 @@ class KdcTgsTests(KDCBaseTest): sname=None, srealm=None, use_fast=False, + till=None, expect_claims=True, expect_pac=True, expect_pac_attrs=None, @@ -2580,6 +2593,7 @@ class KdcTgsTests(KDCBaseTest): cname=None, realm=srealm, sname=sname, + till_time=till, etypes=etypes, additional_tickets=additional_tickets) if expected_error: diff --git a/selftest/knownfail.d/windows11-22h2 b/selftest/knownfail.d/windows11-22h2 new file mode 100644 index 00000000000..69980ce763a --- /dev/null +++ b/selftest/knownfail.d/windows11-22h2 @@ -0,0 +1,2 @@ +# This tests shows the new timestamp from Windows 11 22H2 which fails in this version +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_future_till \ No newline at end of file -- 2.25.1 From fb64e1d7b1be4ee66e6683a2342178a5d50812c4 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 20 Oct 2022 12:36:44 +1300 Subject: [PATCH 2/3] tests/krb5: Add test requesting a TGT expiring post-2038 This demonstrates the behaviour of Windows 11 22H2 over Kerberos, which changed to use a year 9999 date for a forever timetime in tickets. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 Signed-off-by: Joseph Sutton Reviewed-by: Douglas Bagnall [abartlet@samba.org Adapted from 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2 as the kerberos tests have changed parameters in newer versions breaking the context] --- python/samba/tests/krb5/as_req_tests.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 054a49b64aa..aa4bc2370c4 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -42,7 +42,7 @@ global_hexdump = False class AsReqBaseTest(KDCBaseTest): def _run_as_req_enc_timestamp(self, client_creds, sname=None, - expected_error=None): + expected_error=None, till=None): client_account = client_creds.get_username() client_as_etypes = self.get_default_enctypes() client_kvno = client_creds.get_kvno() @@ -62,7 +62,8 @@ class AsReqBaseTest(KDCBaseTest): expected_sname = sname expected_salt = client_creds.get_salt() - till = self.get_KerberosTime(offset=36000) + if till is None: + till = self.get_KerberosTime(offset=36000) initial_etypes = client_as_etypes initial_kdc_options = krb5_asn1.KDCOptions('forwardable') @@ -241,6 +242,14 @@ class AsReqKerberosTests(AsReqBaseTest): sname=wrong_krbtgt_princ, expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN) + # Test that we can make a request for a ticket expiring post-2038. + def test_future_till(self): + client_creds = self.get_client_creds() + + self._run_as_req_enc_timestamp( + client_creds, + till='99990913024805Z') + if __name__ == "__main__": global_asn1_print = False -- 2.25.1 From 56c949d2764b69050bc441bec68008f4a046f1d3 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Thu, 20 Oct 2022 13:27:31 +1300 Subject: [PATCH 3/3] kdc: avoid re-encoding KDC-REQ-BODY Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT. [abartlet@samba.org adapted from Heimdal commit ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e by removing references to FAST and GSS-pre-auth. This fixes the Windows 11 22H2 issue with TGS-REQ as seen at https://github.com/heimdal/heimdal/issues/1011 and so removes the knownfail file for this test] BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 Signed-off-by: Andrew Bartlett --- selftest/knownfail.d/windows11-22h2 | 2 -- source4/heimdal/kdc/krb5tgs.c | 24 ++---------------------- source4/heimdal/kdc/pkinit.c | 16 ++-------------- source4/heimdal/lib/asn1/krb5.opt | 1 + 4 files changed, 5 insertions(+), 38 deletions(-) delete mode 100644 selftest/knownfail.d/windows11-22h2 diff --git a/selftest/knownfail.d/windows11-22h2 b/selftest/knownfail.d/windows11-22h2 deleted file mode 100644 index 69980ce763a..00000000000 --- a/selftest/knownfail.d/windows11-22h2 +++ /dev/null @@ -1,2 +0,0 @@ -# This tests shows the new timestamp from Windows 11 22H2 which fails in this version -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_future_till \ No newline at end of file diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 13996f96b4a..f1393fa87a1 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -780,9 +780,6 @@ tgs_check_authenticator(krb5_context context, krb5_keyblock *key) { krb5_authenticator auth; - size_t len = 0; - unsigned char *buf; - size_t buf_size; krb5_error_code ret; krb5_crypto crypto; @@ -808,25 +805,9 @@ tgs_check_authenticator(krb5_context context, goto out; } - /* XXX should not re-encode this */ - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); - if(ret){ - const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg); - krb5_free_error_message(context, msg); - goto out; - } - if(buf_size != len) { - free(buf); - kdc_log(context, config, 0, "Internal error in ASN.1 encoder"); - *e_text = "KDC internal error"; - ret = KRB5KRB_ERR_GENERIC; - goto out; - } ret = krb5_crypto_init(context, key, 0, &crypto); if (ret) { const char *msg = krb5_get_error_message(context, ret); - free(buf); kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); krb5_free_error_message(context, msg); goto out; @@ -834,10 +815,9 @@ tgs_check_authenticator(krb5_context context, ret = krb5_verify_checksum(context, crypto, KRB5_KU_TGS_REQ_AUTH_CKSUM, - buf, - len, + b->_save.data, + b->_save.length, auth->cksum); - free(buf); krb5_crypto_destroy(context, crypto); if(ret){ const char *msg = krb5_get_error_message(context, ret); diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index ad7f3efc10a..64ea4c00e41 100644 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -113,10 +113,7 @@ pk_check_pkauthenticator(krb5_context context, PKAuthenticator *a, const KDC_REQ *req) { - u_char *buf = NULL; - size_t buf_size; krb5_error_code ret; - size_t len = 0; krb5_timestamp now; Checksum checksum; @@ -128,22 +125,13 @@ pk_check_pkauthenticator(krb5_context context, return KRB5KRB_AP_ERR_SKEW; } - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret); - if (ret) { - krb5_clear_error_message(context); - return ret; - } - if (buf_size != len) - krb5_abortx(context, "Internal error in ASN.1 encoder"); - ret = krb5_create_checksum(context, NULL, 0, CKSUMTYPE_SHA1, - buf, - len, + req->req_body._save.data, + req->req_body._save.length, &checksum); - free(buf); if (ret) { krb5_clear_error_message(context); return ret; diff --git a/source4/heimdal/lib/asn1/krb5.opt b/source4/heimdal/lib/asn1/krb5.opt index 1d6d5e8989f..5acc596d39c 100644 --- a/source4/heimdal/lib/asn1/krb5.opt +++ b/source4/heimdal/lib/asn1/krb5.opt @@ -4,3 +4,4 @@ --sequence=METHOD-DATA --sequence=ETYPE-INFO --sequence=ETYPE-INFO2 +--preserve-binary=KDC-REQ-BODY -- 2.25.1