CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 0cc7f6a7e849a58825f450db7a12825cba7da121..33727a4abc5cbf7668232491aeae0587d30dd9fa 100644 (file)
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1453,11 +1453,13 @@ class KDCBaseTest(RawKerberosTest):
                            expected_flags=None, unexpected_flags=None,
                            pac_request=True, expect_pac=True, fresh=False):
         user_name = tgt.cname['name-string'][0]
+        ticket_sname = tgt.sname
         if target_name is None:
             target_name = target_creds.get_username()[:-1]
         cache_key = (user_name, target_name, service, to_rodc, kdc_options,
                      pac_request, str(expected_flags), str(unexpected_flags),
                      till, rc4_support,
+                     str(ticket_sname),
                      expect_pac)
 
         if not fresh:
@@ -1528,6 +1530,7 @@ class KDCBaseTest(RawKerberosTest):
                 expected_account_name=None, expected_upn_name=None,
                 expected_cname=None,
                 expected_sid=None,
+                sname=None, realm=None,
                 pac_request=True, expect_pac=True,
                 expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
                 expect_requester_sid=None,
@@ -1542,6 +1545,7 @@ class KDCBaseTest(RawKerberosTest):
                      client_name_type,
                      str(expected_flags), str(unexpected_flags),
                      expected_account_name, expected_upn_name, expected_sid,
+                     str(sname), str(realm),
                      str(expected_cname),
                      rc4_support,
                      expect_pac, expect_pac_attrs,
@@ -1553,15 +1557,21 @@ class KDCBaseTest(RawKerberosTest):
             if tgt is not None:
                 return tgt
 
-        realm = creds.get_realm()
+        if realm is None:
+            realm = creds.get_realm()
 
         salt = creds.get_salt()
 
         etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
         cname = self.PrincipalName_create(name_type=client_name_type,
                                           names=user_name.split('/'))
-        sname = self.PrincipalName_create(name_type=NT_SRV_INST,
-                                          names=['krbtgt', realm])
+        if sname is None:
+            sname = self.PrincipalName_create(name_type=NT_SRV_INST,
+                                              names=['krbtgt', realm])
+            expected_sname = self.PrincipalName_create(
+                name_type=NT_SRV_INST, names=['krbtgt', realm.upper()])
+        else:
+            expected_sname = sname
 
         if expected_cname is None:
             expected_cname = cname
@@ -1631,9 +1641,6 @@ class KDCBaseTest(RawKerberosTest):
 
         expected_realm = realm.upper()
 
-        expected_sname = self.PrincipalName_create(
-            name_type=NT_SRV_INST, names=['krbtgt', realm.upper()])
-
         rep, kdc_exchange_dict = self._test_as_exchange(
             cname=cname,
             realm=realm,