git.samba.org / kseeger / samba-autobuild-v4-16-test / .git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 241d395)
CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 26 Oct 2021 22:18:36 +0000 (11:18 +1300)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:12 +0000 (10:52 +0100)
If multiple calls to get_tgt() or get_service_ticket() specify different
expected parameters, we want to perform the request again so that the
checking can be performed, rather than reusing a previously obtained
ticket and potentially skipping checks.

It should be fine to cache tickets with the same expected parameters, as
tickets that fail to be obtained will not be stored in the cache, so the
checking will happen for every call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/kdc_base_test.py patch | blob | history

diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 61eeb2333f9b4b08fd4767bb66d8db964da7b2a9..4b4f1486f60d6c6994e9673f3515c8978a7adde0 100644 (file)
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1294,7 +1294,8 @@ class KDCBaseTest(RawKerberosTest):
         if target_name is None:
             target_name = target_creds.get_username()[:-1]
         cache_key = (user_name, target_name, service, to_rodc, kdc_options,
-                     pac_request)
+                     pac_request, str(expected_flags), str(unexpected_flags),
+                     expect_pac)
 
         if not fresh:
             ticket = self.tkt_cache.get(cache_key)
@@ -1365,7 +1366,11 @@ class KDCBaseTest(RawKerberosTest):
                 expect_requester_sid=None,
                 fresh=False):
         user_name = creds.get_username()
-        cache_key = (user_name, to_rodc, kdc_options, pac_request)
+        cache_key = (user_name, to_rodc, kdc_options, pac_request,
+                     str(expected_flags), str(unexpected_flags),
+                     expected_account_name, expected_upn_name, expected_sid,
+                     expect_pac, expect_pac_attrs,
+                     expect_pac_attrs_pac_request, expect_requester_sid)
 
         if not fresh:
             tgt = self.tkt_cache.get(cache_key)
Unnamed repository; edit this file 'description' to name the repository.