samba/CVE-2018-16841-2.patch

From 58733073f6eb78e8b157ee55493e92ffa361b73c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 24 Oct 2018 15:41:28 +1300
Subject: [PATCH 4/5] CVE-2018-16841 selftest: Check for mismatching principal
 in certficate compared with principal in AS-REQ

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
---
 testprogs/blackbox/test_pkinit_heimdal.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/testprogs/blackbox/test_pkinit_heimdal.sh b/testprogs/blackbox/test_pkinit_heimdal.sh
index 0a13aa293e7..0912e0dbfe8 100755
--- a/testprogs/blackbox/test_pkinit_heimdal.sh
+++ b/testprogs/blackbox/test_pkinit_heimdal.sh
@@ -75,10 +75,18 @@ testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --reque
 testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
 test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
 
+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM || failed=`expr $failed + 1`
+
+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER $SERVER@$REALM || failed=`expr $failed + 1`
+
 testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
 testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
 test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
 
+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || failed=`expr $failed + 1`
+
+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM || failed=`expr $failed + 1`
+
 testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
 testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
 test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
-- 
2.11.0
Package init 2019-09-30 11:16:38 -04:00			`From 58733073f6eb78e8b157ee55493e92ffa361b73c Mon Sep 17 00:00:00 2001`
			`From: Andrew Bartlett <abartlet@samba.org>`
			`Date: Wed, 24 Oct 2018 15:41:28 +1300`
			`Subject: [PATCH 4/5] CVE-2018-16841 selftest: Check for mismatching principal`
			`in certficate compared with principal in AS-REQ`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628`
			`Signed-off-by: Andrew Bartlett <abartlet@samba.org>`
			`Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>`
			`---`
			`testprogs/blackbox/test_pkinit_heimdal.sh \| 8 ++++++++`
			`1 file changed, 8 insertions(+)`

			`diff --git a/testprogs/blackbox/test_pkinit_heimdal.sh b/testprogs/blackbox/test_pkinit_heimdal.sh`
			`index 0a13aa293e7..0912e0dbfe8 100755`
			`--- a/testprogs/blackbox/test_pkinit_heimdal.sh`
			`+++ b/testprogs/blackbox/test_pkinit_heimdal.sh`
			`@@ -75,10 +75,18 @@ testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --reque`
			testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R \|\| failed=`expr $failed + 1`
			test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes \|\| failed=`expr $failed + 1`

			+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM \|\| failed=`expr $failed + 1`
			`+`
			+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER $SERVER@$REALM \|\| failed=`expr $failed + 1`
			`+`
			testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM \|\| failed=`expr $failed + 1`
			testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R \|\| failed=`expr $failed + 1`
			test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes \|\| failed=`expr $failed + 1`

			+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM \|\| failed=`expr $failed + 1`
			`+`
			+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM \|\| failed=`expr $failed + 1`
			`+`
			testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise \|\| failed=`expr $failed + 1`
			testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R \|\| failed=`expr $failed + 1`
			test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes \|\| failed=`expr $failed + 1`
			`--`
			`2.11.0`