tests: add PAC test for CVE-2020-17049 (bronze bit)

tests/bin/setup-env.in

@@ -58,6 +58,7 @@ rkvis="${TESTS_ENVIRONMENT} ${top_builddir}/lib/roken/rkvis"
 test_set_kvno0="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_set_kvno0"
 test_alname="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_alname"
 test_kuserok="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_kuserok"
+test_mkforwardable="${TESTS_ENVIRONMENT} ${top_builddir}/lib/krb5/test_mkforwardable"
 
 # misc apps
 have_db="${top_builddir}/tests/db/have-db"

tests/kdc/check-kdc.in

@@ -89,6 +89,7 @@ icache="FILE:${objdir}/icache.krb5"
 keytabfile=${objdir}/server.keytab
 keytab="FILE:${keytabfile}"
 ps="proxy-service@${R}"
+rps="restricted-proxy-service@${R}"
 aesenctype="aes256-cts-hmac-sha1-96"
 
 kinit="${kinit} -c $cache ${afs_no_afslog}"
@@ -225,6 +226,11 @@ ${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
 ${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
 ${kadmin} ext -k ${keytab} ${ps} || exit 1
 
+# Note: rps is not trusted-for-delegation
+${kadmin} add -p foo --use-defaults ${rps} || exit 1
+${kadmin} modify --constrained-delegation=${server} ${rps} || exit 1
+${kadmin} ext -k ${keytab} ${rps} || exit 1
+
 ${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
 ${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
 ${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1
@@ -906,6 +912,46 @@ ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${ser
 
 ${kdestroy}
 
+echo "test constrained delegation NOT trusted-for-delegation (evidence from TGS)"; > messages.log
+
+${kinit} --forwardable --password-file=${objdir}/foopassword ${rps} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \
+        { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --cache=${icache} --out-cache=${ocache} ${rps} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} \
+	--out-cache=${o2cache} \
+	--delegation-credential-cache=${ocache} \
+	${server}@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
+	{ ec=1 ; eval "${testfailed}"; }
+
+echo "test constrained delegation NOT trusted-for-delegation (evidence from impersonate, negative)"; > messages.log
+rm -f ocache.krb5
+${kgetcred_imp} --impersonate=bar@${R} ${rps} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${test_ap_req} ${rps} ${keytab} ${ocache} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} \
+	--out-cache=${o2cache} \
+	--delegation-credential-cache=${ocache} \
+	${server}@${R} && \
+	{ ec=1 ; eval "${testfailed}"; }
+
+echo "test constrained delegation bronze-bit attack, aka CVE-2020-17049"; > messages.log
+
+KRB5CCNAME=${ocache} KRB5_KTNAME=${keytab} ${test_mkforwardable} ${rps} ${icache} || \
+{ ec=1 ; eval "${testfailed}"; }
+
+${kgetcred} \
+	--out-cache=${o2cache} \
+	--delegation-credential-cache=${icache} \
+	${server}@${R} && \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
 echo "check renewing" > messages.log
 ${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
 	{ ec=1 ; eval "${testfailed}"; }