211 lines
9.1 KiB
Diff
211 lines
9.1 KiB
Diff
From 14efe15daa8600ba9be658ce98cb0d30a6e35a2c Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Mon, 28 Nov 2022 15:02:13 +0100
|
|
Subject: [PATCH 14/30] CVE-2022-38023 s4:torture: use
|
|
NETLOGON_NEG_SUPPORTS_AES by default
|
|
|
|
For generic tests we should use the best available features.
|
|
|
|
And AES will be required by default soon.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
(cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
|
|
|
|
Conflict: NA
|
|
Reference: https://attachments.samba.org/attachment.cgi?id=17692
|
|
---
|
|
source4/torture/ntp/ntp_signd.c | 2 +-
|
|
source4/torture/rpc/lsa.c | 4 ++--
|
|
source4/torture/rpc/netlogon.c | 24 ++++++++++++------------
|
|
source4/torture/rpc/samba3rpc.c | 15 ++++++++++++---
|
|
4 files changed, 27 insertions(+), 18 deletions(-)
|
|
|
|
diff --git a/source4/torture/ntp/ntp_signd.c b/source4/torture/ntp/ntp_signd.c
|
|
index 124c9604871b..6d482bfdee16 100644
|
|
--- a/source4/torture/ntp/ntp_signd.c
|
|
+++ b/source4/torture/ntp/ntp_signd.c
|
|
@@ -70,7 +70,7 @@ static bool test_ntp_signd(struct torture_context *tctx,
|
|
uint32_t rid;
|
|
const char *machine_name;
|
|
const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx);
|
|
- uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
+ uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
|
|
struct sign_request sign_req;
|
|
struct signed_reply signed_reply;
|
|
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
|
|
index d430ee571081..d22546862d5b 100644
|
|
--- a/source4/torture/rpc/lsa.c
|
|
+++ b/source4/torture/rpc/lsa.c
|
|
@@ -4408,7 +4408,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
|
|
torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
|
|
|
|
ok = check_pw_with_ServerAuthenticate3(p1, tctx,
|
|
- NETLOGON_NEG_AUTH2_ADS_FLAGS,
|
|
+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
server_name,
|
|
incoming_creds, &creds);
|
|
torture_assert_int_equal(tctx, ok, expected_result,
|
|
@@ -4505,7 +4505,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
|
|
torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
|
|
|
|
ok = check_pw_with_ServerAuthenticate3(p2, tctx,
|
|
- NETLOGON_NEG_AUTH2_ADS_FLAGS,
|
|
+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
server_name,
|
|
incoming_creds, &creds);
|
|
torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password");
|
|
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
|
|
index 59d7feb43f1d..1f068eb78265 100644
|
|
--- a/source4/torture/rpc/netlogon.c
|
|
+++ b/source4/torture/rpc/netlogon.c
|
|
@@ -191,7 +191,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
|
|
|
|
/* This allows the tests to continue against the more fussy windows 2008 */
|
|
if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) {
|
|
- return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
|
|
+ return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
credentials,
|
|
cli_credentials_get_secure_channel_type(credentials),
|
|
creds_out);
|
|
@@ -431,7 +431,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
|
|
"ServerAuthenticate3 failed");
|
|
torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed");
|
|
|
|
- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
a.in.computer_name,
|
|
a.in.secure_channel_type,
|
|
@@ -498,7 +498,7 @@ static bool test_ServerReqChallenge(
|
|
const char *machine_name;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
struct netr_ServerAuthenticate2 a;
|
|
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
uint32_t out_negotiate_flags = 0;
|
|
const struct samr_Password *mach_password = NULL;
|
|
enum netr_SchannelType sec_chan_type = 0;
|
|
@@ -570,7 +570,7 @@ static bool test_ServerReqChallenge_zero_challenge(
|
|
const char *machine_name;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
struct netr_ServerAuthenticate2 a;
|
|
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
uint32_t out_negotiate_flags = 0;
|
|
const struct samr_Password *mach_password = NULL;
|
|
enum netr_SchannelType sec_chan_type = 0;
|
|
@@ -647,7 +647,7 @@ static bool test_ServerReqChallenge_5_repeats(
|
|
const char *machine_name;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
struct netr_ServerAuthenticate2 a;
|
|
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
uint32_t out_negotiate_flags = 0;
|
|
const struct samr_Password *mach_password = NULL;
|
|
enum netr_SchannelType sec_chan_type = 0;
|
|
@@ -731,7 +731,7 @@ static bool test_ServerReqChallenge_4_repeats(
|
|
const char *machine_name;
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
struct netr_ServerAuthenticate2 a;
|
|
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
uint32_t out_negotiate_flags = 0;
|
|
const struct samr_Password *mach_password = NULL;
|
|
enum netr_SchannelType sec_chan_type = 0;
|
|
@@ -1527,7 +1527,7 @@ static bool test_SetPassword2_all_zeros(
|
|
struct netr_CryptPassword new_password;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
|
|
|
|
if (!test_SetupCredentials2(
|
|
p1,
|
|
@@ -1603,7 +1603,7 @@ static bool test_SetPassword2_maximum_length_password(
|
|
struct netr_CryptPassword new_password;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
DATA_BLOB new_random_pass = data_blob_null;
|
|
|
|
if (!test_SetupCredentials2(
|
|
@@ -1686,7 +1686,7 @@ static bool test_SetPassword2_all_zero_password(
|
|
struct netr_CryptPassword new_password;
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
|
|
|
|
if (!test_SetupCredentials2(
|
|
p1,
|
|
@@ -4046,7 +4046,7 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
|
|
struct dcerpc_pipe *p = NULL;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
|
|
- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
|
|
+ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
@@ -4985,7 +4985,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
|
|
|
|
torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
|
|
|
|
- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
|
|
+ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
@@ -5562,7 +5562,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
|
|
|
|
torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
|
|
|
|
- if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
|
|
+ if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
machine_credentials, &creds)) {
|
|
return false;
|
|
}
|
|
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
|
|
index 39e43e5fcdbe..36eabdc488d9 100644
|
|
--- a/source4/torture/rpc/samba3rpc.c
|
|
+++ b/source4/torture/rpc/samba3rpc.c
|
|
@@ -1071,7 +1071,7 @@ static bool auth2(struct torture_context *tctx,
|
|
goto done;
|
|
}
|
|
|
|
- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
|
|
|
|
a.in.server_name = talloc_asprintf(
|
|
@@ -1260,10 +1260,19 @@ static bool schan(struct torture_context *tctx,
|
|
E_md4hash(cli_credentials_get_password(user_creds),
|
|
pinfo.ntpassword.hash);
|
|
|
|
- netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16);
|
|
-
|
|
logon.password = &pinfo;
|
|
|
|
+ /*
|
|
+ * We don't use this here:
|
|
+ *
|
|
+ * netlogon_creds_encrypt_samlogon_logon(creds_state,
|
|
+ * NetlogonInteractiveInformation,
|
|
+ * &logon);
|
|
+ *
|
|
+ * in order to detect bugs
|
|
+ */
|
|
+ netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16);
|
|
+
|
|
r.in.logon_level = NetlogonInteractiveInformation;
|
|
r.in.logon = &logon;
|
|
r.out.return_authenticator = &return_authenticator;
|
|
--
|
|
2.34.1
|