diff options
| author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-11-25 11:48:59 +1300 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2022-12-14 00:48:48 +0100 |
| commit | 701b2650d1b47adac55f948c4e055d5ecc52e1da (patch) | |
| tree | 546bf7ad5aded1ad8c3fc7d9af713e71a54b00b4 | |
| parent | 590228fd72f66412a8188b3b09d2d71e91b0d568 (diff) | |
| download | samba-701b2650d1b47adac55f948c4e055d5ecc52e1da.tar.gz | |
CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with AES256 rather than RC4
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[This is 4.15 only]
| -rw-r--r-- | selftest/knownfail_heimdal_kdc | 6 | ||||
| -rw-r--r-- | source4/torture/rpc/lsa.c | 50 |
2 files changed, 37 insertions, 19 deletions
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index a8315d965e8..3796ac6f6df 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -625,3 +625,9 @@ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rc4.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_lifetime_tgs.ad_dc ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rc4_client_checksum.ad_dc_default:local +# +# LSA tests +# +^samba4.rpc.lsa.trusted.domains with .lsa.TrustedDomains.ad_dc_default +^samba4.rpc.lsa.trusted.domains with bigendian.lsa.TrustedDomains.ad_dc_default +^samba4.rpc.lsa.trusted.domains with validate.lsa.TrustedDomains.ad_dc_default diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c index 453a55562bc..98444ce3678 100644 --- a/source4/torture/rpc/lsa.c +++ b/source4/torture/rpc/lsa.c @@ -3217,8 +3217,8 @@ static bool check_pw_with_krb5(struct torture_context *tctx, const char *error_string = NULL; const char *workstation = cli_credentials_get_workstation(credentials); const char *password = cli_credentials_get_password(credentials); - const struct samr_Password *nthash = NULL; - const struct samr_Password *old_nthash = NULL; + DATA_BLOB aes256_key; + const char *salt = NULL; const char *old_password = cli_credentials_get_old_password(credentials); int kvno = cli_credentials_get_kvno(credentials); int expected_kvno = 0; @@ -3250,8 +3250,8 @@ static bool check_pw_with_krb5(struct torture_context *tctx, realm = cli_credentials_get_realm(credentials); trusted_realm_name = strupper_talloc(tctx, trusted_dns_name); - nthash = cli_credentials_get_nt_hash(credentials, ctx); - old_nthash = cli_credentials_get_old_nt_hash(credentials, ctx); + salt = talloc_asprintf(ctx, "%skrbtgt%s", realm, trusted_realm_name); + torture_assert(tctx, salt != NULL, "Failed to create salt"); k5ret = smb_krb5_init_context(ctx, tctx->lp_ctx, &ctx->smb_krb5_context); torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed"); @@ -3596,23 +3596,35 @@ static bool check_pw_with_krb5(struct torture_context *tctx, } torture_assert_int_equal(tctx, t_kvno, expected_kvno, assertion_message); - if (old_nthash != NULL && expected_kvno != kvno) { - torture_comment(tctx, "old_nthash: %s\n", assertion_message); - k5ret = smb_krb5_keyblock_init_contents(ctx->smb_krb5_context->krb5_context, - ENCTYPE_ARCFOUR_HMAC, - old_nthash->hash, - sizeof(old_nthash->hash), - &ctx->krbtgt_referral_keyblock); - torture_assert_int_equal(tctx, k5ret, 0, assertion_message); + if (old_password != NULL && expected_kvno != kvno) { + torture_comment(tctx, "old_password: %s\n", assertion_message); + + k5ret = cli_credentials_get_aes256_key(credentials, ctx, tctx->lp_ctx, + old_password, salt, + &aes256_key); + torture_assert_int_equal(tctx, k5ret, 0, "cli_credentials_get_aes256_key failed"); } else { - torture_comment(tctx, "nthash: %s\n", assertion_message); - k5ret = smb_krb5_keyblock_init_contents(ctx->smb_krb5_context->krb5_context, - ENCTYPE_ARCFOUR_HMAC, - nthash->hash, - sizeof(nthash->hash), - &ctx->krbtgt_referral_keyblock); - torture_assert_int_equal(tctx, k5ret, 0, assertion_message); + torture_comment(tctx, "password: %s\n", assertion_message); + + k5ret = cli_credentials_get_aes256_key(credentials, ctx, tctx->lp_ctx, + password, salt, + &aes256_key); + torture_assert_int_equal(tctx, k5ret, 0, "cli_credentials_get_aes256_key failed"); } + + k5ret = smb_krb5_keyblock_init_contents(ctx->smb_krb5_context->krb5_context, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + aes256_key.data, + aes256_key.length, + &ctx->krbtgt_referral_keyblock); + data_blob_free(&aes256_key); + torture_assert_int_equal(tctx, k5ret, 0, assertion_message); + + torture_assert_int_equal(tctx, + ctx->krbtgt_referral_keyblock.keytype, + ctx->krbtgt_referral_ticket.enc_part.etype, + "Key encryption type does not match enc-part encryption type"); + k5ret = krb5_decrypt_ticket(ctx->smb_krb5_context->krb5_context, &ctx->krbtgt_referral_ticket, &ctx->krbtgt_referral_keyblock, |