diff options
| author | Stefan Metzmacher <metze@samba.org> | 2022-11-28 15:02:13 +0100 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2022-12-13 21:37:58 +0100 |
| commit | 90f06ad6d7d00fc51a2d64557cf58739fef851c1 (patch) | |
| tree | 5e02cdad0bfa9baa0e1e80c8915c20674194e01a | |
| parent | 0be35930722530e5befa16a65a16232393258057 (diff) | |
| download | samba-90f06ad6d7d00fc51a2d64557cf58739fef851c1.tar.gz | |
CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
For generic tests we should use the best available features.
And AES will be required by default soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
| -rw-r--r-- | source4/torture/ntp/ntp_signd.c | 2 | ||||
| -rw-r--r-- | source4/torture/rpc/lsa.c | 4 | ||||
| -rw-r--r-- | source4/torture/rpc/netlogon.c | 24 | ||||
| -rw-r--r-- | source4/torture/rpc/samba3rpc.c | 15 |
4 files changed, 27 insertions, 18 deletions
diff --git a/source4/torture/ntp/ntp_signd.c b/source4/torture/ntp/ntp_signd.c index 124c9604871..6d482bfdee1 100644 --- a/source4/torture/ntp/ntp_signd.c +++ b/source4/torture/ntp/ntp_signd.c @@ -70,7 +70,7 @@ static bool test_ntp_signd(struct torture_context *tctx, uint32_t rid; const char *machine_name; const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx); - uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; struct sign_request sign_req; struct signed_reply signed_reply; diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c index 908ea08019c..453a55562bc 100644 --- a/source4/torture/rpc/lsa.c +++ b/source4/torture/rpc/lsa.c @@ -4285,7 +4285,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p, torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b"); ok = check_pw_with_ServerAuthenticate3(p1, tctx, - NETLOGON_NEG_AUTH2_ADS_FLAGS, + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, server_name, incoming_creds, &creds); torture_assert_int_equal(tctx, ok, expected_result, @@ -4382,7 +4382,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p, torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b"); ok = check_pw_with_ServerAuthenticate3(p2, tctx, - NETLOGON_NEG_AUTH2_ADS_FLAGS, + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, server_name, incoming_creds, &creds); torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password"); diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 11f950d3aab..2803dd13b46 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -191,7 +191,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, /* This allows the tests to continue against the more fussy windows 2008 */ if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) { - return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, credentials, cli_credentials_get_secure_channel_type(credentials), creds_out); @@ -431,7 +431,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx, "ServerAuthenticate3 failed"); torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed"); - negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; creds = netlogon_creds_client_init(tctx, a.in.account_name, a.in.computer_name, a.in.secure_channel_type, @@ -498,7 +498,7 @@ static bool test_ServerReqChallenge( const char *machine_name; struct dcerpc_binding_handle *b = p->binding_handle; struct netr_ServerAuthenticate2 a; - uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; uint32_t out_negotiate_flags = 0; const struct samr_Password *mach_password = NULL; enum netr_SchannelType sec_chan_type = 0; @@ -570,7 +570,7 @@ static bool test_ServerReqChallenge_zero_challenge( const char *machine_name; struct dcerpc_binding_handle *b = p->binding_handle; struct netr_ServerAuthenticate2 a; - uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; uint32_t out_negotiate_flags = 0; const struct samr_Password *mach_password = NULL; enum netr_SchannelType sec_chan_type = 0; @@ -647,7 +647,7 @@ static bool test_ServerReqChallenge_5_repeats( const char *machine_name; struct dcerpc_binding_handle *b = p->binding_handle; struct netr_ServerAuthenticate2 a; - uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; uint32_t out_negotiate_flags = 0; const struct samr_Password *mach_password = NULL; enum netr_SchannelType sec_chan_type = 0; @@ -731,7 +731,7 @@ static bool test_ServerReqChallenge_4_repeats( const char *machine_name; struct dcerpc_binding_handle *b = p->binding_handle; struct netr_ServerAuthenticate2 a; - uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; uint32_t out_negotiate_flags = 0; const struct samr_Password *mach_password = NULL; enum netr_SchannelType sec_chan_type = 0; @@ -1527,7 +1527,7 @@ static bool test_SetPassword2_all_zeros( struct netr_CryptPassword new_password; struct dcerpc_pipe *p = NULL; struct dcerpc_binding_handle *b = NULL; - uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */ if (!test_SetupCredentials2( p1, @@ -1603,7 +1603,7 @@ static bool test_SetPassword2_maximum_length_password( struct netr_CryptPassword new_password; struct dcerpc_pipe *p = NULL; struct dcerpc_binding_handle *b = NULL; - uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; DATA_BLOB new_random_pass = data_blob_null; if (!test_SetupCredentials2( @@ -1686,7 +1686,7 @@ static bool test_SetPassword2_all_zero_password( struct netr_CryptPassword new_password; struct dcerpc_pipe *p = NULL; struct dcerpc_binding_handle *b = NULL; - uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */ if (!test_SetupCredentials2( p1, @@ -4046,7 +4046,7 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx, struct dcerpc_pipe *p = NULL; struct dcerpc_binding_handle *b = NULL; - if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, machine_credentials, &creds)) { return false; } @@ -4985,7 +4985,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n"); - if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, machine_credentials, &creds)) { return false; } @@ -5560,7 +5560,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT); - if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, machine_credentials, &creds)) { return false; } diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c index ff5dc1d6800..ee8dac67dfa 100644 --- a/source4/torture/rpc/samba3rpc.c +++ b/source4/torture/rpc/samba3rpc.c @@ -1071,7 +1071,7 @@ static bool auth2(struct torture_context *tctx, goto done; } - negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; + negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash); a.in.server_name = talloc_asprintf( @@ -1260,10 +1260,19 @@ static bool schan(struct torture_context *tctx, E_md4hash(cli_credentials_get_password(user_creds), pinfo.ntpassword.hash); - netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16); - logon.password = &pinfo; + /* + * We don't use this here: + * + * netlogon_creds_encrypt_samlogon_logon(creds_state, + * NetlogonInteractiveInformation, + * &logon); + * + * in order to detect bugs + */ + netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16); + r.in.logon_level = NetlogonInteractiveInformation; r.in.logon = &logon; r.out.return_authenticator = &return_authenticator; |