author | Stefan Metzmacher <metze@samba.org> | 2022-11-28 15:02:13 +0100 |
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-14 11:39:16 +0000 |
commit | 84d5354026887f088c8bbf25d46738935105de56 (patch) | |
tree | da1106bf423628d0d827749260415fb9dbe64e0e /source4 | |
parent | a656f2a3d66eed1a3f57077443b14f067bea18e7 (diff) | |
download | samba-84d5354026887f088c8bbf25d46738935105de56.tar.gz |
CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
For generic tests we should use the best available features.
And AES will be required by default soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/torture/ntp/ntp_signd.c | 2 | ||||
-rw-r--r-- | source4/torture/rpc/lsa.c | 4 | ||||
-rw-r--r-- | source4/torture/rpc/netlogon.c | 24 | ||||
-rw-r--r-- | source4/torture/rpc/samba3rpc.c | 15 |
4 files changed, 27 insertions, 18 deletions
diff --git a/source4/torture/ntp/ntp_signd.c b/source4/torture/ntp/ntp_signd.c
index 124c9604871..6d482bfdee1 100644
--- a/source4/torture/ntp/ntp_signd.c
+++ b/source4/torture/ntp/ntp_signd.c
@@ -70,7 +70,7 @@ static bool test_ntp_signd(struct torture_context *tctx,
 uint32_t rid;
 const char *machine_name;
 const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx);
- uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
 struct sign_request sign_req;
 struct signed_reply signed_reply;
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index d430ee57108..d22546862d5 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -4408,7 +4408,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
 torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
 ok = check_pw_with_ServerAuthenticate3(p1, tctx,
- NETLOGON_NEG_AUTH2_ADS_FLAGS,
+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
 server_name,
 incoming_creds,
 &creds);
 torture_assert_int_equal(tctx, ok, expected_result,
@@ -4505,7 +4505,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
 torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
 ok = check_pw_with_ServerAuthenticate3(p2, tctx,
- NETLOGON_NEG_AUTH2_ADS_FLAGS,
+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
 server_name,
 incoming_creds,
 &creds);
 torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password");
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 59d7feb43f1..1f068eb7826 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
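Review bot: Requesting NETLOGON_NEG_SUPPORTS_AES in test_ntp_signd's negotiate_flags only strengthens the test if the flags the server hands back are checked for that bit, and the hunk shows the request but no such check. The same holds for both check_pw_with_ServerAuthenticate3 calls in check_dom_trust_pw and for the in_negotiate_flags/out_negotiate_flags pairs in netlogon.c's test_ServerReqChallenge variants. Without it a server that quietly clears the bit still passes, which given the CVE reference in the title looks like exactly the downgrade these tests should catch. Where out_negotiate_flags receives the reply, a one-liner such as `torture_assert_int_equal(tctx, out_negotiate_flags & NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_SUPPORTS_AES, "server did not negotiate AES");` would pin it, unless that assertion already exists further down. test_ntp_signd and check_dom_trust_pw both continue beyond their hunks.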
@@ -191,7 +191,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
 /* This allows the tests to continue against the more fussy windows 2008 */
 if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) {
- return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+ return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
 credentials,
 cli_credentials_get_secure_channel_type(credentials),
 creds_out);
@@ -431,7 +431,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
 "ServerAuthenticate3 failed");
 torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed");
- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
 creds = netlogon_creds_client_init(tctx, a.in.account_name,
 a.in.computer_name,
 a.in.secure_channel_type,
@@ -498,7 +498,7 @@ static bool test_ServerReqChallenge(
 const char *machine_name;
 struct dcerpc_binding_handle *b = p->binding_handle;
 struct netr_ServerAuthenticate2 a;
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
 uint32_t out_negotiate_flags = 0;
 const struct samr_Password *mach_password = NULL;
 enum netr_SchannelType sec_chan_type = 0;
@@ -570,7 +570,7 @@ static bool test_ServerReqChallenge_zero_challenge(
 const char *machine_name;
 struct dcerpc_binding_handle *b = p->binding_handle;
 struct netr_ServerAuthenticate2 a;
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
 uint32_t out_negotiate_flags = 0;
 const struct samr_Password *mach_password = NULL;
 enum netr_SchannelType sec_chan_type = 0;
@@ -647,7 +647,7 @@ static bool test_ServerReqChallenge_5_repeats(
 const char *machine_name;
 struct dcerpc_binding_handle *b = p->binding_handle;
 struct netr_ServerAuthenticate2 a;
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
 uint32_t out_negotiate_flags = 0;
 const struct samr_Password *mach_password = NULL;
 enum netr_SchannelType sec_chan_type = 0;
@@ -731,7 +731,7 @@ static bool test_ServerReqChallenge_4_repeats(
 const char *machine_name;
 struct dcerpc_binding_handle *b = p->binding_handle;
 struct netr_ServerAuthenticate2 a;
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
 uint32_t out_negotiate_flags = 0;
 const struct samr_Password *mach_password = NULL;
 enum netr_SchannelType sec_chan_type = 0;
@@ -1527,7 +1527,7 @@ static bool test_SetPassword2_all_zeros(
 struct netr_CryptPassword new_password;
 struct dcerpc_pipe *p = NULL;
 struct dcerpc_binding_handle *b = NULL;
- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
 if (!test_SetupCredentials2(
 p1,
@@ -1603,7 +1603,7 @@ static bool test_SetPassword2_maximum_length_password(
 struct netr_CryptPassword new_password;
 struct dcerpc_pipe *p = NULL;
 struct dcerpc_binding_handle *b = NULL;
- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
 DATA_BLOB new_random_pass = data_blob_null;
 if (!test_SetupCredentials2(
@@ -1686,7 +1686,7 @@ static bool test_SetPassword2_all_zero_password(
 struct netr_CryptPassword new_password;
 struct dcerpc_pipe *p = NULL;
 struct dcerpc_binding_handle *b = NULL;
- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
 if (!test_SetupCredentials2(
 p1,
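Review bot: The trailing `/* no AES desired here */` on the flags line in test_SetPassword2_all_zeros and test_SetPassword2_all_zero_password records the decision but not the reason, so the next person auditing non-AES leftovers after this series cannot tell whether it is safe to flip. Given the function names it presumably matters that the all-zero buffers go through the non-AES encryption path; if so, say that, e.g. `/* deliberately no NETLOGON_NEG_SUPPORTS_AES: this test exercises the non-AES encryption of an all-zero buffer */`. Please confirm the reason; both functions continue past the hunk.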
@@ -4046,7 +4046,7 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
 struct dcerpc_pipe *p = NULL;
 struct dcerpc_binding_handle *b = NULL;
- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
 machine_credentials, &creds)) {
 return false;
 }
@@ -4985,7 +4985,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
 torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
 machine_credentials, &creds)) {
 return false;
 }
@@ -5562,7 +5562,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
 torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
- if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+ if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
 machine_credentials, &creds)) {
 return false;
 }
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index 39e43e5fcdb..36eabdc488d 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -1071,7 +1071,7 @@ static bool auth2(struct torture_context *tctx,
 goto done;
 }
- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
 E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
 a.in.server_name = talloc_asprintf(
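Review bot: The rewritten `if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,` lines in test_netr_GetForestTrustInformation, test_GetDomainInfo and test_GetDomainInfo_async (and the matching test_SetupCredentials2 call in test_SetupCredentials) run well past the column the surrounding continuation lines wrap at. Hoisting the flags into a local keeps the call on its existing wrap, e.g. `uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;` followed by `if (!test_SetupCredentials3(p1, tctx, flags,` with the `machine_credentials, &creds)) {` line unchanged. Each of these functions starts outside its hunk.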
@@ -1260,10 +1260,19 @@ static bool schan(struct torture_context *tctx,
 E_md4hash(cli_credentials_get_password(user_creds), pinfo.ntpassword.hash);
- netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16);
- logon.password = &pinfo;
+ /*
+ * We don't use this here:
+ *
+ * netlogon_creds_encrypt_samlogon_logon(creds_state,
+ * NetlogonInteractiveInformation,
+ * &logon);
+ *
+ * in order to detect bugs
+ */
+ netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16);
+ r.in.logon_level = NetlogonInteractiveInformation;
 r.in.logon = &logon;
 r.out.return_authenticator = &return_authenticator;
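Review bot: The hunk drops `logon.password = &pinfo;` together with the arcfour call but adds nothing that re-attaches pinfo to logon, so unless schan() assigns logon.password earlier (its body starts outside the hunk) `r.in.logon = &logon;` now sends a logon whose password pointer was never set; if the assignment was meant to stay, restore it before the r.in.logon_level line. Separately, the new `netlogon_creds_aes_encrypt` call hard-codes 16 where `sizeof(pinfo.ntpassword.hash)` would tie the length to the buffer it encrypts. The added comment says the helper is avoided "in order to detect bugs" but not which ones; stating the intent would help the next reader, e.g. `* so that a session whose negotiate_flags lack NETLOGON_NEG_SUPPORTS_AES fails this logon instead of being encrypted with whatever cipher the helper would pick`. That reading is inferred from the CVE reference in the title, so please confirm it.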