authorJoseph Sutton <josephsutton@catalyst.net.nz>2022-11-25 11:48:59 +1300
committerStefan Metzmacher <metze@samba.org>2022-12-14 00:48:48 +0100
commit701b2650d1b47adac55f948c4e055d5ecc52e1da (patch)
tree546bf7ad5aded1ad8c3fc7d9af713e71a54b00b4
parent590228fd72f66412a8188b3b09d2d71e91b0d568 (diff)
CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with AES256 rather than RC4
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> [This is 4.15 only]
-rw-r--r--selftest/knownfail_heimdal_kdc6
-rw-r--r--source4/torture/rpc/lsa.c50
2 files changed, 37 insertions, 19 deletions
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index a8315d965e8..3796ac6f6df 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -625,3 +625,9 @@
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rc4.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_lifetime_tgs.ad_dc
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rc4_client_checksum.ad_dc_default:local
+#
+# LSA tests
+#
+^samba4.rpc.lsa.trusted.domains with .lsa.TrustedDomains.ad_dc_default
+^samba4.rpc.lsa.trusted.domains with bigendian.lsa.TrustedDomains.ad_dc_default
+^samba4.rpc.lsa.trusted.domains with validate.lsa.TrustedDomains.ad_dc_default
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 453a55562bc..98444ce3678 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -3217,8 +3217,8 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
const char *error_string = NULL;
const char *workstation = cli_credentials_get_workstation(credentials);
const char *password = cli_credentials_get_password(credentials);
- const struct samr_Password *nthash = NULL;
- const struct samr_Password *old_nthash = NULL;
+ DATA_BLOB aes256_key;
+ const char *salt = NULL;
const char *old_password = cli_credentials_get_old_password(credentials);
int kvno = cli_credentials_get_kvno(credentials);
int expected_kvno = 0;
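Review bot: `DATA_BLOB aes256_key;` is declared without an initializer, while the `salt` pointer next to it gets `= NULL`. The later hunk assigns the blob in both branches before it is read or freed, but check_pw_with_krb5 is long and has many early returns through the torture_assert macros, so any cleanup path added later would see indeterminate `data`/`length`. Declaring it as `DATA_BLOB aes256_key = data_blob_null;` keeps `data_blob_free()` safe on every path. The function body starts and ends outside this hunk.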
@@ -3250,8 +3250,8 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
realm = cli_credentials_get_realm(credentials);
trusted_realm_name = strupper_talloc(tctx, trusted_dns_name);
- nthash = cli_credentials_get_nt_hash(credentials, ctx);
- old_nthash = cli_credentials_get_old_nt_hash(credentials, ctx);
+ salt = talloc_asprintf(ctx, "%skrbtgt%s", realm, trusted_realm_name);
+ torture_assert(tctx, salt != NULL, "Failed to create salt");
k5ret = smb_krb5_init_context(ctx, tctx->lp_ctx, &ctx->smb_krb5_context);
torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");
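Review bot: The salt built by `talloc_asprintf(ctx, "%skrbtgt%s", realm, trusted_realm_name)` has no comment explaining its layout, and the two halves are treated differently in the visible lines: `trusted_realm_name` goes through `strupper_talloc()`, while `realm` is used exactly as `cli_credentials_get_realm()` returns it. The AES string-to-key derivation is case-sensitive in the salt, so a realm in unexpected case would give a different key and show up later only as a ticket decryption failure. The hunk does not show whether `realm` is already upper-case, or whether the `strupper_talloc()` result is checked for NULL, so both are worth confirming. I would add a comment such as `/* Trust account salt: <REALM>krbtgt<TRUSTED.REALM>; case must match what the KDC used to derive the key */` above the assignment.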
@@ -3596,23 +3596,35 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
}
torture_assert_int_equal(tctx, t_kvno, expected_kvno, assertion_message);
- if (old_nthash != NULL && expected_kvno != kvno) {
- torture_comment(tctx, "old_nthash: %s\n", assertion_message);
- k5ret = smb_krb5_keyblock_init_contents(ctx->smb_krb5_context->krb5_context,
- ENCTYPE_ARCFOUR_HMAC,
- old_nthash->hash,
- sizeof(old_nthash->hash),
- &ctx->krbtgt_referral_keyblock);
- torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+ if (old_password != NULL && expected_kvno != kvno) {
+ torture_comment(tctx, "old_password: %s\n", assertion_message);
+
+ k5ret = cli_credentials_get_aes256_key(credentials, ctx, tctx->lp_ctx,
+ old_password, salt,
+ &aes256_key);
+ torture_assert_int_equal(tctx, k5ret, 0, "cli_credentials_get_aes256_key failed");
} else {
- torture_comment(tctx, "nthash: %s\n", assertion_message);
- k5ret = smb_krb5_keyblock_init_contents(ctx->smb_krb5_context->krb5_context,
- ENCTYPE_ARCFOUR_HMAC,
- nthash->hash,
- sizeof(nthash->hash),
- &ctx->krbtgt_referral_keyblock);
- torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+ torture_comment(tctx, "password: %s\n", assertion_message);
+
+ k5ret = cli_credentials_get_aes256_key(credentials, ctx, tctx->lp_ctx,
+ password, salt,
+ &aes256_key);
+ torture_assert_int_equal(tctx, k5ret, 0, "cli_credentials_get_aes256_key failed");
}
+
+ k5ret = smb_krb5_keyblock_init_contents(ctx->smb_krb5_context->krb5_context,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ aes256_key.data,
+ aes256_key.length,
+ &ctx->krbtgt_referral_keyblock);
+ data_blob_free(&aes256_key);
+ torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+
+ torture_assert_int_equal(tctx,
+ ctx->krbtgt_referral_keyblock.keytype,
+ ctx->krbtgt_referral_ticket.enc_part.etype,
+ "Key encryption type does not match enc-part encryption type");
+
k5ret = krb5_decrypt_ticket(ctx->smb_krb5_context->krb5_context,
&ctx->krbtgt_referral_ticket,
&ctx->krbtgt_referral_keyblock,
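Review bot: The password-derived AES256 key is released with `data_blob_free(&aes256_key);`, which frees the buffer without wiping it, so the long-term trust key bytes stay in freed heap memory. Samba's `data_blob_clear_free(&aes256_key);` zeroes the contents first and is the better habit even in torture code, since tests are often copied into production paths. Separately, the two branches differ only in which password they pass and in the comment text, so choosing the password once and calling `cli_credentials_get_aes256_key()` a single time would leave only one derivation call to keep correct. The else branch passes `password` without a NULL check in the visible lines; whether it is validated earlier cannot be seen from this hunk. The `krb5_decrypt_ticket()` call and the rest of check_pw_with_krb5 continue outside the hunk.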