CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
authorStefan Metzmacher <metze@samba.org>
Mon, 28 Nov 2022 14:02:13 +0000 (15:02 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 13 Dec 2022 13:07:29 +0000 (13:07 +0000)
For generic tests we should use the best available features.

And AES will be required by default soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source4/torture/ntp/ntp_signd.c
source4/torture/rpc/lsa.c
source4/torture/rpc/netlogon.c
source4/torture/rpc/samba3rpc.c

index 124c9604871b1468505d89641c9c7a5ceca741e0..6d482bfdee16b35968470b90915f79f7fc6073d7 100644 (file)
@@ -70,7 +70,7 @@ static bool test_ntp_signd(struct torture_context *tctx,
        uint32_t rid;
        const char *machine_name;
        const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx);
-       uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
 
        struct sign_request sign_req;
        struct signed_reply signed_reply;
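Review bot: The expression `NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES` is spelled out by hand at line 26 here and again in every other hunk of this commit (lsa.c, netlogon.c and samba3rpc.c), so the next change to the torture default — the description says AES will soon be required — will again have to touch every call site. A single shared constant for the torture suite's default negotiate flags, e.g. `#define TORTURE_NETLOGON_NEG_FLAGS (NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES)` in a header these files include, would make that a one-line edit and would also make the deliberate exceptions in netlogon.c stand out from the default. This is a style point only; the flag change itself is the right one. test_ntp_signd continues outside the hunk.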
index d430ee57108122be12fd2754de723606e28c1929..d22546862d5ba3c25aee261ce1658e6be89726c9 100644 (file)
@@ -4408,7 +4408,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
        torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
 
        ok = check_pw_with_ServerAuthenticate3(p1, tctx,
-                                              NETLOGON_NEG_AUTH2_ADS_FLAGS,
+                                              NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
                                               server_name,
                                               incoming_creds, &creds);
        torture_assert_int_equal(tctx, ok, expected_result,
@@ -4505,7 +4505,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
        torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
 
        ok = check_pw_with_ServerAuthenticate3(p2, tctx,
-                                              NETLOGON_NEG_AUTH2_ADS_FLAGS,
+                                              NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
                                               server_name,
                                               incoming_creds, &creds);
        torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password");
index 59d7feb43f1d022117b34f51160431916609b809..1f068eb7826500971e1f4b72f8db313873174216 100644 (file)
@@ -191,7 +191,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
 
        /* This allows the tests to continue against the more fussy windows 2008 */
        if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) {
-               return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+               return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
                                              credentials,
                                              cli_credentials_get_secure_channel_type(credentials),
                                              creds_out);
@@ -431,7 +431,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
                "ServerAuthenticate3 failed");
        torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed");
 
-       negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
        creds = netlogon_creds_client_init(tctx, a.in.account_name,
                                           a.in.computer_name,
                                           a.in.secure_channel_type,
@@ -498,7 +498,7 @@ static bool test_ServerReqChallenge(
        const char *machine_name;
        struct dcerpc_binding_handle *b = p->binding_handle;
        struct netr_ServerAuthenticate2 a;
-       uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
        uint32_t out_negotiate_flags = 0;
        const struct samr_Password *mach_password = NULL;
        enum netr_SchannelType sec_chan_type = 0;
@@ -570,7 +570,7 @@ static bool test_ServerReqChallenge_zero_challenge(
        const char *machine_name;
        struct dcerpc_binding_handle *b = p->binding_handle;
        struct netr_ServerAuthenticate2 a;
-       uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
        uint32_t out_negotiate_flags = 0;
        const struct samr_Password *mach_password = NULL;
        enum netr_SchannelType sec_chan_type = 0;
@@ -647,7 +647,7 @@ static bool test_ServerReqChallenge_5_repeats(
        const char *machine_name;
        struct dcerpc_binding_handle *b = p->binding_handle;
        struct netr_ServerAuthenticate2 a;
-       uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
        uint32_t out_negotiate_flags = 0;
        const struct samr_Password *mach_password = NULL;
        enum netr_SchannelType sec_chan_type = 0;
@@ -731,7 +731,7 @@ static bool test_ServerReqChallenge_4_repeats(
        const char *machine_name;
        struct dcerpc_binding_handle *b = p->binding_handle;
        struct netr_ServerAuthenticate2 a;
-       uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
        uint32_t out_negotiate_flags = 0;
        const struct samr_Password *mach_password = NULL;
        enum netr_SchannelType sec_chan_type = 0;
@@ -1527,7 +1527,7 @@ static bool test_SetPassword2_all_zeros(
        struct netr_CryptPassword new_password;
        struct dcerpc_pipe *p = NULL;
        struct dcerpc_binding_handle *b = NULL;
-       uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
 
        if (!test_SetupCredentials2(
                p1,
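Review bot: The comment `/* no AES desired here */` at line 109 records that this test is a deliberate exception to the new default but not why, which is exactly what a future reader turning AES on everywhere will need; the same applies to the identical line in test_SetPassword2_all_zero_password (hunk at line 1686). If the reason is that these tests target the non-AES password-encryption path on purpose, I would say so: `/* Deliberately without NETLOGON_NEG_SUPPORTS_AES: this test exercises the non-AES (RC4) SetPassword2 encryption path. */`. I am inferring that reason from the test names only, so please confirm it against the test body, which continues outside the hunk.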
@@ -1603,7 +1603,7 @@ static bool test_SetPassword2_maximum_length_password(
        struct netr_CryptPassword new_password;
        struct dcerpc_pipe *p = NULL;
        struct dcerpc_binding_handle *b = NULL;
-       uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
        DATA_BLOB new_random_pass = data_blob_null;
 
        if (!test_SetupCredentials2(
@@ -1686,7 +1686,7 @@ static bool test_SetPassword2_all_zero_password(
        struct netr_CryptPassword new_password;
        struct dcerpc_pipe *p = NULL;
        struct dcerpc_binding_handle *b = NULL;
-       uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
 
        if (!test_SetupCredentials2(
                p1,
@@ -4046,7 +4046,7 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
        struct dcerpc_pipe *p = NULL;
        struct dcerpc_binding_handle *b = NULL;
 
-       if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+       if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
                                    machine_credentials, &creds)) {
                return false;
        }
@@ -4985,7 +4985,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
 
        torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
 
-       if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+       if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
                                    machine_credentials, &creds)) {
                return false;
        }
@@ -5562,7 +5562,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
 
        torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
 
-       if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+       if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
                                    machine_credentials, &creds)) {
                return false;
        }
index 39e43e5fcdbe61cbe8fd3993db5043815f61abc6..36eabdc488d9e7078ee52bcf978c662a366892a9 100644 (file)
@@ -1071,7 +1071,7 @@ static bool auth2(struct torture_context *tctx,
                goto done;
        }
 
-       negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
        E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
 
        a.in.server_name = talloc_asprintf(
@@ -1260,10 +1260,19 @@ static bool schan(struct torture_context *tctx,
                E_md4hash(cli_credentials_get_password(user_creds),
                          pinfo.ntpassword.hash);
 
-               netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16);
-
                logon.password = &pinfo;
 
+               /*
+                * We don't use this here:
+                *
+                * netlogon_creds_encrypt_samlogon_logon(creds_state,
+                *                                       NetlogonInteractiveInformation,
+                *                                       &logon);
+                *
+                * in order to detect bugs
+                */
+               netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16);
+
                r.in.logon_level = NetlogonInteractiveInformation;
                r.in.logon = &logon;
                r.out.return_authenticator = &return_authenticator;
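Review bot: The new `netlogon_creds_aes_encrypt()` call at line 185 hard-codes AES for the interactive-logon password, so it is only correct while creds_state was negotiated with NETLOGON_NEG_SUPPORTS_AES, which this commit's auth2() hunk now requests but which the hunk does not show being checked against the flags the server returned. The comment above it explains that the generic helper is bypassed but not this coupling; I would extend it with `* This hard-codes AES and therefore depends on auth2() having negotiated NETLOGON_NEG_SUPPORTS_AES; if the negotiated flags drop AES the server cannot decrypt the password and the test fails for the wrong reason.` The literal 16 at line 185 is the size of pinfo.ntpassword.hash, so `sizeof(pinfo.ntpassword.hash)` would tie the length to the field. schan() continues on both sides of the hunk.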