CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with AES256...
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 24 Nov 2022 22:48:59 +0000 (11:48 +1300)
committerStefan Metzmacher <metze@samba.org>
Tue, 13 Dec 2022 23:48:48 +0000 (00:48 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[This is 4.15 only]

selftest/knownfail_heimdal_kdc
source4/torture/rpc/lsa.c

index a8315d965e8ecc4e20be44af93088c1bf42157ba..3796ac6f6df9d50c93071fa3279ebd292003563c 100644 (file)
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rc4.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_lifetime_tgs.ad_dc
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rc4_client_checksum.ad_dc_default:local
+#
+# LSA tests
+#
+^samba4.rpc.lsa.trusted.domains with .lsa.TrustedDomains.ad_dc_default
+^samba4.rpc.lsa.trusted.domains with bigendian.lsa.TrustedDomains.ad_dc_default
+^samba4.rpc.lsa.trusted.domains with validate.lsa.TrustedDomains.ad_dc_default
index 453a55562bc4400eb17263394b54be28ddc94bdd..98444ce3678d782357b04efd77ff3427d9e071ba 100644 (file)
@@ -3217,8 +3217,8 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
        const char *error_string = NULL;
        const char *workstation = cli_credentials_get_workstation(credentials);
        const char *password = cli_credentials_get_password(credentials);
-       const struct samr_Password *nthash = NULL;
-       const struct samr_Password *old_nthash = NULL;
+       DATA_BLOB aes256_key;
+       const char *salt = NULL;
        const char *old_password = cli_credentials_get_old_password(credentials);
        int kvno = cli_credentials_get_kvno(credentials);
        int expected_kvno = 0;
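Review bot: `DATA_BLOB aes256_key;` on the second added line is the only declaration in this block left uninitialized, while the neighbouring `salt` is given `= NULL` on the next line. Initializing it as `DATA_BLOB aes256_key = data_blob_null;` follows the same pattern and keeps the blob safe to hand to data_blob_free() should an early exit ever be introduced between its declaration and its later assignment. check_pw_with_krb5's body continues outside the hunk.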
@@ -3250,8 +3250,8 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
        realm = cli_credentials_get_realm(credentials);
        trusted_realm_name = strupper_talloc(tctx, trusted_dns_name);
 
-       nthash = cli_credentials_get_nt_hash(credentials, ctx);
-       old_nthash = cli_credentials_get_old_nt_hash(credentials, ctx);
+       salt = talloc_asprintf(ctx, "%skrbtgt%s", realm, trusted_realm_name);
+       torture_assert(tctx, salt != NULL, "Failed to create salt");
 
        k5ret = smb_krb5_init_context(ctx, tctx->lp_ctx, &ctx->smb_krb5_context);
        torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");
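Review bot: `trusted_realm_name`, produced by strupper_talloc() two lines above the new salt line, is passed to `%s` in talloc_asprintf() without a NULL check, whereas the resulting `salt` is checked immediately afterwards; unless it is validated elsewhere in the function, add `torture_assert(tctx, trusted_realm_name != NULL, "strupper_talloc failed");` before building the salt. A short comment on why the salt has this shape would also help a reader, e.g. `/* Default Kerberos salt: the realm followed by the principal name components, here krbtgt/<trusted realm> */`. check_pw_with_krb5 starts and ends outside the hunk.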
@@ -3596,23 +3596,35 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
        }
        torture_assert_int_equal(tctx, t_kvno, expected_kvno, assertion_message);
 
-       if (old_nthash != NULL && expected_kvno != kvno) {
-               torture_comment(tctx, "old_nthash: %s\n", assertion_message);
-               k5ret = smb_krb5_keyblock_init_contents(ctx->smb_krb5_context->krb5_context,
-                                                       ENCTYPE_ARCFOUR_HMAC,
-                                                       old_nthash->hash,
-                                                       sizeof(old_nthash->hash),
-                                                       &ctx->krbtgt_referral_keyblock);
-               torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+       if (old_password != NULL && expected_kvno != kvno) {
+               torture_comment(tctx, "old_password: %s\n", assertion_message);
+
+               k5ret = cli_credentials_get_aes256_key(credentials, ctx, tctx->lp_ctx,
+                                                      old_password, salt,
+                                                      &aes256_key);
+               torture_assert_int_equal(tctx, k5ret, 0, "cli_credentials_get_aes256_key failed");
        } else {
-               torture_comment(tctx, "nthash: %s\n", assertion_message);
-               k5ret = smb_krb5_keyblock_init_contents(ctx->smb_krb5_context->krb5_context,
-                                                       ENCTYPE_ARCFOUR_HMAC,
-                                                       nthash->hash,
-                                                       sizeof(nthash->hash),
-                                                       &ctx->krbtgt_referral_keyblock);
-               torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+               torture_comment(tctx, "password: %s\n", assertion_message);
+
+               k5ret = cli_credentials_get_aes256_key(credentials, ctx, tctx->lp_ctx,
+                                                      password, salt,
+                                                      &aes256_key);
+               torture_assert_int_equal(tctx, k5ret, 0, "cli_credentials_get_aes256_key failed");
        }
+
+       k5ret = smb_krb5_keyblock_init_contents(ctx->smb_krb5_context->krb5_context,
+                                               ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+                                               aes256_key.data,
+                                               aes256_key.length,
+                                               &ctx->krbtgt_referral_keyblock);
+       data_blob_free(&aes256_key);
+       torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+
+       torture_assert_int_equal(tctx,
+                                ctx->krbtgt_referral_keyblock.keytype,
+                                ctx->krbtgt_referral_ticket.enc_part.etype,
+                                "Key encryption type does not match enc-part encryption type");
+
        k5ret = krb5_decrypt_ticket(ctx->smb_krb5_context->krb5_context,
                                    &ctx->krbtgt_referral_ticket,
                                    &ctx->krbtgt_referral_keyblock,