samba/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch

From 404ce08e9088968311c714e756f5d58ce2cef715 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 15 Jul 2023 17:25:05 +0200
Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check
 netr_LogonGetCapabilities with different levels

The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
for unsupported query_levels, we allow it to work with servers
with or without support for query_level=2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 .../knownfail.d/netr_LogonGetCapabilities     |  3 +
 source4/torture/rpc/netlogon.c                | 77 ++++++++++++++++++-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities

diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
new file mode 100644
index 00000000000..30aadf3bb9d
--- /dev/null
+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
@@ -0,0 +1,3 @@
+^samba3.rpc.schannel.*\.schannel\(nt4_dc
+^samba3.rpc.schannel.*\.schannel\(ad_dc
+^samba4.rpc.schannel.*\.schannel\(ad_dc
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 1f068eb7826..a3d190f13dd 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
 	r.out.capabilities = &capabilities;
 	r.out.return_authenticator = &return_auth;
 
-	torture_comment(tctx, "Testing LogonGetCapabilities\n");
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
 
+	r.in.query_level = 0;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
+				      "LogonGetCapabilities query_level=0 failed");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
+
+	r.in.query_level = 3;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
+				      "LogonGetCapabilities query_level=0 failed");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
+
+	r.in.query_level = 1;
 	ZERO_STRUCT(return_auth);
 
 	/*
@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
 
 	*creds = tmp_creds;
 
+	torture_assert(tctx, netlogon_creds_client_check(creds,
+							 &r.out.return_authenticator->cred),
+		       "Credential chaining failed");
+
+	torture_assert_int_equal(tctx, creds->negotiate_flags,
+				 capabilities.server_capabilities,
+				 "negotiate flags");
+
+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
+
+	r.in.query_level = 2;
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities with
+	 * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
+		/*
+		 * an server without KB5028166 returns
+		 * DCERPC_NCA_S_FAULT_INVALID_TAG =>
+		 * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+		 */
+		return true;
+	}
+	torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
+
+	*creds = tmp_creds;
+
 	torture_assert(tctx, netlogon_creds_client_check(creds,
 							 &r.out.return_authenticator->cred),
 		       "Credential chaining failed");
-- 
2.39.3
- Fix CVE-2023-3347 - netlogon: add support for netr_LogonGetCapabilities response level 2 2023-08-03 07:35:16 +00:00			`From 404ce08e9088968311c714e756f5d58ce2cef715 Mon Sep 17 00:00:00 2001`
			`From: Stefan Metzmacher <metze@samba.org>`
			`Date: Sat, 15 Jul 2023 17:25:05 +0200`
			`Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check`
			`netr_LogonGetCapabilities with different levels`

			`The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG`
			`for unsupported query_levels, we allow it to work with servers`
			`with or without support for query_level=2.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418`

			`Signed-off-by: Stefan Metzmacher <metze@samba.org>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`
			`---`
			`.../knownfail.d/netr_LogonGetCapabilities \| 3 +`
			`source4/torture/rpc/netlogon.c \| 77 ++++++++++++++++++-`
			`2 files changed, 79 insertions(+), 1 deletion(-)`
			`create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities`

			`diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities`
			`new file mode 100644`
			`index 00000000000..30aadf3bb9d`
			`--- /dev/null`
			`+++ b/selftest/knownfail.d/netr_LogonGetCapabilities`
			`@@ -0,0 +1,3 @@`
			`+^samba3.rpc.schannel.*\.schannel\(nt4_dc`
			`+^samba3.rpc.schannel.*\.schannel\(ad_dc`
			`+^samba4.rpc.schannel.*\.schannel\(ad_dc`
			`diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c`
			`index 1f068eb7826..a3d190f13dd 100644`
			`--- a/source4/torture/rpc/netlogon.c`
			`+++ b/source4/torture/rpc/netlogon.c`
			`@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe p, struct torture_context t`
			`r.out.capabilities = &capabilities;`
			`r.out.return_authenticator = &return_auth;`

			`- torture_comment(tctx, "Testing LogonGetCapabilities\n");`
			`+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");`

			`+ r.in.query_level = 0;`
			`+ ZERO_STRUCT(return_auth);`
			`+`
			`+ /*`
			`+ * we need to operate on a temporary copy of creds`
			`+ * because dcerpc_netr_LogonGetCapabilities with`
			`+ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG`
			`+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE`
			`+ * without looking a the authenticator.`
			`+ */`
			`+ tmp_creds = *creds;`
			`+ netlogon_creds_client_authenticator(&tmp_creds, &auth);`
			`+`
			`+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);`
			`+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,`
			`+ "LogonGetCapabilities query_level=0 failed");`
			`+`
			`+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");`
			`+`
			`+ r.in.query_level = 3;`
			`+ ZERO_STRUCT(return_auth);`
			`+`
			`+ /*`
			`+ * we need to operate on a temporary copy of creds`
			`+ * because dcerpc_netr_LogonGetCapabilities with`
			`+ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG`
			`+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE`
			`+ * without looking a the authenticator.`
			`+ */`
			`+ tmp_creds = *creds;`
			`+ netlogon_creds_client_authenticator(&tmp_creds, &auth);`
			`+`
			`+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);`
			`+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,`
			`+ "LogonGetCapabilities query_level=0 failed");`
			`+`
			`+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");`
			`+`
			`+ r.in.query_level = 1;`
			`ZERO_STRUCT(return_auth);`

			`/*`
			`@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe p, struct torture_context t`

			`*creds = tmp_creds;`

			`+ torture_assert(tctx, netlogon_creds_client_check(creds,`
			`+ &r.out.return_authenticator->cred),`
			`+ "Credential chaining failed");`
			`+`
			`+ torture_assert_int_equal(tctx, creds->negotiate_flags,`
			`+ capabilities.server_capabilities,`
			`+ "negotiate flags");`
			`+`
			`+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");`
			`+`
			`+ r.in.query_level = 2;`
			`+ ZERO_STRUCT(return_auth);`
			`+`
			`+ /*`
			`+ * we need to operate on a temporary copy of creds`
			`+ * because dcerpc_netr_LogonGetCapabilities with`
			`+ * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG`
			`+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE`
			`+ * without looking a the authenticator.`
			`+ */`
			`+ tmp_creds = *creds;`
			`+ netlogon_creds_client_authenticator(&tmp_creds, &auth);`
			`+`
			`+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);`
			`+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {`
			`+ /*`
			`+ * an server without KB5028166 returns`
			`+ * DCERPC_NCA_S_FAULT_INVALID_TAG =>`
			`+ * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE`
			`+ */`
			`+ return true;`
			`+ }`
			`+ torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");`
			`+`
			`+ *creds = tmp_creds;`
			`+`
			`torture_assert(tctx, netlogon_creds_client_check(creds,`
			`&r.out.return_authenticator->cred),`
			`"Credential chaining failed");`
			`--`
			`2.39.3`