samba/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch

From a9a2b182df738fd283f820e162d189d20010ad63 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 20 Jun 2023 12:46:31 +0200
Subject: [PATCH 1/5] CVE-2023-3347: CI: add a test for server-side mandatory
 signing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow@samba.org>
---
 .../samba3.smb2.session-require-signing       |  1 +
 selftest/target/Samba3.pm                     |  1 +
 source3/selftest/tests.py                     |  2 +
 source4/torture/smb2/session.c                | 64 +++++++++++++++++++
 source4/torture/smb2/smb2.c                   |  1 +
 5 files changed, 69 insertions(+)
 create mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing

diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
new file mode 100644
index 00000000000..53b7a7022a8
--- /dev/null
+++ b/selftest/knownfail.d/samba3.smb2.session-require-signing
@@ -0,0 +1 @@
+^samba3.smb2.session-require-signing.bug15397
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index d9e17473615..b4c3c130e9a 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1294,6 +1294,7 @@ sub setup_ad_member_idmap_rid
 	# values required for tests to succeed
 	create krb5 conf = no
         map to guest = bad user
+	server signing = required
 ";
 
 	my $ret = $self->provision(
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index b069630605a..d2b5409d0a9 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1097,6 +1097,8 @@ for t in tests:
         # Certain tests fail when run against ad_member with MIT kerberos because the private krb5.conf overrides the provisioned lib/krb5.conf,
         # ad_member_idmap_rid sets "create krb5.conf = no"
         plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5')
+    elif t == "smb2.session-require-signing":
+        plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER_IP/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD')
     elif t == "rpc.lsa":
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')
         plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 51df51542d4..823304f190f 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -5498,3 +5498,67 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
 
 	return suite;
 }
+
+static bool test_session_require_sign_bug15397(struct torture_context *tctx,
+					       struct smb2_tree *_tree)
+{
+	const char *host = torture_setting_string(tctx, "host", NULL);
+	const char *share = torture_setting_string(tctx, "share", NULL);
+	struct cli_credentials *_creds = samba_cmdline_get_creds();
+	struct cli_credentials *creds = NULL;
+	struct smbcli_options options;
+	struct smb2_tree *tree = NULL;
+	uint8_t security_mode;
+	NTSTATUS status;
+	bool ok = true;
+
+	/*
+	 * Setup our own connection so we can control the signing flags
+	 */
+
+	creds = cli_credentials_shallow_copy(tctx, _creds);
+	torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy");
+
+	options = _tree->session->transport->options;
+	options.client_guid = GUID_random();
+	options.signing = SMB_SIGNING_IF_REQUIRED;
+
+	status = smb2_connect(tctx,
+			      host,
+			      lpcfg_smb_ports(tctx->lp_ctx),
+			      share,
+			      lpcfg_resolve_context(tctx->lp_ctx),
+			      creds,
+			      &tree,
+			      tctx->ev,
+			      &options,
+			      lpcfg_socket_options(tctx->lp_ctx),
+			      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
+	torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
+					"smb2_connect failed");
+
+	security_mode = smb2cli_session_security_mode(tree->session->smbXcli);
+
+	torture_assert_int_equal_goto(
+		tctx,
+		security_mode,
+		SMB2_NEGOTIATE_SIGNING_REQUIRED | SMB2_NEGOTIATE_SIGNING_ENABLED,
+		ok,
+		done,
+		"Signing not required");
+
+done:
+	return ok;
+}
+
+struct torture_suite *torture_smb2_session_req_sign_init(TALLOC_CTX *ctx)
+{
+	struct torture_suite *suite =
+	    torture_suite_create(ctx, "session-require-signing");
+
+	torture_suite_add_1smb2_test(suite, "bug15397",
+				     test_session_require_sign_bug15397);
+
+	suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests");
+	return suite;
+}
diff --git a/source4/torture/smb2/smb2.c b/source4/torture/smb2/smb2.c
index c595b108ce8..5b6477e47bc 100644
--- a/source4/torture/smb2/smb2.c
+++ b/source4/torture/smb2/smb2.c
@@ -189,6 +189,7 @@ NTSTATUS torture_smb2_init(TALLOC_CTX *ctx)
 	torture_suite_add_suite(suite, torture_smb2_sharemode_init(suite));
 	torture_suite_add_1smb2_test(suite, "hold-oplock", test_smb2_hold_oplock);
 	torture_suite_add_suite(suite, torture_smb2_session_init(suite));
+	torture_suite_add_suite(suite, torture_smb2_session_req_sign_init(suite));
 	torture_suite_add_suite(suite, torture_smb2_replay_init(suite));
 	torture_suite_add_simple_test(suite, "dosmode", torture_smb2_dosmode);
 	torture_suite_add_simple_test(suite, "async_dosmode", torture_smb2_async_dosmode);
-- 
2.39.3
- Fix CVE-2023-3347 - netlogon: add support for netr_LogonGetCapabilities response level 2 2023-08-03 07:35:16 +00:00			`From a9a2b182df738fd283f820e162d189d20010ad63 Mon Sep 17 00:00:00 2001`
			`From: Ralph Boehme <slow@samba.org>`
			`Date: Tue, 20 Jun 2023 12:46:31 +0200`
			`Subject: [PATCH 1/5] CVE-2023-3347: CI: add a test for server-side mandatory`
			`signing`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397`

			`Signed-off-by: Ralph Boehme <slow@samba.org>`
			`---`
			`.../samba3.smb2.session-require-signing \| 1 +`
			`selftest/target/Samba3.pm \| 1 +`
			`source3/selftest/tests.py \| 2 +`
			`source4/torture/smb2/session.c \| 64 +++++++++++++++++++`
			`source4/torture/smb2/smb2.c \| 1 +`
			`5 files changed, 69 insertions(+)`
			`create mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing`

			`diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing`
			`new file mode 100644`
			`index 00000000000..53b7a7022a8`
			`--- /dev/null`
			`+++ b/selftest/knownfail.d/samba3.smb2.session-require-signing`
			`@@ -0,0 +1 @@`
			`+^samba3.smb2.session-require-signing.bug15397`
			`diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm`
			`index d9e17473615..b4c3c130e9a 100755`
			`--- a/selftest/target/Samba3.pm`
			`+++ b/selftest/target/Samba3.pm`
			`@@ -1294,6 +1294,7 @@ sub setup_ad_member_idmap_rid`
			`# values required for tests to succeed`
			`create krb5 conf = no`
			`map to guest = bad user`
			`+ server signing = required`
			`";`

			`my $ret = $self->provision(`
			`diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py`
			`index b069630605a..d2b5409d0a9 100755`
			`--- a/source3/selftest/tests.py`
			`+++ b/source3/selftest/tests.py`
			`@@ -1097,6 +1097,8 @@ for t in tests:`
			`# Certain tests fail when run against ad_member with MIT kerberos because the private krb5.conf overrides the provisioned lib/krb5.conf,`
			`# ad_member_idmap_rid sets "create krb5.conf = no"`
			`plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5')`
			`+ elif t == "smb2.session-require-signing":`
			`+ plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER_IP/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD')`
			`elif t == "rpc.lsa":`
			`plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')`
			`plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')`
			`diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c`
			`index 51df51542d4..823304f190f 100644`
			`--- a/source4/torture/smb2/session.c`
			`+++ b/source4/torture/smb2/session.c`
			`@@ -5498,3 +5498,67 @@ struct torture_suite torture_smb2_session_init(TALLOC_CTX ctx)`

			`return suite;`
			`}`
			`+`
			`+static bool test_session_require_sign_bug15397(struct torture_context *tctx,`
			`+ struct smb2_tree *_tree)`
			`+{`
			`+ const char *host = torture_setting_string(tctx, "host", NULL);`
			`+ const char *share = torture_setting_string(tctx, "share", NULL);`
			`+ struct cli_credentials *_creds = samba_cmdline_get_creds();`
			`+ struct cli_credentials *creds = NULL;`
			`+ struct smbcli_options options;`
			`+ struct smb2_tree *tree = NULL;`
			`+ uint8_t security_mode;`
			`+ NTSTATUS status;`
			`+ bool ok = true;`
			`+`
			`+ /*`
			`+ * Setup our own connection so we can control the signing flags`
			`+ */`
			`+`
			`+ creds = cli_credentials_shallow_copy(tctx, _creds);`
			`+ torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy");`
			`+`
			`+ options = _tree->session->transport->options;`
			`+ options.client_guid = GUID_random();`
			`+ options.signing = SMB_SIGNING_IF_REQUIRED;`
			`+`
			`+ status = smb2_connect(tctx,`
			`+ host,`
			`+ lpcfg_smb_ports(tctx->lp_ctx),`
			`+ share,`
			`+ lpcfg_resolve_context(tctx->lp_ctx),`
			`+ creds,`
			`+ &tree,`
			`+ tctx->ev,`
			`+ &options,`
			`+ lpcfg_socket_options(tctx->lp_ctx),`
			`+ lpcfg_gensec_settings(tctx, tctx->lp_ctx));`
			`+ torture_assert_ntstatus_ok_goto(tctx, status, ok, done,`
			`+ "smb2_connect failed");`
			`+`
			`+ security_mode = smb2cli_session_security_mode(tree->session->smbXcli);`
			`+`
			`+ torture_assert_int_equal_goto(`
			`+ tctx,`
			`+ security_mode,`
			`+ SMB2_NEGOTIATE_SIGNING_REQUIRED \| SMB2_NEGOTIATE_SIGNING_ENABLED,`
			`+ ok,`
			`+ done,`
			`+ "Signing not required");`
			`+`
			`+done:`
			`+ return ok;`
			`+}`
			`+`
			`+struct torture_suite torture_smb2_session_req_sign_init(TALLOC_CTX ctx)`
			`+{`
			`+ struct torture_suite *suite =`
			`+ torture_suite_create(ctx, "session-require-signing");`
			`+`
			`+ torture_suite_add_1smb2_test(suite, "bug15397",`
			`+ test_session_require_sign_bug15397);`
			`+`
			`+ suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests");`
			`+ return suite;`
			`+}`
			`diff --git a/source4/torture/smb2/smb2.c b/source4/torture/smb2/smb2.c`
			`index c595b108ce8..5b6477e47bc 100644`
			`--- a/source4/torture/smb2/smb2.c`
			`+++ b/source4/torture/smb2/smb2.c`
			`@@ -189,6 +189,7 @@ NTSTATUS torture_smb2_init(TALLOC_CTX *ctx)`
			`torture_suite_add_suite(suite, torture_smb2_sharemode_init(suite));`
			`torture_suite_add_1smb2_test(suite, "hold-oplock", test_smb2_hold_oplock);`
			`torture_suite_add_suite(suite, torture_smb2_session_init(suite));`
			`+ torture_suite_add_suite(suite, torture_smb2_session_req_sign_init(suite));`
			`torture_suite_add_suite(suite, torture_smb2_replay_init(suite));`
			`torture_suite_add_simple_test(suite, "dosmode", torture_smb2_dosmode);`
			`torture_suite_add_simple_test(suite, "async_dosmode", torture_smb2_async_dosmode);`
			`--`
			`2.39.3`