s4:torture/smb2: add smb2.session.ntlmssp_bug14932 test

This demonstrates that an invalid av_pair in NTLMv2_CLIENT_CHALLENGE
should result in NT_STATUS_INVALID_PARAMETER at the NTLMSSP layer.

This is different from the netr_LogonSamLogon*() case, where it is
ignored instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/selftest/knownfail.d/smb2.session.tmp b/selftest/knownfail.d/smb2.session.tmp
new file mode 100644 (file)
index 0000000..ef6a0d5
--- /dev/null
+++ b/selftest/knownfail.d/smb2.session.tmp
@@ -0,0 +1,5 @@
+^samba3.smb2.session.plain.ntlmssp_bug14932\(nt4_dc\)
+^samba3.smb2.session.enc.ntlmssp_bug14932\(nt4_dc\)
+^samba3.smb2.session.ntlm.ntlmssp_bug14932\(ad_dc\)
+^samba3.smb2.session.krb5.ntlmssp_bug14932\(ad_dc\)
+^samba3.smb2.session.krb5.ntlmssp_bug14932\(ad_member_idmap_rid\)

diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 1bf8f83efcc8ffa849fc79c44378faebe63a5e70..fdfd947d5e3759ecf89b53b22f77a04381b7ec3a 100644 (file)
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -5371,6 +5371,56 @@ static bool test_session_encryption_aes_256_gcm(struct torture_context *tctx, st
        return ret;
 }
 
+static bool test_session_ntlmssp_bug14932(struct torture_context *tctx, struct smb2_tree *tree)
+{
+       struct cli_credentials *ntlm_creds =
+               cli_credentials_shallow_copy(tctx, samba_cmdline_get_creds());
+       NTSTATUS status;
+       bool ret = true;
+       /*
+        * This is a NTLMv2_RESPONSE with the strange
+        * NTLMv2_CLIENT_CHALLENGE used by the net diag
+        * tool.
+        *
+        * As we expect an error anyway we fill the
+        * Response part with 0xab...
+        */
+       static const char *netapp_magic =
+               "\xab\xab\xab\xab\xab\xab\xab\xab"
+               "\xab\xab\xab\xab\xab\xab\xab\xab"
+               "\x01\x01\x00\x00\x00\x00\x00\x00"
+               "\x3f\x3f\x3f\x3f\x3f\x3f\x3f\x3f"
+               "\xb8\x82\x3a\xf1\xb3\xdd\x08\x15"
+               "\x00\x00\x00\x00\x11\xa2\x08\x81"
+               "\x50\x38\x22\x78\x2b\x94\x47\xfe"
+               "\x54\x94\x7b\xff\x17\x27\x5a\xb4"
+               "\xf4\x18\xba\xdc\x2c\x38\xfd\x5b"
+               "\xfb\x0e\xc1\x85\x1e\xcc\x92\xbb"
+               "\x9b\xb1\xc4\xd5\x53\x14\xff\x8c"
+               "\x76\x49\xf5\x45\x90\x19\xa2";
+       DATA_BLOB lm_response = data_blob_talloc_zero(tctx, 24);
+       DATA_BLOB lm_session_key = data_blob_talloc_zero(tctx, 16);
+       DATA_BLOB nt_response = data_blob_const(netapp_magic, 95);
+       DATA_BLOB nt_session_key = data_blob_talloc_zero(tctx, 16);
+
+       cli_credentials_set_kerberos_state(ntlm_creds,
+                                          CRED_USE_KERBEROS_DISABLED,
+                                          CRED_SPECIFIED);
+       cli_credentials_set_ntlm_response(ntlm_creds,
+                                         &lm_response,
+                                         &lm_session_key,
+                                         &nt_response,
+                                         &nt_session_key,
+                                         CRED_SPECIFIED);
+       status = smb2_session_setup_spnego(tree->session,
+                                          ntlm_creds,
+                                          0 /* previous_session_id */);
+       torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER,
+                                     "smb2_session_setup_spnego failed");
+
+       return ret;
+}
+
 struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
 {
        struct torture_suite *suite =
@@ -5442,6 +5492,7 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
        torture_suite_add_1smb2_test(suite, "encryption-aes-128-gcm", test_session_encryption_aes_128_gcm);
        torture_suite_add_1smb2_test(suite, "encryption-aes-256-ccm", test_session_encryption_aes_256_ccm);
        torture_suite_add_1smb2_test(suite, "encryption-aes-256-gcm", test_session_encryption_aes_256_gcm);
+       torture_suite_add_1smb2_test(suite, "ntlmssp_bug14932", test_session_ntlmssp_bug14932);
 
        suite->description = talloc_strdup(suite, "SMB2-SESSION tests");