From 1666d1d74dec3978837ab49f8749d59c0abcf595 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 28 Oct 2024 12:58:11 +0100
Subject: [PATCH] s4:torture/rpc: make use of netlogon_creds_encrypt_samlogon_logon()

This will make it easier to catch all places where we need to implement the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher
Reviewed-by: Douglas Bagnall
---
 source4/torture/rpc/remote_pac.c | 42 ++++++++++++++++++++------------
 source4/torture/rpc/samlogon.c | 20 +++++++++------
 source4/torture/rpc/samr.c | 21 ++++++++--------
 3 files changed, 50 insertions(+), 33 deletions(-)

diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 8f4ee2bbc44..66896218164 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -406,6 +406,9 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 struct dcerpc_binding_handle *b = NULL;
 enum ndr_err_code ndr_err;
 DATA_BLOB payload, pac_wrapped;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+ NTSTATUS status;
 if (!test_SetupCredentials2(p1, tctx, negotiate_flags, server_creds, secure_channel_type,
@@ -437,11 +440,6 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
 torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
- } else {
- netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
- }
 generic.length = pac_wrapped.length;
 generic.data = pac_wrapped.data;
@@ -471,6 +469,14 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 r.out.authoritative = &authoritative;
 r.out.return_authenticator = &return_authenticator;
+ dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
+ status = netlogon_creds_encrypt_samlogon_logon(creds,
+ r.in.logon_level,
+ r.in.logon,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
+
 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r), "LogonSamLogon failed");
@@ -546,11 +552,6 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
 torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
- } else {
- netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
- }
 generic.length = pac_wrapped.length;
 generic.data = pac_wrapped.data;
@@ -567,6 +568,14 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 r.in.computer_name = cli_credentials_get_workstation(server_creds);
 r.in.validation_level = NetlogonValidationGenericInfo2;
+ dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
+ status = netlogon_creds_encrypt_samlogon_logon(creds,
+ r.in.logon_level,
+ r.in.logon,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
+
 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r), "LogonSamLogon failed");
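Review bot: The same seven-line sequence — dcerpc_binding_handle_auth_info(), netlogon_creds_encrypt_samlogon_logon() on r.in.logon_level/r.in.logon, then torture_assert_ntstatus_ok() — is now pasted three times inside netlogon_validate_pac (this hunk, @@ -567 and @@ -619), and `b` does not change between the three call sites. A small static helper taking `b`, `creds` and `&r` reduces each site to `if (!torture_encrypt_samlogon_logon(tctx, b, creds, &r)) { return false; }` and gives one place to adjust when the netr_ServerAuthenticateKerberos logic the commit message mentions lands. netlogon_validate_pac starts and ends outside the hunk, so the helper would go above it at file scope.
```c
/* Encrypt the logon data r->in.logon refers to for the auth type/level
 * negotiated on b; fails the torture test (returns false) on error. */
static bool torture_encrypt_samlogon_logon(struct torture_context *tctx,
					   struct dcerpc_binding_handle *b,
					   struct netlogon_creds_CredentialState *creds,
					   struct netr_LogonSamLogon *r)
{
	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
	NTSTATUS status;

	dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
	status = netlogon_creds_encrypt_samlogon_logon(creds,
						       r->in.logon_level,
						       r->in.logon,
						       auth_type,
						       auth_level);
	torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
	return true;
}
```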
@@ -598,11 +607,6 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
 torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
- } else {
- netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
- }
 generic.length = pac_wrapped.length;
 generic.data = pac_wrapped.data;
@@ -619,6 +623,14 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 r.in.computer_name = cli_credentials_get_workstation(server_creds);
 r.in.validation_level = NetlogonValidationGenericInfo2;
+ dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
+ status = netlogon_creds_encrypt_samlogon_logon(creds,
+ r.in.logon_level,
+ r.in.logon,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
+
 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r), "LogonSamLogon failed");
diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
index a9f8ff5b5b6..57768aeb411 100644
--- a/source4/torture/rpc/samlogon.c
+++ b/source4/torture/rpc/samlogon.c
@@ -1551,6 +1551,10 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 union netr_Validation validation;
 uint8_t authoritative = 1;
 struct dcerpc_binding_handle *b = p->binding_handle;
+ enum dcerpc_AuthType auth_type;
+ enum dcerpc_AuthLevel auth_level;
+
+ dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
 ZERO_STRUCT(a);
 ZERO_STRUCT(r);
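Review bot: `auth_type` and `auth_level` are declared without initializers in test_InteractiveLogon, while the same pair added to remote_pac.c and samr.c in this patch starts as DCERPC_AUTH_TYPE_NONE / DCERPC_AUTH_LEVEL_NONE. dcerpc_binding_handle_auth_info() is called on the next line, so this is presumably fine today, but it makes the values' validity depend on the callee always writing both out-parameters, and the three files would read alike with `enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;` and `enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;`. test_InteractiveLogon continues past the end of the hunk.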
@@ -1586,13 +1590,15 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 }
 E_md4hash(plain_pass, pinfo.ntpassword.hash);
- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16);
- netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16);
- } else {
- netlogon_creds_des_encrypt(creds, &pinfo.lmpassword);
- netlogon_creds_des_encrypt(creds, &pinfo.ntpassword);
- }
+ status = netlogon_creds_encrypt_samlogon_logon(creds,
+ r.in.logon_level,
+ r.in.logon,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok_goto(tctx,
+ status,
+ ret, failed,
+ "netlogon_creds_encrypt_samlogon_logon");
 torture_comment(tctx, "Testing netr_LogonSamLogonWithFlags '%s' (Interactive Logon)\n", comment);
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 302126e02c4..981196a8123 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -3607,6 +3607,8 @@ static bool test_SamLogon(struct torture_context *tctx,
 struct netlogon_creds_CredentialState *creds;
 struct netr_Authenticator a;
 struct dcerpc_binding_handle *b = p->binding_handle;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
 torture_assert(tctx, (creds = cli_credentials_get_netlogon_creds(machine_credentials)), "");
@@ -3636,17 +3638,6 @@ static bool test_SamLogon(struct torture_context *tctx,
 }
 E_md4hash(cli_credentials_get_password(test_credentials), pinfo.ntpassword.hash);
- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- netlogon_creds_aes_encrypt(creds, pinfo.lmpassword.hash, 16);
- netlogon_creds_aes_encrypt(creds, pinfo.ntpassword.hash, 16);
- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16);
- netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16);
- } else {
- netlogon_creds_des_encrypt(creds, &pinfo.lmpassword);
- netlogon_creds_des_encrypt(creds, &pinfo.ntpassword);
- }
-
 pinfo.identity_info = identity;
 logon.password = &pinfo;
@@ -3693,6 +3684,14 @@ static bool test_SamLogon(struct torture_context *tctx,
 r.in.validation_level = 6;
+ dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
+ status = netlogon_creds_encrypt_samlogon_logon(creds,
+ r.in.logon_level,
+ r.in.logon,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
+
 torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r), "netr_LogonSamLogonEx failed");
 if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) {
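Review bot: The encryption in test_SamLogon now goes through r.in.logon_level and r.in.logon instead of touching pinfo directly, so it is only correct after those fields are assigned and after `logon.password = &pinfo` (visible in the earlier hunk, @@ -3636); placing it after r.in.validation_level = 6 looks right, but the r.in.logon assignment itself is outside the hunk. Unlike the removed block, which could sit anywhere after E_md4hash(), this ordering is easy to break in a later edit, so a one-line comment above the call would help: `/* must follow the r.in.logon/logon_level assignments: the helper encrypts through r.in.logon */`. If the NT_STATUS_INVALID_INFO_CLASS branch below re-issues the call with the same r, it reuses the already-encrypted logon as the old code did; the rest of that branch and the end of test_SamLogon are outside the hunk.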