
s4:torture/rpc: make use of netlogon_creds_encrypt_samlogon_logon()

This will make it easier to catch all places where we need to
implement the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Stefan Metzmacher 2024-10-28 12:58:11 +01:00 committed by Douglas Bagnall
parent e92d0509d6
commit 1666d1d74d
3 changed files with 50 additions and 33 deletions


@ -406,6 +406,9 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
struct dcerpc_binding_handle *b = NULL; struct dcerpc_binding_handle *b = NULL;
enum ndr_err_code ndr_err; enum ndr_err_code ndr_err;
DATA_BLOB payload, pac_wrapped; DATA_BLOB payload, pac_wrapped;
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
NTSTATUS status;
if (!test_SetupCredentials2(p1, tctx, negotiate_flags, if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
server_creds, secure_channel_type, server_creds, secure_channel_type,
@ -437,11 +440,6 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
} else {
netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
}
generic.length = pac_wrapped.length; generic.length = pac_wrapped.length;
generic.data = pac_wrapped.data; generic.data = pac_wrapped.data;
@ -471,6 +469,14 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
r.out.authoritative = &authoritative; r.out.authoritative = &authoritative;
r.out.return_authenticator = &return_authenticator; r.out.return_authenticator = &return_authenticator;
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samlogon_logon(creds,
r.in.logon_level,
r.in.logon,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r), torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
"LogonSamLogon failed"); "LogonSamLogon failed");
@ -546,11 +552,6 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
} else {
netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
}
generic.length = pac_wrapped.length; generic.length = pac_wrapped.length;
generic.data = pac_wrapped.data; generic.data = pac_wrapped.data;
@ -567,6 +568,14 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
r.in.computer_name = cli_credentials_get_workstation(server_creds); r.in.computer_name = cli_credentials_get_workstation(server_creds);
r.in.validation_level = NetlogonValidationGenericInfo2; r.in.validation_level = NetlogonValidationGenericInfo2;
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samlogon_logon(creds,
r.in.logon_level,
r.in.logon,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r), torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
"LogonSamLogon failed"); "LogonSamLogon failed");
@ -598,11 +607,6 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
} else {
netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
}
generic.length = pac_wrapped.length; generic.length = pac_wrapped.length;
generic.data = pac_wrapped.data; generic.data = pac_wrapped.data;
@ -619,6 +623,14 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
r.in.computer_name = cli_credentials_get_workstation(server_creds); r.in.computer_name = cli_credentials_get_workstation(server_creds);
r.in.validation_level = NetlogonValidationGenericInfo2; r.in.validation_level = NetlogonValidationGenericInfo2;
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samlogon_logon(creds,
r.in.logon_level,
r.in.logon,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r), torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
"LogonSamLogon failed"); "LogonSamLogon failed");
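Review bot: The same three-statement sequence (`dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);`, the `netlogon_creds_encrypt_samlogon_logon(...)` call, `torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");`) is now pasted four times into netlogon_validate_pac (the hunks at -471, -567, -619 and their siblings), which is the kind of repetition a small file-scope helper would remove, with each caller reduced to `torture_assert(tctx, netlogon_encrypt_samlogon(tctx, b, creds, &r), "encrypt_samlogon_logon");`. The `torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), ...)` precondition is kept in each hunk even though the cipher choice has moved into the helper and now also depends on auth_type/auth_level, so it is worth stating in a comment whether that assert is still a real requirement of the test or just a leftover from the removed AES/RC4 dispatch. netlogon_validate_pac starts and ends outside these hunks, so the helper placement below is only a sketch.
```c
/* Encrypt r->in.logon with creds according to the binding's auth info;
 * returns false (after torture_assert reporting) on failure. */
static bool netlogon_encrypt_samlogon(struct torture_context *tctx,
				      struct dcerpc_binding_handle *b,
				      struct netlogon_creds_CredentialState *creds,
				      struct netr_LogonSamLogon *r)
{
	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
	NTSTATUS status;

	dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
	status = netlogon_creds_encrypt_samlogon_logon(creds,
						       r->in.logon_level,
						       r->in.logon,
						       auth_type,
						       auth_level);
	torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
	return true;
}
/* … unchanged: the four call sites then become one torture_assert() each … */
```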


@ -1551,6 +1551,10 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
union netr_Validation validation; union netr_Validation validation;
uint8_t authoritative = 1; uint8_t authoritative = 1;
struct dcerpc_binding_handle *b = p->binding_handle; struct dcerpc_binding_handle *b = p->binding_handle;
enum dcerpc_AuthType auth_type;
enum dcerpc_AuthLevel auth_level;
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
ZERO_STRUCT(a); ZERO_STRUCT(a);
ZERO_STRUCT(r); ZERO_STRUCT(r);
@ -1586,13 +1590,15 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
} }
E_md4hash(plain_pass, pinfo.ntpassword.hash); E_md4hash(plain_pass, pinfo.ntpassword.hash);
if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { status = netlogon_creds_encrypt_samlogon_logon(creds,
netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16); r.in.logon_level,
netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16); r.in.logon,
} else { auth_type,
netlogon_creds_des_encrypt(creds, &pinfo.lmpassword); auth_level);
netlogon_creds_des_encrypt(creds, &pinfo.ntpassword); torture_assert_ntstatus_ok_goto(tctx,
} status,
ret, failed,
"netlogon_creds_encrypt_samlogon_logon");
torture_comment(tctx, "Testing netr_LogonSamLogonWithFlags '%s' (Interactive Logon)\n", comment); torture_comment(tctx, "Testing netr_LogonSamLogonWithFlags '%s' (Interactive Logon)\n", comment);
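Review bot: `auth_type` and `auth_level` are declared without initializers at the top of test_InteractiveLogon (the -1551 hunk), whereas the other two files in this commit initialize them to `DCERPC_AUTH_TYPE_NONE` / `DCERPC_AUTH_LEVEL_NONE` and query `dcerpc_binding_handle_auth_info()` immediately before the encrypt call rather than at function entry. Aligning this file with the others, `enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;` and `enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;`, keeps the variables defined even if a future edit moves the query, and putting the query next to the encrypt call keeps the two halves of the new sequence together. The `status` variable assigned in the -1586 hunk is not declared in either visible hunk, so presumably it pre-exists in the function; test_InteractiveLogon begins and ends outside the shown hunks.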


@ -3607,6 +3607,8 @@ static bool test_SamLogon(struct torture_context *tctx,
struct netlogon_creds_CredentialState *creds; struct netlogon_creds_CredentialState *creds;
struct netr_Authenticator a; struct netr_Authenticator a;
struct dcerpc_binding_handle *b = p->binding_handle; struct dcerpc_binding_handle *b = p->binding_handle;
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
torture_assert(tctx, (creds = cli_credentials_get_netlogon_creds(machine_credentials)), ""); torture_assert(tctx, (creds = cli_credentials_get_netlogon_creds(machine_credentials)), "");
@ -3636,17 +3638,6 @@ static bool test_SamLogon(struct torture_context *tctx,
} }
E_md4hash(cli_credentials_get_password(test_credentials), pinfo.ntpassword.hash); E_md4hash(cli_credentials_get_password(test_credentials), pinfo.ntpassword.hash);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_encrypt(creds, pinfo.lmpassword.hash, 16);
netlogon_creds_aes_encrypt(creds, pinfo.ntpassword.hash, 16);
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16);
netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16);
} else {
netlogon_creds_des_encrypt(creds, &pinfo.lmpassword);
netlogon_creds_des_encrypt(creds, &pinfo.ntpassword);
}
pinfo.identity_info = identity; pinfo.identity_info = identity;
logon.password = &pinfo; logon.password = &pinfo;
@ -3693,6 +3684,14 @@ static bool test_SamLogon(struct torture_context *tctx,
r.in.validation_level = 6; r.in.validation_level = 6;
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samlogon_logon(creds,
r.in.logon_level,
r.in.logon,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r), torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r),
"netr_LogonSamLogonEx failed"); "netr_LogonSamLogonEx failed");
if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) { if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) {
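Review bot: The in-place encryption of `r.in.logon` has moved from the point where `pinfo` is filled (the removed block in the -3636 hunk) to just before the `validation_level = 6` call in the -3693 hunk, and the `NT_STATUS_INVALID_INFO_CLASS` branch on the last visible line suggests a retry with another validation level follows outside the hunk. If that retry path re-issues `dcerpc_netr_LogonSamLogonEx_r()` with the same `r.in.logon`, it must not call `netlogon_creds_encrypt_samlogon_logon()` a second time, since the password hashes in `pinfo` would then be encrypted twice; I cannot see the retry code, so this is a check rather than a defect. A comment above the new call such as `/* r.in.logon (pinfo hashes) is encrypted in place; do not repeat on retries */` would make the single-shot contract explicit. test_SamLogon continues beyond the hunk.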