s4:torture/rpc: make use of netlogon_creds_encrypt_samlogon_logon()

This will make it easier to catch all places where we need to
implement the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

source4/torture/rpc/remote_pac.c

@@ -406,6 +406,9 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 	struct dcerpc_binding_handle *b = NULL;
 	enum ndr_err_code ndr_err;
 	DATA_BLOB payload, pac_wrapped;
+	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+	NTSTATUS status;
 
 	if (!test_SetupCredentials2(p1, tctx, negotiate_flags,
 				    server_creds, secure_channel_type,
@@ -437,11 +440,6 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 	torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
 
 	torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
-	if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-		netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
-	} else {
-		netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
-	}
 
 	generic.length = pac_wrapped.length;
 	generic.data = pac_wrapped.data;
@@ -471,6 +469,14 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 	r.out.authoritative = &authoritative;
 	r.out.return_authenticator = &return_authenticator;
 
+	dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
+	status = netlogon_creds_encrypt_samlogon_logon(creds,
+						       r.in.logon_level,
+						       r.in.logon,
+						       auth_type,
+						       auth_level);
+	torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
+
 	torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
 		"LogonSamLogon failed");
 
@@ -546,11 +552,6 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 	torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
 
 	torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
-	if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-		netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
-	} else {
-		netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
-	}
 
 	generic.length = pac_wrapped.length;
 	generic.data = pac_wrapped.data;
@@ -567,6 +568,14 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 	r.in.computer_name = cli_credentials_get_workstation(server_creds);
 	r.in.validation_level = NetlogonValidationGenericInfo2;
 
+	dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
+	status = netlogon_creds_encrypt_samlogon_logon(creds,
+						       r.in.logon_level,
+						       r.in.logon,
+						       auth_type,
+						       auth_level);
+	torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
+
 	torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
 		"LogonSamLogon failed");
 
@@ -598,11 +607,6 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 	torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
 
 	torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
-	if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-		netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
-	} else {
-		netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
-	}
 
 	generic.length = pac_wrapped.length;
 	generic.data = pac_wrapped.data;
@@ -619,6 +623,14 @@ static bool netlogon_validate_pac(struct torture_context *tctx,
 	r.in.computer_name = cli_credentials_get_workstation(server_creds);
 	r.in.validation_level = NetlogonValidationGenericInfo2;
 
+	dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
+	status = netlogon_creds_encrypt_samlogon_logon(creds,
+						       r.in.logon_level,
+						       r.in.logon,
+						       auth_type,
+						       auth_level);
+	torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
+
 	torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r),
 		"LogonSamLogon failed");
 

source4/torture/rpc/samlogon.c

@@ -1551,6 +1551,10 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 	union netr_Validation validation;
 	uint8_t authoritative = 1;
 	struct dcerpc_binding_handle *b = p->binding_handle;
+	enum dcerpc_AuthType auth_type;
+	enum dcerpc_AuthLevel auth_level;
+
+	dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
 
 	ZERO_STRUCT(a);
 	ZERO_STRUCT(r);
@@ -1586,13 +1590,15 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 	}
 	E_md4hash(plain_pass, pinfo.ntpassword.hash);
 
-	if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-		netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16);
-		netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16);
-	} else {
-		netlogon_creds_des_encrypt(creds, &pinfo.lmpassword);
-		netlogon_creds_des_encrypt(creds, &pinfo.ntpassword);
-	}
+	status = netlogon_creds_encrypt_samlogon_logon(creds,
+						       r.in.logon_level,
+						       r.in.logon,
+						       auth_type,
+						       auth_level);
+	torture_assert_ntstatus_ok_goto(tctx,
+		status,
+		ret, failed,
+		"netlogon_creds_encrypt_samlogon_logon");
 
 	torture_comment(tctx, "Testing netr_LogonSamLogonWithFlags '%s' (Interactive Logon)\n", comment);
 

source4/torture/rpc/samr.c

@@ -3607,6 +3607,8 @@ static bool test_SamLogon(struct torture_context *tctx,
 	struct netlogon_creds_CredentialState *creds;
 	struct netr_Authenticator a;
 	struct dcerpc_binding_handle *b = p->binding_handle;
+	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
 
 	torture_assert(tctx, (creds = cli_credentials_get_netlogon_creds(machine_credentials)), "");
 
@@ -3636,17 +3638,6 @@ static bool test_SamLogon(struct torture_context *tctx,
 		}
 		E_md4hash(cli_credentials_get_password(test_credentials), pinfo.ntpassword.hash);
 
-		if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-			netlogon_creds_aes_encrypt(creds, pinfo.lmpassword.hash, 16);
-			netlogon_creds_aes_encrypt(creds, pinfo.ntpassword.hash, 16);
-		} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-			netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16);
-			netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16);
-		} else {
-			netlogon_creds_des_encrypt(creds, &pinfo.lmpassword);
-			netlogon_creds_des_encrypt(creds, &pinfo.ntpassword);
-		}
-
 		pinfo.identity_info = identity;
 		logon.password = &pinfo;
 
@@ -3693,6 +3684,14 @@ static bool test_SamLogon(struct torture_context *tctx,
 
 	r.in.validation_level = 6;
 
+	dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
+	status = netlogon_creds_encrypt_samlogon_logon(creds,
+						       r.in.logon_level,
+						       r.in.logon,
+						       auth_type,
+						       auth_level);
+	torture_assert_ntstatus_ok(tctx, status, "encrypt_samlogon_logon");
+
 	torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r),
 		"netr_LogonSamLogonEx failed");
 	if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) {