From 5792c2ce9d45a5e2f0b454776ebadcad6aaf466a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 28 Oct 2024 17:43:40 +0100
Subject: [PATCH] s4:torture/rpc: make use of netlogon_creds_{de,en}crypt_samr_Password
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher
Reviewed-by: Douglas Bagnall
(cherry picked from commit 172ce406d48916c57f0742b6a0e064ac170ec8ff)
---
 source4/torture/rpc/forest_trust.c | 17 +++++++++++++--
 source4/torture/rpc/netlogon.c | 35 +++++++++++++++++++++++++++---
 source4/torture/rpc/samba3rpc.c | 11 +++++++++-
 source4/torture/rpc/schannel.c | 11 +++++++++-
 4 files changed, 67 insertions(+), 7 deletions(-)
diff --git a/source4/torture/rpc/forest_trust.c b/source4/torture/rpc/forest_trust.c
index e7b641e161a..4a46382f32a 100644
--- a/source4/torture/rpc/forest_trust.c
+++ b/source4/torture/rpc/forest_trust.c
@@ -533,6 +533,8 @@ static bool test_validate_trust(struct torture_context *tctx,
 struct samr_Password *old_nt_hash;
 char *dummy;
 uint32_t trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
 status = dcerpc_parse_binding(tctx, binding, &b);
 torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
@@ -608,8 +610,19 @@ static bool test_validate_trust(struct torture_context *tctx,
 old_nt_hash = cli_credentials_get_old_nt_hash(credentials, tctx);
 torture_assert(tctx, old_nt_hash != NULL, "cli_credentials_get_old_nt_hash()");
- netlogon_creds_des_decrypt(creds, &new_owf_password);
- netlogon_creds_des_decrypt(creds, &old_owf_password);
+ dcerpc_binding_handle_auth_info(p->binding_handle,
+ &auth_type,
+ &auth_level);
+ status = netlogon_creds_decrypt_samr_Password(creds,
+ &new_owf_password,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok(tctx, status, "decrypt_samr_Password");
+ status = netlogon_creds_decrypt_samr_Password(creds,
+ &old_owf_password,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok(tctx, status, "decrypt_samr_Password");
 dump_data(1, new_owf_password.hash, 16);
 dump_data(1, new_nt_hash->hash, 16);
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index c31f24eed16..c5a7929d703 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -932,6 +932,9 @@ static bool test_SetPassword(struct torture_context *tctx,
 struct netr_Authenticator credential, return_authenticator;
 struct samr_Password new_password;
 struct dcerpc_binding_handle *b = p->binding_handle;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+ NTSTATUS status;
 if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
 return false;
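Review bot: In test_validate_trust (source4/torture/rpc/forest_trust.c, hunk at -608) both added `torture_assert_ntstatus_ok` calls carry the same message `"decrypt_samr_Password"`, so a failed run does not say whether the new or the old OWF password failed to decrypt. Distinct messages would make the torture log usable on its own, for example `torture_assert_ntstatus_ok(tctx, status, "decrypt_samr_Password(new_owf_password)");` and the matching `"decrypt_samr_Password(old_owf_password)"` for the second call. The same identical pair is added to test_netr_ServerGetTrustInfo_flags in netlogon.c. The function body starts and ends outside this hunk.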
@@ -948,7 +951,12 @@ static bool test_SetPassword(struct torture_context *tctx,
 password = generate_random_password(tctx, 8, 255);
 E_md4hash(password, new_password.hash);
- netlogon_creds_des_encrypt(creds, &new_password);
+ dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
+ status = netlogon_creds_encrypt_samr_Password(creds,
+ &new_password,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_Password");
 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
 torture_comment(tctx, "Changing machine account password to '%s'\n",
@@ -1007,6 +1015,9 @@ static bool test_SetPassword_flags(struct torture_context *tctx,
 struct samr_Password new_password;
 struct dcerpc_pipe *p = NULL;
 struct dcerpc_binding_handle *b = NULL;
+ enum dcerpc_AuthType auth_type;
+ enum dcerpc_AuthLevel auth_level;
+ NTSTATUS status;
 if (!test_SetupCredentials2(p1, tctx, negotiate_flags, machine_credentials,
@@ -1031,7 +1042,12 @@ static bool test_SetPassword_flags(struct torture_context *tctx,
 password = generate_random_password(tctx, 8, 255);
 E_md4hash(password, new_password.hash);
- netlogon_creds_des_encrypt(creds, &new_password);
+ dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
+ status = netlogon_creds_encrypt_samr_Password(creds,
+ &new_password,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_Password");
 torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
 torture_comment(tctx, "Changing machine account password to '%s'\n",
@@ -5038,6 +5054,9 @@ static bool test_netr_ServerGetTrustInfo_flags(struct torture_context *tctx,
 struct dcerpc_binding_handle *b = NULL;
 struct samr_Password nt_hash;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+ NTSTATUS status;
 if (!test_SetupCredentials3(p1, tctx, negotiate_flags, machine_credentials, &creds)) {
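Review bot: In test_SetPassword_flags (netlogon.c, hunk at -1007) `auth_type` and `auth_level` are declared without initializers, while test_SetPassword, test_validate_trust and test_netr_ServerGetTrustInfo_flags in this same patch start them at `DCERPC_AUTH_TYPE_NONE` and `DCERPC_AUTH_LEVEL_NONE`. The patch does not show whether dcerpc_binding_handle_auth_info() writes both outputs on every path, and the values go straight into netlogon_creds_encrypt_samr_Password(), so the initialized form is the one to standardize on: `enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;` and `enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;`. schan() in samba3rpc.c and torture_rpc_schannel_bench1() in schannel.c add the same uninitialized declarations.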
@@ -5069,7 +5088,17 @@ static bool test_netr_ServerGetTrustInfo_flags(struct torture_context *tctx,
 E_md4hash(cli_credentials_get_password(machine_credentials), nt_hash.hash);
- netlogon_creds_des_decrypt(creds, &new_owf_password);
+ dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
+ status = netlogon_creds_decrypt_samr_Password(creds,
+ &new_owf_password,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok(tctx, status, "decrypt_samr_Password");
+ status = netlogon_creds_decrypt_samr_Password(creds,
+ &old_owf_password,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok(tctx, status, "decrypt_samr_Password");
 dump_data(1, new_owf_password.hash, 16);
 dump_data(1, nt_hash.hash, 16);
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index 96ff34f5270..0ce948895bc 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -1305,6 +1305,8 @@ static bool schan(struct torture_context *tctx,
 struct netlogon_creds_CredentialState *creds_state;
 struct netr_Authenticator credential, return_authenticator;
 struct samr_Password new_password;
+ enum dcerpc_AuthType auth_type;
+ enum dcerpc_AuthLevel auth_level;
 s.in.server_name = talloc_asprintf( mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
@@ -1319,7 +1321,14 @@ static bool schan(struct torture_context *tctx,
 E_md4hash(password, new_password.hash);
 creds_state = cli_credentials_get_netlogon_creds(wks_creds);
- netlogon_creds_des_encrypt(creds_state, &new_password);
+ dcerpc_binding_handle_auth_info(net_handle,
+ &auth_type,
+ &auth_level);
+ status = netlogon_creds_encrypt_samr_Password(creds_state,
+ &new_password,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_Password");
 netlogon_creds_client_authenticator(creds_state, &credential);
 status = dcerpc_netr_ServerPasswordSet_r(net_handle, mem_ctx, &s);
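Review bot: In test_netr_ServerGetTrustInfo_flags (netlogon.c, hunk at -5069) the second added call decrypts `old_owf_password`, which the removed code never touched; the old side only had `netlogon_creds_des_decrypt(creds, &new_owf_password);`. That is a behaviour change beyond the like-for-like replacement the subject line describes, and it adds a new way for the test to fail. The visible context then dumps only `new_owf_password` and `nt_hash`, so nothing in the hunk checks the decrypted old hash; the rest of the function is outside the hunk and may do so. If the value is not verified, a comment such as `/* old_owf_password is decrypted for parity with test_validate_trust; its value is not checked here */` would record the intent, otherwise an assertion on it belongs next to the existing comparison.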
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index cbd9e7ecac8..371a7871644 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -1286,6 +1286,8 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
 struct dcerpc_pipe *net_pipe;
 struct netr_Authenticator credential, return_authenticator;
 struct samr_Password new_password;
+ enum dcerpc_AuthType auth_type;
+ enum dcerpc_AuthLevel auth_level;
 status = dcerpc_pipe_connect_b(s, &net_pipe, s->b, &ndr_table_netlogon,
@@ -1310,7 +1312,14 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
 creds_state = cli_credentials_get_netlogon_creds( s->wks_creds1);
- netlogon_creds_des_encrypt(creds_state, &new_password);
+ dcerpc_binding_handle_auth_info(net_pipe->binding_handle,
+ &auth_type,
+ &auth_level);
+ status = netlogon_creds_encrypt_samr_Password(creds_state,
+ &new_password,
+ auth_type,
+ auth_level);
+ torture_assert_ntstatus_ok(torture, status, "encrypt_samr_Password");
 netlogon_creds_client_authenticator(creds_state, &credential);
 torture_assert_ntstatus_ok(torture, dcerpc_netr_ServerPasswordSet_r(net_pipe->binding_handle, torture, &pwset),