mirror of
https://github.com/samba-team/samba.git
synced 2025-01-03 01:18:10 +03:00
s4:torture/rpc: make use of netlogon_creds_encrypt_samr_CryptPassword()
This will make it easier to implement netr_ServerAuthenticateKerberos() later...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2d7a47a175)
This commit is contained in:
Stefan Metzmacher
Jule Anger
parent
c944d1fc37
commit
a8e5bbb268
@ -4370,6 +4370,8 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
|
||||
struct tsocket_address *dest_addr;
|
||||
struct cldap_socket *cldap;
|
||||
struct cldap_netlogon cldap1;
|
||||
enum dcerpc_AuthType auth_type;
|
||||
enum dcerpc_AuthLevel auth_level;
|
||||
|
||||
incoming_creds = cli_credentials_init(tctx);
|
||||
torture_assert(tctx, incoming_creds, "cli_credentials_init");
|
||||
@ -4525,15 +4527,14 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
|
||||
netlogon_creds_client_authenticator(creds, &req_auth);
|
||||
ZERO_STRUCT(rep_auth);
|
||||
|
||||
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
||||
netlogon_creds_aes_encrypt(creds,
|
||||
samr_crypt_password.data,
|
||||
516);
|
||||
} else {
|
||||
netlogon_creds_arcfour_crypt(creds,
|
||||
samr_crypt_password.data,
|
||||
516);
|
||||
}
|
||||
dcerpc_binding_handle_auth_info(p2->binding_handle,
|
||||
&auth_type,
|
||||
&auth_level);
|
||||
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
||||
&samr_crypt_password,
|
||||
auth_type,
|
||||
auth_level);
|
||||
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
||||
|
||||
memcpy(netr_crypt_password.data,
|
||||
samr_crypt_password.data, 512);
|
||||
|
||||
@ -1112,6 +1112,9 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
|
||||
struct netr_CryptPassword new_password;
|
||||
struct dcerpc_pipe *p = NULL;
|
||||
struct dcerpc_binding_handle *b = NULL;
|
||||
enum dcerpc_AuthType auth_type;
|
||||
enum dcerpc_AuthLevel auth_level;
|
||||
NTSTATUS status;
|
||||
|
||||
if (!test_SetupCredentials2(p1, tctx, flags, machine_credentials,
|
||||
cli_credentials_get_secure_channel_type(machine_credentials),
|
||||
@ -1134,11 +1137,12 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
|
||||
|
||||
password = generate_random_password(tctx, 8, 255);
|
||||
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
|
||||
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
||||
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
|
||||
} else {
|
||||
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
|
||||
}
|
||||
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
||||
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
||||
&password_buf,
|
||||
auth_type,
|
||||
auth_level);
|
||||
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
||||
|
||||
memcpy(new_password.data, password_buf.data, 512);
|
||||
new_password.length = IVAL(password_buf.data, 512);
|
||||
@ -1168,11 +1172,12 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
|
||||
*/
|
||||
password = "";
|
||||
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
|
||||
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
||||
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
|
||||
} else {
|
||||
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
|
||||
}
|
||||
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
||||
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
||||
&password_buf,
|
||||
auth_type,
|
||||
auth_level);
|
||||
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
||||
memcpy(new_password.data, password_buf.data, 512);
|
||||
new_password.length = IVAL(password_buf.data, 512);
|
||||
|
||||
@ -1195,11 +1200,12 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
|
||||
/* now try a random password */
|
||||
password = generate_random_password(tctx, 8, 255);
|
||||
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
|
||||
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
||||
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
|
||||
} else {
|
||||
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
|
||||
}
|
||||
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
||||
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
||||
&password_buf,
|
||||
auth_type,
|
||||
auth_level);
|
||||
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
||||
memcpy(new_password.data, password_buf.data, 512);
|
||||
new_password.length = IVAL(password_buf.data, 512);
|
||||
|
||||
@ -1246,11 +1252,12 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
|
||||
/* now try a random stream of bytes for a password */
|
||||
set_pw_in_buffer(password_buf.data, &new_random_pass);
|
||||
|
||||
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
||||
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
|
||||
} else {
|
||||
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
|
||||
}
|
||||
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
||||
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
||||
&password_buf,
|
||||
auth_type,
|
||||
auth_level);
|
||||
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
||||
|
||||
memcpy(new_password.data, password_buf.data, 512);
|
||||
new_password.length = IVAL(password_buf.data, 512);
|
||||
@ -1299,6 +1306,9 @@ static bool test_SetPassword2_encrypted_to_all_zeros(
|
||||
struct netr_CryptPassword new_password;
|
||||
struct dcerpc_pipe *p = NULL;
|
||||
struct dcerpc_binding_handle *b = NULL;
|
||||
enum dcerpc_AuthType auth_type;
|
||||
enum dcerpc_AuthLevel auth_level;
|
||||
NTSTATUS status;
|
||||
|
||||
if (!test_ServerAuthenticate2_encrypts_to_zero(
|
||||
tctx,
|
||||
@ -1338,7 +1348,12 @@ static bool test_SetPassword2_encrypted_to_all_zeros(
|
||||
if (!(creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
|
||||
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES not set");
|
||||
}
|
||||
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
|
||||
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
||||
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
||||
&password_buf,
|
||||
auth_type,
|
||||
auth_level);
|
||||
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
||||
if(!all_zero(password_buf.data, 516)) {
|
||||
torture_fail(tctx, "Password did not encrypt to all zeros\n");
|
||||
}
|
||||
@ -1385,6 +1400,9 @@ static bool test_SetPassword2_password_encrypts_to_zero(
|
||||
struct netr_CryptPassword new_password;
|
||||
struct dcerpc_pipe *p = NULL;
|
||||
struct dcerpc_binding_handle *b = NULL;
|
||||
enum dcerpc_AuthType auth_type;
|
||||
enum dcerpc_AuthLevel auth_level;
|
||||
NTSTATUS status;
|
||||
|
||||
if (!test_ServerAuthenticate2_encrypts_to_zero(
|
||||
tctx,
|
||||
@ -1425,7 +1443,12 @@ static bool test_SetPassword2_password_encrypts_to_zero(
|
||||
if (!(creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
|
||||
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES not set");
|
||||
}
|
||||
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
|
||||
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
||||
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
||||
&password_buf,
|
||||
auth_type,
|
||||
auth_level);
|
||||
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
||||
|
||||
memcpy(new_password.data, password_buf.data, 512);
|
||||
new_password.length = IVAL(password_buf.data, 512);
|
||||
@ -1461,6 +1484,9 @@ static bool test_SetPassword2_confounder(
|
||||
struct netr_CryptPassword new_password;
|
||||
struct dcerpc_pipe *p = NULL;
|
||||
struct dcerpc_binding_handle *b = NULL;
|
||||
enum dcerpc_AuthType auth_type;
|
||||
enum dcerpc_AuthLevel auth_level;
|
||||
NTSTATUS status;
|
||||
|
||||
if (!test_ServerAuthenticate2_encrypts_to_zero(
|
||||
tctx,
|
||||
@ -1502,7 +1528,12 @@ static bool test_SetPassword2_confounder(
|
||||
if (!(creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
|
||||
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES not set");
|
||||
}
|
||||
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
|
||||
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
||||
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
||||
&password_buf,
|
||||
auth_type,
|
||||
auth_level);
|
||||
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
||||
|
||||
memcpy(new_password.data, password_buf.data, 512);
|
||||
new_password.length = IVAL(password_buf.data, 512);
|
||||
@ -1538,6 +1569,9 @@ static bool test_SetPassword2_all_zeros(
|
||||
struct dcerpc_pipe *p = NULL;
|
||||
struct dcerpc_binding_handle *b = NULL;
|
||||
uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
|
||||
enum dcerpc_AuthType auth_type;
|
||||
enum dcerpc_AuthLevel auth_level;
|
||||
NTSTATUS status;
|
||||
|
||||
if (!test_SetupCredentials2(
|
||||
p1,
|
||||
@ -1576,7 +1610,12 @@ static bool test_SetPassword2_all_zeros(
|
||||
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
||||
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES enabled\n");
|
||||
}
|
||||
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
|
||||
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
||||
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
||||
&password_buf,
|
||||
auth_type,
|
||||
auth_level);
|
||||
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
||||
|
||||
memcpy(new_password.data, password_buf.data, 512);
|
||||
new_password.length = IVAL(password_buf.data, 512);
|
||||
@ -1615,6 +1654,9 @@ static bool test_SetPassword2_maximum_length_password(
|
||||
struct dcerpc_binding_handle *b = NULL;
|
||||
uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
||||
DATA_BLOB new_random_pass = data_blob_null;
|
||||
enum dcerpc_AuthType auth_type;
|
||||
enum dcerpc_AuthLevel auth_level;
|
||||
NTSTATUS status;
|
||||
|
||||
if (!test_SetupCredentials2(
|
||||
p1,
|
||||
@ -1652,11 +1694,12 @@ static bool test_SetPassword2_maximum_length_password(
|
||||
new_random_pass = netlogon_very_rand_pass(tctx, 256);
|
||||
set_pw_in_buffer(password_buf.data, &new_random_pass);
|
||||
SIVAL(password_buf.data, 512, 512);
|
||||
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
||||
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
|
||||
} else {
|
||||
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
|
||||
}
|
||||
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
||||
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
||||
&password_buf,
|
||||
auth_type,
|
||||
auth_level);
|
||||
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
||||
|
||||
memcpy(new_password.data, password_buf.data, 512);
|
||||
new_password.length = IVAL(password_buf.data, 512);
|
||||
@ -1697,6 +1740,9 @@ static bool test_SetPassword2_all_zero_password(
|
||||
struct dcerpc_pipe *p = NULL;
|
||||
struct dcerpc_binding_handle *b = NULL;
|
||||
uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
|
||||
enum dcerpc_AuthType auth_type;
|
||||
enum dcerpc_AuthLevel auth_level;
|
||||
NTSTATUS status;
|
||||
|
||||
if (!test_SetupCredentials2(
|
||||
p1,
|
||||
@ -1736,7 +1782,12 @@ static bool test_SetPassword2_all_zero_password(
|
||||
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
||||
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES set");
|
||||
}
|
||||
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
|
||||
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
|
||||
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
|
||||
&password_buf,
|
||||
auth_type,
|
||||
auth_level);
|
||||
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
|
||||
|
||||
memcpy(new_password.data, password_buf.data, 512);
|
||||
new_password.length = IVAL(password_buf.data, 512);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user