mirror of https://github.com/samba-team/samba.git synced 2025-01-20 14:03:59 +03:00

s4:torture/rpc: make use of netlogon_creds_encrypt_samr_CryptPassword()

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2d7a47a175337729f4c671d7a6223f6e0ea23ebe)
Stefan Metzmacher 2024-10-28 16:22:36 +01:00 committed by Jule Anger
parent c944d1fc37
commit a8e5bbb268
2 changed files with 91 additions and 39 deletions


@ -4370,6 +4370,8 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
struct tsocket_address *dest_addr;
struct cldap_socket *cldap;
struct cldap_netlogon cldap1;
enum dcerpc_AuthType auth_type;
enum dcerpc_AuthLevel auth_level;
incoming_creds = cli_credentials_init(tctx);
torture_assert(tctx, incoming_creds, "cli_credentials_init");
@ -4525,15 +4527,14 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
netlogon_creds_client_authenticator(creds, &req_auth);
ZERO_STRUCT(rep_auth);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_encrypt(creds,
samr_crypt_password.data,
516);
} else {
netlogon_creds_arcfour_crypt(creds,
samr_crypt_password.data,
516);
}
dcerpc_binding_handle_auth_info(p2->binding_handle,
&auth_type,
&auth_level);
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
&samr_crypt_password,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
memcpy(netr_crypt_password.data,
samr_crypt_password.data, 512);
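Review bot: The encryption in check_dom_trust_pw now depends on the auth type and level read from `p2->binding_handle`, but nothing at the call site says that this must be the same handle the encrypted buffer is later sent on. The send itself is outside this hunk, so whether it uses p2 cannot be confirmed from here. Since the helper picks the protection from these two values, querying a different pipe than the one used for the request would encrypt for the wrong channel without any visible error. I would add a comment above the query, for example `/* auth info must come from p2, the pipe that carries the password-set request */`. The `memcpy(..., 512)` that follows still hard-codes the buffer layout that the helper call no longer spells out, which a named constant would make clearer.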


@ -1112,6 +1112,9 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
struct netr_CryptPassword new_password;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
enum dcerpc_AuthType auth_type;
enum dcerpc_AuthLevel auth_level;
NTSTATUS status;
if (!test_SetupCredentials2(p1, tctx, flags, machine_credentials,
cli_credentials_get_secure_channel_type(machine_credentials),
@ -1134,11 +1137,12 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
password = generate_random_password(tctx, 8, 255);
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
} else {
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
}
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
&password_buf,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
@ -1168,11 +1172,12 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
*/
password = "";
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
} else {
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
}
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
&password_buf,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
@ -1195,11 +1200,12 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
/* now try a random password */
password = generate_random_password(tctx, 8, 255);
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
} else {
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
}
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
&password_buf,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
@ -1246,11 +1252,12 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
/* now try a random stream of bytes for a password */
set_pw_in_buffer(password_buf.data, &new_random_pass);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
} else {
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
}
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
&password_buf,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
@ -1299,6 +1306,9 @@ static bool test_SetPassword2_encrypted_to_all_zeros(
struct netr_CryptPassword new_password;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
enum dcerpc_AuthType auth_type;
enum dcerpc_AuthLevel auth_level;
NTSTATUS status;
if (!test_ServerAuthenticate2_encrypts_to_zero(
tctx,
@ -1338,7 +1348,12 @@ static bool test_SetPassword2_encrypted_to_all_zeros(
if (!(creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES not set");
}
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
&password_buf,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
if(!all_zero(password_buf.data, 516)) {
torture_fail(tctx, "Password did not encrypt to all zeros\n");
}
@ -1385,6 +1400,9 @@ static bool test_SetPassword2_password_encrypts_to_zero(
struct netr_CryptPassword new_password;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
enum dcerpc_AuthType auth_type;
enum dcerpc_AuthLevel auth_level;
NTSTATUS status;
if (!test_ServerAuthenticate2_encrypts_to_zero(
tctx,
@ -1425,7 +1443,12 @@ static bool test_SetPassword2_password_encrypts_to_zero(
if (!(creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES not set");
}
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
&password_buf,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
@ -1461,6 +1484,9 @@ static bool test_SetPassword2_confounder(
struct netr_CryptPassword new_password;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
enum dcerpc_AuthType auth_type;
enum dcerpc_AuthLevel auth_level;
NTSTATUS status;
if (!test_ServerAuthenticate2_encrypts_to_zero(
tctx,
@ -1502,7 +1528,12 @@ static bool test_SetPassword2_confounder(
if (!(creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES not set");
}
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
&password_buf,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
@ -1538,6 +1569,9 @@ static bool test_SetPassword2_all_zeros(
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
enum dcerpc_AuthType auth_type;
enum dcerpc_AuthLevel auth_level;
NTSTATUS status;
if (!test_SetupCredentials2(
p1,
@ -1576,7 +1610,12 @@ static bool test_SetPassword2_all_zeros(
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES enabled\n");
}
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
&password_buf,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
@ -1615,6 +1654,9 @@ static bool test_SetPassword2_maximum_length_password(
struct dcerpc_binding_handle *b = NULL;
uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
DATA_BLOB new_random_pass = data_blob_null;
enum dcerpc_AuthType auth_type;
enum dcerpc_AuthLevel auth_level;
NTSTATUS status;
if (!test_SetupCredentials2(
p1,
@ -1652,11 +1694,12 @@ static bool test_SetPassword2_maximum_length_password(
new_random_pass = netlogon_very_rand_pass(tctx, 256);
set_pw_in_buffer(password_buf.data, &new_random_pass);
SIVAL(password_buf.data, 512, 512);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
} else {
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
}
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
&password_buf,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
@ -1697,6 +1740,9 @@ static bool test_SetPassword2_all_zero_password(
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
enum dcerpc_AuthType auth_type;
enum dcerpc_AuthLevel auth_level;
NTSTATUS status;
if (!test_SetupCredentials2(
p1,
@ -1736,7 +1782,12 @@ static bool test_SetPassword2_all_zero_password(
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
torture_fail(tctx, "NETLOGON_NEG_SUPPORTS_AES set");
}
netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
status = netlogon_creds_encrypt_samr_CryptPassword(creds,
&password_buf,
auth_type,
auth_level);
torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
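Review bot: The tests that exist to pin one cipher (test_SetPassword2_encrypted_to_all_zeros, test_SetPassword2_password_encrypts_to_zero, test_SetPassword2_confounder, test_SetPassword2_all_zeros and test_SetPassword2_all_zero_password) no longer choose the cipher themselves. They now rely on `netlogon_creds_encrypt_samr_CryptPassword()` deriving it from `creds->negotiate_flags` together with `auth_type` and `auth_level`. The `NETLOGON_NEG_SUPPORTS_AES` check before each call is still there, but nothing asserts the auth type and level the helper receives. If the helper later handles some auth type differently (the commit message points at upcoming Kerberos work), these regression tests could run a different path and still pass or fail for the wrong reason. I would document the dependency at each of these calls, for example `/* this test relies on the helper taking the AES path for this binding */` (and the arcfour equivalent in the two no-AES tests), or assert the expected `auth_type` right after `dcerpc_binding_handle_auth_info()`. The function bodies continue outside the hunks, so an existing check elsewhere cannot be ruled out.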