diff options
| author | Günther Deschner <gd@samba.org> | 2007-11-29 22:22:19 +0100 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2007-12-21 05:46:53 +0100 |
| commit | 91da59fe0f4a2434ab35470651d38f2e530be971 (patch) | |
| tree | efa7d5dbd3b1ecd80370fecfa5558440b5d23fc7 /source4 | |
| parent | a3ced8817267a17b05875a2ffbcf87fc55fffe08 (diff) | |
| download | samba-91da59fe0f4a2434ab35470651d38f2e530be971.tar.gz samba-91da59fe0f4a2434ab35470651d38f2e530be971.tar.bz2 samba-91da59fe0f4a2434ab35470651d38f2e530be971.zip | |
r26210: w00t!
Solved the nasty crypto problem of the 524 byte wkssvc_PasswordBuffer for
wkssvc_JoinDomain()/wkssvc_UnjoinDomain().
Very soon we will be able to remotely join windows workstations into AD domains
using smbtorture :-)
Guenther
(This used to be commit 37469ed34c5ee031dc8cf31ea7efbfacf279878a)
Diffstat (limited to 'source4')
| -rw-r--r-- | source4/torture/rpc/wkssvc.c | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/source4/torture/rpc/wkssvc.c b/source4/torture/rpc/wkssvc.c index 6f43caebf5..861c1051c6 100644 --- a/source4/torture/rpc/wkssvc.c +++ b/source4/torture/rpc/wkssvc.c @@ -25,6 +25,8 @@ #include "torture/rpc/rpc.h" #include "lib/cmdline/popt_common.h" #include "param/param.h" +#include "lib/crypto/crypto.h" +#include "libcli/auth/libcli_auth.h" #define SMBTORTURE_MACHINE_NAME "smbtrt_name" #define SMBTORTURE_ALTERNATE_NAME "smbtrt_altname" @@ -1115,6 +1117,48 @@ static bool test_NetrJoinDomain(struct torture_context *tctx, return true; } +/* encode a wkssvc_PasswordBuffer for remote joining/unjoining: + * + * similar to samr_CryptPasswordEx. Different: 8byte confounder (instead of + * 16byte), confounder at the beginning of the 516 byte buffer (instead of at + * the end), MD5Update() reordering of session_key and confounder - Guenther */ + +static bool encode_wkssvc_join_password_buffer(struct torture_context *tctx, + struct dcerpc_pipe *p, + const char *pwd, + struct wkssvc_PasswordBuffer *pwd_buf) +{ + NTSTATUS status; + uint8_t buffer[516]; + struct MD5Context ctx; + + DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16); + DATA_BLOB session_key; + + int confounder_len = 8; + uint8_t confounder[8]; + + encode_pw_buffer(buffer, pwd, STR_UNICODE); + + status = dcerpc_fetch_session_key(p, &session_key); + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + generate_random_buffer((uint8_t *)confounder, confounder_len); + + MD5Init(&ctx); + MD5Update(&ctx, session_key.data, session_key.length); + MD5Update(&ctx, confounder, confounder_len); + MD5Final(confounded_session_key.data, &ctx); + + arcfour_crypt_blob(buffer, 516, &confounded_session_key); + + memcpy(&pwd_buf->data[0], confounder, confounder_len); + memcpy(&pwd_buf->data[8], buffer, 516); + + return true; +} struct torture_suite *torture_rpc_wkssvc(TALLOC_CTX *mem_ctx) { |