Diffstat (limited to 'source4/torture')
-rw-r--r-- | source4/torture/config.mk | 2 | ||||
-rw-r--r-- | source4/torture/rpc/dssync.c | 125 | ||||
-rw-r--r-- | source4/torture/rpc/netlogon.c | 173 | ||||
-rw-r--r-- | source4/torture/rpc/netlogon.h | 2 | ||||
-rw-r--r-- | source4/torture/rpc/remote_pac.c | 27 | ||||
-rw-r--r-- | source4/torture/rpc/samba3rpc.c | 51 | ||||
-rw-r--r-- | source4/torture/rpc/samlogon.c | 34 | ||||
-rw-r--r-- | source4/torture/rpc/samr.c | 8 | ||||
-rw-r--r-- | source4/torture/rpc/samsync.c | 30 | ||||
-rw-r--r-- | source4/torture/rpc/schannel.c | 12 | ||||
-rw-r--r-- | source4/torture/rpc/wkssvc.c | 45 |
11 files changed, 188 insertions, 321 deletions
diff --git a/source4/torture/config.mk b/source4/torture/config.mk index 895fef6174..bec2a064dc 100644 --- a/source4/torture/config.mk +++ b/source4/torture/config.mk @@ -111,7 +111,7 @@ PRIVATE_DEPENDENCIES = \ RPC_NDR_SRVSVC RPC_NDR_WKSSVC RPC_NDR_ROT RPC_NDR_DSSETUP \ RPC_NDR_REMACT RPC_NDR_OXIDRESOLVER RPC_NDR_NTSVCS WB_HELPER LIBSAMBA-NET \ LIBCLI_AUTH POPT_CREDENTIALS TORTURE_LDAP TORTURE_LDB TORTURE_UTIL TORTURE_RAP \ - dcerpc_server service process_model ntvfs SERVICE_SMB RPC_NDR_BROWSER + dcerpc_server service process_model ntvfs SERVICE_SMB RPC_NDR_BROWSER LIBCLI_DRSUAPI torture_rpc_OBJ_FILES = $(addprefix $(torturesrcdir)/rpc/, \ join.o lsa.o lsa_lookup.o session_key.o echo.o dfs.o drsuapi.o \ diff --git a/source4/torture/rpc/dssync.c b/source4/torture/rpc/dssync.c index 1aaf914ceb..b47564cc91 100644 --- a/source4/torture/rpc/dssync.c +++ b/source4/torture/rpc/dssync.c @@ -30,6 +30,7 @@ #include "torture/ldap/proto.h" #include "libcli/auth/libcli_auth.h" #include "../lib/crypto/crypto.h" +#include "../libcli/drsuapi/drsuapi.h" #include "auth/credentials/credentials.h" #include "libcli/auth/libcli_auth.h" #include "auth/gensec/gensec.h" 
@@ -338,119 +339,6 @@ static bool test_GetInfo(struct torture_context *tctx, struct DsSyncTest *ctx) return ret; } -static DATA_BLOB decrypt_blob(TALLOC_CTX *mem_ctx, - const DATA_BLOB *gensec_skey, - bool rcrypt, - struct drsuapi_DsReplicaObjectIdentifier *id, - uint32_t rid, - const DATA_BLOB *buffer) -{ - DATA_BLOB confounder; - DATA_BLOB enc_buffer; - - struct MD5Context md5; - uint8_t _enc_key[16]; - DATA_BLOB enc_key; - - DATA_BLOB dec_buffer; - - uint32_t crc32_given; - uint32_t crc32_calc; - DATA_BLOB checked_buffer; - - DATA_BLOB plain_buffer; - - /* - * the combination "c[3] s[1] e[1] d[0]..." - * was successful!!!!!!!!!!!!!!!!!!!!!!!!!! - */ - - /* - * the first 16 bytes at the beginning are the confounder - * followed by the 4 byte crc32 checksum - */ - if (buffer->length < 20) { - return data_blob_const(NULL, 0); - } - confounder = data_blob_const(buffer->data, 16); - enc_buffer = data_blob_const(buffer->data + 16, buffer->length - 16); - - /* - * build the encryption key md5 over the session key followed - * by the confounder - * - * here the gensec session key is used and - * not the dcerpc ncacn_ip_tcp "SystemLibraryDTC" key! 
- */ - enc_key = data_blob_const(_enc_key, sizeof(_enc_key)); - MD5Init(&md5); - MD5Update(&md5, gensec_skey->data, gensec_skey->length); - MD5Update(&md5, confounder.data, confounder.length); - MD5Final(enc_key.data, &md5); - - /* - * copy the encrypted buffer part and - * decrypt it using the created encryption key using arcfour - */ - dec_buffer = data_blob_talloc(mem_ctx, enc_buffer.data, enc_buffer.length); - if (!dec_buffer.data) { - return data_blob_const(NULL, 0); - } - arcfour_crypt_blob(dec_buffer.data, dec_buffer.length, &enc_key); - - /* - * the first 4 byte are the crc32 checksum - * of the remaining bytes - */ - crc32_given = IVAL(dec_buffer.data, 0); - crc32_calc = crc32_calc_buffer(dec_buffer.data + 4 , dec_buffer.length - 4); - if (crc32_given != crc32_calc) { - DEBUG(0,("CRC32: given[0x%08X] calc[0x%08X]\n", - crc32_given, crc32_calc)); - return data_blob_const(NULL, 0); - } - checked_buffer = data_blob_talloc(mem_ctx, dec_buffer.data + 4, dec_buffer.length - 4); - if (!checked_buffer.data) { - return data_blob_const(NULL, 0); - } - - /* - * some attributes seem to be in a usable form after this decryption - * (supplementalCredentials, priorValue, currentValue, trustAuthOutgoing, - * trustAuthIncoming, initialAuthOutgoing, initialAuthIncoming) - * At least supplementalCredentials contains plaintext - * like "Primary:Kerberos" (in unicode form) - * - * some attributes seem to have some additional encryption - * dBCSPwd, unicodePwd, ntPwdHistory, lmPwdHistory - * - * it's the sam_rid_crypt() function, as the value is constant, - * so it doesn't depend on sessionkeys. 
- */ - if (rcrypt) { - uint32_t i, num_hashes; - - if ((checked_buffer.length % 16) != 0) { - return data_blob_const(NULL, 0); - } - - plain_buffer = data_blob_talloc(mem_ctx, checked_buffer.data, checked_buffer.length); - if (!plain_buffer.data) { - return data_blob_const(NULL, 0); - } - - num_hashes = plain_buffer.length / 16; - for (i = 0; i < num_hashes; i++) { - uint32_t offset = i * 16; - sam_rid_crypt(rid, checked_buffer.data + offset, plain_buffer.data + offset, 0); - } - } else { - plain_buffer = checked_buffer; - } - - return plain_buffer; -} - static void test_analyse_objects(struct torture_context *tctx, struct DsSyncTest *ctx, const DATA_BLOB *gensec_skey, @@ -481,6 +369,7 @@ static void test_analyse_objects(struct torture_context *tctx, } for (i=0; i < cur->object.attribute_ctr.num_attributes; i++) { + WERROR werr; const char *name = NULL; bool rcrypt = false; DATA_BLOB *enc_data = NULL; @@ -549,9 +438,13 @@ static void test_analyse_objects(struct torture_context *tctx, enc_data = attr->value_ctr.values[0].blob; ZERO_STRUCT(plain_data); - plain_data = decrypt_blob(ctx, gensec_skey, rcrypt, - cur->object.identifier, rid, - enc_data); + werr = drsuapi_decrypt_attribute_value(ctx, gensec_skey, rcrypt, + rid, + enc_data, &plain_data); + if (!W_ERROR_IS_OK(werr)) { + DEBUG(0, ("Failed to decrypt %s\n", name)); + continue; + } if (!dn_printed) { object_id++; DEBUG(0,("DN[%u] %s\n", object_id, dn)); diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index ad94add071..23443cc9d1 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c 
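Review bot: The new failure branch in test_analyse_objects (hunk at -549) discards the WERROR from drsuapi_decrypt_attribute_value and then `continue`s, and because the function returns void that turns a broken decryption path (wrong session key, CRC mismatch) into a run that looks like it passed instead of a test failure. I would at least surface the code, `DEBUG(0, ("Failed to decrypt %s: %s\n", name, win_errstr(werr)));`, and consider counting these failures so the caller can fail the test rather than only logging at level 0. `name` is initialised to NULL in the hunk at -481 and only assigned on an attribute match, so if any path can reach this branch with it still NULL the `%s` is undefined behaviour; `name ? name : "<unknown>"` would make the message safe. The enclosing loop and function continue outside the hunk.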
@@ -77,13 +77,13 @@ static bool test_LogonUasLogoff(struct torture_context *tctx, bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, struct cli_credentials *credentials, - struct creds_CredentialState **creds_out) + struct netlogon_creds_CredentialState **creds_out) { NTSTATUS status; struct netr_ServerReqChallenge r; struct netr_ServerAuthenticate a; struct netr_Credential credentials1, credentials2, credentials3; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; const struct samr_Password *mach_password; const char *machine_name; @@ -92,9 +92,6 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, torture_comment(tctx, "Testing ServerReqChallenge\n"); - creds = talloc(tctx, struct creds_CredentialState); - torture_assert(tctx, creds != NULL, "memory allocation"); - r.in.server_name = NULL; r.in.computer_name = machine_name; r.in.credentials = &credentials1; @@ -112,9 +109,13 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, a.in.credentials = &credentials3; a.out.return_credentials = &credentials3; - creds_client_init(creds, &credentials1, &credentials2, - mach_password, &credentials3, - 0); + creds = netlogon_creds_client_init(tctx, a.in.account_name, + a.in.computer_name, + &credentials1, &credentials2, + mach_password, &credentials3, + 0); + torture_assert(tctx, creds != NULL, "memory allocation"); + torture_comment(tctx, "Testing ServerAuthenticate\n"); @@ -128,7 +129,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate"); - torture_assert(tctx, creds_client_check(creds, &credentials3), + torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed"); *creds_out = creds; 
@@ -139,13 +140,13 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, uint32_t negotiate_flags, struct cli_credentials *machine_credentials, int sec_chan_type, - struct creds_CredentialState **creds_out) + struct netlogon_creds_CredentialState **creds_out) { NTSTATUS status; struct netr_ServerReqChallenge r; struct netr_ServerAuthenticate2 a; struct netr_Credential credentials1, credentials2, credentials3; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; const struct samr_Password *mach_password; const char *machine_name; @@ -154,8 +155,6 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, torture_comment(tctx, "Testing ServerReqChallenge\n"); - creds = talloc(tctx, struct creds_CredentialState); - torture_assert(tctx, creds != NULL, "memory allocation"); r.in.server_name = NULL; r.in.computer_name = machine_name; @@ -176,16 +175,20 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, a.in.credentials = &credentials3; a.out.return_credentials = &credentials3; - creds_client_init(creds, &credentials1, &credentials2, - mach_password, &credentials3, - negotiate_flags); + creds = netlogon_creds_client_init(tctx, a.in.account_name, + a.in.computer_name, + &credentials1, &credentials2, + mach_password, &credentials3, + negotiate_flags); + + torture_assert(tctx, creds != NULL, "memory allocation"); torture_comment(tctx, "Testing ServerAuthenticate2\n"); status = dcerpc_netr_ServerAuthenticate2(p, tctx, &a); torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate2"); - torture_assert(tctx, creds_client_check(creds, &credentials3), + torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed"); torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags); 
@@ -198,13 +201,13 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx, uint32_t negotiate_flags, struct cli_credentials *machine_credentials, - struct creds_CredentialState **creds_out) + struct netlogon_creds_CredentialState **creds_out) { NTSTATUS status; struct netr_ServerReqChallenge r; struct netr_ServerAuthenticate3 a; struct netr_Credential credentials1, credentials2, credentials3; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct samr_Password mach_password; uint32_t rid; const char *machine_name; @@ -215,9 +218,6 @@ static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context torture_comment(tctx, "Testing ServerReqChallenge\n"); - creds = talloc(tctx, struct creds_CredentialState); - torture_assert(tctx, creds != NULL, "memory allocation"); - r.in.server_name = NULL; r.in.computer_name = machine_name; r.in.credentials = &credentials1; @@ -240,15 +240,19 @@ static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context a.out.negotiate_flags = &negotiate_flags; a.out.rid = &rid; - creds_client_init(creds, &credentials1, &credentials2, - &mach_password, &credentials3, - negotiate_flags); + creds = netlogon_creds_client_init(tctx, a.in.account_name, + a.in.computer_name, + &credentials1, &credentials2, + &mach_password, &credentials3, + negotiate_flags); + + torture_assert(tctx, creds != NULL, "memory allocation"); torture_comment(tctx, "Testing ServerAuthenticate3\n"); status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a); torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3"); - torture_assert(tctx, creds_client_check(creds, &credentials3), "Credential chaining failed"); + torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed"); torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags); 
@@ -270,7 +274,7 @@ static bool test_SetPassword(struct torture_context *tctx, NTSTATUS status; struct netr_ServerPasswordSet r; const char *password; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_Authenticator credential, return_authenticator; struct samr_Password new_password; @@ -289,18 +293,18 @@ static bool test_SetPassword(struct torture_context *tctx, password = generate_random_str(tctx, 8); E_md4hash(password, new_password.hash); - creds_des_encrypt(creds, &new_password); + netlogon_creds_des_encrypt(creds, &new_password); torture_comment(tctx, "Testing ServerPasswordSet on machine account\n"); torture_comment(tctx, "Changing machine account password to '%s'\n", password); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -313,12 +317,12 @@ static bool test_SetPassword(struct torture_context *tctx, torture_comment(tctx, "Changing machine account password to '%s' (same as previous run)\n", password); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } 
@@ -360,7 +364,7 @@ static bool test_SetPassword2(struct torture_context *tctx, struct netr_ServerPasswordSet2 r; const char *password; DATA_BLOB new_random_pass; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct samr_CryptPassword password_buf; struct samr_Password nt_hash; struct netr_Authenticator credential, return_authenticator; @@ -380,7 +384,7 @@ static bool test_SetPassword2(struct torture_context *tctx, password = generate_random_str(tctx, 8); encode_pw_buffer(password_buf.data, password, STR_UNICODE); - creds_arcfour_crypt(creds, password_buf.data, 516); + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); @@ -388,12 +392,12 @@ static bool test_SetPassword2(struct torture_context *tctx, torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n"); torture_comment(tctx, "Changing machine account password to '%s'\n", password); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -410,7 +414,7 @@ static bool test_SetPassword2(struct torture_context *tctx, */ password = ""; encode_pw_buffer(password_buf.data, password, STR_UNICODE); - creds_arcfour_crypt(creds, password_buf.data, 516); + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); 
@@ -420,12 +424,12 @@ static bool test_SetPassword2(struct torture_context *tctx, torture_comment(tctx, "Changing machine account password to '%s'\n", password); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -438,7 +442,7 @@ static bool test_SetPassword2(struct torture_context *tctx, /* now try a random password */ password = generate_random_str(tctx, 8); encode_pw_buffer(password_buf.data, password, STR_UNICODE); - creds_arcfour_crypt(creds, password_buf.data, 516); + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); @@ -446,12 +450,12 @@ static bool test_SetPassword2(struct torture_context *tctx, torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n"); torture_comment(tctx, "Changing machine account password to '%s'\n", password); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2 (2)"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } 
@@ -464,12 +468,12 @@ static bool test_SetPassword2(struct torture_context *tctx, torture_comment(tctx, "Changing machine account password to '%s' (same as previous run)\n", password); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -484,7 +488,7 @@ static bool test_SetPassword2(struct torture_context *tctx, /* now try a random stream of bytes for a password */ set_pw_in_buffer(password_buf.data, &new_random_pass); - creds_arcfour_crypt(creds, password_buf.data, 516); + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); @@ -492,12 +496,12 @@ static bool test_SetPassword2(struct torture_context *tctx, torture_comment(tctx, "Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n"); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } 
@@ -518,7 +522,7 @@ static bool test_GetPassword(struct torture_context *tctx, struct cli_credentials *machine_credentials) { struct netr_ServerPasswordGet r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_Authenticator credential; NTSTATUS status; struct netr_Authenticator return_authenticator; @@ -528,7 +532,7 @@ static bool test_GetPassword(struct torture_context *tctx, return false; } - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME); @@ -549,7 +553,7 @@ static bool test_GetTrustPasswords(struct torture_context *tctx, struct cli_credentials *machine_credentials) { struct netr_ServerTrustPasswordsGet r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_Authenticator credential; NTSTATUS status; struct netr_Authenticator return_authenticator; @@ -559,7 +563,7 @@ static bool test_GetTrustPasswords(struct torture_context *tctx, return false; } - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME); @@ -581,7 +585,7 @@ static bool test_GetTrustPasswords(struct torture_context *tctx, */ bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx, struct cli_credentials *credentials, - struct creds_CredentialState *creds) + struct netlogon_creds_CredentialState *creds) { NTSTATUS status; struct netr_LogonSamLogon r; 
@@ -647,14 +651,15 @@ bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx, for (i=2;i<3;i++) { ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.validation_level = i; status = dcerpc_netr_LogonSamLogon(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed"); - torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred), + torture_assert(tctx, netlogon_creds_client_check(creds, + &r.out.return_authenticator->cred), "Credential chaining failed"); } @@ -682,7 +687,7 @@ static bool test_SamLogon(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *credentials) { - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; if (!test_SetupCredentials(p, tctx, credentials, &creds)) { return false; @@ -703,7 +708,7 @@ static bool test_DatabaseSync(struct torture_context *tctx, { NTSTATUS status; struct netr_DatabaseSync r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS}; int i; struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; @@ -733,7 +738,7 @@ static bool test_DatabaseSync(struct torture_context *tctx, torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id); do { - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); r.in.credential = &credential; @@ -747,7 +752,7 @@ static bool test_DatabaseSync(struct torture_context *tctx, } torture_assert_ntstatus_ok(tctx, status, "DatabaseSync"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } 
@@ -777,7 +782,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx, { NTSTATUS status; struct netr_DatabaseDeltas r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_Authenticator credential; struct netr_Authenticator return_authenticator; struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; @@ -807,7 +812,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx, r.in.database_id, (unsigned long long)*r.in.sequence_num); do { - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_DatabaseDeltas(p, tctx, &r); if (NT_STATUS_EQUAL(status, @@ -821,7 +826,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, status, "DatabaseDeltas"); - if (!creds_client_check(creds, &return_authenticator.cred)) { + if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -838,7 +843,7 @@ static bool test_DatabaseRedo(struct torture_context *tctx, { NTSTATUS status; struct netr_DatabaseRedo r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_Authenticator credential; struct netr_Authenticator return_authenticator; struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; @@ -1300,7 +1305,7 @@ static bool test_DatabaseRedo(struct torture_context *tctx, continue; } - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); r.in.credential = &credential; @@ -1352,7 +1357,7 @@ static bool test_DatabaseRedo(struct torture_context *tctx, } } - if (!creds_client_check(creds, &return_authenticator.cred)) { + if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) { torture_comment(tctx, "Credential chaining failed\n"); if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) { return false; 
@@ -1374,7 +1379,7 @@ static bool test_AccountDeltas(struct torture_context *tctx, { NTSTATUS status; struct netr_AccountDeltas r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_AccountBuffer buffer; uint32_t count_returned = 0; @@ -1391,7 +1396,7 @@ static bool test_AccountDeltas(struct torture_context *tctx, r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computername = TEST_MACHINE_NAME; r.in.return_authenticator = &return_authenticator; - creds_client_authenticator(creds, &r.in.credential); + netlogon_creds_client_authenticator(creds, &r.in.credential); ZERO_STRUCT(r.in.uas); r.in.count=10; r.in.level=0; @@ -1417,7 +1422,7 @@ static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p { NTSTATUS status; struct netr_AccountSync r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_AccountBuffer buffer; uint32_t count_returned = 0; @@ -1436,7 +1441,7 @@ static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computername = TEST_MACHINE_NAME; r.in.return_authenticator = &return_authenticator; - creds_client_authenticator(creds, &r.in.credential); + netlogon_creds_client_authenticator(creds, &r.in.credential); r.in.recordid = &recordid; r.in.reference=0; r.in.level=0; @@ -1622,7 +1627,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx, struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; struct netr_Authenticator return_authenticator, credential; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; const uint32_t database_ids[] = {0, 1, 2}; int i; 
@@ -1653,7 +1658,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx, torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id); do { - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); r.in.credential = &credential; @@ -1668,7 +1673,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, status, "DatabaseSync2"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -2072,14 +2077,14 @@ static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx, struct samr_Password old_owf_password; struct netr_TrustInfo *trust_info; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, machine_credentials, &creds)) { return false; } - creds_client_authenticator(creds, &a); + netlogon_creds_client_authenticator(creds, &a); r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME); @@ -2094,7 +2099,7 @@ static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx, status = dcerpc_netr_ServerGetTrustInfo(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "failed"); - torture_assert(tctx, creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed"); + torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed"); return true; } 
@@ -2108,7 +2113,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, struct netr_LogonGetDomainInfo r; struct netr_DomainQuery1 q1; struct netr_Authenticator a; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; union netr_DomainInfo info; if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, @@ -2118,7 +2123,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, ZERO_STRUCT(r); - creds_client_authenticator(creds, &a); + netlogon_creds_client_authenticator(creds, &a); r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = TEST_MACHINE_NAME; @@ -2143,14 +2148,14 @@ static bool test_GetDomainInfo(struct torture_context *tctx, status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo"); - torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed"); + torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed"); torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call\n"); - creds_client_authenticator(creds, &a); + netlogon_creds_client_authenticator(creds, &a); status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo"); - torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed"); + torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed"); return true; } 
@@ -2173,8 +2178,8 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, struct netr_DomainQuery1 q1; struct netr_Authenticator a; #define ASYNC_COUNT 100 - struct creds_CredentialState *creds; - struct creds_CredentialState *creds_async[ASYNC_COUNT]; + struct netlogon_creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds_async[ASYNC_COUNT]; struct rpc_request *req[ASYNC_COUNT]; int i; int *async_counter = talloc(tctx, int); @@ -2210,9 +2215,9 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, *async_counter = 0; for (i=0;i<ASYNC_COUNT;i++) { - creds_client_authenticator(creds, &a); + netlogon_creds_client_authenticator(creds, &a); - creds_async[i] = (struct creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds)); + creds_async[i] = (struct netlogon_creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds)); req[i] = dcerpc_netr_LogonGetDomainInfo_send(p, tctx, &r); req[i]->async.callback = async_callback; @@ -2230,7 +2235,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async"); torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async"); - torture_assert(tctx, creds_client_check(creds_async[i], &a.cred), + torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred), "Credential chaining failed at async"); } diff --git a/source4/torture/rpc/netlogon.h b/source4/torture/rpc/netlogon.h index 92d366b46a..9038286ded 100644 --- a/source4/torture/rpc/netlogon.h +++ b/source4/torture/rpc/netlogon.h @@ -3,4 +3,4 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, uint32_t negotiate_flags, struct cli_credentials *machine_credentials, int sec_chan_type, - struct creds_CredentialState **creds_out); + struct netlogon_creds_CredentialState **creds_out); 
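Review bot: `talloc_memdup(creds, creds, sizeof(*creds))` in the ASYNC_COUNT loop is a byte-for-byte copy of the credential state; it was already a shallow copy before this change, but the state is now produced by netlogon_creds_client_init with account_name and computer_name, and if that initialiser keeps those (or any other talloc'd member) as pointers, every copy silently shares them with `creds` instead of owning them. That is only safe because each copy is a talloc child of `creds` and never outlives it, which the code does not state; a comment such as `/* shallow copy: shares any pointer members with creds, which outlives these copies */` would keep a later refactor from turning this into a use-after-free. If the credential library gains a proper copy helper, prefer it over the cast memdup. The enclosing function test_GetDomainInfo_async continues outside the hunk.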
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 53754e02af..6d638d1868 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -57,7 +57,7 @@ static bool test_PACVerify(struct torture_context *tctx, struct netr_Authenticator auth, auth2; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct gensec_security *gensec_client_context; struct gensec_security *gensec_server_context; @@ -149,7 +149,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); - creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; @@ -168,7 +168,7 @@ static bool test_PACVerify(struct torture_context *tctx, logon.generic = &generic; ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon = &logon; @@ -190,7 +190,7 @@ static bool test_PACVerify(struct torture_context *tctx, logon.generic = &generic; ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; 
@@ -203,7 +203,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert_ntstatus_equal(tctx, status, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed"); - torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred), + torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); /* This will break the parsing nicely (even in the crypto wrapping), check we get INVALID_PARAMETER */ @@ -212,7 +212,7 @@ static bool test_PACVerify(struct torture_context *tctx, logon.generic = &generic; ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; @@ -225,7 +225,8 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed"); - torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred), + torture_assert(tctx, netlogon_creds_client_check(creds, + &r.out.return_authenticator->cred), "Credential chaining failed"); pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; @@ -251,7 +252,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); - creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; 
@@ -259,7 +260,7 @@ static bool test_PACVerify(struct torture_context *tctx, logon.generic = &generic; ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; @@ -272,7 +273,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert_ntstatus_equal(tctx, status, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed"); - torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred), + torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; @@ -298,7 +299,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); - creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; @@ -306,7 +307,7 @@ static bool test_PACVerify(struct torture_context *tctx, logon.generic = &generic; ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; 
@@ -319,7 +320,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed"); - torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred), + torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); return true; } diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c index fe128fea52..e31135c0de 100644 --- a/source4/torture/rpc/samba3rpc.c +++ b/source4/torture/rpc/samba3rpc.c @@ -904,7 +904,7 @@ static bool auth2(struct smbcli_state *cli, struct netr_Credential netr_srv_creds; uint32_t negotiate_flags; struct netr_ServerAuthenticate2 a; - struct creds_CredentialState *creds_state; + struct netlogon_creds_CredentialState *creds_state; struct netr_Credential netr_cred; struct samr_Password mach_pw; @@ -958,11 +958,6 @@ static bool auth2(struct smbcli_state *cli, negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS; E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash); - creds_state = talloc(mem_ctx, struct creds_CredentialState); - creds_client_init(creds_state, r.in.credentials, - r.out.return_credentials, &mach_pw, - &netr_cred, negotiate_flags); - a.in.server_name = talloc_asprintf( mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe)); a.in.account_name = talloc_asprintf( @@ -974,6 +969,13 @@ static bool auth2(struct smbcli_state *cli, a.in.credentials = &netr_cred; a.out.return_credentials = &netr_cred; + creds_state = netlogon_creds_client_init(mem_ctx, + a.in.account_name, + a.in.computer_name, + r.in.credentials, + r.out.return_credentials, &mach_pw, + &netr_cred, negotiate_flags); + status = dcerpc_netr_ServerAuthenticate2(net_pipe, mem_ctx, &a); if (!NT_STATUS_IS_OK(status)) { d_printf("netr_ServerServerAuthenticate2 failed: %s\n", 
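Review bot: In the `@@ -974,6 +969,13 @@` hunk of samba3rpc.c the result of `netlogon_creds_client_init` is assigned to `creds_state` without a NULL check, and the function now returns allocated state rather than filling a caller-provided block; the same pattern appears in the `@@ -2171,6 +2168,14 @@` hunk of torture_samba3_rpc_randomauth2 below. On allocation failure `creds_state` is passed straight to `netlogon_creds_client_check` after the ServerAuthenticate2 call, which would dereference NULL instead of failing the test. A guard such as `if (creds_state == NULL) { d_printf("netlogon_creds_client_init failed\n"); goto done; }` directly after the call keeps the existing `goto done` cleanup path. The enclosing auth2 body continues outside the hunk.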
@@ -981,7 +983,7 @@ static bool auth2(struct smbcli_state *cli, goto done; } - if (!creds_client_check(creds_state, a.out.return_credentials)) { + if (!netlogon_creds_client_check(creds_state, a.out.return_credentials)) { d_printf("creds_client_check failed\n"); goto done; } @@ -1054,7 +1056,7 @@ static bool schan(struct smbcli_state *cli, for (i=2; i<4; i++) { int flags; DATA_BLOB chal, nt_resp, lm_resp, names_blob, session_key; - struct creds_CredentialState *creds_state; + struct netlogon_creds_CredentialState *creds_state; struct netr_Authenticator netr_auth, netr_auth2; struct netr_NetworkInfo ninfo; struct netr_PasswordInfo pinfo; @@ -1088,7 +1090,7 @@ static bool schan(struct smbcli_state *cli, } creds_state = cli_credentials_get_netlogon_creds(wks_creds); - creds_client_authenticator(creds_state, &netr_auth); + netlogon_creds_client_authenticator(creds_state, &netr_auth); ninfo.identity_info.account_name.string = cli_credentials_get_username(user_creds); @@ -1129,13 +1131,13 @@ static bool schan(struct smbcli_state *cli, } if ((r.out.return_authenticator == NULL) || - (!creds_client_check(creds_state, + (!netlogon_creds_client_check(creds_state, &r.out.return_authenticator->cred))) { d_printf("Credentials check failed!\n"); goto done; } - creds_client_authenticator(creds_state, &netr_auth); + netlogon_creds_client_authenticator(creds_state, &netr_auth); pinfo.identity_info = ninfo.identity_info; ZERO_STRUCT(pinfo.lmpassword.hash); @@ -1161,7 +1163,7 @@ static bool schan(struct smbcli_state *cli, } if ((r.out.return_authenticator == NULL) || - (!creds_client_check(creds_state, + (!netlogon_creds_client_check(creds_state, &r.out.return_authenticator->cred))) { d_printf("Credentials check failed!\n"); goto done; 
@@ -1171,7 +1173,7 @@ static bool schan(struct smbcli_state *cli, { struct netr_ServerPasswordSet s; char *password = generate_random_str(wks_creds, 8); - struct creds_CredentialState *creds_state; + struct netlogon_creds_CredentialState *creds_state; struct netr_Authenticator credential, return_authenticator; struct samr_Password new_password; @@ -1188,8 +1190,8 @@ static bool schan(struct smbcli_state *cli, E_md4hash(password, new_password.hash); creds_state = cli_credentials_get_netlogon_creds(wks_creds); - creds_des_encrypt(creds_state, &new_password); - creds_client_authenticator(creds_state, &credential); + netlogon_creds_des_encrypt(creds_state, &new_password); + netlogon_creds_client_authenticator(creds_state, &credential); status = dcerpc_netr_ServerPasswordSet(net_pipe, mem_ctx, &s); if (!NT_STATUS_IS_OK(status)) { @@ -1197,8 +1199,8 @@ static bool schan(struct smbcli_state *cli, goto done; } - if (!creds_client_check(creds_state, - &s.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds_state, + &s.out.return_authenticator->cred)) { printf("Credential chaining failed\n"); } @@ -2088,7 +2090,7 @@ bool torture_samba3_rpc_randomauth2(struct torture_context *torture) struct netr_Credential netr_srv_creds; uint32_t negotiate_flags; struct netr_ServerAuthenticate2 a; - struct creds_CredentialState *creds_state; + struct netlogon_creds_CredentialState *creds_state; struct netr_Credential netr_cred; struct samr_Password mach_pw; struct smbcli_state *cli; @@ -2155,11 +2157,6 @@ bool torture_samba3_rpc_randomauth2(struct torture_context *torture) negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS; E_md4hash("foobar", mach_pw.hash); - creds_state = talloc(mem_ctx, struct creds_CredentialState); - creds_client_init(creds_state, r.in.credentials, - r.out.return_credentials, &mach_pw, - &netr_cred, negotiate_flags); - a.in.server_name = talloc_asprintf( mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe)); a.in.account_name = talloc_asprintf( 
@@ -2171,6 +2168,14 @@ bool torture_samba3_rpc_randomauth2(struct torture_context *torture) a.in.credentials = &netr_cred; a.out.return_credentials = &netr_cred; + creds_state = netlogon_creds_client_init(mem_ctx, + a.in.account_name, + a.in.computer_name, + r.in.credentials, + r.out.return_credentials, &mach_pw, + &netr_cred, negotiate_flags); + + status = dcerpc_netr_ServerAuthenticate2(net_pipe, mem_ctx, &a); if (!NT_STATUS_EQUAL(status, NT_STATUS_NO_TRUST_SAM_ACCOUNT)) { diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index ce9bf5ea6e..8318930989 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -63,7 +63,7 @@ struct samlogon_state { struct netr_LogonSamLogonEx r_ex; struct netr_LogonSamLogonWithFlags r_flags; struct netr_Authenticator auth, auth2; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; NTSTATUS expected_error; bool old_password; /* Allow an old password to be accepted or rejected without error, as well as session key bugs */ DATA_BLOB chall; @@ -153,12 +153,12 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, switch (samlogon_state->function_level) { case NDR_NETR_LOGONSAMLOGON: ZERO_STRUCT(samlogon_state->auth2); - creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth); + netlogon_creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth); r->out.return_authenticator = NULL; status = dcerpc_netr_LogonSamLogon(samlogon_state->p, samlogon_state->mem_ctx, r); if (!r->out.return_authenticator || - !creds_client_check(samlogon_state->creds, &r->out.return_authenticator->cred)) { + !netlogon_creds_client_check(samlogon_state->creds, &r->out.return_authenticator->cred)) { d_printf("Credential chaining failed\n"); } if (!NT_STATUS_IS_OK(status)) { 
@@ -170,7 +170,7 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, validation_level = r->in.validation_level; - creds_decrypt_samlogon(samlogon_state->creds, validation_level, r->out.validation); + netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r->out.validation); switch (validation_level) { case 2: @@ -195,7 +195,7 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, validation_level = r_ex->in.validation_level; - creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_ex->out.validation); + netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_ex->out.validation); switch (validation_level) { case 2: @@ -211,12 +211,12 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, break; case NDR_NETR_LOGONSAMLOGONWITHFLAGS: ZERO_STRUCT(samlogon_state->auth2); - creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth); + netlogon_creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth); r_flags->out.return_authenticator = NULL; status = dcerpc_netr_LogonSamLogonWithFlags(samlogon_state->p, samlogon_state->mem_ctx, r_flags); if (!r_flags->out.return_authenticator || - !creds_client_check(samlogon_state->creds, &r_flags->out.return_authenticator->cred)) { + !netlogon_creds_client_check(samlogon_state->creds, &r_flags->out.return_authenticator->cred)) { d_printf("Credential chaining failed\n"); } if (!NT_STATUS_IS_OK(status)) { @@ -228,7 +228,7 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, validation_level = r_flags->in.validation_level; - creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_flags->out.validation); + netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_flags->out.validation); switch (validation_level) { case 2: 
@@ -1314,7 +1314,7 @@ static const struct ntlm_tests { */ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct torture_context *tctx, - struct creds_CredentialState *creds, + struct netlogon_creds_CredentialState *creds, const char *comment, const char *account_domain, const char *account_name, const char *plain_pass, uint32_t parameter_control, @@ -1429,7 +1429,7 @@ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, test an ADS style interactive domain logon */ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds, + struct netlogon_creds_CredentialState *creds, const char *comment, const char *workstation_name, const char *account_domain, const char *account_name, @@ -1454,7 +1454,7 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, ZERO_STRUCT(logon); ZERO_STRUCT(validation); - creds_client_authenticator(creds, &a); + netlogon_creds_client_authenticator(creds, &a); logon.password = &pinfo; 
@@ -1483,18 +1483,18 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, E_md4hash(plain_pass, pinfo.ntpassword.hash); if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16); - creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16); + netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16); + netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16); } else { - creds_des_encrypt(creds, &pinfo.lmpassword); - creds_des_encrypt(creds, &pinfo.ntpassword); + netlogon_creds_des_encrypt(creds, &pinfo.lmpassword); + netlogon_creds_des_encrypt(creds, &pinfo.ntpassword); } d_printf("Testing netr_LogonSamLogonWithFlags '%s' (Interactive Logon)\n", comment); status = dcerpc_netr_LogonSamLogonWithFlags(p, fn_ctx, &r); if (!r.out.return_authenticator - || !creds_client_check(creds, &r.out.return_authenticator->cred)) { + || !netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { d_printf("Credential chaining failed\n"); talloc_free(fn_ctx); return false; @@ -1540,7 +1540,7 @@ bool torture_rpc_samlogon(struct torture_context *torture) 0 /* yes, this is a valid flag, causes the use of DES */ }; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; test_machine_account = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME); /* We only need to join as a workstation here, and in future, diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index 8af9867528..7b4e85195b 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -2632,7 +2632,7 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_pipe *p, static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *tctx, struct cli_credentials *machine_credentials, struct cli_credentials *test_credentials, - struct creds_CredentialState *creds, + struct netlogon_creds_CredentialState *creds, NTSTATUS expected_result) { NTSTATUS status; 
@@ -2700,7 +2700,7 @@ static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *t d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string); ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.validation_level = 2; @@ -2712,7 +2712,7 @@ static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *t torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed"); } - torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred), + torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); return true; @@ -2724,7 +2724,7 @@ static bool test_SamLogon(struct torture_context *tctx, struct cli_credentials *test_credentials, NTSTATUS expected_result) { - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) { return false; diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c index 00798214f3..ee11ede83f 100644 --- a/source4/torture/rpc/samsync.c +++ b/source4/torture/rpc/samsync.c @@ -47,7 +47,7 @@ try a netlogon SamLogon */ static NTSTATUS test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds, + struct netlogon_creds_CredentialState *creds, const char *domain, const char *account_name, const char *workstation, struct samr_Password *lm_hash, 
@@ -100,13 +100,13 @@ static NTSTATUS test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.out.authoritative = &authoritative; ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.validation_level = 3; status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { printf("Credential chaining failed\n"); } @@ -123,8 +123,8 @@ struct samsync_state { const char *domain_name[2]; struct samsync_secret *secrets; struct samsync_trusted_domain *trusted_domains; - struct creds_CredentialState *creds; - struct creds_CredentialState *creds_netlogon_wksta; + struct netlogon_creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds_netlogon_wksta; struct policy_handle *connect_handle; struct policy_handle *domain_handle[2]; struct dom_sid *sid[2]; @@ -578,7 +578,7 @@ static bool samsync_handle_user(struct torture_context *tctx, TALLOC_CTX *mem_ct enum ndr_err_code ndr_err; data.data = user->user_private_info.SensitiveData; data.length = user->user_private_info.DataLength; - creds_arcfour_crypt(samsync_state->creds, data.data, data.length); + netlogon_creds_arcfour_crypt(samsync_state->creds, data.data, data.length); ndr_err = ndr_pull_struct_blob(&data, mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &keys, (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS); if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { if (keys.keys.keys2.lmpassword.length == 16) { 
@@ -843,10 +843,10 @@ static bool samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *sam DATA_BLOB lsa_blob1, lsa_blob_out, session_key; NTSTATUS status; - creds_arcfour_crypt(samsync_state->creds, secret->current_cipher.cipher_data, + netlogon_creds_arcfour_crypt(samsync_state->creds, secret->current_cipher.cipher_data, secret->current_cipher.maxlen); - creds_arcfour_crypt(samsync_state->creds, secret->old_cipher.cipher_data, + netlogon_creds_arcfour_crypt(samsync_state->creds, secret->old_cipher.cipher_data, secret->old_cipher.maxlen); nsec->name = talloc_reference(nsec, name); @@ -1182,7 +1182,7 @@ static bool test_DatabaseSync(struct torture_context *tctx, do { loop_ctx = talloc_named(mem_ctx, 0, "DatabaseSync loop context"); - creds_client_authenticator(samsync_state->creds, &credential); + netlogon_creds_client_authenticator(samsync_state->creds, &credential); r.in.credential = &credential; @@ -1194,7 +1194,7 @@ static bool test_DatabaseSync(struct torture_context *tctx, break; } - if (!creds_client_check(samsync_state->creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(samsync_state->creds, &r.out.return_authenticator->cred)) { printf("Credential chaining failed\n"); } @@ -1395,7 +1395,7 @@ static bool test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX do { loop_ctx = talloc_named(mem_ctx, 0, "test_DatabaseDeltas loop context"); - creds_client_authenticator(samsync_state->creds, &credential); + netlogon_creds_client_authenticator(samsync_state->creds, &credential); status = dcerpc_netr_DatabaseDeltas(samsync_state->p, loop_ctx, &r); if (!NT_STATUS_IS_OK(status) && @@ -1405,7 +1405,7 @@ static bool test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX ret = false; } - if (!creds_client_check(samsync_state->creds, &return_authenticator.cred)) { + if (!netlogon_creds_client_check(samsync_state->creds, &return_authenticator.cred)) { printf("Credential chaining failed\n"); } 
@@ -1422,7 +1422,7 @@ static bool test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX try a netlogon DatabaseSync2 */ static bool test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds) + struct netlogon_creds_CredentialState *creds) { NTSTATUS status; TALLOC_CTX *loop_ctx; @@ -1455,7 +1455,7 @@ static bool test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, do { loop_ctx = talloc_named(mem_ctx, 0, "test_DatabaseSync2 loop context"); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); r.in.credential = &credential; @@ -1466,7 +1466,7 @@ static bool test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, ret = false; } - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { printf("Credential chaining failed\n"); } diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index bc3cbeac3b..fc0087e4d3 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -43,7 +43,7 @@ */ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx, struct cli_credentials *credentials, - struct creds_CredentialState *creds) + struct netlogon_creds_CredentialState *creds) { NTSTATUS status; struct netr_LogonSamLogonEx r; @@ -259,7 +259,7 @@ static bool test_schannel(struct torture_context *tctx, struct dcerpc_pipe *p_netlogon3 = NULL; struct dcerpc_pipe *p_samr2 = NULL; struct dcerpc_pipe *p_lsa = NULL; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct cli_credentials *credentials; join_ctx = torture_join_domain(tctx, 
@@ -765,7 +765,7 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture) { struct netr_ServerPasswordSet pwset; char *password = generate_random_str(s->join_ctx1, 8); - struct creds_CredentialState *creds_state; + struct netlogon_creds_CredentialState *creds_state; struct dcerpc_pipe *net_pipe; struct netr_Authenticator credential, return_authenticator; struct samr_Password new_password; @@ -793,14 +793,14 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture) creds_state = cli_credentials_get_netlogon_creds( s->wks_creds1); - creds_des_encrypt(creds_state, &new_password); - creds_client_authenticator(creds_state, &credential); + netlogon_creds_des_encrypt(creds_state, &new_password); + netlogon_creds_client_authenticator(creds_state, &credential); status = dcerpc_netr_ServerPasswordSet(net_pipe, torture, &pwset); torture_assert_ntstatus_ok(torture, status, "ServerPasswordSet failed"); - if (!creds_client_check(creds_state, + if (!netlogon_creds_client_check(creds_state, &pwset.out.return_authenticator->cred)) { printf("Credential chaining failed\n"); } diff --git a/source4/torture/rpc/wkssvc.c b/source4/torture/rpc/wkssvc.c index 3c34229dff..06b1d05ee4 100644 --- a/source4/torture/rpc/wkssvc.c +++ b/source4/torture/rpc/wkssvc.c 
@@ -1148,43 +1148,6 @@ static bool test_NetrJoinDomain(struct torture_context *tctx, return true; } -/* encode a wkssvc_PasswordBuffer for remote joining/unjoining: - * - * similar to samr_CryptPasswordEx. Different: 8byte confounder (instead of - * 16byte), confounder in front of the 516 byte buffer (instead of after that - * buffer), calling MD5Update() first with session_key and then with confounder - * (vice versa in samr) - Guenther */ - -static void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx, - const char *pwd, - DATA_BLOB *session_key, - struct wkssvc_PasswordBuffer *pwd_buf) -{ - uint8_t buffer[516]; - struct MD5Context ctx; - - DATA_BLOB confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16); - - int confounder_len = 8; - uint8_t confounder[8]; - - encode_pw_buffer(buffer, pwd, STR_UNICODE); - - generate_random_buffer((uint8_t *)confounder, confounder_len); - - MD5Init(&ctx); - MD5Update(&ctx, session_key->data, session_key->length); - MD5Update(&ctx, confounder, confounder_len); - MD5Final(confounded_session_key.data, &ctx); - - arcfour_crypt_blob(buffer, 516, &confounded_session_key); - - memcpy(&pwd_buf->data[0], confounder, confounder_len); - memcpy(&pwd_buf->data[8], buffer, 516); - - data_blob_free(&confounded_session_key); -} - /* * prerequisites for remotely joining an unjoined XP SP2 workstation: * - firewall needs to be disabled (or open for ncacn_np access) @@ -1202,7 +1165,7 @@ static bool test_NetrJoinDomain2(struct torture_context *tctx, const char *domain_admin_account = NULL; const char *domain_admin_password = NULL; const char *domain_name = NULL; - struct wkssvc_PasswordBuffer pwd_buf; + struct wkssvc_PasswordBuffer *pwd_buf; enum wkssvc_NetJoinStatus join_status; const char *join_name = NULL; WERROR expected_err; 
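Review bot: In the `@@ -1202,7 +1165,7 @@` hunk `pwd_buf` becomes an uninitialised pointer, and the hunk that later does `r.in.encrypted_password = pwd_buf;` (and the matching one in test_NetrUnjoinDomain2) shows no check that it was populated; whatever now fills it — presumably an allocating encoder in libcli, since the static one is deleted here and the diffstat shows no change at the call site — is outside the hunks. Declaring it as `struct wkssvc_PasswordBuffer *pwd_buf = NULL;` and asserting it is non-NULL before the assignment would turn an encoder failure into a clear test failure rather than a NULL pointer on the wire. The deleted encoder also carried the only description of the format (8-byte confounder in front of the 516-byte buffer, MD5 over session key then confounder, the reverse of samr); if the replacement lacks that comment it should be carried over. The enclosing test_NetrJoinDomain2 body continues outside the hunk.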
@@ -1253,7 +1216,7 @@ static bool test_NetrJoinDomain2(struct torture_context *tctx, r.in.domain_name = domain_name; r.in.account_ou = NULL; r.in.admin_account = domain_admin_account; - r.in.encrypted_password = &pwd_buf; + r.in.encrypted_password = pwd_buf; r.in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE | WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; @@ -1286,7 +1249,7 @@ static bool test_NetrUnjoinDomain2(struct torture_context *tctx, struct wkssvc_NetrUnjoinDomain2 r; const char *domain_admin_account = NULL; const char *domain_admin_password = NULL; - struct wkssvc_PasswordBuffer pwd_buf; + struct wkssvc_PasswordBuffer *pwd_buf; enum wkssvc_NetJoinStatus join_status; const char *join_name = NULL; WERROR expected_err; @@ -1332,7 +1295,7 @@ static bool test_NetrUnjoinDomain2(struct torture_context *tctx, r.in.server_name = dcerpc_server_name(p); r.in.account = domain_admin_account; - r.in.encrypted_password = &pwd_buf; + r.in.encrypted_password = pwd_buf; r.in.unjoin_flags = 0; torture_comment(tctx, "testing NetrUnjoinDomain2 (assuming non-DC)\n"); |