summaryrefslogtreecommitdiff
path: root/source4/torture
diff options
context:
space:
mode:
Diffstat (limited to 'source4/torture')
-rw-r--r--source4/torture/config.mk2
-rw-r--r--source4/torture/rpc/dssync.c125
-rw-r--r--source4/torture/rpc/netlogon.c173
-rw-r--r--source4/torture/rpc/netlogon.h2
-rw-r--r--source4/torture/rpc/remote_pac.c27
-rw-r--r--source4/torture/rpc/samba3rpc.c51
-rw-r--r--source4/torture/rpc/samlogon.c34
-rw-r--r--source4/torture/rpc/samr.c8
-rw-r--r--source4/torture/rpc/samsync.c30
-rw-r--r--source4/torture/rpc/schannel.c12
-rw-r--r--source4/torture/rpc/wkssvc.c45
11 files changed, 188 insertions, 321 deletions
diff --git a/source4/torture/config.mk b/source4/torture/config.mk
index 895fef6174..bec2a064dc 100644
--- a/source4/torture/config.mk
+++ b/source4/torture/config.mk
@@ -111,7 +111,7 @@ PRIVATE_DEPENDENCIES = \
RPC_NDR_SRVSVC RPC_NDR_WKSSVC RPC_NDR_ROT RPC_NDR_DSSETUP \
RPC_NDR_REMACT RPC_NDR_OXIDRESOLVER RPC_NDR_NTSVCS WB_HELPER LIBSAMBA-NET \
LIBCLI_AUTH POPT_CREDENTIALS TORTURE_LDAP TORTURE_LDB TORTURE_UTIL TORTURE_RAP \
- dcerpc_server service process_model ntvfs SERVICE_SMB RPC_NDR_BROWSER
+ dcerpc_server service process_model ntvfs SERVICE_SMB RPC_NDR_BROWSER LIBCLI_DRSUAPI
torture_rpc_OBJ_FILES = $(addprefix $(torturesrcdir)/rpc/, \
join.o lsa.o lsa_lookup.o session_key.o echo.o dfs.o drsuapi.o \
diff --git a/source4/torture/rpc/dssync.c b/source4/torture/rpc/dssync.c
index 1aaf914ceb..b47564cc91 100644
--- a/source4/torture/rpc/dssync.c
+++ b/source4/torture/rpc/dssync.c
@@ -30,6 +30,7 @@
#include "torture/ldap/proto.h"
#include "libcli/auth/libcli_auth.h"
#include "../lib/crypto/crypto.h"
+#include "../libcli/drsuapi/drsuapi.h"
#include "auth/credentials/credentials.h"
#include "libcli/auth/libcli_auth.h"
#include "auth/gensec/gensec.h"
@@ -338,119 +339,6 @@ static bool test_GetInfo(struct torture_context *tctx, struct DsSyncTest *ctx)
return ret;
}
-static DATA_BLOB decrypt_blob(TALLOC_CTX *mem_ctx,
- const DATA_BLOB *gensec_skey,
- bool rcrypt,
- struct drsuapi_DsReplicaObjectIdentifier *id,
- uint32_t rid,
- const DATA_BLOB *buffer)
-{
- DATA_BLOB confounder;
- DATA_BLOB enc_buffer;
-
- struct MD5Context md5;
- uint8_t _enc_key[16];
- DATA_BLOB enc_key;
-
- DATA_BLOB dec_buffer;
-
- uint32_t crc32_given;
- uint32_t crc32_calc;
- DATA_BLOB checked_buffer;
-
- DATA_BLOB plain_buffer;
-
- /*
- * the combination "c[3] s[1] e[1] d[0]..."
- * was successful!!!!!!!!!!!!!!!!!!!!!!!!!!
- */
-
- /*
- * the first 16 bytes at the beginning are the confounder
- * followed by the 4 byte crc32 checksum
- */
- if (buffer->length < 20) {
- return data_blob_const(NULL, 0);
- }
- confounder = data_blob_const(buffer->data, 16);
- enc_buffer = data_blob_const(buffer->data + 16, buffer->length - 16);
-
- /*
- * build the encryption key md5 over the session key followed
- * by the confounder
- *
- * here the gensec session key is used and
- * not the dcerpc ncacn_ip_tcp "SystemLibraryDTC" key!
- */
- enc_key = data_blob_const(_enc_key, sizeof(_enc_key));
- MD5Init(&md5);
- MD5Update(&md5, gensec_skey->data, gensec_skey->length);
- MD5Update(&md5, confounder.data, confounder.length);
- MD5Final(enc_key.data, &md5);
-
- /*
- * copy the encrypted buffer part and
- * decrypt it using the created encryption key using arcfour
- */
- dec_buffer = data_blob_talloc(mem_ctx, enc_buffer.data, enc_buffer.length);
- if (!dec_buffer.data) {
- return data_blob_const(NULL, 0);
- }
- arcfour_crypt_blob(dec_buffer.data, dec_buffer.length, &enc_key);
-
- /*
- * the first 4 byte are the crc32 checksum
- * of the remaining bytes
- */
- crc32_given = IVAL(dec_buffer.data, 0);
- crc32_calc = crc32_calc_buffer(dec_buffer.data + 4 , dec_buffer.length - 4);
- if (crc32_given != crc32_calc) {
- DEBUG(0,("CRC32: given[0x%08X] calc[0x%08X]\n",
- crc32_given, crc32_calc));
- return data_blob_const(NULL, 0);
- }
- checked_buffer = data_blob_talloc(mem_ctx, dec_buffer.data + 4, dec_buffer.length - 4);
- if (!checked_buffer.data) {
- return data_blob_const(NULL, 0);
- }
-
- /*
- * some attributes seem to be in a usable form after this decryption
- * (supplementalCredentials, priorValue, currentValue, trustAuthOutgoing,
- * trustAuthIncoming, initialAuthOutgoing, initialAuthIncoming)
- * At least supplementalCredentials contains plaintext
- * like "Primary:Kerberos" (in unicode form)
- *
- * some attributes seem to have some additional encryption
- * dBCSPwd, unicodePwd, ntPwdHistory, lmPwdHistory
- *
- * it's the sam_rid_crypt() function, as the value is constant,
- * so it doesn't depend on sessionkeys.
- */
- if (rcrypt) {
- uint32_t i, num_hashes;
-
- if ((checked_buffer.length % 16) != 0) {
- return data_blob_const(NULL, 0);
- }
-
- plain_buffer = data_blob_talloc(mem_ctx, checked_buffer.data, checked_buffer.length);
- if (!plain_buffer.data) {
- return data_blob_const(NULL, 0);
- }
-
- num_hashes = plain_buffer.length / 16;
- for (i = 0; i < num_hashes; i++) {
- uint32_t offset = i * 16;
- sam_rid_crypt(rid, checked_buffer.data + offset, plain_buffer.data + offset, 0);
- }
- } else {
- plain_buffer = checked_buffer;
- }
-
- return plain_buffer;
-}
-
static void test_analyse_objects(struct torture_context *tctx,
struct DsSyncTest *ctx,
const DATA_BLOB *gensec_skey,
@@ -481,6 +369,7 @@ static void test_analyse_objects(struct torture_context *tctx,
}
for (i=0; i < cur->object.attribute_ctr.num_attributes; i++) {
+ WERROR werr;
const char *name = NULL;
bool rcrypt = false;
DATA_BLOB *enc_data = NULL;
@@ -549,9 +438,13 @@ static void test_analyse_objects(struct torture_context *tctx,
enc_data = attr->value_ctr.values[0].blob;
ZERO_STRUCT(plain_data);
- plain_data = decrypt_blob(ctx, gensec_skey, rcrypt,
- cur->object.identifier, rid,
- enc_data);
+ werr = drsuapi_decrypt_attribute_value(ctx, gensec_skey, rcrypt,
+ rid,
+ enc_data, &plain_data);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0, ("Failed to decrypt %s\n", name));
+ continue;
+ }
if (!dn_printed) {
object_id++;
DEBUG(0,("DN[%u] %s\n", object_id, dn));
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index ad94add071..23443cc9d1 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -77,13 +77,13 @@ static bool test_LogonUasLogoff(struct torture_context *tctx,
bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
struct cli_credentials *credentials,
- struct creds_CredentialState **creds_out)
+ struct netlogon_creds_CredentialState **creds_out)
{
NTSTATUS status;
struct netr_ServerReqChallenge r;
struct netr_ServerAuthenticate a;
struct netr_Credential credentials1, credentials2, credentials3;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
const struct samr_Password *mach_password;
const char *machine_name;
@@ -92,9 +92,6 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
torture_comment(tctx, "Testing ServerReqChallenge\n");
- creds = talloc(tctx, struct creds_CredentialState);
- torture_assert(tctx, creds != NULL, "memory allocation");
-
r.in.server_name = NULL;
r.in.computer_name = machine_name;
r.in.credentials = &credentials1;
@@ -112,9 +109,13 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
a.in.credentials = &credentials3;
a.out.return_credentials = &credentials3;
- creds_client_init(creds, &credentials1, &credentials2,
- mach_password, &credentials3,
- 0);
+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
+ a.in.computer_name,
+ &credentials1, &credentials2,
+ mach_password, &credentials3,
+ 0);
+ torture_assert(tctx, creds != NULL, "memory allocation");
+
torture_comment(tctx, "Testing ServerAuthenticate\n");
@@ -128,7 +129,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate");
- torture_assert(tctx, creds_client_check(creds, &credentials3),
+ torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
"Credential chaining failed");
*creds_out = creds;
@@ -139,13 +140,13 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
uint32_t negotiate_flags,
struct cli_credentials *machine_credentials,
int sec_chan_type,
- struct creds_CredentialState **creds_out)
+ struct netlogon_creds_CredentialState **creds_out)
{
NTSTATUS status;
struct netr_ServerReqChallenge r;
struct netr_ServerAuthenticate2 a;
struct netr_Credential credentials1, credentials2, credentials3;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
const struct samr_Password *mach_password;
const char *machine_name;
@@ -154,8 +155,6 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
torture_comment(tctx, "Testing ServerReqChallenge\n");
- creds = talloc(tctx, struct creds_CredentialState);
- torture_assert(tctx, creds != NULL, "memory allocation");
r.in.server_name = NULL;
r.in.computer_name = machine_name;
@@ -176,16 +175,20 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
a.in.credentials = &credentials3;
a.out.return_credentials = &credentials3;
- creds_client_init(creds, &credentials1, &credentials2,
- mach_password, &credentials3,
- negotiate_flags);
+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
+ a.in.computer_name,
+ &credentials1, &credentials2,
+ mach_password, &credentials3,
+ negotiate_flags);
+
+ torture_assert(tctx, creds != NULL, "memory allocation");
torture_comment(tctx, "Testing ServerAuthenticate2\n");
status = dcerpc_netr_ServerAuthenticate2(p, tctx, &a);
torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate2");
- torture_assert(tctx, creds_client_check(creds, &credentials3),
+ torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3),
"Credential chaining failed");
torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
@@ -198,13 +201,13 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx,
uint32_t negotiate_flags,
struct cli_credentials *machine_credentials,
- struct creds_CredentialState **creds_out)
+ struct netlogon_creds_CredentialState **creds_out)
{
NTSTATUS status;
struct netr_ServerReqChallenge r;
struct netr_ServerAuthenticate3 a;
struct netr_Credential credentials1, credentials2, credentials3;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
struct samr_Password mach_password;
uint32_t rid;
const char *machine_name;
@@ -215,9 +218,6 @@ static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context
torture_comment(tctx, "Testing ServerReqChallenge\n");
- creds = talloc(tctx, struct creds_CredentialState);
- torture_assert(tctx, creds != NULL, "memory allocation");
-
r.in.server_name = NULL;
r.in.computer_name = machine_name;
r.in.credentials = &credentials1;
@@ -240,15 +240,19 @@ static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context
a.out.negotiate_flags = &negotiate_flags;
a.out.rid = &rid;
- creds_client_init(creds, &credentials1, &credentials2,
- &mach_password, &credentials3,
- negotiate_flags);
+ creds = netlogon_creds_client_init(tctx, a.in.account_name,
+ a.in.computer_name,
+ &credentials1, &credentials2,
+ &mach_password, &credentials3,
+ negotiate_flags);
+
+ torture_assert(tctx, creds != NULL, "memory allocation");
torture_comment(tctx, "Testing ServerAuthenticate3\n");
status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a);
torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3");
- torture_assert(tctx, creds_client_check(creds, &credentials3), "Credential chaining failed");
+ torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags);
@@ -270,7 +274,7 @@ static bool test_SetPassword(struct torture_context *tctx,
NTSTATUS status;
struct netr_ServerPasswordSet r;
const char *password;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
struct netr_Authenticator credential, return_authenticator;
struct samr_Password new_password;
@@ -289,18 +293,18 @@ static bool test_SetPassword(struct torture_context *tctx,
password = generate_random_str(tctx, 8);
E_md4hash(password, new_password.hash);
- creds_des_encrypt(creds, &new_password);
+ netlogon_creds_des_encrypt(creds, &new_password);
torture_comment(tctx, "Testing ServerPasswordSet on machine account\n");
torture_comment(tctx, "Changing machine account password to '%s'\n",
password);
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet");
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
torture_comment(tctx, "Credential chaining failed\n");
}
@@ -313,12 +317,12 @@ static bool test_SetPassword(struct torture_context *tctx,
torture_comment(tctx,
"Changing machine account password to '%s' (same as previous run)\n", password);
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
status = dcerpc_netr_ServerPasswordSet(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)");
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
torture_comment(tctx, "Credential chaining failed\n");
}
@@ -360,7 +364,7 @@ static bool test_SetPassword2(struct torture_context *tctx,
struct netr_ServerPasswordSet2 r;
const char *password;
DATA_BLOB new_random_pass;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
struct samr_CryptPassword password_buf;
struct samr_Password nt_hash;
struct netr_Authenticator credential, return_authenticator;
@@ -380,7 +384,7 @@ static bool test_SetPassword2(struct torture_context *tctx,
password = generate_random_str(tctx, 8);
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
- creds_arcfour_crypt(creds, password_buf.data, 516);
+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
@@ -388,12 +392,12 @@ static bool test_SetPassword2(struct torture_context *tctx,
torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n");
torture_comment(tctx, "Changing machine account password to '%s'\n", password);
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
torture_comment(tctx, "Credential chaining failed\n");
}
@@ -410,7 +414,7 @@ static bool test_SetPassword2(struct torture_context *tctx,
*/
password = "";
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
- creds_arcfour_crypt(creds, password_buf.data, 516);
+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
@@ -420,12 +424,12 @@ static bool test_SetPassword2(struct torture_context *tctx,
torture_comment(tctx,
"Changing machine account password to '%s'\n", password);
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2");
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
torture_comment(tctx, "Credential chaining failed\n");
}
@@ -438,7 +442,7 @@ static bool test_SetPassword2(struct torture_context *tctx,
/* now try a random password */
password = generate_random_str(tctx, 8);
encode_pw_buffer(password_buf.data, password, STR_UNICODE);
- creds_arcfour_crypt(creds, password_buf.data, 516);
+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
@@ -446,12 +450,12 @@ static bool test_SetPassword2(struct torture_context *tctx,
torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n");
torture_comment(tctx, "Changing machine account password to '%s'\n", password);
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2 (2)");
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
torture_comment(tctx, "Credential chaining failed\n");
}
@@ -464,12 +468,12 @@ static bool test_SetPassword2(struct torture_context *tctx,
torture_comment(tctx,
"Changing machine account password to '%s' (same as previous run)\n", password);
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
torture_comment(tctx, "Credential chaining failed\n");
}
@@ -484,7 +488,7 @@ static bool test_SetPassword2(struct torture_context *tctx,
/* now try a random stream of bytes for a password */
set_pw_in_buffer(password_buf.data, &new_random_pass);
- creds_arcfour_crypt(creds, password_buf.data, 516);
+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
memcpy(new_password.data, password_buf.data, 512);
new_password.length = IVAL(password_buf.data, 512);
@@ -492,12 +496,12 @@ static bool test_SetPassword2(struct torture_context *tctx,
torture_comment(tctx,
"Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n");
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)");
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
torture_comment(tctx, "Credential chaining failed\n");
}
@@ -518,7 +522,7 @@ static bool test_GetPassword(struct torture_context *tctx,
struct cli_credentials *machine_credentials)
{
struct netr_ServerPasswordGet r;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
struct netr_Authenticator credential;
NTSTATUS status;
struct netr_Authenticator return_authenticator;
@@ -528,7 +532,7 @@ static bool test_GetPassword(struct torture_context *tctx,
return false;
}
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
@@ -549,7 +553,7 @@ static bool test_GetTrustPasswords(struct torture_context *tctx,
struct cli_credentials *machine_credentials)
{
struct netr_ServerTrustPasswordsGet r;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
struct netr_Authenticator credential;
NTSTATUS status;
struct netr_Authenticator return_authenticator;
@@ -559,7 +563,7 @@ static bool test_GetTrustPasswords(struct torture_context *tctx,
return false;
}
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
@@ -581,7 +585,7 @@ static bool test_GetTrustPasswords(struct torture_context *tctx,
*/
bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
struct cli_credentials *credentials,
- struct creds_CredentialState *creds)
+ struct netlogon_creds_CredentialState *creds)
{
NTSTATUS status;
struct netr_LogonSamLogon r;
@@ -647,14 +651,15 @@ bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
for (i=2;i<3;i++) {
ZERO_STRUCT(auth2);
- creds_client_authenticator(creds, &auth);
+ netlogon_creds_client_authenticator(creds, &auth);
r.in.validation_level = i;
status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
- torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred),
+ torture_assert(tctx, netlogon_creds_client_check(creds,
+ &r.out.return_authenticator->cred),
"Credential chaining failed");
}
@@ -682,7 +687,7 @@ static bool test_SamLogon(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct cli_credentials *credentials)
{
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
if (!test_SetupCredentials(p, tctx, credentials, &creds)) {
return false;
@@ -703,7 +708,7 @@ static bool test_DatabaseSync(struct torture_context *tctx,
{
NTSTATUS status;
struct netr_DatabaseSync r;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
int i;
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
@@ -733,7 +738,7 @@ static bool test_DatabaseSync(struct torture_context *tctx,
torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id);
do {
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
r.in.credential = &credential;
@@ -747,7 +752,7 @@ static bool test_DatabaseSync(struct torture_context *tctx,
}
torture_assert_ntstatus_ok(tctx, status, "DatabaseSync");
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
torture_comment(tctx, "Credential chaining failed\n");
}
@@ -777,7 +782,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx,
{
NTSTATUS status;
struct netr_DatabaseDeltas r;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
struct netr_Authenticator credential;
struct netr_Authenticator return_authenticator;
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
@@ -807,7 +812,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx,
r.in.database_id, (unsigned long long)*r.in.sequence_num);
do {
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
status = dcerpc_netr_DatabaseDeltas(p, tctx, &r);
if (NT_STATUS_EQUAL(status,
@@ -821,7 +826,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx,
torture_assert_ntstatus_ok(tctx, status, "DatabaseDeltas");
- if (!creds_client_check(creds, &return_authenticator.cred)) {
+ if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
torture_comment(tctx, "Credential chaining failed\n");
}
@@ -838,7 +843,7 @@ static bool test_DatabaseRedo(struct torture_context *tctx,
{
NTSTATUS status;
struct netr_DatabaseRedo r;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
struct netr_Authenticator credential;
struct netr_Authenticator return_authenticator;
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
@@ -1300,7 +1305,7 @@ static bool test_DatabaseRedo(struct torture_context *tctx,
continue;
}
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
r.in.credential = &credential;
@@ -1352,7 +1357,7 @@ static bool test_DatabaseRedo(struct torture_context *tctx,
}
}
- if (!creds_client_check(creds, &return_authenticator.cred)) {
+ if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) {
torture_comment(tctx, "Credential chaining failed\n");
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
return false;
@@ -1374,7 +1379,7 @@ static bool test_AccountDeltas(struct torture_context *tctx,
{
NTSTATUS status;
struct netr_AccountDeltas r;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
struct netr_AccountBuffer buffer;
uint32_t count_returned = 0;
@@ -1391,7 +1396,7 @@ static bool test_AccountDeltas(struct torture_context *tctx,
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.computername = TEST_MACHINE_NAME;
r.in.return_authenticator = &return_authenticator;
- creds_client_authenticator(creds, &r.in.credential);
+ netlogon_creds_client_authenticator(creds, &r.in.credential);
ZERO_STRUCT(r.in.uas);
r.in.count=10;
r.in.level=0;
@@ -1417,7 +1422,7 @@ static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p
{
NTSTATUS status;
struct netr_AccountSync r;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
struct netr_AccountBuffer buffer;
uint32_t count_returned = 0;
@@ -1436,7 +1441,7 @@ static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p
r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.computername = TEST_MACHINE_NAME;
r.in.return_authenticator = &return_authenticator;
- creds_client_authenticator(creds, &r.in.credential);
+ netlogon_creds_client_authenticator(creds, &r.in.credential);
r.in.recordid = &recordid;
r.in.reference=0;
r.in.level=0;
@@ -1622,7 +1627,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx,
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
struct netr_Authenticator return_authenticator, credential;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
const uint32_t database_ids[] = {0, 1, 2};
int i;
@@ -1653,7 +1658,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx,
torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id);
do {
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
r.in.credential = &credential;
@@ -1668,7 +1673,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx,
torture_assert_ntstatus_ok(tctx, status, "DatabaseSync2");
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
torture_comment(tctx, "Credential chaining failed\n");
}
@@ -2072,14 +2077,14 @@ static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
struct samr_Password old_owf_password;
struct netr_TrustInfo *trust_info;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
machine_credentials, &creds)) {
return false;
}
- creds_client_authenticator(creds, &a);
+ netlogon_creds_client_authenticator(creds, &a);
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME);
@@ -2094,7 +2099,7 @@ static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
status = dcerpc_netr_ServerGetTrustInfo(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "failed");
- torture_assert(tctx, creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
+ torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
return true;
}
@@ -2108,7 +2113,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
struct netr_LogonGetDomainInfo r;
struct netr_DomainQuery1 q1;
struct netr_Authenticator a;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
union netr_DomainInfo info;
if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
@@ -2118,7 +2123,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
ZERO_STRUCT(r);
- creds_client_authenticator(creds, &a);
+ netlogon_creds_client_authenticator(creds, &a);
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.computer_name = TEST_MACHINE_NAME;
@@ -2143,14 +2148,14 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
- torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
+ torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call\n");
- creds_client_authenticator(creds, &a);
+ netlogon_creds_client_authenticator(creds, &a);
status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo");
- torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed");
+ torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed");
return true;
}
@@ -2173,8 +2178,8 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
struct netr_DomainQuery1 q1;
struct netr_Authenticator a;
#define ASYNC_COUNT 100
- struct creds_CredentialState *creds;
- struct creds_CredentialState *creds_async[ASYNC_COUNT];
+ struct netlogon_creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds_async[ASYNC_COUNT];
struct rpc_request *req[ASYNC_COUNT];
int i;
int *async_counter = talloc(tctx, int);
@@ -2210,9 +2215,9 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
*async_counter = 0;
for (i=0;i<ASYNC_COUNT;i++) {
- creds_client_authenticator(creds, &a);
+ netlogon_creds_client_authenticator(creds, &a);
- creds_async[i] = (struct creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
+ creds_async[i] = (struct netlogon_creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds));
req[i] = dcerpc_netr_LogonGetDomainInfo_send(p, tctx, &r);
req[i]->async.callback = async_callback;
@@ -2230,7 +2235,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async");
torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async");
- torture_assert(tctx, creds_client_check(creds_async[i], &a.cred),
+ torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred),
"Credential chaining failed at async");
}
diff --git a/source4/torture/rpc/netlogon.h b/source4/torture/rpc/netlogon.h
index 92d366b46a..9038286ded 100644
--- a/source4/torture/rpc/netlogon.h
+++ b/source4/torture/rpc/netlogon.h
@@ -3,4 +3,4 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx,
uint32_t negotiate_flags,
struct cli_credentials *machine_credentials,
int sec_chan_type,
- struct creds_CredentialState **creds_out);
+ struct netlogon_creds_CredentialState **creds_out);
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 53754e02af..6d638d1868 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -57,7 +57,7 @@ static bool test_PACVerify(struct torture_context *tctx,
struct netr_Authenticator auth, auth2;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
struct gensec_security *gensec_client_context;
struct gensec_security *gensec_server_context;
@@ -149,7 +149,7 @@ static bool test_PACVerify(struct torture_context *tctx,
torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
- creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
+ netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
generic.length = pac_wrapped.length;
generic.data = pac_wrapped.data;
@@ -168,7 +168,7 @@ static bool test_PACVerify(struct torture_context *tctx,
logon.generic = &generic;
ZERO_STRUCT(auth2);
- creds_client_authenticator(creds, &auth);
+ netlogon_creds_client_authenticator(creds, &auth);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon = &logon;
@@ -190,7 +190,7 @@ static bool test_PACVerify(struct torture_context *tctx,
logon.generic = &generic;
ZERO_STRUCT(auth2);
- creds_client_authenticator(creds, &auth);
+ netlogon_creds_client_authenticator(creds, &auth);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = NetlogonGenericInformation;
@@ -203,7 +203,7 @@ static bool test_PACVerify(struct torture_context *tctx,
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed");
- torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred),
+ torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
"Credential chaining failed");
/* This will break the parsing nicely (even in the crypto wrapping), check we get INVALID_PARAMETER */
@@ -212,7 +212,7 @@ static bool test_PACVerify(struct torture_context *tctx,
logon.generic = &generic;
ZERO_STRUCT(auth2);
- creds_client_authenticator(creds, &auth);
+ netlogon_creds_client_authenticator(creds, &auth);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = NetlogonGenericInformation;
@@ -225,7 +225,8 @@ static bool test_PACVerify(struct torture_context *tctx,
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed");
- torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred),
+ torture_assert(tctx, netlogon_creds_client_check(creds,
+ &r.out.return_authenticator->cred),
"Credential chaining failed");
pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length;
@@ -251,7 +252,7 @@ static bool test_PACVerify(struct torture_context *tctx,
torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
- creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
+ netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
generic.length = pac_wrapped.length;
generic.data = pac_wrapped.data;
@@ -259,7 +260,7 @@ static bool test_PACVerify(struct torture_context *tctx,
logon.generic = &generic;
ZERO_STRUCT(auth2);
- creds_client_authenticator(creds, &auth);
+ netlogon_creds_client_authenticator(creds, &auth);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = NetlogonGenericInformation;
@@ -272,7 +273,7 @@ static bool test_PACVerify(struct torture_context *tctx,
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed");
- torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred),
+ torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
"Credential chaining failed");
pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length;
@@ -298,7 +299,7 @@ static bool test_PACVerify(struct torture_context *tctx,
torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
- creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
+ netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
generic.length = pac_wrapped.length;
generic.data = pac_wrapped.data;
@@ -306,7 +307,7 @@ static bool test_PACVerify(struct torture_context *tctx,
logon.generic = &generic;
ZERO_STRUCT(auth2);
- creds_client_authenticator(creds, &auth);
+ netlogon_creds_client_authenticator(creds, &auth);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = NetlogonGenericInformation;
@@ -319,7 +320,7 @@ static bool test_PACVerify(struct torture_context *tctx,
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed");
- torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred),
+ torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
"Credential chaining failed");
return true;
}
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index fe128fea52..e31135c0de 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -904,7 +904,7 @@ static bool auth2(struct smbcli_state *cli,
struct netr_Credential netr_srv_creds;
uint32_t negotiate_flags;
struct netr_ServerAuthenticate2 a;
- struct creds_CredentialState *creds_state;
+ struct netlogon_creds_CredentialState *creds_state;
struct netr_Credential netr_cred;
struct samr_Password mach_pw;
@@ -958,11 +958,6 @@ static bool auth2(struct smbcli_state *cli,
negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
- creds_state = talloc(mem_ctx, struct creds_CredentialState);
- creds_client_init(creds_state, r.in.credentials,
- r.out.return_credentials, &mach_pw,
- &netr_cred, negotiate_flags);
-
a.in.server_name = talloc_asprintf(
mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
a.in.account_name = talloc_asprintf(
@@ -974,6 +969,13 @@ static bool auth2(struct smbcli_state *cli,
a.in.credentials = &netr_cred;
a.out.return_credentials = &netr_cred;
+ creds_state = netlogon_creds_client_init(mem_ctx,
+ a.in.account_name,
+ a.in.computer_name,
+ r.in.credentials,
+ r.out.return_credentials, &mach_pw,
+ &netr_cred, negotiate_flags);
+
status = dcerpc_netr_ServerAuthenticate2(net_pipe, mem_ctx, &a);
if (!NT_STATUS_IS_OK(status)) {
d_printf("netr_ServerServerAuthenticate2 failed: %s\n",
@@ -981,7 +983,7 @@ static bool auth2(struct smbcli_state *cli,
goto done;
}
- if (!creds_client_check(creds_state, a.out.return_credentials)) {
+ if (!netlogon_creds_client_check(creds_state, a.out.return_credentials)) {
d_printf("creds_client_check failed\n");
goto done;
}
@@ -1054,7 +1056,7 @@ static bool schan(struct smbcli_state *cli,
for (i=2; i<4; i++) {
int flags;
DATA_BLOB chal, nt_resp, lm_resp, names_blob, session_key;
- struct creds_CredentialState *creds_state;
+ struct netlogon_creds_CredentialState *creds_state;
struct netr_Authenticator netr_auth, netr_auth2;
struct netr_NetworkInfo ninfo;
struct netr_PasswordInfo pinfo;
@@ -1088,7 +1090,7 @@ static bool schan(struct smbcli_state *cli,
}
creds_state = cli_credentials_get_netlogon_creds(wks_creds);
- creds_client_authenticator(creds_state, &netr_auth);
+ netlogon_creds_client_authenticator(creds_state, &netr_auth);
ninfo.identity_info.account_name.string =
cli_credentials_get_username(user_creds);
@@ -1129,13 +1131,13 @@ static bool schan(struct smbcli_state *cli,
}
if ((r.out.return_authenticator == NULL) ||
- (!creds_client_check(creds_state,
+ (!netlogon_creds_client_check(creds_state,
&r.out.return_authenticator->cred))) {
d_printf("Credentials check failed!\n");
goto done;
}
- creds_client_authenticator(creds_state, &netr_auth);
+ netlogon_creds_client_authenticator(creds_state, &netr_auth);
pinfo.identity_info = ninfo.identity_info;
ZERO_STRUCT(pinfo.lmpassword.hash);
@@ -1161,7 +1163,7 @@ static bool schan(struct smbcli_state *cli,
}
if ((r.out.return_authenticator == NULL) ||
- (!creds_client_check(creds_state,
+ (!netlogon_creds_client_check(creds_state,
&r.out.return_authenticator->cred))) {
d_printf("Credentials check failed!\n");
goto done;
@@ -1171,7 +1173,7 @@ static bool schan(struct smbcli_state *cli,
{
struct netr_ServerPasswordSet s;
char *password = generate_random_str(wks_creds, 8);
- struct creds_CredentialState *creds_state;
+ struct netlogon_creds_CredentialState *creds_state;
struct netr_Authenticator credential, return_authenticator;
struct samr_Password new_password;
@@ -1188,8 +1190,8 @@ static bool schan(struct smbcli_state *cli,
E_md4hash(password, new_password.hash);
creds_state = cli_credentials_get_netlogon_creds(wks_creds);
- creds_des_encrypt(creds_state, &new_password);
- creds_client_authenticator(creds_state, &credential);
+ netlogon_creds_des_encrypt(creds_state, &new_password);
+ netlogon_creds_client_authenticator(creds_state, &credential);
status = dcerpc_netr_ServerPasswordSet(net_pipe, mem_ctx, &s);
if (!NT_STATUS_IS_OK(status)) {
@@ -1197,8 +1199,8 @@ static bool schan(struct smbcli_state *cli,
goto done;
}
- if (!creds_client_check(creds_state,
- &s.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds_state,
+ &s.out.return_authenticator->cred)) {
printf("Credential chaining failed\n");
}
@@ -2088,7 +2090,7 @@ bool torture_samba3_rpc_randomauth2(struct torture_context *torture)
struct netr_Credential netr_srv_creds;
uint32_t negotiate_flags;
struct netr_ServerAuthenticate2 a;
- struct creds_CredentialState *creds_state;
+ struct netlogon_creds_CredentialState *creds_state;
struct netr_Credential netr_cred;
struct samr_Password mach_pw;
struct smbcli_state *cli;
@@ -2155,11 +2157,6 @@ bool torture_samba3_rpc_randomauth2(struct torture_context *torture)
negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
E_md4hash("foobar", mach_pw.hash);
- creds_state = talloc(mem_ctx, struct creds_CredentialState);
- creds_client_init(creds_state, r.in.credentials,
- r.out.return_credentials, &mach_pw,
- &netr_cred, negotiate_flags);
-
a.in.server_name = talloc_asprintf(
mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe));
a.in.account_name = talloc_asprintf(
@@ -2171,6 +2168,14 @@ bool torture_samba3_rpc_randomauth2(struct torture_context *torture)
a.in.credentials = &netr_cred;
a.out.return_credentials = &netr_cred;
+ creds_state = netlogon_creds_client_init(mem_ctx,
+ a.in.account_name,
+ a.in.computer_name,
+ r.in.credentials,
+ r.out.return_credentials, &mach_pw,
+ &netr_cred, negotiate_flags);
+
+
status = dcerpc_netr_ServerAuthenticate2(net_pipe, mem_ctx, &a);
if (!NT_STATUS_EQUAL(status, NT_STATUS_NO_TRUST_SAM_ACCOUNT)) {
diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
index ce9bf5ea6e..8318930989 100644
--- a/source4/torture/rpc/samlogon.c
+++ b/source4/torture/rpc/samlogon.c
@@ -63,7 +63,7 @@ struct samlogon_state {
struct netr_LogonSamLogonEx r_ex;
struct netr_LogonSamLogonWithFlags r_flags;
struct netr_Authenticator auth, auth2;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
NTSTATUS expected_error;
bool old_password; /* Allow an old password to be accepted or rejected without error, as well as session key bugs */
DATA_BLOB chall;
@@ -153,12 +153,12 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
switch (samlogon_state->function_level) {
case NDR_NETR_LOGONSAMLOGON:
ZERO_STRUCT(samlogon_state->auth2);
- creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth);
+ netlogon_creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth);
r->out.return_authenticator = NULL;
status = dcerpc_netr_LogonSamLogon(samlogon_state->p, samlogon_state->mem_ctx, r);
if (!r->out.return_authenticator ||
- !creds_client_check(samlogon_state->creds, &r->out.return_authenticator->cred)) {
+ !netlogon_creds_client_check(samlogon_state->creds, &r->out.return_authenticator->cred)) {
d_printf("Credential chaining failed\n");
}
if (!NT_STATUS_IS_OK(status)) {
@@ -170,7 +170,7 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
validation_level = r->in.validation_level;
- creds_decrypt_samlogon(samlogon_state->creds, validation_level, r->out.validation);
+ netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r->out.validation);
switch (validation_level) {
case 2:
@@ -195,7 +195,7 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
validation_level = r_ex->in.validation_level;
- creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_ex->out.validation);
+ netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_ex->out.validation);
switch (validation_level) {
case 2:
@@ -211,12 +211,12 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
break;
case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
ZERO_STRUCT(samlogon_state->auth2);
- creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth);
+ netlogon_creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth);
r_flags->out.return_authenticator = NULL;
status = dcerpc_netr_LogonSamLogonWithFlags(samlogon_state->p, samlogon_state->mem_ctx, r_flags);
if (!r_flags->out.return_authenticator ||
- !creds_client_check(samlogon_state->creds, &r_flags->out.return_authenticator->cred)) {
+ !netlogon_creds_client_check(samlogon_state->creds, &r_flags->out.return_authenticator->cred)) {
d_printf("Credential chaining failed\n");
}
if (!NT_STATUS_IS_OK(status)) {
@@ -228,7 +228,7 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
validation_level = r_flags->in.validation_level;
- creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_flags->out.validation);
+ netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_flags->out.validation);
switch (validation_level) {
case 2:
@@ -1314,7 +1314,7 @@ static const struct ntlm_tests {
*/
static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct torture_context *tctx,
- struct creds_CredentialState *creds,
+ struct netlogon_creds_CredentialState *creds,
const char *comment,
const char *account_domain, const char *account_name,
const char *plain_pass, uint32_t parameter_control,
@@ -1429,7 +1429,7 @@ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
test an ADS style interactive domain logon
*/
bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
- struct creds_CredentialState *creds,
+ struct netlogon_creds_CredentialState *creds,
const char *comment,
const char *workstation_name,
const char *account_domain, const char *account_name,
@@ -1454,7 +1454,7 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
ZERO_STRUCT(logon);
ZERO_STRUCT(validation);
- creds_client_authenticator(creds, &a);
+ netlogon_creds_client_authenticator(creds, &a);
logon.password = &pinfo;
@@ -1483,18 +1483,18 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
E_md4hash(plain_pass, pinfo.ntpassword.hash);
if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16);
- creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16);
+ netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16);
+ netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16);
} else {
- creds_des_encrypt(creds, &pinfo.lmpassword);
- creds_des_encrypt(creds, &pinfo.ntpassword);
+ netlogon_creds_des_encrypt(creds, &pinfo.lmpassword);
+ netlogon_creds_des_encrypt(creds, &pinfo.ntpassword);
}
d_printf("Testing netr_LogonSamLogonWithFlags '%s' (Interactive Logon)\n", comment);
status = dcerpc_netr_LogonSamLogonWithFlags(p, fn_ctx, &r);
if (!r.out.return_authenticator
- || !creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ || !netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
d_printf("Credential chaining failed\n");
talloc_free(fn_ctx);
return false;
@@ -1540,7 +1540,7 @@ bool torture_rpc_samlogon(struct torture_context *torture)
0 /* yes, this is a valid flag, causes the use of DES */
};
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
test_machine_account = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME);
/* We only need to join as a workstation here, and in future,
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 8af9867528..7b4e85195b 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2632,7 +2632,7 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_pipe *p,
static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *tctx,
struct cli_credentials *machine_credentials,
struct cli_credentials *test_credentials,
- struct creds_CredentialState *creds,
+ struct netlogon_creds_CredentialState *creds,
NTSTATUS expected_result)
{
NTSTATUS status;
@@ -2700,7 +2700,7 @@ static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *t
d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
ZERO_STRUCT(auth2);
- creds_client_authenticator(creds, &auth);
+ netlogon_creds_client_authenticator(creds, &auth);
r.in.validation_level = 2;
@@ -2712,7 +2712,7 @@ static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *t
torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
}
- torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred),
+ torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
"Credential chaining failed");
return true;
@@ -2724,7 +2724,7 @@ static bool test_SamLogon(struct torture_context *tctx,
struct cli_credentials *test_credentials,
NTSTATUS expected_result)
{
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
return false;
diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
index 00798214f3..ee11ede83f 100644
--- a/source4/torture/rpc/samsync.c
+++ b/source4/torture/rpc/samsync.c
@@ -47,7 +47,7 @@
try a netlogon SamLogon
*/
static NTSTATUS test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
- struct creds_CredentialState *creds,
+ struct netlogon_creds_CredentialState *creds,
const char *domain, const char *account_name,
const char *workstation,
struct samr_Password *lm_hash,
@@ -100,13 +100,13 @@ static NTSTATUS test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
r.out.authoritative = &authoritative;
ZERO_STRUCT(auth2);
- creds_client_authenticator(creds, &auth);
+ netlogon_creds_client_authenticator(creds, &auth);
r.in.validation_level = 3;
status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
printf("Credential chaining failed\n");
}
@@ -123,8 +123,8 @@ struct samsync_state {
const char *domain_name[2];
struct samsync_secret *secrets;
struct samsync_trusted_domain *trusted_domains;
- struct creds_CredentialState *creds;
- struct creds_CredentialState *creds_netlogon_wksta;
+ struct netlogon_creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds_netlogon_wksta;
struct policy_handle *connect_handle;
struct policy_handle *domain_handle[2];
struct dom_sid *sid[2];
@@ -578,7 +578,7 @@ static bool samsync_handle_user(struct torture_context *tctx, TALLOC_CTX *mem_ct
enum ndr_err_code ndr_err;
data.data = user->user_private_info.SensitiveData;
data.length = user->user_private_info.DataLength;
- creds_arcfour_crypt(samsync_state->creds, data.data, data.length);
+ netlogon_creds_arcfour_crypt(samsync_state->creds, data.data, data.length);
ndr_err = ndr_pull_struct_blob(&data, mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &keys, (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS);
if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
if (keys.keys.keys2.lmpassword.length == 16) {
@@ -843,10 +843,10 @@ static bool samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *sam
DATA_BLOB lsa_blob1, lsa_blob_out, session_key;
NTSTATUS status;
- creds_arcfour_crypt(samsync_state->creds, secret->current_cipher.cipher_data,
+ netlogon_creds_arcfour_crypt(samsync_state->creds, secret->current_cipher.cipher_data,
secret->current_cipher.maxlen);
- creds_arcfour_crypt(samsync_state->creds, secret->old_cipher.cipher_data,
+ netlogon_creds_arcfour_crypt(samsync_state->creds, secret->old_cipher.cipher_data,
secret->old_cipher.maxlen);
nsec->name = talloc_reference(nsec, name);
@@ -1182,7 +1182,7 @@ static bool test_DatabaseSync(struct torture_context *tctx,
do {
loop_ctx = talloc_named(mem_ctx, 0, "DatabaseSync loop context");
- creds_client_authenticator(samsync_state->creds, &credential);
+ netlogon_creds_client_authenticator(samsync_state->creds, &credential);
r.in.credential = &credential;
@@ -1194,7 +1194,7 @@ static bool test_DatabaseSync(struct torture_context *tctx,
break;
}
- if (!creds_client_check(samsync_state->creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(samsync_state->creds, &r.out.return_authenticator->cred)) {
printf("Credential chaining failed\n");
}
@@ -1395,7 +1395,7 @@ static bool test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX
do {
loop_ctx = talloc_named(mem_ctx, 0, "test_DatabaseDeltas loop context");
- creds_client_authenticator(samsync_state->creds, &credential);
+ netlogon_creds_client_authenticator(samsync_state->creds, &credential);
status = dcerpc_netr_DatabaseDeltas(samsync_state->p, loop_ctx, &r);
if (!NT_STATUS_IS_OK(status) &&
@@ -1405,7 +1405,7 @@ static bool test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX
ret = false;
}
- if (!creds_client_check(samsync_state->creds, &return_authenticator.cred)) {
+ if (!netlogon_creds_client_check(samsync_state->creds, &return_authenticator.cred)) {
printf("Credential chaining failed\n");
}
@@ -1422,7 +1422,7 @@ static bool test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX
try a netlogon DatabaseSync2
*/
static bool test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
- struct creds_CredentialState *creds)
+ struct netlogon_creds_CredentialState *creds)
{
NTSTATUS status;
TALLOC_CTX *loop_ctx;
@@ -1455,7 +1455,7 @@ static bool test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
do {
loop_ctx = talloc_named(mem_ctx, 0, "test_DatabaseSync2 loop context");
- creds_client_authenticator(creds, &credential);
+ netlogon_creds_client_authenticator(creds, &credential);
r.in.credential = &credential;
@@ -1466,7 +1466,7 @@ static bool test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
ret = false;
}
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
+ if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) {
printf("Credential chaining failed\n");
}
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index bc3cbeac3b..fc0087e4d3 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -43,7 +43,7 @@
*/
bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
struct cli_credentials *credentials,
- struct creds_CredentialState *creds)
+ struct netlogon_creds_CredentialState *creds)
{
NTSTATUS status;
struct netr_LogonSamLogonEx r;
@@ -259,7 +259,7 @@ static bool test_schannel(struct torture_context *tctx,
struct dcerpc_pipe *p_netlogon3 = NULL;
struct dcerpc_pipe *p_samr2 = NULL;
struct dcerpc_pipe *p_lsa = NULL;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
struct cli_credentials *credentials;
join_ctx = torture_join_domain(tctx,
@@ -765,7 +765,7 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
{
struct netr_ServerPasswordSet pwset;
char *password = generate_random_str(s->join_ctx1, 8);
- struct creds_CredentialState *creds_state;
+ struct netlogon_creds_CredentialState *creds_state;
struct dcerpc_pipe *net_pipe;
struct netr_Authenticator credential, return_authenticator;
struct samr_Password new_password;
@@ -793,14 +793,14 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
creds_state = cli_credentials_get_netlogon_creds(
s->wks_creds1);
- creds_des_encrypt(creds_state, &new_password);
- creds_client_authenticator(creds_state, &credential);
+ netlogon_creds_des_encrypt(creds_state, &new_password);
+ netlogon_creds_client_authenticator(creds_state, &credential);
status = dcerpc_netr_ServerPasswordSet(net_pipe, torture, &pwset);
torture_assert_ntstatus_ok(torture, status,
"ServerPasswordSet failed");
- if (!creds_client_check(creds_state,
+ if (!netlogon_creds_client_check(creds_state,
&pwset.out.return_authenticator->cred)) {
printf("Credential chaining failed\n");
}
diff --git a/source4/torture/rpc/wkssvc.c b/source4/torture/rpc/wkssvc.c
index 3c34229dff..06b1d05ee4 100644
--- a/source4/torture/rpc/wkssvc.c
+++ b/source4/torture/rpc/wkssvc.c
@@ -1148,43 +1148,6 @@ static bool test_NetrJoinDomain(struct torture_context *tctx,
return true;
}
-/* encode a wkssvc_PasswordBuffer for remote joining/unjoining:
- *
- * similar to samr_CryptPasswordEx. Different: 8byte confounder (instead of
- * 16byte), confounder in front of the 516 byte buffer (instead of after that
- * buffer), calling MD5Update() first with session_key and then with confounder
- * (vice versa in samr) - Guenther */
-
-static void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
- const char *pwd,
- DATA_BLOB *session_key,
- struct wkssvc_PasswordBuffer *pwd_buf)
-{
- uint8_t buffer[516];
- struct MD5Context ctx;
-
- DATA_BLOB confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
-
- int confounder_len = 8;
- uint8_t confounder[8];
-
- encode_pw_buffer(buffer, pwd, STR_UNICODE);
-
- generate_random_buffer((uint8_t *)confounder, confounder_len);
-
- MD5Init(&ctx);
- MD5Update(&ctx, session_key->data, session_key->length);
- MD5Update(&ctx, confounder, confounder_len);
- MD5Final(confounded_session_key.data, &ctx);
-
- arcfour_crypt_blob(buffer, 516, &confounded_session_key);
-
- memcpy(&pwd_buf->data[0], confounder, confounder_len);
- memcpy(&pwd_buf->data[8], buffer, 516);
-
- data_blob_free(&confounded_session_key);
-}
-
/*
* prerequisites for remotely joining an unjoined XP SP2 workstation:
* - firewall needs to be disabled (or open for ncacn_np access)
@@ -1202,7 +1165,7 @@ static bool test_NetrJoinDomain2(struct torture_context *tctx,
const char *domain_admin_account = NULL;
const char *domain_admin_password = NULL;
const char *domain_name = NULL;
- struct wkssvc_PasswordBuffer pwd_buf;
+ struct wkssvc_PasswordBuffer *pwd_buf;
enum wkssvc_NetJoinStatus join_status;
const char *join_name = NULL;
WERROR expected_err;
@@ -1253,7 +1216,7 @@ static bool test_NetrJoinDomain2(struct torture_context *tctx,
r.in.domain_name = domain_name;
r.in.account_ou = NULL;
r.in.admin_account = domain_admin_account;
- r.in.encrypted_password = &pwd_buf;
+ r.in.encrypted_password = pwd_buf;
r.in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
@@ -1286,7 +1249,7 @@ static bool test_NetrUnjoinDomain2(struct torture_context *tctx,
struct wkssvc_NetrUnjoinDomain2 r;
const char *domain_admin_account = NULL;
const char *domain_admin_password = NULL;
- struct wkssvc_PasswordBuffer pwd_buf;
+ struct wkssvc_PasswordBuffer *pwd_buf;
enum wkssvc_NetJoinStatus join_status;
const char *join_name = NULL;
WERROR expected_err;
@@ -1332,7 +1295,7 @@ static bool test_NetrUnjoinDomain2(struct torture_context *tctx,
r.in.server_name = dcerpc_server_name(p);
r.in.account = domain_admin_account;
- r.in.encrypted_password = &pwd_buf;
+ r.in.encrypted_password = pwd_buf;
r.in.unjoin_flags = 0;
torture_comment(tctx, "testing NetrUnjoinDomain2 (assuming non-DC)\n");