diff options
Diffstat (limited to 'source4/torture')
-rw-r--r-- | source4/torture/auth/pac.c | 97 | ||||
-rw-r--r-- | source4/torture/nbt/winsreplication.c | 12 | ||||
-rw-r--r-- | source4/torture/raw/open.c | 44 | ||||
-rw-r--r-- | source4/torture/smb2/create.c | 101 |
4 files changed, 187 insertions, 67 deletions
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index 7fdd7e58bf..4e51c66950 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -279,7 +279,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) struct auth_serversupplied_info *server_info_out; krb5_keyblock server_keyblock; - krb5_keyblock krbtgt_keyblock; + krb5_keyblock krbtgt_keyblock, *krbtgt_keyblock_p; struct samr_Password *krbtgt_bytes, *krbsrv_bytes; krb5_error_code ret; @@ -309,9 +309,13 @@ static bool torture_pac_saved_check(struct torture_context *tctx) /* The krbtgt key in use when the above PAC was generated. * This is an arcfour-hmac-md5 key, extracted with our 'net * samdump' tool. */ - krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, pac_kdc_key); - if (!krbtgt_bytes) { - torture_fail(tctx, "(saved test) Could not interpret krbtgt key"); + if (*pac_kdc_key == 0) { + krbtgt_bytes = NULL; + } else { + krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, pac_kdc_key); + if (!krbtgt_bytes) { + torture_fail(tctx, "(saved test) Could not interpret krbtgt key"); + } } krbsrv_bytes = smbpasswd_gethexpwd(mem_ctx, pac_member_key); @@ -329,18 +333,23 @@ static bool torture_pac_saved_check(struct torture_context *tctx) smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); - ret = krb5_keyblock_init(smb_krb5_context->krb5_context, - ENCTYPE_ARCFOUR_HMAC, - krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash), - &krbtgt_keyblock); - if (ret) { - krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &server_keyblock); - torture_fail(tctx, - talloc_asprintf(tctx, - "(saved test) Server Keyblock encoding failed: %s", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, - ret, mem_ctx))); + if (krbtgt_bytes) { + ret = krb5_keyblock_init(smb_krb5_context->krb5_context, + ENCTYPE_ARCFOUR_HMAC, + krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash), + &krbtgt_keyblock); + if (ret) { + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + torture_fail(tctx, + talloc_asprintf(tctx, + "(saved test) Server Keyblock encoding failed: %s", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); + } + krbtgt_keyblock_p = &krbtgt_keyblock; + } else { + krbtgt_keyblock_p = NULL; } pac_file = torture_setting_string(tctx, "pac_file", NULL); @@ -363,7 +372,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &client_principal); if (ret) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, @@ -379,12 +388,12 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &pac_data, tmp_blob, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, NULL); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -400,13 +409,13 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &logon_info, tmp_blob, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, NULL); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -424,7 +433,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &server_info_out); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -440,7 +449,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) "S-1-5-21-3048156945-3961193616-3706469200-1005"), server_info_out->account_sid)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -452,17 +461,25 @@ static bool torture_pac_saved_check(struct torture_context *tctx) dom_sid_string(mem_ctx, server_info_out->account_sid))); } + if (krbtgt_bytes == NULL) { + torture_comment(tctx, "skipping PAC encoding tests as non kdc key\n"); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + krb5_free_principal(smb_krb5_context->krb5_context, client_principal); + return true; + } + ret = kerberos_encode_pac(mem_ctx, lp_iconv_convenience(tctx->lp_ctx), pac_data, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, &validate_blob); if (ret != 0) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -478,7 +495,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) */ if (tmp_blob.length != validate_blob.length) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -491,7 +508,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -508,14 +525,14 @@ static bool torture_pac_saved_check(struct torture_context *tctx) lp_iconv_convenience(tctx->lp_ctx), server_info_out, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, &validate_blob); if (ret != 0) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -541,7 +558,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) NDR_PRINT_DEBUG(PAC_DATA, &pac_data2); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -563,7 +580,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) NDR_PRINT_DEBUG(PAC_DATA, &pac_data2); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -583,14 +600,14 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &pac_data, tmp_blob, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, client_principal, authtime + 1, NULL); if (NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); @@ -608,7 +625,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (ret) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, talloc_asprintf(tctx, @@ -621,13 +638,13 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &pac_data, tmp_blob, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, NULL); if (NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on modified principal"); @@ -641,20 +658,20 @@ static bool torture_pac_saved_check(struct torture_context *tctx) &pac_data, tmp_blob, smb_krb5_context->krb5_context, - &krbtgt_keyblock, + krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, NULL); if (NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken checksum"); } krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); + krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); return true; @@ -666,9 +683,7 @@ struct torture_suite *torture_pac(TALLOC_CTX *mem_ctx) torture_suite_add_simple_test(suite, "self check", torture_pac_self_check); - torture_suite_add_simple_test(suite, "saved check", torture_pac_saved_check); - return suite; } diff --git a/source4/torture/nbt/winsreplication.c b/source4/torture/nbt/winsreplication.c index ee7a1510d5..6b600bd7cd 100644 --- a/source4/torture/nbt/winsreplication.c +++ b/source4/torture/nbt/winsreplication.c @@ -6701,7 +6701,6 @@ static bool test_conflict_owned_active_vs_replica(struct torture_context *tctx, /* * unique vs. unique section */ -#if METZE_NEEDS_TO_LOOK_AT_THIS_ONE /* * unique,active vs. unique,active with same ip(s), unchecked */ @@ -6728,7 +6727,6 @@ static bool test_conflict_owned_active_vs_replica(struct torture_context *tctx, .apply_expected = true }, }, -#endif /* * unique,active vs. unique,active with different ip(s), positive response */ @@ -8967,7 +8965,6 @@ static bool test_conflict_owned_active_vs_replica(struct torture_context *tctx, .sgroup_merge = true }, }, -#if 0 /* * sgroup,active vs. sgroup,active with same ip(s) */ @@ -9157,7 +9154,6 @@ static bool test_conflict_owned_active_vs_replica(struct torture_context *tctx, .apply_expected = false }, }, -#endif }; if (!ctx->nbtsock_srv) { @@ -9543,7 +9539,9 @@ static void test_conflict_owned_active_vs_replica_handler_query(struct nbt_name_ talloc_free(rep_packet); /* make sure we push the reply to the wire */ - event_loop_once(nbtsock->event_ctx); + while (nbtsock->send_queue) { + event_loop_once(nbtsock->event_ctx); + } msleep(1000); rec->defend.timeout = 0; @@ -9598,7 +9596,9 @@ static void test_conflict_owned_active_vs_replica_handler_release( talloc_free(rep_packet); /* make sure we push the reply to the wire */ - event_loop_once(nbtsock->event_ctx); + while (nbtsock->send_queue) { + event_loop_once(nbtsock->event_ctx); + } msleep(1000); rec->defend.timeout = 0; diff --git a/source4/torture/raw/open.c b/source4/torture/raw/open.c index b6979fa0d9..f3494ea3d0 100644 --- a/source4/torture/raw/open.c +++ b/source4/torture/raw/open.c @@ -844,6 +844,8 @@ static bool test_nttrans_create(struct smbcli_state *cli, struct torture_context int fnum = -1; bool ret = true; int i; + uint32_t ok_mask, not_supported_mask, invalid_parameter_mask; + uint32_t not_a_directory_mask, unexpected_mask; struct { uint32_t open_disp; bool with_file; @@ -982,6 +984,10 @@ static bool test_nttrans_create(struct smbcli_state *cli, struct torture_context } io.ntcreatex.in.create_options = create_option; status = smb_raw_open(cli->tree, tctx, &io); + if (!NT_STATUS_IS_OK(status)) { + printf("ntcreatex create option 0x%08x gave %s - should give NT_STATUS_OK\n", + create_option, nt_errstr(status)); + } CHECK_STATUS(status, NT_STATUS_OK); fnum = io.ntcreatex.out.file.fnum; @@ -999,6 +1005,44 @@ static bool test_nttrans_create(struct smbcli_state *cli, struct torture_context smbcli_close(cli->tree, fnum); } + io.ntcreatex.in.file_attr = 0; + io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF; + io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; + + /* Check for options that should return NOT_SUPPORTED, OK or INVALID_PARAMETER */ + ok_mask = 0; + not_supported_mask = 0; + invalid_parameter_mask = 0; + not_a_directory_mask = 0; + unexpected_mask = 0; + for (i=0; i < 32; i++) { + uint32_t create_option = 1<<i; + if (create_option & NTCREATEX_OPTIONS_DELETE_ON_CLOSE) { + continue; + } + io.ntcreatex.in.create_options = create_option; + status = smb_raw_open(cli->tree, tctx, &io); + if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { + not_supported_mask |= create_option; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_OK)) { + ok_mask |= create_option; + smbcli_close(cli->tree, io.ntcreatex.out.file.fnum); + } else if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { + invalid_parameter_mask |= create_option; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_A_DIRECTORY)) { + not_a_directory_mask |= 1<<i; + } else { + unexpected_mask |= 1<<i; + printf("create option 0x%08x returned %s\n", create_option, nt_errstr(status)); + } + } + + CHECK_VAL(ok_mask, 0x00efcfce); + CHECK_VAL(not_a_directory_mask, 0x00000001); + CHECK_VAL(not_supported_mask, 0x00002000); + CHECK_VAL(invalid_parameter_mask, 0xff100030); + CHECK_VAL(unexpected_mask, 0x00000000); + smbcli_unlink(cli->tree, fname); diff --git a/source4/torture/smb2/create.c b/source4/torture/smb2/create.c index c23ff8b8ce..4d1b4a7ed0 100644 --- a/source4/torture/smb2/create.c +++ b/source4/torture/smb2/create.c @@ -52,7 +52,9 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre struct smb2_create io; NTSTATUS status; TALLOC_CTX *tmp_ctx = talloc_new(tree); - uint32_t access_mask, file_attributes, file_attributes_set, denied_mask; + uint32_t access_mask, file_attributes_set; + uint32_t ok_mask, not_supported_mask, invalid_parameter_mask; + uint32_t not_a_directory_mask, unexpected_mask; union smb_fileinfo q; ZERO_STRUCT(io); @@ -76,14 +78,6 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre status = smb2_create(tree, tmp_ctx, &io); CHECK_STATUS(status, NT_STATUS_INVALID_PARAMETER); - io.in.create_options = 0x00100000; - status = smb2_create(tree, tmp_ctx, &io); - CHECK_STATUS(status, NT_STATUS_NOT_SUPPORTED); - - io.in.create_options = 0xF0100000; - status = smb2_create(tree, tmp_ctx, &io); - CHECK_STATUS(status, NT_STATUS_NOT_SUPPORTED); - io.in.create_options = 0; io.in.file_attributes = FILE_ATTRIBUTE_DEVICE; @@ -108,6 +102,46 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre status = smb2_create(tree, tmp_ctx, &io); CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); + io.in.file_attributes = 0; + io.in.create_disposition = NTCREATEX_DISP_OPEN_IF; + io.in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED; + ok_mask = 0; + not_supported_mask = 0; + invalid_parameter_mask = 0; + not_a_directory_mask = 0; + unexpected_mask = 0; + { + int i; + for (i=0;i<32;i++) { + io.in.create_options = 1<<i; + if (io.in.create_options & NTCREATEX_OPTIONS_DELETE_ON_CLOSE) { + continue; + } + status = smb2_create(tree, tmp_ctx, &io); + if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { + not_supported_mask |= 1<<i; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { + invalid_parameter_mask |= 1<<i; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_A_DIRECTORY)) { + not_a_directory_mask |= 1<<i; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_OK)) { + ok_mask |= 1<<i; + status = smb2_util_close(tree, io.out.file.handle); + CHECK_STATUS(status, NT_STATUS_OK); + } else { + unexpected_mask |= 1<<i; + printf("create option 0x%08x returned %s\n", 1<<i, nt_errstr(status)); + } + } + } + io.in.create_options = 0; + + CHECK_EQUAL(ok_mask, 0x00efcf7e); + CHECK_EQUAL(not_a_directory_mask, 0x00000001); + CHECK_EQUAL(not_supported_mask, 0x00102080); + CHECK_EQUAL(invalid_parameter_mask, 0xff000000); + CHECK_EQUAL(unexpected_mask, 0x00000000); + io.in.create_disposition = NTCREATEX_DISP_OPEN_IF; io.in.file_attributes = 0; access_mask = 0; @@ -132,31 +166,58 @@ static bool test_create_gentest(struct torture_context *torture, struct smb2_tre io.in.create_disposition = NTCREATEX_DISP_OPEN_IF; io.in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED; io.in.file_attributes = 0; - file_attributes = 0; + ok_mask = 0; + invalid_parameter_mask = 0; + unexpected_mask = 0; file_attributes_set = 0; - denied_mask = 0; { int i; for (i=0;i<32;i++) { io.in.file_attributes = 1<<i; + if (io.in.file_attributes & FILE_ATTRIBUTE_ENCRYPTED) { + continue; + } smb2_deltree(tree, FNAME); status = smb2_create(tree, tmp_ctx, &io); if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { - file_attributes |= io.in.file_attributes; - } else if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { - denied_mask |= io.in.file_attributes; - } else { - CHECK_STATUS(status, NT_STATUS_OK); + invalid_parameter_mask |= 1<<i; + } else if (NT_STATUS_IS_OK(status)) { + uint32_t expected; + ok_mask |= 1<<i; + + expected = (io.in.file_attributes | FILE_ATTRIBUTE_ARCHIVE) & 0x00005127; + CHECK_EQUAL(io.out.file_attr, expected); + file_attributes_set |= io.out.file_attr; + status = smb2_util_close(tree, io.out.file.handle); CHECK_STATUS(status, NT_STATUS_OK); - file_attributes_set |= io.out.file_attr; + } else { + unexpected_mask |= 1<<i; + printf("file attribute 0x%08x returned %s\n", 1<<i, nt_errstr(status)); } } } - CHECK_EQUAL(file_attributes, 0xffff8048); - CHECK_EQUAL(denied_mask, 0x4000); - CHECK_EQUAL(file_attributes_set, 0x00001127); + CHECK_EQUAL(ok_mask, 0x00003fb7); + CHECK_EQUAL(invalid_parameter_mask, 0xffff8048); + CHECK_EQUAL(unexpected_mask, 0x00000000); + CHECK_EQUAL(file_attributes_set, 0x00001127); + + smb2_deltree(tree, FNAME); + + /* + * Standalone servers doesn't support encryption + */ + io.in.file_attributes = FILE_ATTRIBUTE_ENCRYPTED; + status = smb2_create(tree, tmp_ctx, &io); + if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { + printf("FILE_ATTRIBUTE_ENCRYPTED returned %s\n", nt_errstr(status)); + } else { + CHECK_STATUS(status, NT_STATUS_OK); + CHECK_EQUAL(io.out.file_attr, (FILE_ATTRIBUTE_ENCRYPTED | FILE_ATTRIBUTE_ARCHIVE)); + status = smb2_util_close(tree, io.out.file.handle); + CHECK_STATUS(status, NT_STATUS_OK); + } smb2_deltree(tree, FNAME); |