Diffstat (limited to 'source4')
-rw-r--r--source4/librpc/rpc/dcerpc.h3
-rw-r--r--source4/librpc/rpc/dcerpc_smb.c16
-rw-r--r--source4/librpc/rpc/dcerpc_tcp.c13
-rw-r--r--source4/librpc/rpc/dcerpc_util.c16
-rw-r--r--source4/torture/rpc/lsa.c150
5 files changed, 33 insertions, 165 deletions
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 9083bfb795..16bf52cec2 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -63,6 +63,9 @@ struct dcerpc_pipe {
/* a callback to the dcerpc code when a full fragment
has been received */
void (*recv_data)(struct dcerpc_pipe *, DATA_BLOB *, NTSTATUS status);
+
+ /* get the transport level session key */
+ NTSTATUS (*session_key)(struct dcerpc_pipe *, DATA_BLOB *);
} transport;
/* the last fault code from a DCERPC fault */
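Review bot: The comment on the new `session_key` callback in `transport` does not say who owns the blob it returns. Both implementations in this commit hand back memory the caller must not free or overwrite: smb_session_key aliases the session's `user_session_key`, and tcp_session_key points at a string literal. I would spell that out, e.g. `/* get the transport level session key; the blob is borrowed from the transport, callers must not free or modify it */`. struct dcerpc_pipe starts and ends outside this hunk.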
diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c
index deef2232bf..fa9101bbd6 100644
--- a/source4/librpc/rpc/dcerpc_smb.c
+++ b/source4/librpc/rpc/dcerpc_smb.c
@@ -348,6 +348,21 @@ static const char *smb_peer_name(struct dcerpc_pipe *p)
return smb->tree->session->transport->called.name;
}
+/*
+ fetch the user session key
+*/
+NTSTATUS smb_session_key(struct dcerpc_pipe *p, DATA_BLOB *session_key)
+{
+ struct smb_private *smb = p->transport.private;
+
+ if (smb->tree->session->user_session_key.data) {
+ *session_key = smb->tree->session->user_session_key;
+ return NT_STATUS_OK;
+ }
+
+ return NT_STATUS_NO_USER_SESSION_KEY;
+}
+
/*
open a rpc connection to a named pipe
*/
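Review bot: smb_session_key is defined without `static`, unlike smb_peer_name just above it, although the only visible use is the function-pointer assignment in dcerpc_pipe_open_smb in the same file. Unless a prototype is added elsewhere, it should read `static NTSTATUS smb_session_key(struct dcerpc_pipe *p, DATA_BLOB *session_key)`; the same applies to tcp_session_key in dcerpc_tcp.c. The header comment could also note that on success `*session_key` is a shallow copy pointing into the SMB session's key buffer, not a fresh allocation.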
@@ -410,6 +425,7 @@ NTSTATUS dcerpc_pipe_open_smb(struct dcerpc_pipe **p,
(*p)->transport.private = NULL;
(*p)->transport.shutdown_pipe = smb_shutdown_pipe;
(*p)->transport.peer_name = smb_peer_name;
+ (*p)->transport.session_key = smb_session_key;
(*p)->transport.send_request = smb_send_request;
(*p)->transport.send_read = send_read_request;
diff --git a/source4/librpc/rpc/dcerpc_tcp.c b/source4/librpc/rpc/dcerpc_tcp.c
index 896675a7f8..c290891b61 100644
--- a/source4/librpc/rpc/dcerpc_tcp.c
+++ b/source4/librpc/rpc/dcerpc_tcp.c
@@ -272,6 +272,18 @@ static const char *tcp_peer_name(struct dcerpc_pipe *p)
}
+/*
+ fetch the user session key
+*/
+NTSTATUS tcp_session_key(struct dcerpc_pipe *p, DATA_BLOB *session_key)
+{
+ /* this took quite a few CPU cycles to find ... */
+ session_key->data = "SystemLibraryDTC";
+ session_key->length = 16;
+
+ return NT_STATUS_OK;
+}
+
/*
open a rpc connection to a named pipe
*/
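Review bot: tcp_session_key stores a string literal in `session_key->data`, so any caller that clears or scrubs the fetched blob writes to read-only storage; the test removed from lsa.c in this same commit did exactly that with `data_blob_clear(&session_key)` on the TCP key. Either hand back a copy, e.g. `*session_key = data_blob_talloc(p, "SystemLibraryDTC", 16);` with an allocation-failure check, or document the blob as read-only. The comment "this took quite a few CPU cycles to find" also hides the security-relevant fact: the key for this transport is a fixed constant that is now public in the source, so anything encrypted with it gets no confidentiality from the key. I would replace it with something like `/* ncacn_ip_tcp has no per-session key; this fixed 16-byte value is what the peer appears to use, so data encrypted with it is only obfuscated */`.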
@@ -319,6 +331,7 @@ NTSTATUS dcerpc_pipe_open_tcp(struct dcerpc_pipe **p,
(*p)->transport.shutdown_pipe = tcp_shutdown_pipe;
(*p)->transport.peer_name = tcp_peer_name;
+ (*p)->transport.session_key = tcp_session_key;
tcp = talloc((*p), sizeof(*tcp));
if (!tcp) {
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index c04937353c..fc9f6c847d 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -699,21 +699,7 @@ NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p, struct dcerpc_pipe *
NTSTATUS dcerpc_fetch_session_key(struct dcerpc_pipe *p,
DATA_BLOB *session_key)
{
- struct smbcli_tree *tree;
-
- if (p->security_state.generic_state) {
- return gensec_session_key(p->security_state.generic_state, session_key);
- }
-
- tree = dcerpc_smb_tree(p);
- if (tree) {
- if (tree->session->user_session_key.data) {
- *session_key = tree->session->user_session_key;
- return NT_STATUS_OK;
- }
- }
-
- return NT_STATUS_NO_USER_SESSION_KEY;
+ return p->transport.session_key(p, session_key);
}
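Review bot: The rewritten dcerpc_fetch_session_key no longer consults `p->security_state.generic_state`, so a pipe that negotiated gensec authentication now gets the transport key (on TCP, the fixed constant) where it used to get `gensec_session_key()`. If that is intended it deserves a comment here; if not, the gensec branch should stay ahead of the transport call. The call through `p->transport.session_key` is also unchecked, and only the SMB and TCP openers are seen setting it in this diff, so a pipe from any other path would dereference NULL; a guard such as `if (!p->transport.session_key) return NT_STATUS_NO_USER_SESSION_KEY;` would keep the old failure mode.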
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 1ef6145abc..022c5a85b1 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -497,152 +497,6 @@ static BOOL test_CreateSecret(struct dcerpc_pipe *p,
}
-static BOOL test_lsakey_puzzle(struct dcerpc_pipe *p_smb,
- TALLOC_CTX *mem_ctx,
- struct policy_handle *handle_smb)
-{
- NTSTATUS status;
- struct dcerpc_pipe *p_tcp;
- struct policy_handle handle_tcp, sec_handle, sec_handle2;
- struct lsa_CreateSecret cr;
- struct lsa_OpenSecret or;
- struct lsa_SetSecret sr;
- struct lsa_QuerySecret qr;
- char *secname;
- const char *secret1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
- DATA_BLOB session_key, blob1, blob2;
- DATA_BLOB enc_key;
- NTTIME old_mtime, new_mtime;
- struct lsa_DATA_BUF buf1;
- struct lsa_DATA_BUF_PTR bufp1;
-
- status = torture_rpc_connection_transport(&p_tcp,
- DCERPC_LSARPC_NAME,
- DCERPC_LSARPC_UUID,
- DCERPC_LSARPC_VERSION,
- NCACN_IP_TCP);
- if (!NT_STATUS_IS_OK(status)) {
- return False;
- }
-
- if (!test_OpenPolicy2(p_tcp, mem_ctx, &handle_tcp)) {
- return False;
- }
-
- asprintf(&secname, "torturesecret-%u", (uint_t)random());
-
- printf("calling CreateSecret on %s\n", secname);
-
- init_lsa_Name(&cr.in.name, secname);
-
- cr.in.handle = handle_smb;
- cr.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
- cr.out.sec_handle = &sec_handle;
-
- status = dcerpc_lsa_CreateSecret(p_smb, mem_ctx, &cr);
- if (!NT_STATUS_IS_OK(status)) {
- printf("CreateSecret failed - %s\n", nt_errstr(status));
- return False;
- }
-
- status = dcerpc_fetch_session_key(p_smb, &session_key);
- if (!NT_STATUS_IS_OK(status)) {
- printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
- return False;
- }
-
- printf("SMB session key:\n");
- dump_data(0, session_key.data, session_key.length);
-
- enc_key = sess_encrypt_string(secret1, &session_key);
-
- blob1 = data_blob_talloc(mem_ctx, enc_key.data, enc_key.length);
- sess_crypt_blob(&blob1, &enc_key, &session_key, False);
-
- printf("Plain-text:\n");
- dump_data(0, blob1.data, blob1.length);
-
- printf("SMB encrypted:\n");
- dump_data(0, enc_key.data, enc_key.length);
-
- sr.in.handle = &sec_handle;
- sr.in.new_val = &buf1;
- sr.in.old_val = NULL;
- sr.in.new_val->data = enc_key.data;
- sr.in.new_val->length = enc_key.length;
- sr.in.new_val->size = enc_key.length;
-
- printf("calling SetSecret\n");
-
- status = dcerpc_lsa_SetSecret(p_smb, mem_ctx, &sr);
- if (!NT_STATUS_IS_OK(status)) {
- printf("SetSecret failed - %s\n", nt_errstr(status));
- return False;
- }
-
- or.in.handle = &handle_tcp;
- or.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
- or.in.name = cr.in.name;
- or.out.sec_handle = &sec_handle2;
-
- printf("Calling OpenSecret\n");
-
- status = dcerpc_lsa_OpenSecret(p_tcp, mem_ctx, &or);
- if (!NT_STATUS_IS_OK(status)) {
- printf("OpenSecret failed - %s\n", nt_errstr(status));
- return False;
- }
-
- ZERO_STRUCT(new_mtime);
- ZERO_STRUCT(old_mtime);
-
- /* fetch the secret back again */
- qr.in.handle = &sec_handle2;
- qr.in.new_val = &bufp1;
- qr.in.new_mtime = &new_mtime;
- qr.in.old_val = NULL;
- qr.in.old_mtime = NULL;
-
- bufp1.buf = NULL;
-
- status = dcerpc_lsa_QuerySecret(p_tcp, mem_ctx, &qr);
- if (!NT_STATUS_IS_OK(status)) {
- printf("QuerySecret failed - %s\n", nt_errstr(status));
- return False;
- }
-
- status = dcerpc_fetch_session_key(p_tcp, &session_key);
- if (!NT_STATUS_IS_OK(status)) {
- printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
- return False;
- }
-
- printf("TCP session key:\n");
- dump_data(0, session_key.data, session_key.length);
-
- blob1.data = qr.out.new_val->buf->data;
- blob1.length = qr.out.new_val->buf->length;
-
- printf("Encrypted blob:\n");
- dump_data(0, blob1.data, blob1.length);
-
- session_key.length = 16;
- blob2 = data_blob_talloc(mem_ctx, blob1.data, blob1.length);
-
- /* try a zero session key to decrypt. */
- data_blob_clear(&session_key);
- sess_crypt_blob(&blob2, &blob1, &session_key, False);
- printf("Test-text:\n");
- dump_data(0, blob2.data, blob2.length);
-
- torture_rpc_close(p_tcp);
-
- test_Delete(p_smb, mem_ctx, &sec_handle);
-
- return True;
-}
-
-
static BOOL test_EnumAccountRights(struct dcerpc_pipe *p,
TALLOC_CTX *mem_ctx,
struct policy_handle *acct_handle,
@@ -1040,10 +894,6 @@ BOOL torture_rpc_lsa(int dummy)
ret = False;
}
- if (!test_lsakey_puzzle(p, mem_ctx, &handle)) {
- ret = False;
- }
-
if (!test_many_LookupSids(p, mem_ctx, &handle)) {
ret = False;
}