From 22275a4c2f80b69828ffa89424476baa28fa3fa9 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Thu, 9 Sep 2004 14:31:27 +0000
Subject: r2266: yay! LSA session keys on TCP now work! (This used to be commit f6ea24296acaaadcd2d59740bc88ef1a93fb1c28)
---
 source4/librpc/rpc/dcerpc.h | 3 +
 source4/librpc/rpc/dcerpc_smb.c | 16 +++++
 source4/librpc/rpc/dcerpc_tcp.c | 13 ++++
 source4/librpc/rpc/dcerpc_util.c | 16 +----
 source4/torture/rpc/lsa.c | 150 ---------------------------------------
 5 files changed, 33 insertions(+), 165 deletions(-)
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 9083bfb795..16bf52cec2 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -63,6 +63,9 @@ struct dcerpc_pipe {
 /* a callback to the dcerpc code when a full fragment has been received */
 void (*recv_data)(struct dcerpc_pipe *, DATA_BLOB *, NTSTATUS status);
+
+ /* get the transport level session key */
+ NTSTATUS (*session_key)(struct dcerpc_pipe *, DATA_BLOB *);
 } transport;
 /* the last fault code from a DCERPC fault */
diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c
index deef2232bf..fa9101bbd6 100644
--- a/source4/librpc/rpc/dcerpc_smb.c
+++ b/source4/librpc/rpc/dcerpc_smb.c
@@ -348,6 +348,21 @@ static const char *smb_peer_name(struct dcerpc_pipe *p)
 return smb->tree->session->transport->called.name;
 }
+/*
+ fetch the user session key
+*/
+NTSTATUS smb_session_key(struct dcerpc_pipe *p, DATA_BLOB *session_key)
+{
+ struct smb_private *smb = p->transport.private;
+
+ if (smb->tree->session->user_session_key.data) {
+ *session_key = smb->tree->session->user_session_key;
+ return NT_STATUS_OK;
+ }
+
+ return NT_STATUS_NO_USER_SESSION_KEY;
+}
+
 /* open a rpc connection to a named pipe */
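Review bot: smb_session_key() hands the caller a shallow copy of the session's own key blob (`*session_key = smb->tree->session->user_session_key;`), so the returned `data` pointer aliases live session state and nothing tells the caller it must not free, clear or modify it. tcp_session_key() in dcerpc_tcp.c has the same gap, there pointing at a string literal. I would state the contract on the new callback in dcerpc.h, e.g. `/* get the transport level session key; the blob is borrowed from the transport and must not be modified or freed */`. As far as this patch shows, both functions are reached only through the transport table set up in their own files, so declaring them `static`, like smb_peer_name(), would keep them out of the global namespace.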
@@ -410,6 +425,7 @@ NTSTATUS dcerpc_pipe_open_smb(struct dcerpc_pipe **p,
 (*p)->transport.private = NULL;
 (*p)->transport.shutdown_pipe = smb_shutdown_pipe;
 (*p)->transport.peer_name = smb_peer_name;
+ (*p)->transport.session_key = smb_session_key;
 (*p)->transport.send_request = smb_send_request;
 (*p)->transport.send_read = send_read_request;
diff --git a/source4/librpc/rpc/dcerpc_tcp.c b/source4/librpc/rpc/dcerpc_tcp.c
index 896675a7f8..c290891b61 100644
--- a/source4/librpc/rpc/dcerpc_tcp.c
+++ b/source4/librpc/rpc/dcerpc_tcp.c
@@ -272,6 +272,18 @@ static const char *tcp_peer_name(struct dcerpc_pipe *p)
 }
+/*
+ fetch the user session key
+*/
+NTSTATUS tcp_session_key(struct dcerpc_pipe *p, DATA_BLOB *session_key)
+{
+ /* this took quite a few CPU cycles to find ... */
+ session_key->data = "SystemLibraryDTC";
+ session_key->length = 16;
+
+ return NT_STATUS_OK;
+}
+
 /* open a rpc connection to a named pipe */
@@ -319,6 +331,7 @@ NTSTATUS dcerpc_pipe_open_tcp(struct dcerpc_pipe **p,
 (*p)->transport.shutdown_pipe = tcp_shutdown_pipe;
 (*p)->transport.peer_name = tcp_peer_name;
+ (*p)->transport.session_key = tcp_session_key;
 tcp = talloc((*p), sizeof(*tcp));
 if (!tcp) {
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index c04937353c..fc9f6c847d 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -699,21 +699,7 @@ NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p, struct dcerpc_pipe *
 NTSTATUS dcerpc_fetch_session_key(struct dcerpc_pipe *p, DATA_BLOB *session_key)
 {
- struct smbcli_tree *tree;
-
- if (p->security_state.generic_state) {
- return gensec_session_key(p->security_state.generic_state, session_key);
- }
-
- tree = dcerpc_smb_tree(p);
- if (tree) {
- if (tree->session->user_session_key.data) {
- *session_key = tree->session->user_session_key;
- return NT_STATUS_OK;
- }
- }
-
- return NT_STATUS_NO_USER_SESSION_KEY;
+ return p->transport.session_key(p, session_key);
 }
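Review bot: tcp_session_key() returns the same fixed 16-byte string for every ncacn_ip_tcp pipe, so anything a caller protects with this "session key" gets no confidentiality from it unless the connection itself is sealed, and the comment `/* this took quite a few CPU cycles to find ... */` records none of that. I would replace it with something like `/* fixed, publicly known key used on ncacn_ip_tcp; it is not secret key material */` so later callers do not treat it as a secret. Separately, `session_key->data = "SystemLibraryDTC";` stores a pointer to a string literal in a writable blob, so a caller that clears the key in place, as the removed test_lsakey_puzzle() did with data_blob_clear(), would write to read-only storage. Copying the constant with data_blob_talloc() onto the pipe, or documenting the blob as read-only, avoids that.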
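Review bot: dcerpc_fetch_session_key() now calls `p->transport.session_key` unconditionally, but this patch installs that callback only in dcerpc_pipe_open_smb() and dcerpc_pipe_open_tcp(); any pipe set up elsewhere (not visible in this patch) would dereference a NULL function pointer here. A guard such as `if (!p->transport.session_key) return NT_STATUS_NO_USER_SESSION_KEY;` keeps the old failure mode. The rewrite also drops the `p->security_state.generic_state` branch, so a pipe with an authenticated bind no longer gets the key from gensec_session_key() and, over TCP, appears to fall back to the fixed transport constant. If that is intentional it deserves a comment above the function; otherwise the gensec check should stay ahead of the transport call.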
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 1ef6145abc..022c5a85b1 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -497,152 +497,6 @@ static BOOL test_CreateSecret(struct dcerpc_pipe *p,
 }
-static BOOL test_lsakey_puzzle(struct dcerpc_pipe *p_smb,
- TALLOC_CTX *mem_ctx,
- struct policy_handle *handle_smb)
-{
- NTSTATUS status;
- struct dcerpc_pipe *p_tcp;
- struct policy_handle handle_tcp, sec_handle, sec_handle2;
- struct lsa_CreateSecret cr;
- struct lsa_OpenSecret or;
- struct lsa_SetSecret sr;
- struct lsa_QuerySecret qr;
- char *secname;
- const char *secret1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
- DATA_BLOB session_key, blob1, blob2;
- DATA_BLOB enc_key;
- NTTIME old_mtime, new_mtime;
- struct lsa_DATA_BUF buf1;
- struct lsa_DATA_BUF_PTR bufp1;
-
- status = torture_rpc_connection_transport(&p_tcp,
- DCERPC_LSARPC_NAME,
- DCERPC_LSARPC_UUID,
- DCERPC_LSARPC_VERSION,
- NCACN_IP_TCP);
- if (!NT_STATUS_IS_OK(status)) {
- return False;
- }
-
- if (!test_OpenPolicy2(p_tcp, mem_ctx, &handle_tcp)) {
- return False;
- }
-
- asprintf(&secname, "torturesecret-%u", (uint_t)random());
-
- printf("calling CreateSecret on %s\n", secname);
-
- init_lsa_Name(&cr.in.name, secname);
-
- cr.in.handle = handle_smb;
- cr.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
- cr.out.sec_handle = &sec_handle;
-
- status = dcerpc_lsa_CreateSecret(p_smb, mem_ctx, &cr);
- if (!NT_STATUS_IS_OK(status)) {
- printf("CreateSecret failed - %s\n", nt_errstr(status));
- return False;
- }
-
- status = dcerpc_fetch_session_key(p_smb, &session_key);
- if (!NT_STATUS_IS_OK(status)) {
- printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
- return False;
- }
-
- printf("SMB session key:\n");
- dump_data(0, session_key.data, session_key.length);
-
- enc_key = sess_encrypt_string(secret1, &session_key);
-
- blob1 = data_blob_talloc(mem_ctx, enc_key.data, enc_key.length);
- sess_crypt_blob(&blob1, &enc_key, &session_key, False);
-
- printf("Plain-text:\n");
- dump_data(0, blob1.data, blob1.length);
-
- printf("SMB encrypted:\n");
- dump_data(0, enc_key.data, enc_key.length);
-
- sr.in.handle = &sec_handle;
- sr.in.new_val = &buf1;
- sr.in.old_val = NULL;
- sr.in.new_val->data = enc_key.data;
- sr.in.new_val->length = enc_key.length;
- sr.in.new_val->size = enc_key.length;
-
- printf("calling SetSecret\n");
-
- status = dcerpc_lsa_SetSecret(p_smb, mem_ctx, &sr);
- if (!NT_STATUS_IS_OK(status)) {
- printf("SetSecret failed - %s\n", nt_errstr(status));
- return False;
- }
-
- or.in.handle = &handle_tcp;
- or.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
- or.in.name = cr.in.name;
- or.out.sec_handle = &sec_handle2;
-
- printf("Calling OpenSecret\n");
-
- status = dcerpc_lsa_OpenSecret(p_tcp, mem_ctx, &or);
- if (!NT_STATUS_IS_OK(status)) {
- printf("OpenSecret failed - %s\n", nt_errstr(status));
- return False;
- }
-
- ZERO_STRUCT(new_mtime);
- ZERO_STRUCT(old_mtime);
-
- /* fetch the secret back again */
- qr.in.handle = &sec_handle2;
- qr.in.new_val = &bufp1;
- qr.in.new_mtime = &new_mtime;
- qr.in.old_val = NULL;
- qr.in.old_mtime = NULL;
-
- bufp1.buf = NULL;
-
- status = dcerpc_lsa_QuerySecret(p_tcp, mem_ctx, &qr);
- if (!NT_STATUS_IS_OK(status)) {
- printf("QuerySecret failed - %s\n", nt_errstr(status));
- return False;
- }
-
- status = dcerpc_fetch_session_key(p_tcp, &session_key);
- if (!NT_STATUS_IS_OK(status)) {
- printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
- return False;
- }
-
- printf("TCP session key:\n");
- dump_data(0, session_key.data, session_key.length);
-
- blob1.data = qr.out.new_val->buf->data;
- blob1.length = qr.out.new_val->buf->length;
-
- printf("Encrypted blob:\n");
- dump_data(0, blob1.data, blob1.length);
-
- session_key.length = 16;
- blob2 = data_blob_talloc(mem_ctx, blob1.data, blob1.length);
-
- /* try a zero session key to decrypt.
*/
- data_blob_clear(&session_key);
- sess_crypt_blob(&blob2, &blob1, &session_key, False);
- printf("Test-text:\n");
- dump_data(0, blob2.data, blob2.length);
-
- torture_rpc_close(p_tcp);
-
- test_Delete(p_smb, mem_ctx, &sec_handle);
-
- return True;
-}
-
-
 static BOOL test_EnumAccountRights(struct dcerpc_pipe *p,
 TALLOC_CTX *mem_ctx,
 struct policy_handle *acct_handle,
@@ -1040,10 +894,6 @@ BOOL torture_rpc_lsa(int dummy)
 ret = False;
 }
- if (!test_lsakey_puzzle(p, mem_ctx, &handle)) {
- ret = False;
- }
-
 if (!test_many_LookupSids(p, mem_ctx, &handle)) {
 ret = False;
 }
-- cgit