From 50fb2b9a7f6557ca6ee8fcdddb2fdf0b79f68f4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 29 Nov 2012 21:23:30 +0100 Subject: [PATCH 01/28] libcli/auth: add netlogon_creds_aes_{en|de}crypt routines. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 429600c5f3079c8433d5a542383908d6ff61fe60) --- libcli/auth/credentials.c | 28 ++++++++++++++++++++++++++++ libcli/auth/proto.h | 2 ++ 2 files changed, 30 insertions(+) diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c index dfbfdb3..be43c95 100644 --- a/libcli/auth/credentials.c +++ b/libcli/auth/credentials.c @@ -222,6 +222,34 @@ void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, data_blob_free(&session_key); } +/* + AES encrypt a password buffer using the session key +*/ +void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len) +{ + AES_KEY key; + uint8_t iv[AES_BLOCK_SIZE]; + + AES_set_encrypt_key(creds->session_key, 128, &key); + ZERO_STRUCT(iv); + + aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT); +} + +/* + AES decrypt a password buffer using the session key +*/ +void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len) +{ + AES_KEY key; + uint8_t iv[AES_BLOCK_SIZE]; + + AES_set_encrypt_key(creds->session_key, 128, &key); + ZERO_STRUCT(iv); + + aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT); +} + /***************************************************************** The above functions are common to the client and server interface next comes the client specific functions diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h index 37c87b4..b9d91d0 100644 --- a/libcli/auth/proto.h +++ b/libcli/auth/proto.h 
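Review bot: The two new functions in credentials.c are identical apart from the AES_ENCRYPT/AES_DECRYPT flag, and `AES_set_encrypt_key` inside netlogon_creds_aes_decrypt reads like a copy-paste slip until one remembers that CFB8 only ever runs the block cipher in the forward direction, so that deserves a comment and a single shared static helper. The helper would also be the one place to scrub the expanded key schedule, which is derived from the session key and is currently left on the stack when either function returns; if `ZERO_STRUCT` is a plain memset the compiler may drop a dead store at function end, so a non-elidable zeroing helper is preferable if the tree has one. The all-zero IV is presumably what the peer expects for these password buffers, and with a fixed IV the same session key and plaintext always give the same ciphertext, so the comment should say these routines are for this wire format only and not a general-purpose encryptor. The return value of `AES_set_encrypt_key` is ignored; with a fixed 128-bit length and non-NULL pointers it cannot fail in practice, but an assert-style check would keep a future key-size change from silently producing garbage.
```c
/*
 * CFB8 only ever runs the block cipher forwards, so both directions use
 * the encrypt key schedule.  NOTE(review): the all-zero IV is assumed to
 * be what the peer expects for these password buffers - confirm against
 * the spec; it makes the output deterministic per session key, so do not
 * reuse this for anything but these buffers.
 */
static void netlogon_creds_aes_crypt(struct netlogon_creds_CredentialState *creds,
				     uint8_t *data, size_t len, int enc)
{
	AES_KEY key;
	uint8_t iv[AES_BLOCK_SIZE];

	AES_set_encrypt_key(creds->session_key, 128, &key);
	ZERO_STRUCT(iv);

	aes_cfb8_encrypt(data, data, len, &key, iv, enc);

	/* the schedule is derived from the session key; do not leave it on the stack */
	ZERO_STRUCT(key);
}

void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
{
	netlogon_creds_aes_crypt(creds, data, len, AES_ENCRYPT);
}

void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
{
	netlogon_creds_aes_crypt(creds, data, len, AES_DECRYPT);
}
```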
@@ -16,6 +16,8 @@ void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *cre void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len); +void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len); +void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len); /***************************************************************** The above functions are common to the client and server interface -- 1.7.9.5 From bb25ca0b0aceec28bf7949350daf7bcbe126f59a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 29 Nov 2012 21:30:24 +0100 Subject: [PATCH 02/28] s3-rpc_client: use netlogon_creds_arcfour_crypt() in init_netr_CryptPassword. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit ec06c81db313f2862544c972cbf582a07bb844c2) --- source3/rpc_client/cli_netlogon.c | 2 +- source3/rpc_client/init_netlogon.c | 6 +++--- source3/rpc_client/init_netlogon.h | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index bbcca06..463741a 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -628,7 +628,7 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli, uint32_t old_timeout; init_netr_CryptPassword(new_trust_pwd_cleartext, - cli->dc->session_key, + cli->dc, &new_password); old_timeout = dcerpc_binding_handle_set_timeout(b, 600000); 
diff --git a/source3/rpc_client/init_netlogon.c b/source3/rpc_client/init_netlogon.c index 445108a..0d33d6f 100644 --- a/source3/rpc_client/init_netlogon.c +++ b/source3/rpc_client/init_netlogon.c @@ -1,7 +1,7 @@ /* * Unix SMB/CIFS implementation. * RPC Pipe client / server routines - * Copyright (C) Guenther Deschner 2008. + * Copyright (C) Guenther Deschner 2008,2012 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -27,14 +27,14 @@ *************************************************************************/ void init_netr_CryptPassword(const char *pwd, - unsigned char session_key[16], + struct netlogon_creds_CredentialState *creds, struct netr_CryptPassword *pwd_buf) { struct samr_CryptPassword password_buf; encode_pw_buffer(password_buf.data, pwd, STR_UNICODE); - arcfour_crypt(password_buf.data, session_key, 516); + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); memcpy(pwd_buf->data, password_buf.data, 512); pwd_buf->length = IVAL(password_buf.data, 512); } diff --git a/source3/rpc_client/init_netlogon.h b/source3/rpc_client/init_netlogon.h index 826d0c5..bb4496b 100644 --- a/source3/rpc_client/init_netlogon.h +++ b/source3/rpc_client/init_netlogon.h @@ -23,7 +23,7 @@ /* The following definitions come from rpc_client/init_netlogon.c */ void init_netr_CryptPassword(const char *pwd, - unsigned char session_key[16], + struct netlogon_creds_CredentialState *creds, struct netr_CryptPassword *pwd_buf); #endif /* _RPC_CLIENT_INIT_NETLOGON_H_ */ -- 1.7.9.5 From 2ed45a1c9864a09e740346a86561687e18922d79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 29 Nov 2012 21:34:36 +0100 Subject: [PATCH 03/28] s3-rpc_client: support AES encryption in netr_ServerPasswordSet2 client. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther 
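Review bot: `init_netr_CryptPassword` now dereferences `creds` (through `netlogon_creds_arcfour_crypt`) but nothing documents that the caller must pass an established credential state, and the in-place 516-byte encryption is undocumented too. A short header comment would help: `/* Build a netr_CryptPassword from a cleartext password: the 516-byte samr_CryptPassword buffer is encrypted in place with the session key from creds (must be non-NULL); the 512 data bytes and the trailing length are then copied into pwd_buf. */`. If `samr_CryptPassword.data` is a fixed-size array, `sizeof(password_buf.data)` would read better than the bare `516`.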
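Review bot: The new prototype in init_netlogon.h names `struct netlogon_creds_CredentialState` without a visible declaration; unless the header already includes a header that declares it (not shown in the hunk), the struct becomes a prototype-scoped type and the compiler warns that it will not be visible outside the parameter list, giving callers a type mismatch. Add a forward declaration before the prototype, `struct netlogon_creds_CredentialState;`, or include the libcli/auth header that defines it.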
Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 64345018cda744d16b123d6ef5c4a982340484dc) --- source3/rpc_client/init_netlogon.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/source3/rpc_client/init_netlogon.c b/source3/rpc_client/init_netlogon.c index 0d33d6f..4d9157b 100644 --- a/source3/rpc_client/init_netlogon.c +++ b/source3/rpc_client/init_netlogon.c @@ -19,7 +19,7 @@ #include "includes.h" #include "../libcli/auth/libcli_auth.h" -#include "../lib/crypto/arcfour.h" +#include "../lib/crypto/crypto.h" #include "rpc_client/init_netlogon.h" /************************************************************************* @@ -34,7 +34,11 @@ void init_netr_CryptPassword(const char *pwd, encode_pw_buffer(password_buf.data, pwd, STR_UNICODE); - netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, password_buf.data, 516); + } else { + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + } memcpy(pwd_buf->data, password_buf.data, 512); pwd_buf->length = IVAL(password_buf.data, 512); } -- 1.7.9.5 From 9d2276fb39e180018f90ce2b73da7883b6a3341a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 29 Nov 2012 21:35:04 +0100 Subject: [PATCH 04/28] s3-rpc_server: support AES decryption in netr_ServerPasswordSet2 server. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 1362d542df715aa31e9b818ee8783b5ee35f8870) --- source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index d992a65..5fc2756 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c 
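Review bot: The cipher choice `if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)` is open-coded here and again on the server side in `_netr_ServerPasswordSet2` in PATCH 04; keeping both copies in step by hand is how client and server drift apart, so a single helper in libcli/auth next to the two AES routines that takes `creds`, the buffer and a direction and performs the flag test once would let both callers collapse to one call. The decision is driven entirely by the flags negotiated at ServerAuthenticate, so the branch should say so, e.g. `/* cipher is fixed by the flags negotiated in ServerAuthenticate; RC4 is the legacy fallback */`, rather than leaving the reader to infer why RC4 is still reachable. The rest of init_netr_CryptPassword is outside the hunk.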
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -1332,7 +1332,12 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, memcpy(password_buf.data, r->in.new_password->data, 512); SIVAL(password_buf.data, 512, r->in.new_password->length); - netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_decrypt(creds, password_buf.data, 516); + } else { + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + } if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &plaintext)) { TALLOC_FREE(creds); -- 1.7.9.5 From 5e95422806f0a83fda02c1b2eac1fb1043344657 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 29 Nov 2012 22:24:37 +0100 Subject: [PATCH 05/28] s4-torture: remove trailing whitespace from netlogon test. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit d1f481ffe17ce84ffddbedf1bd7efb0654e2807e) --- source4/torture/rpc/netlogon.c | 210 ++++++++++++++++++++-------------------- 1 file changed, 105 insertions(+), 105 deletions(-) diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index f1d605c..e5de0e8 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. test suite for netlogon rpc operations 
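Review bot: After decryption `password_buf` holds the cleartext machine password in a stack buffer and is never scrubbed, neither on the failure path (`TALLOC_FREE(creds)` right after `extract_pw_from_buffer`) nor on success; add `ZERO_STRUCT(password_buf);` once `extract_pw_from_buffer` has returned, before the branch, and note that a plain memset may be optimised away at end of scope, so a non-elidable zeroing helper is preferable if one exists. The `if`/`else` here duplicates the AES/RC4 selection from init_netr_CryptPassword in PATCH 03; see the note there. `_netr_ServerPasswordSet2` starts and ends outside the hunk.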
@@ -7,17 +7,17 @@ Copyright (C) Andrew Bartlett 2003-2004 Copyright (C) Tim Potter 2003 Copyright (C) Matthias Dieter Wallnöfer 2009-2010 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see . */ @@ -98,7 +98,7 @@ static bool test_netr_broken_binding_handle(struct torture_context *tctx, return true; } -static bool test_LogonUasLogon(struct torture_context *tctx, +static bool test_LogonUasLogon(struct torture_context *tctx, struct dcerpc_pipe *p) { NTSTATUS status; @@ -173,8 +173,8 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, creds = netlogon_creds_client_init(tctx, a.in.account_name, a.in.computer_name, - &credentials1, &credentials2, - mach_password, &credentials3, + &credentials1, &credentials2, + mach_password, &credentials3, 0); torture_assert(tctx, creds != NULL, "memory allocation"); @@ -186,7 +186,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, /* This allows the tests to continue against the more fussy windows 2008 */ if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) { - return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, credentials, cli_credentials_get_secure_channel_type(credentials), creds_out); 
@@ -194,7 +194,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate"); - torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), + torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed"); *creds_out = creds; @@ -242,9 +242,9 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, a.out.return_credentials = &credentials3; creds = netlogon_creds_client_init(tctx, a.in.account_name, - a.in.computer_name, - &credentials1, &credentials2, - mach_password, &credentials3, + a.in.computer_name, + &credentials1, &credentials2, + mach_password, &credentials3, negotiate_flags); torture_assert(tctx, creds != NULL, "memory allocation"); @@ -255,7 +255,7 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, "ServerAuthenticate2 failed"); torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate2 failed"); - torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), + torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed"); torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags); @@ -310,10 +310,10 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx, creds = netlogon_creds_client_init(tctx, a.in.account_name, a.in.computer_name, - &credentials1, &credentials2, + &credentials1, &credentials2, &mach_password, &credentials3, negotiate_flags); - + torture_assert(tctx, creds != NULL, "memory allocation"); torture_comment(tctx, "Testing ServerAuthenticate3\n"); 
@@ -324,7 +324,7 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx, torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed"); torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags); - + /* Prove that requesting a challenge again won't break it */ torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), "ServerReqChallenge failed"); @@ -337,7 +337,7 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx, /* try a change password for our machine account */ -static bool test_SetPassword(struct torture_context *tctx, +static bool test_SetPassword(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) { @@ -366,7 +366,7 @@ static bool test_SetPassword(struct torture_context *tctx, netlogon_creds_des_encrypt(creds, &new_password); torture_comment(tctx, "Testing ServerPasswordSet on machine account\n"); - torture_comment(tctx, "Changing machine account password to '%s'\n", + torture_comment(tctx, "Changing machine account password to '%s'\n", password); netlogon_creds_client_authenticator(creds, &credential); @@ -383,9 +383,9 @@ static bool test_SetPassword(struct torture_context *tctx, credentials chaining fully, and we verify that the server allows the password to be set to the same value twice in a row (match win2k3) */ - torture_comment(tctx, + torture_comment(tctx, "Testing a second ServerPasswordSet on machine account\n"); - torture_comment(tctx, + torture_comment(tctx, "Changing machine account password to '%s' (same as previous run)\n", password); netlogon_creds_client_authenticator(creds, &credential); 
@@ -400,8 +400,8 @@ static bool test_SetPassword(struct torture_context *tctx, cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED); - torture_assert(tctx, - test_SetupCredentials(p, tctx, machine_credentials, &creds), + torture_assert(tctx, + test_SetupCredentials(p, tctx, machine_credentials, &creds), "ServerPasswordSet failed to actually change the password"); return true; @@ -506,8 +506,8 @@ static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len) /* try a change password for our machine account */ -static bool test_SetPassword2(struct torture_context *tctx, - struct dcerpc_pipe *p, +static bool test_SetPassword2(struct torture_context *tctx, + struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) { struct netr_ServerPasswordSet2 r; @@ -555,7 +555,7 @@ static bool test_SetPassword2(struct torture_context *tctx, cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED); if (!torture_setting_bool(tctx, "dangerous", false)) { - torture_comment(tctx, + torture_comment(tctx, "Not testing ability to set password to '', enable dangerous tests to perform this test\n"); } else { /* by changing the machine password to "" 
@@ -566,29 +566,29 @@ static bool test_SetPassword2(struct torture_context *tctx, password = ""; encode_pw_buffer(password_buf.data, password, STR_UNICODE); netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); - + memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); - - torture_comment(tctx, + + torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n"); - torture_comment(tctx, + torture_comment(tctx, "Changing machine account password to '%s'\n", password); - + netlogon_creds_client_authenticator(creds, &credential); - + torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r), "ServerPasswordSet2 failed"); torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed"); - + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } - + cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED); } - torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds), + torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds), "ServerPasswordSet failed to actually change the password"); /* now try a random password */ @@ -616,9 +616,9 @@ static bool test_SetPassword2(struct torture_context *tctx, credentials chaining fully, and we verify that the server allows the password to be set to the same value twice in a row (match win2k3) */ - torture_comment(tctx, + torture_comment(tctx, "Testing a second ServerPasswordSet2 on machine account\n"); - torture_comment(tctx, + torture_comment(tctx, "Changing machine account password to '%s' (same as previous run)\n", password); netlogon_creds_client_authenticator(creds, &credential); 
@@ -633,8 +633,8 @@ static bool test_SetPassword2(struct torture_context *tctx, cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED); - torture_assert (tctx, - test_SetupCredentials(p, tctx, machine_credentials, &creds), + torture_assert (tctx, + test_SetupCredentials(p, tctx, machine_credentials, &creds), "ServerPasswordSet failed to actually change the password"); new_random_pass = netlogon_very_rand_pass(tctx, 128); @@ -647,7 +647,7 @@ static bool test_SetPassword2(struct torture_context *tctx, memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); - torture_comment(tctx, + torture_comment(tctx, "Testing a third ServerPasswordSet2 on machine account, with a completely random password\n"); netlogon_creds_client_authenticator(creds, &credential); @@ -665,8 +665,8 @@ static bool test_SetPassword2(struct torture_context *tctx, cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED); cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED); - torture_assert (tctx, - test_SetupCredentials(p, tctx, machine_credentials, &creds), + torture_assert (tctx, + test_SetupCredentials(p, tctx, machine_credentials, &creds), "ServerPasswordSet failed to actually change the password"); return true; @@ -765,7 +765,7 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context flags |= CLI_CRED_NTLMv2_AUTH; } - cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx, + cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx, &ninfo.identity_info.account_name.string, &ninfo.identity_info.domain_name.string); 
@@ -773,16 +773,16 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context ninfo.identity_info.domain_name.string = NULL; } - generate_random_buffer(ninfo.challenge, + generate_random_buffer(ninfo.challenge, sizeof(ninfo.challenge)); - chal = data_blob_const(ninfo.challenge, + chal = data_blob_const(ninfo.challenge, sizeof(ninfo.challenge)); - names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials), + names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials), cli_credentials_get_domain(credentials)); - status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx, - &flags, + status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx, + &flags, chal, names_blob, &lm_resp, &nt_resp, @@ -812,19 +812,19 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context r.out.authoritative = &authoritative; d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string); - + for (i=2;i<=3;i++) { ZERO_STRUCT(auth2); netlogon_creds_client_authenticator(creds, &auth); - + r.in.validation_level = i; - + torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r), "LogonSamLogon failed"); torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed"); - - torture_assert(tctx, netlogon_creds_client_check(creds, - &r.out.return_authenticator->cred), + + torture_assert(tctx, netlogon_creds_client_check(creds, + &r.out.return_authenticator->cred), "Credential chaining failed"); torture_assert_int_equal(tctx, *r.out.authoritative, 1, "LogonSamLogon invalid *r.out.authoritative"); @@ -999,7 +999,7 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t /* try a netlogon SamLogon */ -static bool test_SamLogon(struct torture_context *tctx, +static bool test_SamLogon(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *credentials) { 
@@ -1031,13 +1031,13 @@ static uint64_t sequence_nums[3]; /* try a netlogon DatabaseSync */ -static bool test_DatabaseSync(struct torture_context *tctx, +static bool test_DatabaseSync(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) { struct netr_DatabaseSync r; struct netlogon_creds_CredentialState *creds; - const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS}; + const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS}; int i; struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; struct netr_Authenticator credential, return_authenticator; @@ -1090,10 +1090,10 @@ static bool test_DatabaseSync(struct torture_context *tctx, delta_enum_array->num_deltas > 0 && delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN && delta_enum_array->delta_enum[0].delta_union.domain) { - sequence_nums[r.in.database_id] = + sequence_nums[r.in.database_id] = delta_enum_array->delta_enum[0].delta_union.domain->sequence_num; torture_comment(tctx, "\tsequence_nums[%d]=%llu\n", - r.in.database_id, + r.in.database_id, (unsigned long long)sequence_nums[r.in.database_id]); } } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES)); @@ -1106,7 +1106,7 @@ static bool test_DatabaseSync(struct torture_context *tctx, /* try a netlogon DatabaseDeltas */ -static bool test_DatabaseDeltas(struct torture_context *tctx, +static bool test_DatabaseDeltas(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) { @@ -1115,7 +1115,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx, struct netr_Authenticator credential; struct netr_Authenticator return_authenticator; struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; - const uint32_t database_ids[] = {0, 1, 2}; + const uint32_t database_ids[] = {0, 1, 2}; int i; struct dcerpc_binding_handle *b = p->binding_handle; 
@@ -1138,7 +1138,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx, *r.in.sequence_num -= 1; - torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n", + torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n", r.in.database_id, (unsigned long long)*r.in.sequence_num); do { @@ -1704,7 +1704,7 @@ static bool test_DatabaseRedo(struct torture_context *tctx, /* try a netlogon AccountDeltas */ -static bool test_AccountDeltas(struct torture_context *tctx, +static bool test_AccountDeltas(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) { @@ -1749,7 +1749,7 @@ static bool test_AccountDeltas(struct torture_context *tctx, /* try a netlogon AccountSync */ -static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p, +static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) { struct netr_AccountSync r; @@ -1796,7 +1796,7 @@ static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p /* try a netlogon GetDcName */ -static bool test_GetDcName(struct torture_context *tctx, +static bool test_GetDcName(struct torture_context *tctx, struct dcerpc_pipe *p) { struct netr_GetDcName r; @@ -1860,9 +1860,9 @@ static const char *function_code_str(TALLOC_CTX *mem_ctx, /* - try a netlogon LogonControl + try a netlogon LogonControl */ -static bool test_LogonControl(struct torture_context *tctx, +static bool test_LogonControl(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) @@ -1988,7 +1988,7 @@ static bool test_LogonControl(struct torture_context *tctx, /* try a netlogon GetAnyDCName */ -static bool test_GetAnyDCName(struct torture_context *tctx, +static bool test_GetAnyDCName(struct torture_context *tctx, struct dcerpc_pipe *p) { NTSTATUS status; 
@@ -2036,7 +2036,7 @@ static bool test_GetAnyDCName(struct torture_context *tctx, /* try a netlogon LogonControl2 */ -static bool test_LogonControl2(struct torture_context *tctx, +static bool test_LogonControl2(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) @@ -2141,7 +2141,7 @@ static bool test_LogonControl2(struct torture_context *tctx, /* try a netlogon DatabaseSync2 */ -static bool test_DatabaseSync2(struct torture_context *tctx, +static bool test_DatabaseSync2(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) { @@ -2150,11 +2150,11 @@ static bool test_DatabaseSync2(struct torture_context *tctx, struct netr_Authenticator return_authenticator, credential; struct netlogon_creds_CredentialState *creds; - const uint32_t database_ids[] = {0, 1, 2}; + const uint32_t database_ids[] = {0, 1, 2}; int i; struct dcerpc_binding_handle *b = p->binding_handle; - if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS, + if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS, machine_credentials, cli_credentials_get_secure_channel_type(machine_credentials), &creds)) { @@ -2212,7 +2212,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx, /* try a netlogon LogonControl2Ex */ -static bool test_LogonControl2Ex(struct torture_context *tctx, +static bool test_LogonControl2Ex(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) @@ -2235,7 +2235,7 @@ static bool test_LogonControl2Ex(struct torture_context *tctx, for (i=1;i<4;i++) { r.in.level = i; - torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", + torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", i, r.in.function_code); status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r); 
@@ -2250,7 +2250,7 @@ static bool test_LogonControl2Ex(struct torture_context *tctx, for (i=1;i<4;i++) { r.in.level = i; - torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", + torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", i, r.in.function_code); status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r); @@ -2265,7 +2265,7 @@ static bool test_LogonControl2Ex(struct torture_context *tctx, for (i=1;i<4;i++) { r.in.level = i; - torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", + torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", i, r.in.function_code); status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r); @@ -2280,7 +2280,7 @@ static bool test_LogonControl2Ex(struct torture_context *tctx, for (i=1;i<4;i++) { r.in.level = i; - torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", + torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", i, r.in.function_code); status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r); @@ -2332,8 +2332,8 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx, return true; } -static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx, - struct dcerpc_pipe *p, const char *trusted_domain_name) +static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx, + struct dcerpc_pipe *p, const char *trusted_domain_name) { NTSTATUS status; struct netr_DsRGetForestTrustInformation r; @@ -2359,7 +2359,7 @@ static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx, /* try a netlogon netr_DsrEnumerateDomainTrusts */ -static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx, +static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx, struct dcerpc_pipe *p) { NTSTATUS status; 
@@ -2391,7 +2391,7 @@ static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx, /* get info for transitive forest trusts */ if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) { - if (!test_netr_DsRGetForestTrustInformation(tctx, p, + if (!test_netr_DsRGetForestTrustInformation(tctx, p, r.out.trusts->array[i].dns_name)) { return false; } @@ -2439,8 +2439,8 @@ static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx, - const char *computer_name, - const char *expected_site) + const char *computer_name, + const char *expected_site) { NTSTATUS status; struct netr_DsRGetSiteName r; @@ -2462,7 +2462,7 @@ static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_conte /* try a netlogon netr_DsRGetDCName */ -static bool test_netr_DsRGetDCName(struct torture_context *tctx, +static bool test_netr_DsRGetDCName(struct torture_context *tctx, struct dcerpc_pipe *p) { NTSTATUS status; @@ -2519,7 +2519,7 @@ static bool test_netr_DsRGetDCName(struct torture_context *tctx, "DsRGetDCName"); } - return test_netr_DsRGetSiteName(p, tctx, + return test_netr_DsRGetSiteName(p, tctx, info->dc_unc, info->dc_site_name); } @@ -2527,7 +2527,7 @@ static bool test_netr_DsRGetDCName(struct torture_context *tctx, /* try a netlogon netr_DsRGetDCNameEx */ -static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx, +static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx, struct dcerpc_pipe *p) { NTSTATUS status; @@ -2591,7 +2591,7 @@ static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx, /* try a netlogon netr_DsRGetDCNameEx2 */ -static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx, +static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx, struct dcerpc_pipe *p) { NTSTATUS status; 
@@ -2724,7 +2724,7 @@ failed: return NULL; } -static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx, +static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx, struct dcerpc_pipe *p) { char *url; @@ -3168,7 +3168,7 @@ static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx, } -static bool test_GetDomainInfo(struct torture_context *tctx, +static bool test_GetDomainInfo(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) { @@ -3196,7 +3196,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n"); - if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, machine_credentials, &creds)) { return false; } @@ -3261,7 +3261,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, "(sAMAccountName=%s$)", TEST_MACHINE_NAME); old_dnsname = ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL); - + /* Gets back the "servicePrincipalName"s in AD */ spn_el = ldb_msg_find_element(res[0], "servicePrincipalName"); if (spn_el != NULL) { @@ -3300,11 +3300,11 @@ static bool test_GetDomainInfo(struct torture_context *tctx, the same in combination with the "servicePrincipalName"s. The DNS hostname should also be returned by our "LogonGetDomainInfo" call (in the domain info structure). */ - + torture_assert_str_equal(tctx, ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL), old_dnsname, "'DNS hostname' was not set!"); - + spn_el = ldb_msg_find_element(res[0], "servicePrincipalName"); torture_assert(tctx, ((spns != NULL) && (spn_el != NULL)), "'servicePrincipalName's not set!"); 
@@ -3324,15 +3324,15 @@ static bool test_GetDomainInfo(struct torture_context *tctx, the "servicePrincipalName"s should remain empty and no DNS hostname should be returned by our "LogonGetDomainInfo" call (in the domain info structure). */ - + torture_assert(tctx, ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL) == NULL, "'DNS hostname' was set!"); - + spn_el = ldb_msg_find_element(res[0], "servicePrincipalName"); torture_assert(tctx, ((spns == NULL) && (spn_el == NULL)), "'servicePrincipalName's were set!"); - + torture_assert(tctx, info.domain_info->dns_hostname.string == NULL, "Out 'DNS host name' was set!"); @@ -3390,7 +3390,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, torture_assert_str_equal(tctx, ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL), old_dnsname, "'DNS host name' did change!"); - + /* Find the two "servicePrincipalName"s which the DC shouldn't have been updated (HOST/ and HOST/) - see MS-NRPC 3.5.4.3.9 */ @@ -3409,7 +3409,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, break; torture_assert(tctx, i != spn_el->num_values, "'servicePrincipalName' HOST/ not found!"); - + /* Check that the out DNS hostname was set properly */ torture_assert_str_equal(tctx, info.domain_info->dns_hostname.string, old_dnsname, "Out 'DNS hostname' doesn't match the old one!"); @@ -3601,7 +3601,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, return true; } -static bool test_GetDomainInfo_async(struct torture_context *tctx, +static bool test_GetDomainInfo_async(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) { 
@@ -3619,7 +3619,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT); - if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, machine_credentials, &creds)) { return false; } @@ -3648,9 +3648,9 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, creds_async[i] = (struct netlogon_creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds)); req[i] = dcerpc_netr_LogonGetDomainInfo_r_send(tctx, tctx->ev, p->binding_handle, &r); - /* even with this flush per request a w2k3 server seems to + /* even with this flush per request a w2k3 server seems to clag with multiple outstanding requests. bleergh. */ - torture_assert_int_equal(tctx, tevent_loop_once(dcerpc_event_context(p)), 0, + torture_assert_int_equal(tctx, tevent_loop_once(dcerpc_event_context(p)), 0, "tevent_loop_once failed"); } @@ -3661,19 +3661,19 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, status = dcerpc_netr_LogonGetDomainInfo_r_recv(req[i], tctx); torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async"); - torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async"); + torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async"); - torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred), + torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred), "Credential chaining failed at async"); } - torture_comment(tctx, + torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d OK\n", ASYNC_COUNT); return true; } -static bool test_ManyGetDCName(struct torture_context *tctx, +static bool test_ManyGetDCName(struct torture_context *tctx, struct dcerpc_pipe *p) { NTSTATUS status; -- 1.7.9.5 From e55fd0feab50eaf0af6a1b3eb617d99ac9e379e4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 29 Nov 2012 22:44:33 +0100 Subject: [PATCH 06/28] s4-torture: pass down netlogon flags in netr_ServerPasswordSet2 tests. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 0a091604a45b4b143745a20fa842878ceb745c39) --- source4/torture/rpc/netlogon.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index e5de0e8..b79eb1a 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -506,9 +506,10 @@ static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len) /* try a change password for our machine account */ -static bool test_SetPassword2(struct torture_context *tctx, - struct dcerpc_pipe *p, - struct cli_credentials *machine_credentials) +static bool test_SetPassword2_with_flags(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *machine_credentials, + uint32_t flags) { struct netr_ServerPasswordSet2 r; const char *password; @@ -520,7 +521,7 @@ static bool test_SetPassword2(struct torture_context *tctx, struct netr_CryptPassword new_password; struct dcerpc_binding_handle *b = p->binding_handle; - if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) { + if (!test_SetupCredentials2(p, tctx, flags, machine_credentials, cli_credentials_get_secure_channel_type(machine_credentials), &creds)) { return false; } 
@@ -672,6 +673,13 @@ static bool test_SetPassword2(struct torture_context *tctx, return true; } +static bool test_SetPassword2(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *machine_credentials) +{ + return test_SetPassword2_with_flags(tctx, p, machine_credentials, NETLOGON_NEG_AUTH2_ADS_FLAGS); +} + static bool test_GetPassword(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) -- 1.7.9.5 From a2009b4035e2e1ce5425b4d2c8b64a3a52f8929c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 29 Nov 2012 22:47:19 +0100 Subject: [PATCH 07/28] s4-torture: add AES support for netr_ServerPasswordSet2 tests. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 3dc8c20b8a94063c6578b60750757c5a40d7db38) --- source4/torture/rpc/netlogon.c | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index b79eb1a..2f7e913 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -535,7 +535,11 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx, password = generate_random_password(tctx, 8, 255); encode_pw_buffer(password_buf.data, password, STR_UNICODE); - netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, password_buf.data, 516); + } else { + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + } memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); 
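Review bot: The AES-or-RC4 selection added here is pasted verbatim four times inside test_SetPassword2_with_flags (this hunk and the hunks at -566, -595 and -643 that follow); any later change to the cipher policy has to be made in four places. A small file-local helper keeps the policy in one spot and makes the per-password test bodies read as "encrypt, copy, send" again. The enclosing function starts and ends outside these hunks, so the helper would go above it.
```c
/* Encrypt a 516-byte password buffer with the cipher negotiated for creds. */
static void test_encrypt_pw_buffer(struct netlogon_creds_CredentialState *creds,
				   uint8_t *buf)
{
	if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
		netlogon_creds_aes_encrypt(creds, buf, 516);
	} else {
		netlogon_creds_arcfour_crypt(creds, buf, 516);
	}
}
/* … unchanged: each test body then calls test_encrypt_pw_buffer(creds, password_buf.data) … */
```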
@@ -566,8 +570,11 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx, */ password = ""; encode_pw_buffer(password_buf.data, password, STR_UNICODE); - netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); - + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, password_buf.data, 516); + } else { + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + } memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); @@ -595,8 +602,11 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx, /* now try a random password */ password = generate_random_password(tctx, 8, 255); encode_pw_buffer(password_buf.data, password, STR_UNICODE); - netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); - + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, password_buf.data, 516); + } else { + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + } memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); @@ -643,7 +653,11 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx, /* now try a random stream of bytes for a password */ set_pw_in_buffer(password_buf.data, &new_random_pass); - netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, password_buf.data, 516); + } else { + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); + } memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); 
@@ -680,6 +694,13 @@ static bool test_SetPassword2(struct torture_context *tctx, return test_SetPassword2_with_flags(tctx, p, machine_credentials, NETLOGON_NEG_AUTH2_ADS_FLAGS); } +static bool test_SetPassword2_AES(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *machine_credentials) +{ + return test_SetPassword2_with_flags(tctx, p, machine_credentials, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); +} + static bool test_GetPassword(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) @@ -3811,6 +3832,7 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx) torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon); torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword); torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2); + torture_rpc_tcase_add_test_creds(tcase, "SetPassword2_AES", test_SetPassword2_AES); torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword); torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords); torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo); @@ -3853,6 +3875,7 @@ struct torture_suite *torture_rpc_netlogon_s3(TALLOC_CTX *mem_ctx) torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword); torture_rpc_tcase_add_test_creds(tcase, "SetPassword_with_flags", test_SetPassword_with_flags); torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2); + torture_rpc_tcase_add_test_creds(tcase, "SetPassword2_AES", test_SetPassword2_AES); torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains); return suite; -- 1.7.9.5 From ded4c8d802fd29a27971f9a74a49c5419ea5ee3a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 29 Nov 2012 22:47:40 +0100 Subject: [PATCH 08/28] s4-rpc_server: support AES decryption in netr_ServerPasswordSet2 server. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 01e69703fb8c58ab1940bb560e34f6c3f10e0ae9)
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 309601e..ef4351b 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -487,7 +487,12 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
 memcpy(password_buf.data, r->in.new_password->data, 512);
 SIVAL(password_buf.data, 512, r->in.new_password->length);
- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+
+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ netlogon_creds_aes_decrypt(creds, password_buf.data, 516);
+ } else {
+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+ }
 if (!extract_pw_from_buffer(mem_ctx, password_buf.data, &new_password)) {
 DEBUG(3,("samr: failed to decode password buffer\n")); -- 1.7.9.5 From 2eff79f8b90426372e20fec483cc95256a34afee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Sat, 1 Dec 2012 00:59:44 +0100 Subject: [PATCH 09/28] s3-rpc_client: use netlogon_creds_aes_encrypt in interactive netlogon samlogon. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit c6f4745c5670e8da77078e19f2d6a3a485e7adc6)
---
 source3/rpc_client/cli_netlogon.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
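Review bot: The new branch in dcesrv_netr_ServerPasswordSet2 keys the cipher off the flags stored in creds rather than anything in the request, which is the right anchor, but nothing says so and a reader cannot tell why RC4 is the unconditional fallback. A comment above the `if` would carry that: `/* The flags agreed when the secure channel was set up decide how the client encrypted the buffer: AES (CFB8) if NETLOGON_NEG_SUPPORTS_AES was negotiated, RC4 otherwise. A mismatch only shows up as a decode failure below. */`. The function begins and ends outside this hunk, so the failure handling after extract_pw_from_buffer is not visible here.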
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 463741a..a0a9457 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -207,7 +207,10 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
- if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ if (cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ netlogon_creds_aes_encrypt(cli->dc, lmpassword.hash, 16);
+ netlogon_creds_aes_encrypt(cli->dc, ntpassword.hash, 16);
+ } else if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
 netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16);
 netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16);
 } else { -- 1.7.9.5 From bf73d1244c793a83a9ccf0d864f27fb8531606d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 4 Dec 2012 23:11:10 +0100 Subject: [PATCH 10/28] s4-torture: remove trailing whitespace in smbtorture remote_pac test. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 7ea9da0c9f0a0a8de416534d6cb1b0248d13f6cf)
---
 source4/torture/rpc/remote_pac.c | 82 +++++++++++++++++++------------------- 1 file changed, 41 insertions(+), 41 deletions(-)
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 3e25a46..3f7afc3 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
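Review bot: The ordering of the new chain in rpccli_netlogon_sam_logon is significant (AES wins when both NETLOGON_NEG_SUPPORTS_AES and NETLOGON_NEG_ARCFOUR are set) but is not stated anywhere; a one-line comment above the first `if` would make the precedence explicit: `/* Strongest negotiated cipher first: AES, then RC4; the else branch handles a session without either. */`. The trailing else branch and the rest of the function are outside this hunk, so what that fallback does cannot be checked here.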
@@ -1,20 +1,20 @@ -/* +/* Unix SMB/CIFS implementation. test suite for netlogon PAC operations Copyright (C) Andrew Bartlett 2012 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see . */ @@ -67,7 +67,7 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx, tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context"); NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); - auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data); + auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data); pac_data->pac_srv_sig = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA); if (!pac_data->pac_srv_sig) { @@ -117,7 +117,7 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx, /* Also happens to be a really good one-step verfication of our Kerberos stack */ -static bool test_PACVerify(struct torture_context *tctx, +static bool test_PACVerify(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *credentials, enum netr_SchannelType secure_channel_type, 
@@ -134,14 +134,14 @@ static bool test_PACVerify(struct torture_context *tctx, struct netr_GenericInfo generic; struct netr_Authenticator auth, auth2; - + struct netlogon_creds_CredentialState *creds; struct gensec_security *gensec_client_context; struct gensec_security *gensec_server_context; DATA_BLOB client_to_server, server_to_client, pac_wrapped, payload; struct PAC_Validate pac_wrapped_struct; - + enum ndr_err_code ndr_err; struct auth4_context *auth_context; @@ -152,7 +152,7 @@ static bool test_PACVerify(struct torture_context *tctx, TALLOC_CTX *tmp_ctx = talloc_new(tctx); torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed"); - if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, credentials, secure_channel_type, &creds)) { return false; @@ -187,7 +187,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed"); server_to_client = data_blob(NULL, 0); - + do { /* Do a client-server update dance */ status = gensec_update(gensec_client_context, tmp_ctx, tctx->ev, server_to_client, &client_to_server); 
@@ -220,20 +220,20 @@ static bool test_PACVerify(struct torture_context *tctx, pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type; pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length; pac_wrapped_struct.ChecksumAndSignature = payload - = data_blob_talloc(tmp_ctx, NULL, + = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); - memcpy(&payload.data[0], + memcpy(&payload.data[0], pac_data->pac_srv_sig->signature.data, pac_wrapped_struct.ChecksumLength); - memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], + memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], pac_data->pac_kdc_sig->signature.data, pac_wrapped_struct.SignatureLength); ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct, (ndr_push_flags_fn_t)ndr_push_PAC_Validate); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); - + torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); @@ -270,7 +270,7 @@ static bool test_PACVerify(struct torture_context *tctx, "LogonSamLogon failed"); torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed"); - + /* This will break the signature nicely (even in the crypto wrapping), check we get a logon failure */ generic.data[generic.length-1]++; 
@@ -290,8 +290,8 @@ static bool test_PACVerify(struct torture_context *tctx, "LogonSamLogon failed"); torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed"); - - torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), + + torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); /* This will break the parsing nicely (even in the crypto wrapping), check we get INVALID_PARAMETER */ 
@@ -313,36 +313,36 @@ static bool test_PACVerify(struct torture_context *tctx, "LogonSamLogon failed"); torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed"); - - torture_assert(tctx, netlogon_creds_client_check(creds, - &r.out.return_authenticator->cred), + + torture_assert(tctx, netlogon_creds_client_check(creds, + &r.out.return_authenticator->cred), "Credential chaining failed"); pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length; pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type; - + /* Break the SignatureType */ pac_wrapped_struct.SignatureType++; pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length; pac_wrapped_struct.ChecksumAndSignature = payload - = data_blob_talloc(tmp_ctx, NULL, + = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); - memcpy(&payload.data[0], + memcpy(&payload.data[0], pac_data->pac_srv_sig->signature.data, pac_wrapped_struct.ChecksumLength); - memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], + memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], pac_data->pac_kdc_sig->signature.data, pac_wrapped_struct.SignatureLength); - + ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct, (ndr_push_flags_fn_t)ndr_push_PAC_Validate); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); - + torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); - + generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; 
@@ -357,13 +357,13 @@ static bool test_PACVerify(struct torture_context *tctx, r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.validation_level = NetlogonValidationGenericInfo2; - + torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r), "LogonSamLogon failed"); - + torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed"); - - torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), + + torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length; 
@@ -371,26 +371,26 @@ static bool test_PACVerify(struct torture_context *tctx, pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length; pac_wrapped_struct.ChecksumAndSignature = payload - = data_blob_talloc(tmp_ctx, NULL, + = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); - memcpy(&payload.data[0], + memcpy(&payload.data[0], pac_data->pac_srv_sig->signature.data, pac_wrapped_struct.ChecksumLength); - memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], + memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], pac_data->pac_kdc_sig->signature.data, pac_wrapped_struct.SignatureLength); - + /* Break the signature length */ pac_wrapped_struct.SignatureLength++; ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct, (ndr_push_flags_fn_t)ndr_push_PAC_Validate); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); - + torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); - + generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; 
@@ -405,13 +405,13 @@ static bool test_PACVerify(struct torture_context *tctx, r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.validation_level = NetlogonValidationGenericInfo2; - + torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r), "LogonSamLogon failed"); - + torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed"); - - torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), + + torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); return true; -- 1.7.9.5 From b61d676003413bbc2209739d458e57046ab805a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 5 Dec 2012 16:11:19 +0100 Subject: [PATCH 11/28] s4-torture: use names for r.in.logon_level of netlogon samlogon requests. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 3dffd29904b3de145941a7420d56b30611f9616f) --- source4/torture/rpc/netlogon.c | 4 ++-- source4/torture/rpc/remote_pac.c | 2 +- source4/torture/rpc/samba3rpc.c | 4 ++-- source4/torture/rpc/samlogon.c | 4 ++-- source4/torture/rpc/samsync.c | 2 +- source4/torture/rpc/schannel.c | 4 ++-- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 2f7e913..e7cece3 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c 
@@ -835,7 +835,7 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.credential = &auth; r.in.return_authenticator = &auth2; - r.in.logon_level = 2; + r.in.logon_level = NetlogonNetworkInformation; r.in.logon = &logon; r.out.validation = &validation; r.out.authoritative = &authoritative; @@ -941,7 +941,7 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context "LogonSamLogon invalid *r.out.authoritative"); } - r.in.logon_level = 2; + r.in.logon_level = NetlogonNetworkInformation; r.in.credential = &auth; for (i=2;i<=3;i++) { diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 3f7afc3..6b0c044 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -663,7 +663,7 @@ static bool test_S2U4Self(struct torture_context *tctx, r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.credential = &auth; r.in.return_authenticator = &auth2; - r.in.logon_level = 2; + r.in.logon_level = NetlogonNetworkInformation; r.in.logon = &logon; r.out.validation = &validation; r.out.authoritative = &authoritative; diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c index f7968b1..d8d90ce 100644 --- a/source4/torture/rpc/samba3rpc.c +++ b/source4/torture/rpc/samba3rpc.c @@ -1163,7 +1163,7 @@ static bool schan(struct torture_context *tctx, cli_credentials_get_workstation(wks_creds); r.in.credential = &netr_auth; r.in.return_authenticator = &netr_auth2; - r.in.logon_level = 2; + r.in.logon_level = NetlogonNetworkInformation; r.in.validation_level = i; r.in.logon = &logon; r.out.validation = &validation; @@ -1203,7 +1203,7 @@ static bool schan(struct torture_context *tctx, logon.password = &pinfo; - r.in.logon_level = 1; + r.in.logon_level = NetlogonInteractiveInformation; r.in.logon = &logon; r.out.return_authenticator = &return_authenticator; 
diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index 640bd6a..8d13a63 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -1344,7 +1344,7 @@ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, int i, v, l, f; bool ret = true; int validation_levels[] = {2,3,6}; - int logon_levels[] = { 2, 6 }; + int logon_levels[] = { NetlogonNetworkInformation, NetlogonNetworkTransitiveInformation }; int function_levels[] = { NDR_NETR_LOGONSAMLOGON, NDR_NETR_LOGONSAMLOGONEX, @@ -1484,7 +1484,7 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.computer_name = TEST_MACHINE_NAME; r.in.credential = &a; r.in.return_authenticator = &ra; - r.in.logon_level = 5; + r.in.logon_level = NetlogonInteractiveTransitiveInformation; r.in.logon = &logon; r.in.validation_level = 6; r.in.flags = &flags; diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c index b92eb21..7249705 100644 --- a/source4/torture/rpc/samsync.c +++ b/source4/torture/rpc/samsync.c @@ -95,7 +95,7 @@ static NTSTATUS test_SamLogon(struct torture_context *tctx, r.in.computer_name = workstation; r.in.credential = &auth; r.in.return_authenticator = &auth2; - r.in.logon_level = 2; + r.in.logon_level = NetlogonNetworkInformation; r.in.logon = &logon; r.out.validation = &validation; r.out.authoritative = &authoritative; diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index 8a11a20..7e3e6aa 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -102,7 +102,7 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx, r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); - r.in.logon_level = 2; + r.in.logon_level = NetlogonNetworkInformation; r.in.logon= &logon; r.in.flags = &_flags; r.out.validation = &validation; 
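Review bot: In test_SamLogon the hunk at -1344 names the logon levels but leaves `int validation_levels[] = {2,3,6};` on the line above as bare numbers, and the hunk at -1484 likewise keeps `r.in.validation_level = 6;` next to the newly named `r.in.logon_level`. For consistency with the intent of this commit the validation levels could use the netr_ValidationInfoClass names (NetlogonValidationGenericInfo2 is already used elsewhere in this series), e.g. `int validation_levels[] = { NetlogonValidationSamInfo, NetlogonValidationSamInfo2, NetlogonValidationSamInfo4 };` and `r.in.validation_level = NetlogonValidationSamInfo4;`. Both enclosing functions begin and end outside these hunks.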
@@ -656,7 +656,7 @@ static bool torture_schannel_bench_start(struct torture_schannel_bench_conn *con conn->r.in.server_name = talloc_asprintf(conn->tmp, "\\\\%s", dcerpc_server_name(conn->pipe)); conn->r.in.computer_name = cli_credentials_get_workstation(conn->wks_creds); - conn->r.in.logon_level = 2; + conn->r.in.logon_level = NetlogonNetworkInformation; conn->r.in.logon = talloc(conn->tmp, union netr_LogonLevel); conn->r.in.logon->network = &conn->ninfo; conn->r.in.flags = talloc(conn->tmp, uint32_t); -- 1.7.9.5 From 4e06e21b17f05251e9a00581edd2c9d4360c4136 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 5 Dec 2012 16:23:34 +0100 Subject: [PATCH 12/28] s4-torture: support AES encryption in pac_verify/generic samlogon netlogon tests. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit d94f012f3fb428027709a9c8becf8edb85072463) --- source4/torture/rpc/remote_pac.c | 87 +++++++++++++++++++++++++++++--------- 1 file changed, 68 insertions(+), 19 deletions(-) diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 6b0c044..ccecc06 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -121,7 +121,8 @@ static bool test_PACVerify(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *credentials, enum netr_SchannelType secure_channel_type, - const char *test_machine_name) + const char *test_machine_name, + uint32_t negotiate_flags) { NTSTATUS status; 
@@ -152,7 +153,11 @@ static bool test_PACVerify(struct torture_context *tctx, TALLOC_CTX *tmp_ctx = talloc_new(tctx); torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed"); - if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + torture_comment(tctx, + "Testing PAC Verify (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x\n", + secure_channel_type, test_machine_name, negotiate_flags); + + if (!test_SetupCredentials2(p, tctx, negotiate_flags, credentials, secure_channel_type, &creds)) { return false; @@ -235,7 +240,11 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); - netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length); + } else { + netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + } generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; @@ -341,7 +350,11 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); - netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length); + } else { + netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + } generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; 
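Review bot: The new torture_comment in test_PACVerify opens a parenthesis it never closes, so the log line reads `(secure_channel_type: 1, machine: ..., negotiate_flags: 0x...` with no `)`; change the format to `"Testing PAC Verify (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x)\n"`. The rest of test_PACVerify is outside this hunk.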
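Review bot: The assertion kept immediately above the new AES branch still demands NETLOGON_NEG_ARCFOUR and still says "not willing to even try a PACValidate without RC4 encryption", which no longer matches what the code does when NETLOGON_NEG_SUPPORTS_AES is set; the same stale pair appears in the hunk at -341 on this line and at -389 on the next. The AES wrappers added later in this patch presumably keep NETLOGON_NEG_ARCFOUR inside NETLOGON_NEG_AUTH2_ADS_FLAGS, so the assert passes by accident rather than by design. Suggested replacement at all three sites: `torture_assert(tctx, (creds->negotiate_flags & (NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_SUPPORTS_AES)), "not willing to even try a PACValidate without RC4 or AES encryption");`. test_PACVerify begins and ends outside these hunks.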
@@ -389,7 +402,11 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); - netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length); + } else { + netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + } generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; 
@@ -417,18 +434,40 @@ static bool test_PACVerify(struct torture_context *tctx, return true; } -static bool test_PACVerify_bdc(struct torture_context *tctx, - struct dcerpc_pipe *p, - struct cli_credentials *credentials) +static bool test_PACVerify_bdc_arcfour(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *credentials) { - return test_PACVerify(tctx, p, credentials, SEC_CHAN_BDC, TEST_MACHINE_NAME_BDC); + return test_PACVerify(tctx, p, credentials, SEC_CHAN_BDC, + TEST_MACHINE_NAME_BDC, + NETLOGON_NEG_AUTH2_ADS_FLAGS); } -static bool test_PACVerify_workstation(struct torture_context *tctx, - struct dcerpc_pipe *p, - struct cli_credentials *credentials) +static bool test_PACVerify_bdc_aes(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *credentials) +{ + return test_PACVerify(tctx, p, credentials, SEC_CHAN_BDC, + TEST_MACHINE_NAME_BDC, + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); +} + +static bool test_PACVerify_workstation_arcfour(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *credentials) { - return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, TEST_MACHINE_NAME_WKSTA); + return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, + TEST_MACHINE_NAME_WKSTA, + NETLOGON_NEG_AUTH2_ADS_FLAGS); +} + +static bool test_PACVerify_workstation_aes(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *credentials) +{ + return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, + TEST_MACHINE_NAME_WKSTA, + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); } static bool test_PACVerify_workstation_des(struct torture_context *tctx, 
@@ -465,7 +504,9 @@ static bool test_PACVerify_workstation_des(struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, r.out.result, "failed to set DES into account flags"); - return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, TEST_MACHINE_NAME_WKSTA_DES); + return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, + TEST_MACHINE_NAME_WKSTA_DES, + NETLOGON_NEG_AUTH2_ADS_FLAGS); } @@ -668,7 +709,7 @@ static bool test_S2U4Self(struct torture_context *tctx, r.out.validation = &validation; r.out.authoritative = &authoritative; - if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, credentials, secure_channel_type, &creds)) { return false; 
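Review bot: In the @@ -668 hunk test_S2U4Self now always requests NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, so the RC4-only credential path for S2U4Self is no longer exercised at all, whereas test_PACVerify in the same commit was given separate _arcfour and _aes variants. If test_SetupCredentials2 accepts whatever the server negotiates this still passes against a non-AES server, but then it silently tests a different cipher than the name suggests; giving test_S2U4Self a negotiate_flags parameter the way test_PACVerify got one keeps both paths covered. The same single-flag switch is made to test_validate_trust in forest_trust.c (the @@ -630 hunk of patch 18). Both functions start and end outside the hunk.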
@@ -737,13 +778,21 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx) struct torture_rpc_tcase *tcase; /* It is important to use different names, so that old entries in our credential cache are not used */ - tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon-bdc", + tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour", &ndr_table_netlogon, TEST_MACHINE_NAME_BDC); - torture_rpc_tcase_add_test_creds(tcase, "verify-sig", test_PACVerify_bdc); + torture_rpc_tcase_add_test_creds(tcase, "verify-sig-arcfour", test_PACVerify_bdc_arcfour); - tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member", + tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-aes", + &ndr_table_netlogon, TEST_MACHINE_NAME_BDC); + torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_bdc_aes); + + tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-arcfour", + &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA); + torture_rpc_tcase_add_test_creds(tcase, "verify-sig-arcfour", test_PACVerify_workstation_arcfour); + + tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-aes", &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA); - torture_rpc_tcase_add_test_creds(tcase, "verify-sig", test_PACVerify_workstation); + torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes); tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des", &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES); -- 1.7.9.5 From ebb54e1300de87d76b9cbed324a88a9ec6231474 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 5 Dec 2012 16:20:14 +0100 Subject: [PATCH 13/28] s4-torture: support AES encryption in interactive samlogon tests in rpc.samr. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther 
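Review bot: The new "netr-bdc-aes" tcase reuses TEST_MACHINE_NAME_BDC and "netr-mem-aes" reuses TEST_MACHINE_NAME_WKSTA, directly under the comment saying different names matter so stale credential-cache entries are not picked up; if that comment refers to the machine account names (the DES variant having its own TEST_MACHINE_NAME_WKSTA_DES suggests it does), the arcfour and aes tcases may now share cached credentials and one could mask a failure in the other. A dedicated define per cipher variant, e.g. a TEST_MACHINE_NAME_BDC_AES, would follow the existing pattern. As a style point, "netlogon-member-des" keeps the old tcase prefix while its siblings were renamed to "netr-…".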
Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 5089442bfdbeff7314e589387c3702f9c401e12a) --- source4/torture/rpc/samr.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index a460211..7f50ce9 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -2888,7 +2888,10 @@ static bool test_SamLogon(struct torture_context *tctx, } E_md4hash(cli_credentials_get_password(test_credentials), pinfo.ntpassword.hash); - if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, pinfo.lmpassword.hash, 16); + netlogon_creds_aes_encrypt(creds, pinfo.ntpassword.hash, 16); + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16); netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16); } else { @@ -3072,7 +3075,7 @@ static bool setup_schannel_netlogon_pipe(struct torture_context *tctx, * with INTERNAL_ERROR */ b->flags &= ~DCERPC_AUTH_OPTIONS; - b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128; + b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_AUTO; torture_assert_ntstatus_ok(tctx, dcerpc_pipe_connect_b(tctx, p, b, &ndr_table_netlogon, -- 1.7.9.5 From 3d7ec009cf60857dc2bcf506be1ed16f737b16a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 5 Dec 2012 16:21:59 +0100 Subject: [PATCH 14/28] s4-torture: exit early when join fails in samba3rpc tests. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 4afb7dcb43c6903568c0fe2c2c2044706e9bd613) --- source4/torture/rpc/samba3rpc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c index d8d90ce..0dd9dbd 100644 --- a/source4/torture/rpc/samba3rpc.c +++ b/source4/torture/rpc/samba3rpc.c @@ -399,7 +399,9 @@ static bool get_usr_handle(struct torture_context *tctx, samr_pipe = dcerpc_pipe_init(mem_ctx, tctx->ev); torture_assert(tctx, samr_pipe, "dcerpc_pipe_init failed"); - +#if 0 + samr_pipe->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT; +#endif samr_handle = samr_pipe->binding_handle; torture_assert_ntstatus_ok(tctx, @@ -744,7 +746,7 @@ static bool join3(struct torture_context *tctx, goto done; } samr_handle = samr_pipe->binding_handle; - + ret = false; { struct samr_QueryUserInfo q; union samr_UserInfo *info; -- 1.7.9.5 From 054e8f9440b5ed4478f029828d9ea2b93bbc7d83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 5 Dec 2012 18:38:01 +0100 Subject: [PATCH 15/28] s4-torture: use netlogon_creds_arcfour_crypt() in samba3rpc test. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit fd7087020344f7d24737e3be2f3afbd0417b0026) --- source4/torture/rpc/samba3rpc.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c index 0dd9dbd..c19476d 100644 --- a/source4/torture/rpc/samba3rpc.c +++ b/source4/torture/rpc/samba3rpc.c @@ -1104,7 +1104,7 @@ static bool schan(struct torture_context *tctx, for (i=2; i<4; i++) { int flags; - DATA_BLOB chal, nt_resp, lm_resp, names_blob, session_key; + DATA_BLOB chal, nt_resp, lm_resp, names_blob; struct netlogon_creds_CredentialState *creds_state; struct netr_Authenticator netr_auth, netr_auth2; struct netr_NetworkInfo ninfo; 
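Review bot: The `#if 0` block in get_usr_handle commits dead code, and if it is ever flipped on, DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT would print the raw SAMR PDUs of the join — which presumably carry the password material this helper sets — into the torture log. Either drop the block or make it a runtime torture option, so enabling PDU dumps is an explicit choice rather than a source edit. The `ret = false;` added in join3 only produces the early exit the subject line promises if the block that follows is the one that previously left ret at its earlier value; that code is outside the hunk, so worth a second look.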
@@ -1197,11 +1197,8 @@ static bool schan(struct torture_context *tctx, ZERO_STRUCT(pinfo.lmpassword.hash); E_md4hash(cli_credentials_get_password(user_creds), pinfo.ntpassword.hash); - session_key = data_blob_talloc(mem_ctx, - creds_state->session_key, 16); - arcfour_crypt_blob(pinfo.ntpassword.hash, - sizeof(pinfo.ntpassword.hash), - &session_key); + + netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16); logon.password = &pinfo; -- 1.7.9.5 From 4b01a3e5f8ac11de67e9ba1d5de2bd085feb2f41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 5 Dec 2012 16:37:02 +0100 Subject: [PATCH 16/28] s3-rpc_server: pass down netlogon cred state in _netr_ServerGetTrustInfo(). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 306a78d97f2fdfaa81c58bafdebcfab0fb8f1636) --- source3/rpc_server/netlogon/srv_netlog_nt.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 5fc2756..aef97e4 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -2398,7 +2398,7 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p, static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx, const DATA_BLOB *trustAuth_blob, - const DATA_BLOB *session_key, + struct netlogon_creds_CredentialState *creds, struct samr_Password *current_pw_enc, struct samr_Password *previous_pw_enc) { 
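Review bot: netlogon_creds_arcfour_crypt is applied to pinfo.ntpassword.hash unconditionally, whereas test_SamLogon in samr.c (patch 13) picks AES, RC4 or DES from creds->negotiate_flags; if the flags schan() negotiates earlier in the loop (outside this hunk) ever include NETLOGON_NEG_SUPPORTS_AES, the server decrypts with AES and the logon fails for the wrong reason. Either mirror the negotiate_flags dispatch or pin the assumption next to the call: `torture_assert(tctx, (creds_state->negotiate_flags & NETLOGON_NEG_ARCFOUR), "schan() encrypts the interactive password with RC4");`. schan() starts and ends outside the hunk.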
@@ -2421,8 +2421,7 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx, return NT_STATUS_UNSUCCESSFUL; } - arcfour_crypt_blob(current_pw_enc->hash, sizeof(current_pw_enc->hash), - session_key); + netlogon_creds_arcfour_crypt(creds, current_pw_enc->hash, sizeof(current_pw_enc->hash)); if (trustAuth.previous.count != 0 && trustAuth.previous.array[0].AuthType == TRUST_AUTH_TYPE_CLEAR) { @@ -2432,8 +2431,8 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx, } else { mdfour(previous_pw_enc->hash, NULL, 0); } - arcfour_crypt_blob(previous_pw_enc->hash, sizeof(previous_pw_enc->hash), - session_key); + + netlogon_creds_arcfour_crypt(creds, previous_pw_enc->hash, sizeof(previous_pw_enc->hash)); return NT_STATUS_OK; } @@ -2455,7 +2454,6 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p, DATA_BLOB trustAuth_blob; struct samr_Password *new_owf_enc; struct samr_Password *old_owf_enc; - DATA_BLOB session_key; struct loadparm_context *lp_ctx; lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers()); @@ -2543,10 +2541,8 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p, trustAuth_blob = td->trust_auth_outgoing; } - session_key.data = creds->session_key; - session_key.length = sizeof(creds->session_key); status = get_password_from_trustAuth(p->mem_ctx, &trustAuth_blob, - &session_key, + creds, new_owf_enc, old_owf_enc); if (!NT_STATUS_IS_OK(status)) { -- 1.7.9.5 From ab5f0b796cd4e95270f25bcdad1f5e4f2ebb435b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 5 Dec 2012 17:59:12 +0100 Subject: [PATCH 17/28] s4-torture: validate owf password hash and negotiate AES ServerGetTrustInfo test. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther 
Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 83b00afe9f2116ef04378c251070143595450a3e) --- source4/torture/rpc/netlogon.c | 37 +++++++++++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index e7cece3..1f92bc6 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -3155,9 +3155,10 @@ static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx, return true; } -static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx, - struct dcerpc_pipe *p, - struct cli_credentials *machine_credentials) +static bool test_netr_ServerGetTrustInfo_flags(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *machine_credentials, + uint32_t negotiate_flags) { struct netr_ServerGetTrustInfo r; @@ -3170,7 +3171,9 @@ static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx, struct netlogon_creds_CredentialState *creds; struct dcerpc_binding_handle *b = p->binding_handle; - if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + struct samr_Password nt_hash; + + if (!test_SetupCredentials3(p, tctx, negotiate_flags, machine_credentials, &creds)) { return false; } 
@@ -3193,9 +3196,34 @@ static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, r.out.result, "ServerGetTrustInfo failed"); torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed"); + E_md4hash(cli_credentials_get_password(machine_credentials), nt_hash.hash); + + netlogon_creds_des_decrypt(creds, &new_owf_password); + + dump_data(1, new_owf_password.hash, 16); + dump_data(1, nt_hash.hash, 16); + + torture_assert_mem_equal(tctx, new_owf_password.hash, nt_hash.hash, 16, + "received unexpected owf password\n"); + return true; } +static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *machine_credentials) +{ + return test_netr_ServerGetTrustInfo_flags(tctx, p, machine_credentials, + NETLOGON_NEG_AUTH2_ADS_FLAGS); +} + +static bool test_netr_ServerGetTrustInfo_AES(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *machine_credentials) +{ + return test_netr_ServerGetTrustInfo_flags(tctx, p, machine_credentials, + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); +} static bool test_GetDomainInfo(struct torture_context *tctx, struct dcerpc_pipe *p, @@ -3857,6 +3885,7 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx) torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW); torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW); torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo); + torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo_AES", test_netr_ServerGetTrustInfo_AES); torture_rpc_tcase_add_test_creds(tcase, "GetForestTrustInformation", test_netr_GetForestTrustInformation); return suite; -- 1.7.9.5 From 5bd71a6355be4132b9808a49b3bc72a551e98e61 Mon Sep 17 00:00:00 2001 
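Review bot: `dump_data(1, nt_hash.hash, 16);` and the preceding dump of new_owf_password.hash write the machine account's NT OWF into the torture log at debug level 1, far below the `#ifdef DEBUG_PASSWORD` / level 100 convention the server code in this same series uses for the same material; the identical pair is added to test_validate_trust in forest_trust.c (the @@ -670 hunk of patch 18). Raising both to level 100 or guarding them with DEBUG_PASSWORD keeps CI logs free of reusable hashes, and since torture_assert_mem_equal already reports the mismatch the dumps add little. The return value of E_md4hash is also ignored; if it reports failure through its return value, the comparison runs against an uninitialised nt_hash and the test fails with a misleading message.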
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 5 Dec 2012 18:06:54 +0100 Subject: [PATCH 18/28] s4-torture: validate owf password hash and negotiate AES in forest trust test. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 6aec126566d01dd9ddbbd5488f73b61729094a52) --- source4/torture/rpc/forest_trust.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/source4/torture/rpc/forest_trust.c b/source4/torture/rpc/forest_trust.c index f416054..2208280 100644 --- a/source4/torture/rpc/forest_trust.c +++ b/source4/torture/rpc/forest_trust.c @@ -597,6 +597,7 @@ static bool test_validate_trust(struct torture_context *tctx, struct netr_GetForestTrustInformation fr; struct lsa_ForestTrustInformation *forest_trust_info; int i; + struct samr_Password nt_hash; status = dcerpc_parse_binding(tctx, binding, &b); torture_assert_ntstatus_ok(tctx, status, "Bad binding string"); @@ -630,7 +631,7 @@ static bool test_validate_trust(struct torture_context *tctx, return false; } - if (!test_SetupCredentials3(pipe, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + if (!test_SetupCredentials3(pipe, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, credentials, &creds)) { torture_comment(tctx, "test_SetupCredentials3 failed.\n"); return false; @@ -670,6 +671,16 @@ static bool test_validate_trust(struct torture_context *tctx, return false; } + E_md4hash(cli_credentials_get_password(credentials), nt_hash.hash); + + netlogon_creds_des_decrypt(creds, &new_owf_password); + + dump_data(1, new_owf_password.hash, 16); + dump_data(1, nt_hash.hash, 16); + + torture_assert_mem_equal(tctx, new_owf_password.hash, nt_hash.hash, 16, + "received unexpected owf password\n"); + netlogon_creds_client_authenticator(creds, &a); fr.in.server_name = talloc_asprintf(tctx, "\\\\%s", -- 1.7.9.5 
From 91f680dac21f8c14e3684a71645c647379f58295 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 5 Dec 2012 19:52:54 +0100 Subject: [PATCH 19/28] s3-rpc_server: we need to encrypt OWFs using DES in _netr_ServerGetTrustInfo(). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sumit, please check. Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit a52115ce67c2e5bd1e478d7601483fd2490aea31) --- source3/rpc_server/netlogon/srv_netlog_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index aef97e4..16542f8 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -2421,7 +2421,7 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx, return NT_STATUS_UNSUCCESSFUL; } - netlogon_creds_arcfour_crypt(creds, current_pw_enc->hash, sizeof(current_pw_enc->hash)); + netlogon_creds_des_encrypt(creds, current_pw_enc); if (trustAuth.previous.count != 0 && trustAuth.previous.array[0].AuthType == TRUST_AUTH_TYPE_CLEAR) { @@ -2432,7 +2432,7 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx, mdfour(previous_pw_enc->hash, NULL, 0); } - netlogon_creds_arcfour_crypt(creds, previous_pw_enc->hash, sizeof(previous_pw_enc->hash)); + netlogon_creds_des_encrypt(creds, previous_pw_enc); return NT_STATUS_OK; } -- 1.7.9.5 From 25863e90961e57099af2520d6fc6346600258ec5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 5 Dec 2012 16:24:24 +0100 Subject: [PATCH 20/28] s4-rpc_server: support AES encryption in interactive and generic samlogon. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther 
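Review bot: The switch from netlogon_creds_arcfour_crypt to netlogon_creds_des_encrypt in get_password_from_trustAuth is not explained in the code, and it is non-obvious because every other call site in this series selects the cipher from creds->negotiate_flags while this one uses DES even when the client negotiated AES (the ServerGetTrustInfo torture test in patch 17 requests NETLOGON_NEG_SUPPORTS_AES and still decrypts with netlogon_creds_des_decrypt). A one-line comment above the first call would spare the next reader the same question: `/* OWF passwords returned by ServerGetTrustInfo are always DES-encrypted with the session key, independent of the negotiated cipher */`. get_password_from_trustAuth starts outside the hunk.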
Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 71572632bd33dcb5c03a701bbb72a707e5642237) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index ef4351b..ac69d3d 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -635,7 +635,14 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal case NetlogonServiceInformation: case NetlogonInteractiveTransitiveInformation: case NetlogonServiceTransitiveInformation: - if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_decrypt(creds, + r->in.logon->password->lmpassword.hash, + sizeof(r->in.logon->password->lmpassword.hash)); + netlogon_creds_aes_decrypt(creds, + r->in.logon->password->ntpassword.hash, + sizeof(r->in.logon->password->ntpassword.hash)); + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { netlogon_creds_arcfour_crypt(creds, r->in.logon->password->lmpassword.hash, sizeof(r->in.logon->password->lmpassword.hash)); @@ -698,7 +705,10 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal case NetlogonGenericInformation: { - if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_decrypt(creds, + r->in.logon->generic->data, r->in.logon->generic->length); + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { netlogon_creds_arcfour_crypt(creds, r->in.logon->generic->data, r->in.logon->generic->length); } else { 
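Review bot: The AES / RC4 / else dispatch is now written out four times in dcesrv_netr_LogonSamLogon_base (both hunks here plus @@ -811 and @@ -823 on the next line) and a fifth time in the s3 server in patch 21, each repeating the same `creds->negotiate_flags` tests in the same order; a pair of helpers in libcli/auth (one for the incoming password or generic data, one for the returned session keys) would make client and server take the cipher from one place, which matters because peers that disagree on the precedence of NETLOGON_NEG_SUPPORTS_AES over NETLOGON_NEG_ARCFOUR break every logon. The ordering here, AES before RC4, matches what the torture clients in patches 12 and 13 do, so it is correct; it just deserves a comment such as `/* AES wins over RC4 when both were negotiated; the client must apply the same preference */`. dcesrv_netr_LogonSamLogon_base starts and ends outside the hunk.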
@@ -811,8 +821,12 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal /* It appears that level 6 is not individually encrypted */ if ((r->in.validation_level != 6) && memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) { - /* This key is sent unencrypted without the ARCFOUR flag set */ - if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + /* This key is sent unencrypted without the ARCFOUR or AES flag set */ + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, + sam->key.key, + sizeof(sam->key.key)); + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { netlogon_creds_arcfour_crypt(creds, sam->key.key, sizeof(sam->key.key)); @@ -823,7 +837,11 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal /* It appears that level 6 is not individually encrypted */ if ((r->in.validation_level != 6) && memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) { - if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, + sam->LMSessKey.key, + sizeof(sam->LMSessKey.key)); + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { netlogon_creds_arcfour_crypt(creds, sam->LMSessKey.key, sizeof(sam->LMSessKey.key)); -- 1.7.9.5 From 8a78339e5b64053f87da4ac7907973877c5b900a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 5 Dec 2012 19:49:52 +0100 Subject: [PATCH 21/28] s3-rpc_server: support AES for interactive netlogon samlogon password decryption. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Still need to fix AES support for the returned validation info. Guenther 
Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 645289216eeb718eab1201dd3ad0a50fdf85753c) --- source3/auth/auth_util.c | 34 +------------------------ source3/auth/proto.h | 3 +-- source3/rpc_server/netlogon/srv_netlog_nt.c | 36 +++++++++++++++++++++++++-- 3 files changed, 36 insertions(+), 37 deletions(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 83c95a9..b75a390 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -207,16 +207,12 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], - const uchar nt_interactive_pwd[16], - const uchar *dc_sess_key) + const uchar nt_interactive_pwd[16]) { struct samr_Password lm_pwd; struct samr_Password nt_pwd; unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; - unsigned char key[16]; - - memcpy(key, dc_sess_key, 16); if (lm_interactive_pwd) memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash)); @@ -224,31 +220,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in if (nt_interactive_pwd) memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash)); -#ifdef DEBUG_PASSWORD - DEBUG(100,("key:")); - dump_data(100, key, sizeof(key)); - - DEBUG(100,("lm owf password:")); - dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash)); - - DEBUG(100,("nt owf password:")); - dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash)); -#endif - - if (lm_interactive_pwd) - arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash)); - - if (nt_interactive_pwd) - arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash)); - -#ifdef DEBUG_PASSWORD - DEBUG(100,("decrypt of lm owf password:")); - dump_data(100, lm_pwd.hash, sizeof(lm_pwd)); - - DEBUG(100,("decrypt of nt owf password:")); - dump_data(100, nt_pwd.hash, sizeof(nt_pwd)); -#endif - if (lm_interactive_pwd) SMBOWFencrypt(lm_pwd.hash, chal, local_lm_response); 
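Review bot: make_user_info_netlogon_interactive no longer decrypts lm_interactive_pwd / nt_interactive_pwd, so its contract changed from "session-key-encrypted OWFs" to "plaintext OWFs", but neither the definition nor the proto.h declaration in the next hunk says so; a comment on the prototype would stop a new caller from passing the wire form, e.g. `/* lm_interactive_pwd / nt_interactive_pwd must already be decrypted by the caller (see _netr_LogonSamLogon_base) */`. With the "Password info paranoia" ZERO_STRUCT(key) gone there is no zeroing left in this function, although lm_pwd and nt_pwd still hold the plaintext hashes until the frame is reused; a ZERO_STRUCT of both before returning would keep the previous level of care. The function's signature starts before the hunk.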
@@ -257,9 +228,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in SMBOWFencrypt(nt_pwd.hash, chal, local_nt_response); - /* Password info paranoia */ - ZERO_STRUCT(key); - { bool ret; NTSTATUS nt_status; diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 98b48df..6c996722 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -174,8 +174,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], - const uchar nt_interactive_pwd[16], - const uchar *dc_sess_key); + const uchar nt_interactive_pwd[16]); bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 16542f8..cb932b4 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c 
@@ -1596,6 +1596,39 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, { uint8_t chal[8]; +#ifdef DEBUG_PASSWORD + DEBUG(100,("lm owf password:")); + dump_data(100, logon->password->lmpassword.hash, 16); + + DEBUG(100,("nt owf password:")); + dump_data(100, logon->password->ntpassword.hash, 16); +#endif + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_decrypt(creds, + logon->password->lmpassword.hash, + 16); + netlogon_creds_aes_decrypt(creds, + logon->password->ntpassword.hash, + 16); + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + netlogon_creds_arcfour_crypt(creds, + logon->password->lmpassword.hash, + 16); + netlogon_creds_arcfour_crypt(creds, + logon->password->ntpassword.hash, + 16); + } else { + netlogon_creds_des_decrypt(creds, &logon->password->lmpassword); + netlogon_creds_des_decrypt(creds, &logon->password->ntpassword); + } + +#ifdef DEBUG_PASSWORD + DEBUG(100,("decrypt of lm owf password:")); + dump_data(100, logon->password->lmpassword.hash, 16); + + DEBUG(100,("decrypt of nt owf password:")); + dump_data(100, logon->password->ntpassword.hash, 16); +#endif status = make_auth_context_subsystem(talloc_tos(), &auth_context); if (!NT_STATUS_IS_OK(status)) { @@ -1611,8 +1644,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, logon->password->identity_info.parameter_control, chal, logon->password->lmpassword.hash, - logon->password->ntpassword.hash, - creds->session_key)) { + logon->password->ntpassword.hash)) { status = NT_STATUS_NO_MEMORY; } break; -- 1.7.9.5 From 14597acfabeee0eb144ef9daf9561e472a690352 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 6 Dec 2012 14:31:32 +0100 Subject: [PATCH 22/28] s3-auth: session keys in validation level 6 samlogon replies are *not* encrypted. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther 
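Review bot: The three decrypt branches pass a literal `16` where the s4 counterpart in patch 20 uses `sizeof(r->in.logon->password->lmpassword.hash)`; writing `sizeof(logon->password->lmpassword.hash)` here keeps the two servers consistent and ties the length to the type. Decryption is now done in place on `logon->password`, so the plaintext OWFs remain in the talloc'd request for as long as it lives instead of in a local that could be cleared; if nothing downstream needs them once make_user_info_netlogon_interactive has returned, zeroing both hashes there would limit the exposure. The DES fallback is new behaviour for clients that negotiated neither flag (the auth_util.c code removed in this commit always ran arcfour_crypt), which looks right but deserves a sentence in the commit message. _netr_LogonSamLogon_base starts and ends outside the hunk.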
Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit 7f435bd649f0b313804f40807a38de9478478b6c) --- source3/auth/server_info.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c index 216e5e3..02bf689 100644 --- a/source3/auth/server_info.c +++ b/source3/auth/server_info.c @@ -176,20 +176,12 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, server_info->session_key.data, MIN(sizeof(info3->base.key.key), server_info->session_key.length)); - if (pipe_session_key) { - arcfour_crypt(info3->base.key.key, - pipe_session_key, 16); - } } if (server_info->lm_session_key.length) { memcpy(info3->base.LMSessKey.key, server_info->lm_session_key.data, MIN(sizeof(info3->base.LMSessKey.key), server_info->lm_session_key.length)); - if (pipe_session_key) { - arcfour_crypt(info3->base.LMSessKey.key, - pipe_session_key, 8); - } } sam6->base = info3->base; -- 1.7.9.5 From 063dbdbc356b66ceb3078afbca85ac4ccf324e63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 6 Dec 2012 14:54:25 +0100 Subject: [PATCH 23/28] s3-rpc_server: Remove obsolete process_creds boolean in samlogon server. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit c1fb595081c2b0bf66bce06c09750f53e8031311) --- source3/rpc_server/netlogon/srv_netlog_nt.c | 27 +++------------------------ 1 file changed, 3 insertions(+), 24 deletions(-) diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index cb932b4..4be2355 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c 
@@ -1465,21 +1465,16 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, struct auth_usersupplied_info *user_info = NULL; struct auth_serversupplied_info *server_info = NULL; struct auth_context *auth_context = NULL; - uint8_t pipe_session_key[16]; - bool process_creds = true; const char *fn; switch (p->opnum) { case NDR_NETR_LOGONSAMLOGON: - process_creds = true; fn = "_netr_LogonSamLogon"; break; case NDR_NETR_LOGONSAMLOGONWITHFLAGS: - process_creds = true; fn = "_netr_LogonSamLogonWithFlags"; break; case NDR_NETR_LOGONSAMLOGONEX: - process_creds = false; fn = "_netr_LogonSamLogonEx"; break; default: @@ -1693,33 +1688,17 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, the SAM Local Security Authority should record that the user is logged in to the domain. */ - if (process_creds) { - /* Get the pipe session key from the creds. */ - memcpy(pipe_session_key, creds->session_key, 16); - } else { - struct schannel_state *schannel_auth; - /* Get the pipe session key from the schannel. */ - if ((p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) - || (p->auth.auth_ctx == NULL)) { - return NT_STATUS_INVALID_HANDLE; - } - - schannel_auth = talloc_get_type_abort(p->auth.auth_ctx, - struct schannel_state); - memcpy(pipe_session_key, schannel_auth->creds->session_key, 16); - } - switch (r->in.validation_level) { case 2: - status = serverinfo_to_SamInfo2(server_info, pipe_session_key, 16, + status = serverinfo_to_SamInfo2(server_info, creds->session_key, 16, r->out.validation->sam2); break; case 3: - status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16, + status = serverinfo_to_SamInfo3(server_info, creds->session_key, 16, r->out.validation->sam3); break; case 6: - status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16, + status = serverinfo_to_SamInfo6(server_info, creds->session_key, 16, r->out.validation->sam6); break; } -- 1.7.9.5 From 2105d420bcf83eb644e6e2a9f14e716911159dad Mon Sep 17 00:00:00 2001 
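Review bot: The process_creds branch removed in the @@ -1693 hunk was also the only place that returned NT_STATUS_INVALID_HANDLE when NDR_NETR_LOGONSAMLOGONEX arrived without DCERPC_AUTH_TYPE_SCHANNEL; after the change all three opnums read creds->session_key, so that guard survives only if `creds` for the Ex path is obtained from the schannel auth context earlier in the function, which is outside this hunk. If that lookup already fails closed for a non-schannel Ex call the removal is safe and a comment at the switch would help the next reader, e.g. `/* creds comes from the schannel state for LogonSamLogonEx, so no separate auth-type check is needed here */`; if it does not, the check should move there rather than disappear. _netr_LogonSamLogon_base starts and ends outside the hunk.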
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 6 Dec 2012 15:21:02 +0100 Subject: [PATCH 24/28] s3-auth: remove crypto from serverinfo_to_SamInfoX calls. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit All crypto is dealt with within the netlogon samlogon server now. Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit f2d9589b178c0e3374e1c1ad363639b9e2bdce5f) --- source3/auth/check_samsec.c | 2 +- source3/auth/proto.h | 6 ----- source3/auth/server_info.c | 22 ------------------ source3/rpc_server/netlogon/srv_netlog_nt.c | 32 +++++++++++++++++++++++---- source3/torture/pdbtest.c | 2 +- 5 files changed, 30 insertions(+), 34 deletions(-) diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c index 2d3cb65..7ed8cc2 100644 --- a/source3/auth/check_samsec.c +++ b/source3/auth/check_samsec.c @@ -537,7 +537,7 @@ NTSTATUS check_sam_security_info3(const DATA_BLOB *challenge, goto done; } - status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3); + status = serverinfo_to_SamInfo3(server_info, info3); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("serverinfo_to_SamInfo3 failed: %s\n", nt_errstr(status))); diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 6c996722..76661fc 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h 
@@ -276,16 +276,10 @@ struct netr_SamInfo6; struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx); NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, struct netr_SamInfo2 *sam2); NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, struct netr_SamInfo3 *sam3); NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, struct netr_SamInfo6 *sam6); NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, struct samu *samu, diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c index 02bf689..3f4f708 100644 --- a/source3/auth/server_info.c +++ b/source3/auth/server_info.c @@ -59,8 +59,6 @@ struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) *****************************************************************************/ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, struct netr_SamInfo2 *sam2) { struct netr_SamInfo3 *info3; @@ -75,20 +73,12 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, server_info->session_key.data, MIN(sizeof(info3->base.key.key), server_info->session_key.length)); - if (pipe_session_key) { - arcfour_crypt(info3->base.key.key, - pipe_session_key, 16); - } } if (server_info->lm_session_key.length) { memcpy(info3->base.LMSessKey.key, server_info->lm_session_key.data, MIN(sizeof(info3->base.LMSessKey.key), server_info->lm_session_key.length)); - if (pipe_session_key) { - arcfour_crypt(info3->base.LMSessKey.key, - pipe_session_key, 8); - } } sam2->base = info3->base; 
@@ -102,8 +92,6 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, *****************************************************************************/ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, struct netr_SamInfo3 *sam3) { struct netr_SamInfo3 *info3; @@ -118,20 +106,12 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in server_info->session_key.data, MIN(sizeof(info3->base.key.key), server_info->session_key.length)); - if (pipe_session_key) { - arcfour_crypt(info3->base.key.key, - pipe_session_key, 16); - } } if (server_info->lm_session_key.length) { memcpy(info3->base.LMSessKey.key, server_info->lm_session_key.data, MIN(sizeof(info3->base.LMSessKey.key), server_info->lm_session_key.length)); - if (pipe_session_key) { - arcfour_crypt(info3->base.LMSessKey.key, - pipe_session_key, 8); - } } sam3->base = info3->base; @@ -148,8 +128,6 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in *****************************************************************************/ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, struct netr_SamInfo6 *sam6) { struct pdb_domain_info *dominfo; diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 4be2355..9b50655 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -1466,6 +1466,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, struct auth_serversupplied_info *server_info = NULL; struct auth_context *auth_context = NULL; const char *fn; + struct netr_SamBaseInfo *base; switch (p->opnum) { case NDR_NETR_LOGONSAMLOGON: 
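Review bot: In the last hunk the new `struct netr_SamBaseInfo *base;` is left uninitialized, and the switch that assigns it lives further down in `_netr_LogonSamLogon_base` (outside this hunk) with no `default:` arm, so any validation level other than 2, 3 or 6 would leave the pointer indeterminate. Initialize it at the declaration, `struct netr_SamBaseInfo *base = NULL;`, so a missing case is a NULL dereference rather than undefined behavior. The enclosing function starts and ends outside this hunk.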
@@ -1690,22 +1691,45 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, switch (r->in.validation_level) { case 2: - status = serverinfo_to_SamInfo2(server_info, creds->session_key, 16, + status = serverinfo_to_SamInfo2(server_info, r->out.validation->sam2); + base = &r->out.validation->sam2->base; break; case 3: - status = serverinfo_to_SamInfo3(server_info, creds->session_key, 16, + status = serverinfo_to_SamInfo3(server_info, r->out.validation->sam3); + base = &r->out.validation->sam3->base; break; case 6: - status = serverinfo_to_SamInfo6(server_info, creds->session_key, 16, + status = serverinfo_to_SamInfo6(server_info, r->out.validation->sam6); + base = &r->out.validation->sam6->base; break; } TALLOC_FREE(server_info); - return status; + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + if (r->in.validation_level == 6) { + /* no further crypto to be applied - gd */ + return NT_STATUS_OK; + } + + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_encrypt(creds, base->key.key, 16); + netlogon_creds_aes_encrypt(creds, base->LMSessKey.key, 8); + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + netlogon_creds_arcfour_crypt(creds, base->key.key, 16); + netlogon_creds_arcfour_crypt(creds, base->LMSessKey.key, 8); + } else { + /* key is unencrypted when neither AES nor RC4 bits are set */ + netlogon_creds_des_encrypt_LMKey(creds, &base->LMSessKey); + } + + return NT_STATUS_OK; } /**************************************************************** diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c index d0d529e..17da455 100644 --- a/source3/torture/pdbtest.c +++ b/source3/torture/pdbtest.c 
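Review bot: The `switch (r->in.validation_level)` has no `default:` arm, so for a level other than 2, 3 or 6 both `status` and `base` are never assigned, and the code after `TALLOC_FREE(server_info)` then tests an indeterminate `status` and may encrypt through an indeterminate `base`. Adding `default: status = NT_STATUS_INVALID_INFO_CLASS; break;` routes such requests to the existing `!NT_STATUS_IS_OK(status)` return before `base` is touched; if validation_level is already rejected earlier in the function (outside this hunk), the default is still cheap insurance. It would also help to state in the `else` comment that only the LM key is DES-wrapped and the 16-byte user session key is deliberately sent in the clear in that mode, mirroring `netlogon_creds_decrypt_samlogon`, so nobody later "fixes" the asymmetry on one side only.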
@@ -316,7 +316,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry) return False; } - status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3_auth); + status = serverinfo_to_SamInfo3(server_info, info3_auth); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n", nt_errstr(status))); -- 1.7.9.5 From 786ba6342bb7d2747785e24bec39401d88a5ac08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 7 Dec 2012 01:05:00 +0100 Subject: [PATCH 25/28] libcli/auth: remove trailing whitespace. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit be296a21fc509cacaedb5aad0c3ca4ccd44b4a62) --- libcli/auth/credentials.c | 76 ++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c index be43c95..77df7f7 100644 --- a/libcli/auth/credentials.c +++ b/libcli/auth/credentials.c @@ -1,21 +1,21 @@ -/* +/* Unix SMB/CIFS implementation. code to manipulate domain credentials Copyright (C) Andrew Tridgell 1997-2003 Copyright (C) Andrew Bartlett 2004 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see . */ 
@@ -85,7 +85,7 @@ static void netlogon_creds_init_128bit(struct netlogon_creds_CredentialState *cr memset(zero, 0, sizeof(zero)); - hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx); + hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx); MD5Init(&md5); MD5Update(&md5, zero, sizeof(zero)); MD5Update(&md5, client_challenge->data, 8); @@ -142,7 +142,7 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds) { struct netr_Credential time_cred; - DEBUG(5,("\tseed %08x:%08x\n", + DEBUG(5,("\tseed %08x:%08x\n", IVAL(creds->seed.data, 0), IVAL(creds->seed.data, 4))); SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence); @@ -152,18 +152,18 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds) netlogon_creds_step_crypt(creds, &time_cred, &creds->client); - DEBUG(5,("\tCLIENT %08x:%08x\n", + DEBUG(5,("\tCLIENT %08x:%08x\n", IVAL(creds->client.data, 0), IVAL(creds->client.data, 4))); SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence + 1); SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4)); - DEBUG(5,("\tseed+time+1 %08x:%08x\n", + DEBUG(5,("\tseed+time+1 %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4))); netlogon_creds_step_crypt(creds, &time_cred, &creds->server); - DEBUG(5,("\tSERVER %08x:%08x\n", + DEBUG(5,("\tSERVER %08x:%08x\n", IVAL(creds->server.data, 0), IVAL(creds->server.data, 4))); creds->seed = time_cred; 
@@ -259,10 +259,10 @@ next comes the client specific functions initialise the credentials chain and return the first client credentials */ - -struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx, + +struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx, const char *client_account, - const char *client_computer_name, + const char *client_computer_name, const struct netr_Credential *client_challenge, const struct netr_Credential *server_challenge, const struct samr_Password *machine_password, @@ -270,11 +270,11 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me uint32_t negotiate_flags) { struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); - + if (!creds) { return NULL; } - + creds->sequence = time(NULL); creds->negotiate_flags = negotiate_flags; @@ -317,7 +317,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me initialise the credentials structure with only a session key. The caller better know what they are doing! */ -struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx, +struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx, const uint8_t session_key[16]) { struct netlogon_creds_CredentialState *creds; @@ -326,7 +326,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA if (!creds) { return NULL; } - + memcpy(creds->session_key, session_key, 16); return creds; 
@@ -336,12 +336,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA step the credentials to the next element in the chain, updating the current client and server credentials and the seed - produce the next authenticator in the sequence ready to send to + produce the next authenticator in the sequence ready to send to the server */ void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds, struct netr_Authenticator *next) -{ +{ creds->sequence += 2; netlogon_creds_step(creds); @@ -355,7 +355,7 @@ void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState * bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds, const struct netr_Credential *received_credentials) { - if (!received_credentials || + if (!received_credentials || memcmp(received_credentials->data, creds->server.data, 8) != 0) { DEBUG(2,("credentials check failed\n")); return false; @@ -388,9 +388,9 @@ static bool netlogon_creds_server_check_internal(const struct netlogon_creds_Cre initialise the credentials chain and return the first server credentials */ -struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx, +struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx, const char *client_account, - const char *client_computer_name, + const char *client_computer_name, uint16_t secure_channel_type, const struct netr_Credential *client_challenge, const struct netr_Credential *server_challenge, @@ -399,13 +399,13 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me struct netr_Credential *credentials_out, uint32_t negotiate_flags) { - + struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); - + if (!creds) { return NULL; } - + creds->negotiate_flags = negotiate_flags; creds->secure_channel_type = secure_channel_type; 
@@ -430,10 +430,10 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me server_challenge, machine_password); } else if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { - netlogon_creds_init_128bit(creds, client_challenge, server_challenge, + netlogon_creds_init_128bit(creds, client_challenge, server_challenge, machine_password); } else { - netlogon_creds_init_64bit(creds, client_challenge, server_challenge, + netlogon_creds_init_64bit(creds, client_challenge, server_challenge, machine_password); } @@ -461,7 +461,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds, struct netr_Authenticator *received_authenticator, - struct netr_Authenticator *return_authenticator) + struct netr_Authenticator *return_authenticator) { if (!received_authenticator || !return_authenticator) { return NT_STATUS_INVALID_PARAMETER; @@ -487,7 +487,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds, uint16_t validation_level, - union netr_Validation *validation) + union netr_Validation *validation) { static const char zeros[16]; 
@@ -521,27 +521,27 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred if (validation_level == 6) { /* they aren't encrypted! */ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - if (memcmp(base->key.key, zeros, + if (memcmp(base->key.key, zeros, sizeof(base->key.key)) != 0) { - netlogon_creds_arcfour_crypt(creds, - base->key.key, + netlogon_creds_arcfour_crypt(creds, + base->key.key, sizeof(base->key.key)); } - - if (memcmp(base->LMSessKey.key, zeros, + + if (memcmp(base->LMSessKey.key, zeros, sizeof(base->LMSessKey.key)) != 0) { - netlogon_creds_arcfour_crypt(creds, - base->LMSessKey.key, + netlogon_creds_arcfour_crypt(creds, + base->LMSessKey.key, sizeof(base->LMSessKey.key)); } } else { - if (memcmp(base->LMSessKey.key, zeros, + if (memcmp(base->LMSessKey.key, zeros, sizeof(base->LMSessKey.key)) != 0) { - netlogon_creds_des_decrypt_LMKey(creds, + netlogon_creds_des_decrypt_LMKey(creds, &base->LMSessKey); } } -} +} /* copy a netlogon_creds_CredentialState struct -- 1.7.9.5 From 7f695f315122db827eea05b8941342ad8541ed70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 7 Dec 2012 12:38:16 +0100 Subject: [PATCH 26/28] libcli/auth: support AES decryption in netlogon_creds_decrypt_samlogon(). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit f6cb8049b2fe62054d254a006b8a39f000d1d1d5) --- libcli/auth/credentials.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c index 77df7f7..63407e7 100644 --- a/libcli/auth/credentials.c +++ b/libcli/auth/credentials.c 
@@ -520,6 +520,20 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred /* find and decyrpt the session keys, return in parameters above */ if (validation_level == 6) { /* they aren't encrypted! */ + } else if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + if (memcmp(base->key.key, zeros, + sizeof(base->key.key)) != 0) { + netlogon_creds_aes_decrypt(creds, + base->key.key, + sizeof(base->key.key)); + } + + if (memcmp(base->LMSessKey.key, zeros, + sizeof(base->LMSessKey.key)) != 0) { + netlogon_creds_aes_decrypt(creds, + base->LMSessKey.key, + sizeof(base->LMSessKey.key)); + } } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { if (memcmp(base->key.key, zeros, sizeof(base->key.key)) != 0) { -- 1.7.9.5 From 742dbcce98966e4f5045f08e12357a1c2cd3a325 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 7 Dec 2012 12:57:18 +0100 Subject: [PATCH 27/28] s4-torture: precalculate expected session keys from samlogon in schannel test. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit d0bad6c3350698b26ba009bb0c91d0265cc22f60) --- source4/torture/rpc/schannel.c | 118 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 111 insertions(+), 7 deletions(-) diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index 7e3e6aa..e0862d2 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c 
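Review bot: The new AES branch duplicates the all-zero skip of the ARCFOUR branch, but nothing in `netlogon_creds_decrypt_samlogon` (whose header is outside this hunk) records why an all-zero key is left untouched, and the server-side encryption added in patch 24 does not apply the same check, so the asymmetry deserves a comment near the first `memcmp`, e.g. `/* an all-zero key is presumably "no key" and is sent unencrypted; only decrypt non-zero keys - TODO confirm against MS-NRPC */`. Consider also factoring the two identical branches into a small helper taking the decrypt function pointer, since the ARCFOUR and AES bodies differ only in the callee.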
@@ -58,6 +58,13 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx, int flags = CLI_CRED_NTLM_AUTH; struct dcerpc_binding_handle *b = p->binding_handle; + struct netr_UserSessionKey key; + struct netr_LMSessionKey LMSessKey; + uint32_t validation_levels[] = { 2, 3 }; + struct netr_SamBaseInfo *base; + const char *crypto_alg = ""; + bool can_do_validation_6 = true; + if (lpcfg_client_lanman_auth(tctx->lp_ctx)) { flags |= CLI_CRED_LANMAN_AUTH; } 
@@ -109,16 +116,113 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx, r.out.authoritative = &authoritative; r.out.flags = &_flags; + /* + - retrieve level6 + - save usrsession and lmsession key + - retrieve level 2 + - calculate, compare + - retrieve level 3 + - calculate, compare + */ + + if (creds) { + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + crypto_alg = "AES"; + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + crypto_alg = "ARCFOUR"; + } + } + + r.in.validation_level = 6; + torture_comment(tctx, - "Testing LogonSamLogonEx with name %s\n", - ninfo.identity_info.account_name.string); + "Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n", + ninfo.identity_info.account_name.string, crypto_alg, + r.in.validation_level); + + torture_assert_ntstatus_ok(tctx, + dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r), + "LogonSamLogonEx failed"); + if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) { + can_do_validation_6 = false; + } else { + torture_assert_ntstatus_ok(tctx, r.out.result, + "LogonSamLogonEx failed"); + + key = r.out.validation->sam6->base.key; + LMSessKey = r.out.validation->sam6->base.LMSessKey; + + DEBUG(1,("unencrypted session keys from validation_level 6:\n")); + dump_data(1, r.out.validation->sam6->base.key.key, 16); + dump_data(1, r.out.validation->sam6->base.LMSessKey.key, 8); + } + + for (i=0; i < ARRAY_SIZE(validation_levels); i++) { - for (i=2;i<3;i++) { - r.in.validation_level = i; + r.in.validation_level = validation_levels[i]; + + torture_comment(tctx, + "Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n", + ninfo.identity_info.account_name.string, crypto_alg, + r.in.validation_level); + + torture_assert_ntstatus_ok(tctx, + dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r), + "LogonSamLogonEx failed"); + torture_assert_ntstatus_ok(tctx, r.out.result, + "LogonSamLogonEx failed"); + + if (creds == NULL) { + /* when this test is called 
without creds no point in + * testing the session keys */ + continue; + } + + switch (validation_levels[i]) { + case 2: + base = &r.out.validation->sam2->base; + break; + case 3: + base = &r.out.validation->sam3->base; + break; + default: + break; + } + + DEBUG(1,("encrypted keys validation_level %d:\n", + validation_levels[i])); + dump_data(1, base->key.key, 16); + dump_data(1, base->LMSessKey.key, 8); + + if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { + netlogon_creds_aes_decrypt(creds, base->key.key, 16); + netlogon_creds_aes_decrypt(creds, base->LMSessKey.key, 8); + } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + netlogon_creds_arcfour_crypt(creds, base->key.key, 16); + netlogon_creds_arcfour_crypt(creds, base->LMSessKey.key, 8); + } + + DEBUG(1,("decryped keys validation_level %d\n", + validation_levels[i])); + + dump_data(1, base->key.key, 16); + dump_data(1, base->LMSessKey.key, 8); + + if (!can_do_validation_6) { + /* we cant compare against unencrypted keys */ + continue; + } - torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r), - "LogonSamLogon failed"); - torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed"); + torture_assert_mem_equal(tctx, + base->key.key, + key.key, + 16, + "unexpected user session key\n"); + torture_assert_mem_equal(tctx, + base->LMSessKey.key, + LMSessKey.key, + 8, + "unexpected LM session key\n"); } return true; -- 1.7.9.5 From e390bd120f58c19d50273058dcb52ea3aa809c5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 7 Dec 2012 12:51:10 +0100 Subject: [PATCH 28/28] s4-torture: call the s4u2self tests with arcfour and aes. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner 
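Review bot: The decrypt step before the comparison only handles the AES and ARCFOUR negotiate flags; when neither is set the server (per the srv_netlog_nt.c change in this series) still DES-wraps `LMSessKey`, so the `torture_assert_mem_equal` on the LM key would fail for a DES-only secure channel. Add `} else { netlogon_creds_des_decrypt_LMKey(creds, &base->LMSessKey); }` after the ARCFOUR branch. Separately, `base` is not assigned in the `default:` arm of the level switch (unreachable with `validation_levels[] = { 2, 3 }`, but initialize it to NULL at declaration to keep compilers quiet), and the DEBUG string reads "decryped" rather than "decrypted". The enclosing `test_netlogon_ex_ops` begins before this hunk.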
Signed-off-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sun Dec 9 21:24:44 CET 2012 on sn-devel-104 (cherry picked from commit ade5bfd304cc806758a58f04b35834cd730dd9ba) --- source4/torture/rpc/remote_pac.c | 59 ++++++++++++++++++++++++++++++-------- 1 file changed, 47 insertions(+), 12 deletions(-) diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index ccecc06..b95773f 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -515,7 +515,8 @@ static bool test_S2U4Self(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *credentials, enum netr_SchannelType secure_channel_type, - const char *test_machine_name) + const char *test_machine_name, + uint32_t negotiate_flags) { NTSTATUS status; struct dcerpc_binding_handle *b = p->binding_handle; @@ -550,6 +551,10 @@ static bool test_S2U4Self(struct torture_context *tctx, torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed"); + torture_comment(tctx, + "Testing S4U2SELF (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x\n", + secure_channel_type, test_machine_name, negotiate_flags); + auth_context = talloc_zero(tmp_ctx, struct auth4_context); torture_assert(tctx, auth_context != NULL, "talloc_new() failed"); @@ -709,7 +714,7 @@ static bool test_S2U4Self(struct torture_context *tctx, r.out.validation = &validation; r.out.authoritative = &authoritative; - if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + if (!test_SetupCredentials2(p, tctx, negotiate_flags, credentials, secure_channel_type, &creds)) { return false; 
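Review bot: The new `torture_comment` format string in the second hunk of remote_pac.c opens a parenthesis that is never closed, so the output reads `Testing S4U2SELF (secure_channel_type: ..., negotiate_flags: 0x...` with no `)`. Change it to `"Testing S4U2SELF (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x)\n"`. Cosmetic, but these lines are what people grep in test logs.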
@@ -758,18 +763,40 @@ static bool test_S2U4Self(struct torture_context *tctx, return true; } -static bool test_S2U4Self_bdc(struct torture_context *tctx, - struct dcerpc_pipe *p, - struct cli_credentials *credentials) +static bool test_S2U4Self_bdc_arcfour(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *credentials) { - return test_S2U4Self(tctx, p, credentials, SEC_CHAN_BDC, TEST_MACHINE_NAME_S2U4SELF_BDC); + return test_S2U4Self(tctx, p, credentials, SEC_CHAN_BDC, + TEST_MACHINE_NAME_S2U4SELF_BDC, + NETLOGON_NEG_AUTH2_ADS_FLAGS); } -static bool test_S2U4Self_workstation(struct torture_context *tctx, +static bool test_S2U4Self_bdc_aes(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *credentials) { - return test_S2U4Self(tctx, p, credentials, SEC_CHAN_WKSTA, TEST_MACHINE_NAME_S2U4SELF_WKSTA); + return test_S2U4Self(tctx, p, credentials, SEC_CHAN_BDC, + TEST_MACHINE_NAME_S2U4SELF_BDC, + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); +} + +static bool test_S2U4Self_workstation_arcfour(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *credentials) +{ + return test_S2U4Self(tctx, p, credentials, SEC_CHAN_WKSTA, + TEST_MACHINE_NAME_S2U4SELF_WKSTA, + NETLOGON_NEG_AUTH2_ADS_FLAGS); +} + +static bool test_S2U4Self_workstation_aes(struct torture_context *tctx, + struct dcerpc_pipe *p, + struct cli_credentials *credentials) +{ + return test_S2U4Self(tctx, p, credentials, SEC_CHAN_WKSTA, + TEST_MACHINE_NAME_S2U4SELF_WKSTA, + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); } struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx) 
@@ -798,13 +825,21 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx) &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES); torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des); - tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon-bdc", + tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour", + &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_BDC); + torture_rpc_tcase_add_test_creds(tcase, "s2u4self-arcfour", test_S2U4Self_bdc_arcfour); + + tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bcd-aes", &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_BDC); - torture_rpc_tcase_add_test_creds(tcase, "s2u4self", test_S2U4Self_bdc); + torture_rpc_tcase_add_test_creds(tcase, "s2u4self-aes", test_S2U4Self_bdc_aes); - tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member", + tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-arcfour", + &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_WKSTA); + torture_rpc_tcase_add_test_creds(tcase, "s2u4self-arcfour", test_S2U4Self_workstation_arcfour); + + tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-aes", &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_WKSTA); + torture_rpc_tcase_add_test_creds(tcase, "s2u4self-aes", test_S2U4Self_workstation_aes); - torture_rpc_tcase_add_test_creds(tcase, "s2u4self", test_S2U4Self_workstation); return suite; } -- 1.7.9.5
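Review bot: The new BDC/AES test case is registered as `"netr-bcd-aes"` while its sibling is `"netr-bdc-arcfour"`, so the name is both misspelled and inconsistent, and since tcase names are how individual torture tests are selected the typo will follow anyone scripting around it. Use `tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-aes",` instead. The `torture_rpc_remote_pac` function starts outside this hunk.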