The Samba-Bugzilla – Attachment 8318 Details for
Bug 9438
netr_ServerPasswordSet2, netr_LogonSamLogon with netlogon AES broken
[patch]
Patches for v4-0-test
tmp40.diff (text/plain), 128.97 KB, created by
Stefan Metzmacher
on 2012-12-10 07:25:10 UTC
Description:
Patches for v4-0-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2012-12-10 07:25:10 UTC
Size:
128.97 KB
patch
obsolete
>From 50fb2b9a7f6557ca6ee8fcdddb2fdf0b79f68f4a Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 29 Nov 2012 21:23:30 +0100
>Subject: [PATCH 01/28] libcli/auth: add netlogon_creds_aes_{en|de}crypt
> routines.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 429600c5f3079c8433d5a542383908d6ff61fe60)
>---
> libcli/auth/credentials.c | 28 ++++++++++++++++++++++++++++
> libcli/auth/proto.h | 2 ++
> 2 files changed, 30 insertions(+)
>
>diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
>index dfbfdb3..be43c95 100644
>--- a/libcli/auth/credentials.c
>+++ b/libcli/auth/credentials.c
>@@ -222,6 +222,34 @@ void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds,
> data_blob_free(&session_key);
> }
>
>+/*
>+ AES encrypt a password buffer using the session key
>+*/
>+void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
>+{
>+ AES_KEY key;
>+ uint8_t iv[AES_BLOCK_SIZE];
>+
>+ AES_set_encrypt_key(creds->session_key, 128, &key);
>+ ZERO_STRUCT(iv);
>+
>+ aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT);
>+}
>+
>+/*
>+ AES decrypt a password buffer using the session key
>+*/
>+void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
>+{
>+ AES_KEY key;
>+ uint8_t iv[AES_BLOCK_SIZE];
>+
>+ AES_set_encrypt_key(creds->session_key, 128, &key);
>+ ZERO_STRUCT(iv);
>+
>+ aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT);
>+}
>+
> /*****************************************************************
> The above functions are common to the client and server interface
> next comes the client specific functions
>diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
>index 37c87b4..b9d91d0 100644
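Review bot: In the credentials.c hunk both new functions expand the session key into a stack `AES_KEY key` and return without wiping it, so the key schedule, which is equivalent to the session key, is left behind in stack memory; the neighbouring arcfour path releases its copy with `data_blob_free(&session_key)`, and the AES path should clear `key` on the way out, ideally with a clearing call the compiler is not allowed to drop. The two bodies differ only in the final argument to `aes_cfb8_encrypt`, so one static helper taking the direction would keep them from drifting apart. `netlogon_creds_aes_decrypt` calls `AES_set_encrypt_key` on purpose, because CFB mode only ever runs the block cipher forwards, but nothing in the hunk says so and it reads like a copy-paste slip; a comment such as `/* CFB8 decryption runs the cipher forwards, so the encrypt schedule is the right one here */` would settle that. The all-zero IV is presumably what the wire protocol requires for this buffer; the header comments should state that so a later reader does not "fix" it.
```c
/*
 * AES-128-CFB8 with an all-zero IV, shared by the encrypt and decrypt
 * entry points. CFB only runs the block cipher forwards, so the encrypt
 * key schedule serves both directions; 'enc' is AES_ENCRYPT or
 * AES_DECRYPT and only selects the CFB feedback direction.
 */
static void netlogon_creds_aes_crypt(struct netlogon_creds_CredentialState *creds,
				     uint8_t *data, size_t len, int enc)
{
	AES_KEY key;
	uint8_t iv[AES_BLOCK_SIZE];

	AES_set_encrypt_key(creds->session_key, 128, &key);
	ZERO_STRUCT(iv);

	aes_cfb8_encrypt(data, data, len, &key, iv, enc);

	/* the expanded schedule is session-key material: do not leave it on
	 * the stack (a plain memset may be optimised away; use a guaranteed
	 * clear if the tree provides one) */
	ZERO_STRUCT(key);
}

void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
{
	netlogon_creds_aes_crypt(creds, data, len, AES_ENCRYPT);
}

void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
{
	netlogon_creds_aes_crypt(creds, data, len, AES_DECRYPT);
}
```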
>--- a/libcli/auth/proto.h
>+++ b/libcli/auth/proto.h
>@@ -16,6 +16,8 @@ void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *cre
> void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
> void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
> void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
>+void netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
>+void netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len);
>
> /*****************************************************************
> The above functions are common to the client and server interface
>--
>1.7.9.5
>
>
>From bb25ca0b0aceec28bf7949350daf7bcbe126f59a Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 29 Nov 2012 21:30:24 +0100
>Subject: [PATCH 02/28] s3-rpc_client: use netlogon_creds_arcfour_crypt() in
> init_netr_CryptPassword.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit ec06c81db313f2862544c972cbf582a07bb844c2)
>---
> source3/rpc_client/cli_netlogon.c | 2 +-
> source3/rpc_client/init_netlogon.c | 6 +++---
> source3/rpc_client/init_netlogon.h | 2 +-
> 3 files changed, 5 insertions(+), 5 deletions(-)
>
>diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
>index bbcca06..463741a 100644
>--- a/source3/rpc_client/cli_netlogon.c
>+++ b/source3/rpc_client/cli_netlogon.c
>@@ -628,7 +628,7 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
> uint32_t old_timeout;
>
> init_netr_CryptPassword(new_trust_pwd_cleartext,
>- cli->dc->session_key,
>+ cli->dc,
> &new_password);
>
> old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
>diff --git a/source3/rpc_client/init_netlogon.c b/source3/rpc_client/init_netlogon.c
>index 445108a..0d33d6f 100644
>--- a/source3/rpc_client/init_netlogon.c
>+++ b/source3/rpc_client/init_netlogon.c
>@@ -1,7 +1,7 @@
> /*
> * Unix SMB/CIFS implementation.
> * RPC Pipe client / server routines
>- * Copyright (C) Guenther Deschner 2008.
>+ * Copyright (C) Guenther Deschner 2008,2012
> *
> * This program is free software; you can redistribute it and/or modify
> * it under the terms of the GNU General Public License as published by
>@@ -27,14 +27,14 @@
> *************************************************************************/
>
> void init_netr_CryptPassword(const char *pwd,
>- unsigned char session_key[16],
>+ struct netlogon_creds_CredentialState *creds,
> struct netr_CryptPassword *pwd_buf)
> {
> struct samr_CryptPassword password_buf;
>
> encode_pw_buffer(password_buf.data, pwd, STR_UNICODE);
>
>- arcfour_crypt(password_buf.data, session_key, 516);
>+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
> memcpy(pwd_buf->data, password_buf.data, 512);
> pwd_buf->length = IVAL(password_buf.data, 512);
> }
>diff --git a/source3/rpc_client/init_netlogon.h b/source3/rpc_client/init_netlogon.h
>index 826d0c5..bb4496b 100644
>--- a/source3/rpc_client/init_netlogon.h
>+++ b/source3/rpc_client/init_netlogon.h
>@@ -23,7 +23,7 @@
> /* The following definitions come from rpc_client/init_netlogon.c */
>
> void init_netr_CryptPassword(const char *pwd,
>- unsigned char session_key[16],
>+ struct netlogon_creds_CredentialState *creds,
> struct netr_CryptPassword *pwd_buf);
>
> #endif /* _RPC_CLIENT_INIT_NETLOGON_H_ */
>--
>1.7.9.5
>
>
>From 2ed45a1c9864a09e740346a86561687e18922d79 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 29 Nov 2012 21:34:36 +0100
>Subject: [PATCH 03/28] s3-rpc_client: support AES encryption in
> netr_ServerPasswordSet2 client.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 64345018cda744d16b123d6ef5c4a982340484dc)
>---
> source3/rpc_client/init_netlogon.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
>diff --git a/source3/rpc_client/init_netlogon.c b/source3/rpc_client/init_netlogon.c
>index 0d33d6f..4d9157b 100644
>--- a/source3/rpc_client/init_netlogon.c
>+++ b/source3/rpc_client/init_netlogon.c
>@@ -19,7 +19,7 @@
>
> #include "includes.h"
> #include "../libcli/auth/libcli_auth.h"
>-#include "../lib/crypto/arcfour.h"
>+#include "../lib/crypto/crypto.h"
> #include "rpc_client/init_netlogon.h"
>
> /*************************************************************************
>@@ -34,7 +34,11 @@ void init_netr_CryptPassword(const char *pwd,
>
> encode_pw_buffer(password_buf.data, pwd, STR_UNICODE);
>
>- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
>+ } else {
>+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+ }
> memcpy(pwd_buf->data, password_buf.data, 512);
> pwd_buf->length = IVAL(password_buf.data, 512);
> }
>--
>1.7.9.5
>
>
>From 9d2276fb39e180018f90ce2b73da7883b6a3341a Mon Sep 17 00:00:00 2001
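Review bot: The cipher choice added to init_netr_CryptPassword, `if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)`, is written out a second time, mirrored for decryption, in the `_netr_ServerPasswordSet2` hunk of the following patch; the two call sites have to make the identical decision from the identical flag or a client and a server built from different points in the series will disagree on how the 516-byte buffer is protected, so the test belongs once in libcli/auth, next to the new AES routines, with each caller reduced to a single call that takes the direction. The RC4 branch is the silent fallback whenever the flag is clear, so whether AES protects the password at all rests on the code that negotiates the flags refusing a peer that did not set it, which this hunk cannot see; a comment above the `if`, `/* RC4 when AES was not negotiated; relies on flag negotiation having been enforced earlier */`, records that dependency for the next reader. The literals 516 and 512 are presumably the size of `password_buf.data` and the offset of its trailing length word; naming them would make both call sites easier to compare.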
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 29 Nov 2012 21:35:04 +0100
>Subject: [PATCH 04/28] s3-rpc_server: support AES decryption in
> netr_ServerPasswordSet2 server.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 1362d542df715aa31e9b818ee8783b5ee35f8870)
>---
> source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
>index d992a65..5fc2756 100644
>--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
>+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
>@@ -1332,7 +1332,12 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
>
> memcpy(password_buf.data, r->in.new_password->data, 512);
> SIVAL(password_buf.data, 512, r->in.new_password->length);
>- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_decrypt(creds, password_buf.data, 516);
>+ } else {
>+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+ }
>
> if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &plaintext)) {
> TALLOC_FREE(creds);
>--
>1.7.9.5
>
>
>From 5e95422806f0a83fda02c1b2eac1fb1043344657 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 29 Nov 2012 22:24:37 +0100
>Subject: [PATCH 05/28] s4-torture: remove trailing whitespace from netlogon
> test.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
> >Signed-off-by: Günther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit d1f481ffe17ce84ffddbedf1bd7efb0654e2807e) >--- > source4/torture/rpc/netlogon.c | 210 ++++++++++++++++++++-------------------- > 1 file changed, 105 insertions(+), 105 deletions(-) > >diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c >index f1d605c..e5de0e8 100644 >--- a/source4/torture/rpc/netlogon.c >+++ b/source4/torture/rpc/netlogon.c >@@ -1,4 +1,4 @@ >-/* >+/* > Unix SMB/CIFS implementation. > > test suite for netlogon rpc operations >@@ -7,17 +7,17 @@ > Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004 > Copyright (C) Tim Potter 2003 > Copyright (C) Matthias Dieter Wallnöfer 2009-2010 >- >+ > This program is free software; you can redistribute it and/or modify > it under the terms of the GNU General Public License as published by > the Free Software Foundation; either version 3 of the License, or > (at your option) any later version. >- >+ > This program is distributed in the hope that it will be useful, > but WITHOUT ANY WARRANTY; without even the implied warranty of > MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > GNU General Public License for more details. >- >+ > You should have received a copy of the GNU General Public License > along with this program. If not, see <http://www.gnu.org/licenses/>. > */ >@@ -98,7 +98,7 @@ static bool test_netr_broken_binding_handle(struct torture_context *tctx, > return true; > } > >-static bool test_LogonUasLogon(struct torture_context *tctx, >+static bool test_LogonUasLogon(struct torture_context *tctx, > struct dcerpc_pipe *p) > { > NTSTATUS status; 
>@@ -173,8 +173,8 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, > > creds = netlogon_creds_client_init(tctx, a.in.account_name, > a.in.computer_name, >- &credentials1, &credentials2, >- mach_password, &credentials3, >+ &credentials1, &credentials2, >+ mach_password, &credentials3, > 0); > torture_assert(tctx, creds != NULL, "memory allocation"); > >@@ -186,7 +186,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, > > /* This allows the tests to continue against the more fussy windows 2008 */ > if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) { >- return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, >+ return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, > credentials, > cli_credentials_get_secure_channel_type(credentials), > creds_out); >@@ -194,7 +194,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, > > torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate"); > >- torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), >+ torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), > "Credential chaining failed"); > > *creds_out = creds; >@@ -242,9 +242,9 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, > a.out.return_credentials = &credentials3; > > creds = netlogon_creds_client_init(tctx, a.in.account_name, >- a.in.computer_name, >- &credentials1, &credentials2, >- mach_password, &credentials3, >+ a.in.computer_name, >+ &credentials1, &credentials2, >+ mach_password, &credentials3, > negotiate_flags); > > torture_assert(tctx, creds != NULL, "memory allocation"); 
>@@ -255,7 +255,7 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, > "ServerAuthenticate2 failed"); > torture_assert_ntstatus_ok(tctx, a.out.result, "ServerAuthenticate2 failed"); > >- torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), >+ torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), > "Credential chaining failed"); > > torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags); >@@ -310,10 +310,10 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx, > > creds = netlogon_creds_client_init(tctx, a.in.account_name, > a.in.computer_name, >- &credentials1, &credentials2, >+ &credentials1, &credentials2, > &mach_password, &credentials3, > negotiate_flags); >- >+ > torture_assert(tctx, creds != NULL, "memory allocation"); > > torture_comment(tctx, "Testing ServerAuthenticate3\n"); >@@ -324,7 +324,7 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx, > torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed"); > > torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags); >- >+ > /* Prove that requesting a challenge again won't break it */ > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), > "ServerReqChallenge failed"); >@@ -337,7 +337,7 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx, > /* > try a change password for our machine account > */ >-static bool test_SetPassword(struct torture_context *tctx, >+static bool test_SetPassword(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) > { 
>@@ -366,7 +366,7 @@ static bool test_SetPassword(struct torture_context *tctx, > netlogon_creds_des_encrypt(creds, &new_password); > > torture_comment(tctx, "Testing ServerPasswordSet on machine account\n"); >- torture_comment(tctx, "Changing machine account password to '%s'\n", >+ torture_comment(tctx, "Changing machine account password to '%s'\n", > password); > > netlogon_creds_client_authenticator(creds, &credential); >@@ -383,9 +383,9 @@ static bool test_SetPassword(struct torture_context *tctx, > credentials chaining fully, and we verify that the server > allows the password to be set to the same value twice in a > row (match win2k3) */ >- torture_comment(tctx, >+ torture_comment(tctx, > "Testing a second ServerPasswordSet on machine account\n"); >- torture_comment(tctx, >+ torture_comment(tctx, > "Changing machine account password to '%s' (same as previous run)\n", password); > > netlogon_creds_client_authenticator(creds, &credential); >@@ -400,8 +400,8 @@ static bool test_SetPassword(struct torture_context *tctx, > > cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED); > >- torture_assert(tctx, >- test_SetupCredentials(p, tctx, machine_credentials, &creds), >+ torture_assert(tctx, >+ test_SetupCredentials(p, tctx, machine_credentials, &creds), > "ServerPasswordSet failed to actually change the password"); > > return true; >@@ -506,8 +506,8 @@ static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len) > /* > try a change password for our machine account > */ >-static bool test_SetPassword2(struct torture_context *tctx, >- struct dcerpc_pipe *p, >+static bool test_SetPassword2(struct torture_context *tctx, >+ struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) > { > struct netr_ServerPasswordSet2 r; 
>@@ -555,7 +555,7 @@ static bool test_SetPassword2(struct torture_context *tctx, > cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED); > > if (!torture_setting_bool(tctx, "dangerous", false)) { >- torture_comment(tctx, >+ torture_comment(tctx, > "Not testing ability to set password to '', enable dangerous tests to perform this test\n"); > } else { > /* by changing the machine password to "" >@@ -566,29 +566,29 @@ static bool test_SetPassword2(struct torture_context *tctx, > password = ""; > encode_pw_buffer(password_buf.data, password, STR_UNICODE); > netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); >- >+ > memcpy(new_password.data, password_buf.data, 512); > new_password.length = IVAL(password_buf.data, 512); >- >- torture_comment(tctx, >+ >+ torture_comment(tctx, > "Testing ServerPasswordSet2 on machine account\n"); >- torture_comment(tctx, >+ torture_comment(tctx, > "Changing machine account password to '%s'\n", password); >- >+ > netlogon_creds_client_authenticator(creds, &credential); >- >+ > torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r), > "ServerPasswordSet2 failed"); > torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed"); >- >+ > if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { > torture_comment(tctx, "Credential chaining failed\n"); > } >- >+ > cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED); > } > >- torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds), >+ torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds), > "ServerPasswordSet failed to actually change the password"); > > /* now try a random password */ 
>@@ -616,9 +616,9 @@ static bool test_SetPassword2(struct torture_context *tctx, > credentials chaining fully, and we verify that the server > allows the password to be set to the same value twice in a > row (match win2k3) */ >- torture_comment(tctx, >+ torture_comment(tctx, > "Testing a second ServerPasswordSet2 on machine account\n"); >- torture_comment(tctx, >+ torture_comment(tctx, > "Changing machine account password to '%s' (same as previous run)\n", password); > > netlogon_creds_client_authenticator(creds, &credential); >@@ -633,8 +633,8 @@ static bool test_SetPassword2(struct torture_context *tctx, > > cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED); > >- torture_assert (tctx, >- test_SetupCredentials(p, tctx, machine_credentials, &creds), >+ torture_assert (tctx, >+ test_SetupCredentials(p, tctx, machine_credentials, &creds), > "ServerPasswordSet failed to actually change the password"); > > new_random_pass = netlogon_very_rand_pass(tctx, 128); >@@ -647,7 +647,7 @@ static bool test_SetPassword2(struct torture_context *tctx, > memcpy(new_password.data, password_buf.data, 512); > new_password.length = IVAL(password_buf.data, 512); > >- torture_comment(tctx, >+ torture_comment(tctx, > "Testing a third ServerPasswordSet2 on machine account, with a completely random password\n"); > > netlogon_creds_client_authenticator(creds, &credential); >@@ -665,8 +665,8 @@ static bool test_SetPassword2(struct torture_context *tctx, > cli_credentials_set_password(machine_credentials, NULL, CRED_UNINITIALISED); > cli_credentials_set_nt_hash(machine_credentials, &nt_hash, CRED_SPECIFIED); > >- torture_assert (tctx, >- test_SetupCredentials(p, tctx, machine_credentials, &creds), >+ torture_assert (tctx, >+ test_SetupCredentials(p, tctx, machine_credentials, &creds), > "ServerPasswordSet failed to actually change the password"); > > return true; 
>@@ -765,7 +765,7 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context > flags |= CLI_CRED_NTLMv2_AUTH; > } > >- cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx, >+ cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx, > &ninfo.identity_info.account_name.string, > &ninfo.identity_info.domain_name.string); > >@@ -773,16 +773,16 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context > ninfo.identity_info.domain_name.string = NULL; > } > >- generate_random_buffer(ninfo.challenge, >+ generate_random_buffer(ninfo.challenge, > sizeof(ninfo.challenge)); >- chal = data_blob_const(ninfo.challenge, >+ chal = data_blob_const(ninfo.challenge, > sizeof(ninfo.challenge)); > >- names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials), >+ names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials), > cli_credentials_get_domain(credentials)); > >- status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx, >- &flags, >+ status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx, >+ &flags, > chal, > names_blob, > &lm_resp, &nt_resp, 
>@@ -812,19 +812,19 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context > r.out.authoritative = &authoritative; > > d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string); >- >+ > for (i=2;i<=3;i++) { > ZERO_STRUCT(auth2); > netlogon_creds_client_authenticator(creds, &auth); >- >+ > r.in.validation_level = i; >- >+ > torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r), > "LogonSamLogon failed"); > torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed"); >- >- torture_assert(tctx, netlogon_creds_client_check(creds, >- &r.out.return_authenticator->cred), >+ >+ torture_assert(tctx, netlogon_creds_client_check(creds, >+ &r.out.return_authenticator->cred), > "Credential chaining failed"); > torture_assert_int_equal(tctx, *r.out.authoritative, 1, > "LogonSamLogon invalid *r.out.authoritative"); >@@ -999,7 +999,7 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t > /* > try a netlogon SamLogon > */ >-static bool test_SamLogon(struct torture_context *tctx, >+static bool test_SamLogon(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *credentials) > { >@@ -1031,13 +1031,13 @@ static uint64_t sequence_nums[3]; > /* > try a netlogon DatabaseSync > */ >-static bool test_DatabaseSync(struct torture_context *tctx, >+static bool test_DatabaseSync(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) > { > struct netr_DatabaseSync r; > struct netlogon_creds_CredentialState *creds; >- const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS}; >+ const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS}; > int i; > struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; > struct netr_Authenticator credential, return_authenticator; 
>@@ -1090,10 +1090,10 @@ static bool test_DatabaseSync(struct torture_context *tctx, > delta_enum_array->num_deltas > 0 && > delta_enum_array->delta_enum[0].delta_type == NETR_DELTA_DOMAIN && > delta_enum_array->delta_enum[0].delta_union.domain) { >- sequence_nums[r.in.database_id] = >+ sequence_nums[r.in.database_id] = > delta_enum_array->delta_enum[0].delta_union.domain->sequence_num; > torture_comment(tctx, "\tsequence_nums[%d]=%llu\n", >- r.in.database_id, >+ r.in.database_id, > (unsigned long long)sequence_nums[r.in.database_id]); > } > } while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES)); >@@ -1106,7 +1106,7 @@ static bool test_DatabaseSync(struct torture_context *tctx, > /* > try a netlogon DatabaseDeltas > */ >-static bool test_DatabaseDeltas(struct torture_context *tctx, >+static bool test_DatabaseDeltas(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) > { >@@ -1115,7 +1115,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx, > struct netr_Authenticator credential; > struct netr_Authenticator return_authenticator; > struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; >- const uint32_t database_ids[] = {0, 1, 2}; >+ const uint32_t database_ids[] = {0, 1, 2}; > int i; > struct dcerpc_binding_handle *b = p->binding_handle; > >@@ -1138,7 +1138,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx, > > *r.in.sequence_num -= 1; > >- torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n", >+ torture_comment(tctx, "Testing DatabaseDeltas of id %d at %llu\n", > r.in.database_id, (unsigned long long)*r.in.sequence_num); > > do { >@@ -1704,7 +1704,7 @@ static bool test_DatabaseRedo(struct torture_context *tctx, > /* > try a netlogon AccountDeltas > */ >-static bool test_AccountDeltas(struct torture_context *tctx, >+static bool test_AccountDeltas(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) > { 
>@@ -1749,7 +1749,7 @@ static bool test_AccountDeltas(struct torture_context *tctx, > /* > try a netlogon AccountSync > */ >-static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p, >+static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) > { > struct netr_AccountSync r; >@@ -1796,7 +1796,7 @@ static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p > /* > try a netlogon GetDcName > */ >-static bool test_GetDcName(struct torture_context *tctx, >+static bool test_GetDcName(struct torture_context *tctx, > struct dcerpc_pipe *p) > { > struct netr_GetDcName r; >@@ -1860,9 +1860,9 @@ static const char *function_code_str(TALLOC_CTX *mem_ctx, > > > /* >- try a netlogon LogonControl >+ try a netlogon LogonControl > */ >-static bool test_LogonControl(struct torture_context *tctx, >+static bool test_LogonControl(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) > >@@ -1988,7 +1988,7 @@ static bool test_LogonControl(struct torture_context *tctx, > /* > try a netlogon GetAnyDCName > */ >-static bool test_GetAnyDCName(struct torture_context *tctx, >+static bool test_GetAnyDCName(struct torture_context *tctx, > struct dcerpc_pipe *p) > { > NTSTATUS status; >@@ -2036,7 +2036,7 @@ static bool test_GetAnyDCName(struct torture_context *tctx, > /* > try a netlogon LogonControl2 > */ >-static bool test_LogonControl2(struct torture_context *tctx, >+static bool test_LogonControl2(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) > >@@ -2141,7 +2141,7 @@ static bool test_LogonControl2(struct torture_context *tctx, > /* > try a netlogon DatabaseSync2 > */ >-static bool test_DatabaseSync2(struct torture_context *tctx, >+static bool test_DatabaseSync2(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) > { 
>@@ -2150,11 +2150,11 @@ static bool test_DatabaseSync2(struct torture_context *tctx, > struct netr_Authenticator return_authenticator, credential; > > struct netlogon_creds_CredentialState *creds; >- const uint32_t database_ids[] = {0, 1, 2}; >+ const uint32_t database_ids[] = {0, 1, 2}; > int i; > struct dcerpc_binding_handle *b = p->binding_handle; > >- if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS, >+ if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_FLAGS, > machine_credentials, > cli_credentials_get_secure_channel_type(machine_credentials), > &creds)) { >@@ -2212,7 +2212,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx, > /* > try a netlogon LogonControl2Ex > */ >-static bool test_LogonControl2Ex(struct torture_context *tctx, >+static bool test_LogonControl2Ex(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) > >@@ -2235,7 +2235,7 @@ static bool test_LogonControl2Ex(struct torture_context *tctx, > for (i=1;i<4;i++) { > r.in.level = i; > >- torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", >+ torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", > i, r.in.function_code); > > status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r); >@@ -2250,7 +2250,7 @@ static bool test_LogonControl2Ex(struct torture_context *tctx, > for (i=1;i<4;i++) { > r.in.level = i; > >- torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", >+ torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", > i, r.in.function_code); > > status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r); 
>@@ -2265,7 +2265,7 @@ static bool test_LogonControl2Ex(struct torture_context *tctx, > for (i=1;i<4;i++) { > r.in.level = i; > >- torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", >+ torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", > i, r.in.function_code); > > status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r); >@@ -2280,7 +2280,7 @@ static bool test_LogonControl2Ex(struct torture_context *tctx, > for (i=1;i<4;i++) { > r.in.level = i; > >- torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", >+ torture_comment(tctx, "Testing LogonControl2Ex level %d function %d\n", > i, r.in.function_code); > > status = dcerpc_netr_LogonControl2Ex_r(b, tctx, &r); >@@ -2332,8 +2332,8 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx, > return true; > } > >-static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx, >- struct dcerpc_pipe *p, const char *trusted_domain_name) >+static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx, >+ struct dcerpc_pipe *p, const char *trusted_domain_name) > { > NTSTATUS status; > struct netr_DsRGetForestTrustInformation r; >@@ -2359,7 +2359,7 @@ static bool test_netr_DsRGetForestTrustInformation(struct torture_context *tctx, > /* > try a netlogon netr_DsrEnumerateDomainTrusts > */ >-static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx, >+static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx, > struct dcerpc_pipe *p) > { > NTSTATUS status; >@@ -2391,7 +2391,7 @@ static bool test_DsrEnumerateDomainTrusts(struct torture_context *tctx, > /* get info for transitive forest trusts */ > > if (r.out.trusts->array[i].trust_attributes & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) { >- if (!test_netr_DsRGetForestTrustInformation(tctx, p, >+ if (!test_netr_DsRGetForestTrustInformation(tctx, p, > r.out.trusts->array[i].dns_name)) { > return false; > } 
>@@ -2439,8 +2439,8 @@ static bool test_netr_NetrEnumerateTrustedDomainsEx(struct torture_context *tctx > > > static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_context *tctx, >- const char *computer_name, >- const char *expected_site) >+ const char *computer_name, >+ const char *expected_site) > { > NTSTATUS status; > struct netr_DsRGetSiteName r; >@@ -2462,7 +2462,7 @@ static bool test_netr_DsRGetSiteName(struct dcerpc_pipe *p, struct torture_conte > /* > try a netlogon netr_DsRGetDCName > */ >-static bool test_netr_DsRGetDCName(struct torture_context *tctx, >+static bool test_netr_DsRGetDCName(struct torture_context *tctx, > struct dcerpc_pipe *p) > { > NTSTATUS status; >@@ -2519,7 +2519,7 @@ static bool test_netr_DsRGetDCName(struct torture_context *tctx, > "DsRGetDCName"); > } > >- return test_netr_DsRGetSiteName(p, tctx, >+ return test_netr_DsRGetSiteName(p, tctx, > info->dc_unc, > info->dc_site_name); > } >@@ -2527,7 +2527,7 @@ static bool test_netr_DsRGetDCName(struct torture_context *tctx, > /* > try a netlogon netr_DsRGetDCNameEx > */ >-static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx, >+static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx, > struct dcerpc_pipe *p) > { > NTSTATUS status; >@@ -2591,7 +2591,7 @@ static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx, > /* > try a netlogon netr_DsRGetDCNameEx2 > */ >-static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx, >+static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx, > struct dcerpc_pipe *p) > { > NTSTATUS status; >@@ -2724,7 +2724,7 @@ failed: > return NULL; > } > >-static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx, >+static bool test_netr_DsrGetDcSiteCoverageW(struct torture_context *tctx, > struct dcerpc_pipe *p) > { > char *url; 
>@@ -3168,7 +3168,7 @@ static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx, > } > > >-static bool test_GetDomainInfo(struct torture_context *tctx, >+static bool test_GetDomainInfo(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) > { >@@ -3196,7 +3196,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, > > torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n"); > >- if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, >+ if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, > machine_credentials, &creds)) { > return false; > } >@@ -3261,7 +3261,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, > "(sAMAccountName=%s$)", TEST_MACHINE_NAME); > old_dnsname = > ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL); >- >+ > /* Gets back the "servicePrincipalName"s in AD */ > spn_el = ldb_msg_find_element(res[0], "servicePrincipalName"); > if (spn_el != NULL) { >@@ -3300,11 +3300,11 @@ static bool test_GetDomainInfo(struct torture_context *tctx, > the same in combination with the "servicePrincipalName"s. > The DNS hostname should also be returned by our > "LogonGetDomainInfo" call (in the domain info structure). */ >- >+ > torture_assert_str_equal(tctx, > ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL), > old_dnsname, "'DNS hostname' was not set!"); >- >+ > spn_el = ldb_msg_find_element(res[0], "servicePrincipalName"); > torture_assert(tctx, ((spns != NULL) && (spn_el != NULL)), > "'servicePrincipalName's not set!"); 
>@@ -3324,15 +3324,15 @@ static bool test_GetDomainInfo(struct torture_context *tctx, > the "servicePrincipalName"s should remain empty and no DNS > hostname should be returned by our "LogonGetDomainInfo" > call (in the domain info structure). */ >- >+ > torture_assert(tctx, > ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL) == NULL, > "'DNS hostname' was set!"); >- >+ > spn_el = ldb_msg_find_element(res[0], "servicePrincipalName"); > torture_assert(tctx, ((spns == NULL) && (spn_el == NULL)), > "'servicePrincipalName's were set!"); >- >+ > torture_assert(tctx, > info.domain_info->dns_hostname.string == NULL, > "Out 'DNS host name' was set!"); >@@ -3390,7 +3390,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, > torture_assert_str_equal(tctx, > ldb_msg_find_attr_as_string(res[0], "dNSHostName", NULL), > old_dnsname, "'DNS host name' did change!"); >- >+ > /* Find the two "servicePrincipalName"s which the DC shouldn't have been > updated (HOST/<Netbios name> and HOST/<FQDN name>) - see MS-NRPC > 3.5.4.3.9 */ >@@ -3409,7 +3409,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, > break; > torture_assert(tctx, i != spn_el->num_values, > "'servicePrincipalName' HOST/<FQDN name> not found!"); >- >+ > /* Check that the out DNS hostname was set properly */ > torture_assert_str_equal(tctx, info.domain_info->dns_hostname.string, > old_dnsname, "Out 'DNS hostname' doesn't match the old one!"); >@@ -3601,7 +3601,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, > return true; > } > >-static bool test_GetDomainInfo_async(struct torture_context *tctx, >+static bool test_GetDomainInfo_async(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) > { 
>@@ -3619,7 +3619,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, > > torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT); > >- if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, >+ if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, > machine_credentials, &creds)) { > return false; > } >@@ -3648,9 +3648,9 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, > creds_async[i] = (struct netlogon_creds_CredentialState *)talloc_memdup(creds, creds, sizeof(*creds)); > req[i] = dcerpc_netr_LogonGetDomainInfo_r_send(tctx, tctx->ev, p->binding_handle, &r); > >- /* even with this flush per request a w2k3 server seems to >+ /* even with this flush per request a w2k3 server seems to > clag with multiple outstanding requests. bleergh. */ >- torture_assert_int_equal(tctx, tevent_loop_once(dcerpc_event_context(p)), 0, >+ torture_assert_int_equal(tctx, tevent_loop_once(dcerpc_event_context(p)), 0, > "tevent_loop_once failed"); > } > >@@ -3661,19 +3661,19 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, > status = dcerpc_netr_LogonGetDomainInfo_r_recv(req[i], tctx); > > torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async"); >- torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async"); >+ torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async"); > >- torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred), >+ torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred), > "Credential chaining failed at async"); > } > >- torture_comment(tctx, >+ torture_comment(tctx, > "Testing netr_LogonGetDomainInfo - async count %d OK\n", ASYNC_COUNT); > > return true; > } > >-static bool test_ManyGetDCName(struct torture_context *tctx, >+static bool test_ManyGetDCName(struct torture_context *tctx, > struct dcerpc_pipe *p) > { > NTSTATUS status; >-- >1.7.9.5 
>
>
>From e55fd0feab50eaf0af6a1b3eb617d99ac9e379e4 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 29 Nov 2012 22:44:33 +0100
>Subject: [PATCH 06/28] s4-torture: pass down netlogon flags in
> netr_ServerPasswordSet2 tests.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 0a091604a45b4b143745a20fa842878ceb745c39)
>---
> source4/torture/rpc/netlogon.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
>diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
>index e5de0e8..b79eb1a 100644
>--- a/source4/torture/rpc/netlogon.c
>+++ b/source4/torture/rpc/netlogon.c
>@@ -506,9 +506,10 @@ static DATA_BLOB netlogon_very_rand_pass(TALLOC_CTX *mem_ctx, int len)
> /*
> try a change password for our machine account
> */
>-static bool test_SetPassword2(struct torture_context *tctx,
>- struct dcerpc_pipe *p,
>- struct cli_credentials *machine_credentials)
>+static bool test_SetPassword2_with_flags(struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *machine_credentials,
>+ uint32_t flags)
> {
> struct netr_ServerPasswordSet2 r;
> const char *password;
>@@ -520,7 +521,7 @@ static bool test_SetPassword2(struct torture_context *tctx,
> struct netr_CryptPassword new_password;
> struct dcerpc_binding_handle *b = p->binding_handle;
> 
>- if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
>+ if (!test_SetupCredentials2(p, tctx, flags, machine_credentials, cli_credentials_get_secure_channel_type(machine_credentials), &creds)) {
> return false;
> }
> 
>@@ -672,6 +673,13 @@ static bool test_SetPassword2(struct torture_context *tctx,
> return true;
> }
> 
>+static bool test_SetPassword2(struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *machine_credentials)
>+{
>+ return test_SetPassword2_with_flags(tctx, p, machine_credentials, NETLOGON_NEG_AUTH2_ADS_FLAGS);
>+}
>+
> static bool test_GetPassword(struct torture_context *tctx,
> struct dcerpc_pipe *p,
> struct cli_credentials *machine_credentials)
>--
>1.7.9.5
>
>
>From a2009b4035e2e1ce5425b4d2c8b64a3a52f8929c Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 29 Nov 2012 22:47:19 +0100
>Subject: [PATCH 07/28] s4-torture: add AES support for
> netr_ServerPasswordSet2 tests.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 3dc8c20b8a94063c6578b60750757c5a40d7db38)
>---
> source4/torture/rpc/netlogon.c | 35 +++++++++++++++++++++++++++++------
> 1 file changed, 29 insertions(+), 6 deletions(-)
>
>diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
>index b79eb1a..2f7e913 100644
>--- a/source4/torture/rpc/netlogon.c
>+++ b/source4/torture/rpc/netlogon.c
>@@ -535,7 +535,11 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
> 
> password = generate_random_password(tctx, 8, 255);
> encode_pw_buffer(password_buf.data, password, STR_UNICODE);
>- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
>+ } else {
>+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+ }
> 
> memcpy(new_password.data, password_buf.data, 512);
> new_password.length = IVAL(password_buf.data, 512);
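Review bot: The cipher selection added after `encode_pw_buffer` keys off `creds->negotiate_flags`, so the new `SetPassword2_AES` test silently degrades to the RC4 path — and passes — whenever the server does not grant `NETLOGON_NEG_SUPPORTS_AES`; neither this hunk nor the three identical ones that follow (-566, -595, -643 in the next line) checks that the flag the caller requested was actually negotiated. Right after the `test_SetupCredentials2` call (earlier in the function, in the previous patch's hunk) I would add `if (flags & NETLOGON_NEG_SUPPORTS_AES) { torture_assert(tctx, creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES, "AES requested but not negotiated"); }` so that RC4 coverage cannot be reported as AES coverage. The same five-line if/else is now copied four times; a small static helper such as `netlogon_creds_encrypt_pw_buffer(creds, password_buf.data, 516)` would keep the cipher choice in one place. test_SetPassword2_with_flags starts before and continues after this hunk.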
>@@ -566,8 +570,11 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
> */
> password = "";
> encode_pw_buffer(password_buf.data, password, STR_UNICODE);
>- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>-
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
>+ } else {
>+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+ }
> memcpy(new_password.data, password_buf.data, 512);
> new_password.length = IVAL(password_buf.data, 512);
> 
>@@ -595,8 +602,11 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
> /* now try a random password */
> password = generate_random_password(tctx, 8, 255);
> encode_pw_buffer(password_buf.data, password, STR_UNICODE);
>- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>-
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
>+ } else {
>+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+ }
> memcpy(new_password.data, password_buf.data, 512);
> new_password.length = IVAL(password_buf.data, 512);
> 
>@@ -643,7 +653,11 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx,
> /* now try a random stream of bytes for a password */
> set_pw_in_buffer(password_buf.data, &new_random_pass);
> 
>- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds, password_buf.data, 516);
>+ } else {
>+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+ }
> 
> memcpy(new_password.data, password_buf.data, 512);
> new_password.length = IVAL(password_buf.data, 512);
>@@ -680,6 +694,13 @@ static bool test_SetPassword2(struct torture_context *tctx,
> return test_SetPassword2_with_flags(tctx, p, machine_credentials, NETLOGON_NEG_AUTH2_ADS_FLAGS);
> }
> 
>+static bool test_SetPassword2_AES(struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *machine_credentials)
>+{
>+ return test_SetPassword2_with_flags(tctx, p, machine_credentials, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
>+}
>+
> static bool test_GetPassword(struct torture_context *tctx,
> struct dcerpc_pipe *p,
> struct cli_credentials *machine_credentials)
>@@ -3811,6 +3832,7 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
> torture_rpc_tcase_add_test_creds(tcase, "SamLogon", test_SamLogon);
> torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
> torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
>+ torture_rpc_tcase_add_test_creds(tcase, "SetPassword2_AES", test_SetPassword2_AES);
> torture_rpc_tcase_add_test_creds(tcase, "GetPassword", test_GetPassword);
> torture_rpc_tcase_add_test_creds(tcase, "GetTrustPasswords", test_GetTrustPasswords);
> torture_rpc_tcase_add_test_creds(tcase, "GetDomainInfo", test_GetDomainInfo);
>@@ -3853,6 +3875,7 @@ struct torture_suite *torture_rpc_netlogon_s3(TALLOC_CTX *mem_ctx)
> torture_rpc_tcase_add_test_creds(tcase, "SetPassword", test_SetPassword);
> torture_rpc_tcase_add_test_creds(tcase, "SetPassword_with_flags", test_SetPassword_with_flags);
> torture_rpc_tcase_add_test_creds(tcase, "SetPassword2", test_SetPassword2);
>+ torture_rpc_tcase_add_test_creds(tcase, "SetPassword2_AES", test_SetPassword2_AES);
> torture_rpc_tcase_add_test(tcase, "NetrEnumerateTrustedDomains", test_netr_NetrEnumerateTrustedDomains);
> 
> return suite;
>--
>1.7.9.5
>
>
>From ded4c8d802fd29a27971f9a74a49c5419ea5ee3a Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 29 Nov 2012 22:47:40 +0100
>Subject: [PATCH 08/28] s4-rpc_server: support AES decryption in
> netr_ServerPasswordSet2 server.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 01e69703fb8c58ab1940bb560e34f6c3f10e0ae9)
>---
> source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
>index 309601e..ef4351b 100644
>--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
>+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
>@@ -487,7 +487,12 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
> 
> memcpy(password_buf.data, r->in.new_password->data, 512);
> SIVAL(password_buf.data, 512, r->in.new_password->length);
>- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_decrypt(creds, password_buf.data, 516);
>+ } else {
>+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
>+ }
> 
> if (!extract_pw_from_buffer(mem_ctx, password_buf.data, &new_password)) {
> DEBUG(3,("samr: failed to decode password buffer\n"));
>--
>1.7.9.5
>
>
>From 2eff79f8b90426372e20fec483cc95256a34afee Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Sat, 1 Dec 2012 00:59:44 +0100
>Subject: [PATCH 09/28] s3-rpc_client: use netlogon_creds_aes_encrypt in
> interactive netlogon samlogon.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
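Review bot: The decrypt branch added after `SIVAL` yields an unauthenticated plaintext — `netlogon_creds_aes_decrypt` returns void and nothing integrity-protects the 516-byte buffer — so the only thing between a tampered or wrong-cipher buffer and a password change is the length sanity check inside `extract_pw_from_buffer` on the next visible line. That is the trust model the RC4 path already had, but it deserves a comment at the branch, e.g. `/* both ciphers give confidentiality only; a buffer encrypted with the wrong cipher or corrupted in transit is caught (if at all) by extract_pw_from_buffer's length check */`. If the cleartext in `password_buf` is not already wiped later in the function (the rest of dcesrv_netr_ServerPasswordSet2 is outside the hunk), a `ZERO_STRUCT(password_buf);` once `new_password` has been extracted would limit how long the machine password sits on the stack. dcesrv_netr_ServerPasswordSet2 starts before and continues after this hunk.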
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit c6f4745c5670e8da77078e19f2d6a3a485e7adc6)
>---
> source3/rpc_client/cli_netlogon.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
>diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
>index 463741a..a0a9457 100644
>--- a/source3/rpc_client/cli_netlogon.c
>+++ b/source3/rpc_client/cli_netlogon.c
>@@ -207,7 +207,10 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
> 
> nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
> 
>- if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
>+ if (cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(cli->dc, lmpassword.hash, 16);
>+ netlogon_creds_aes_encrypt(cli->dc, ntpassword.hash, 16);
>+ } else if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16);
> netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16);
> } else {
>--
>1.7.9.5
>
>
>From bf73d1244c793a83a9ccf0d864f27fb8531606d2 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Tue, 4 Dec 2012 23:11:10 +0100
>Subject: [PATCH 10/28] s4-torture: remove trailing whitespace in smbtorture
> remote_pac test.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 7ea9da0c9f0a0a8de416534d6cb1b0248d13f6cf)
>---
> source4/torture/rpc/remote_pac.c | 82 +++++++++++++++++++-------------------
> 1 file changed, 41 insertions(+), 41 deletions(-)
>
>diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
>index 3e25a46..3f7afc3 100644
>--- a/source4/torture/rpc/remote_pac.c
>+++ b/source4/torture/rpc/remote_pac.c
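Review bot: The new `else if` chain tests `NETLOGON_NEG_SUPPORTS_AES` before `NETLOGON_NEG_ARCFOUR`, which is the correct precedence — a session that negotiated AES must not drop to RC4 merely because the RC4 bit is also set — but nothing at the branch records that the order is deliberate, and the trailing `else` (its body is outside the hunk) is presumably the legacy non-RC4 path. A one-line comment above the `if`, `/* AES takes precedence over RC4 when both were negotiated; the DC selects the same way */`, would stop a later reordering from silently downgrading the cipher. Both hashes are encrypted with separate 16-byte calls on the same `cli->dc`, which is what the DC side decrypts, so that part reads fine. rpccli_netlogon_sam_logon starts before and continues after this hunk.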
>@@ -1,20 +1,20 @@ >-/* >+/* > Unix SMB/CIFS implementation. > > test suite for netlogon PAC operations > > Copyright (C) Andrew Bartlett <abartlet@samba.org> 2012 >- >+ > This program is free software; you can redistribute it and/or modify > it under the terms of the GNU General Public License as published by > the Free Software Foundation; either version 3 of the License, or > (at your option) any later version. >- >+ > This program is distributed in the hope that it will be useful, > but WITHOUT ANY WARRANTY; without even the implied warranty of > MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > GNU General Public License for more details. >- >+ > You should have received a copy of the GNU General Public License > along with this program. If not, see <http://www.gnu.org/licenses/>. > */ >@@ -67,7 +67,7 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx, > tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context"); > NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); > >- auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data); >+ auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data); > > pac_data->pac_srv_sig = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA); > if (!pac_data->pac_srv_sig) { >@@ -117,7 +117,7 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx, > > /* Also happens to be a really good one-step verfication of our Kerberos stack */ > >-static bool test_PACVerify(struct torture_context *tctx, >+static bool test_PACVerify(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *credentials, > enum netr_SchannelType secure_channel_type, 
>@@ -134,14 +134,14 @@ static bool test_PACVerify(struct torture_context *tctx, > > struct netr_GenericInfo generic; > struct netr_Authenticator auth, auth2; >- >+ > struct netlogon_creds_CredentialState *creds; > struct gensec_security *gensec_client_context; > struct gensec_security *gensec_server_context; > > DATA_BLOB client_to_server, server_to_client, pac_wrapped, payload; > struct PAC_Validate pac_wrapped_struct; >- >+ > enum ndr_err_code ndr_err; > > struct auth4_context *auth_context; >@@ -152,7 +152,7 @@ static bool test_PACVerify(struct torture_context *tctx, > TALLOC_CTX *tmp_ctx = talloc_new(tctx); > torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed"); > >- if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, >+ if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, > credentials, secure_channel_type, > &creds)) { > return false; >@@ -187,7 +187,7 @@ static bool test_PACVerify(struct torture_context *tctx, > torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed"); > > server_to_client = data_blob(NULL, 0); >- >+ > do { > /* Do a client-server update dance */ > status = gensec_update(gensec_client_context, tmp_ctx, tctx->ev, server_to_client, &client_to_server); 
>@@ -220,20 +220,20 @@ static bool test_PACVerify(struct torture_context *tctx, > pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type; > pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length; > pac_wrapped_struct.ChecksumAndSignature = payload >- = data_blob_talloc(tmp_ctx, NULL, >+ = data_blob_talloc(tmp_ctx, NULL, > pac_wrapped_struct.ChecksumLength > + pac_wrapped_struct.SignatureLength); >- memcpy(&payload.data[0], >+ memcpy(&payload.data[0], > pac_data->pac_srv_sig->signature.data, > pac_wrapped_struct.ChecksumLength); >- memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], >+ memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], > pac_data->pac_kdc_sig->signature.data, > pac_wrapped_struct.SignatureLength); > > ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct, > (ndr_push_flags_fn_t)ndr_push_PAC_Validate); > torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); >- >+ > torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); > netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); > >@@ -270,7 +270,7 @@ static bool test_PACVerify(struct torture_context *tctx, > "LogonSamLogon failed"); > > torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed"); >- >+ > /* This will break the signature nicely (even in the crypto wrapping), check we get a logon failure */ > generic.data[generic.length-1]++; 
> >@@ -290,8 +290,8 @@ static bool test_PACVerify(struct torture_context *tctx, > "LogonSamLogon failed"); > > torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed"); >- >- torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), >+ >+ torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), > "Credential chaining failed"); > > /* This will break the parsing nicely (even in the crypto wrapping), check we get INVALID_PARAMETER */ 
>@@ -313,36 +313,36 @@ static bool test_PACVerify(struct torture_context *tctx, > "LogonSamLogon failed"); > > torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed"); >- >- torture_assert(tctx, netlogon_creds_client_check(creds, >- &r.out.return_authenticator->cred), >+ >+ torture_assert(tctx, netlogon_creds_client_check(creds, >+ &r.out.return_authenticator->cred), > "Credential chaining failed"); > > pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length; > pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type; >- >+ > /* Break the SignatureType */ > pac_wrapped_struct.SignatureType++; > > pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length; > pac_wrapped_struct.ChecksumAndSignature = payload >- = data_blob_talloc(tmp_ctx, NULL, >+ = data_blob_talloc(tmp_ctx, NULL, > pac_wrapped_struct.ChecksumLength > + pac_wrapped_struct.SignatureLength); >- memcpy(&payload.data[0], >+ memcpy(&payload.data[0], > pac_data->pac_srv_sig->signature.data, > pac_wrapped_struct.ChecksumLength); >- memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], >+ memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], > pac_data->pac_kdc_sig->signature.data, > pac_wrapped_struct.SignatureLength); >- >+ > ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct, > (ndr_push_flags_fn_t)ndr_push_PAC_Validate); > torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); >- >+ > torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); > netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); >- >+ > generic.length = pac_wrapped.length; > generic.data = pac_wrapped.data; 
> >@@ -357,13 +357,13 @@ static bool test_PACVerify(struct torture_context *tctx, > r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); > r.in.computer_name = cli_credentials_get_workstation(credentials); > r.in.validation_level = NetlogonValidationGenericInfo2; >- >+ > torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r), > "LogonSamLogon failed"); >- >+ > torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed"); >- >- torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), >+ >+ torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), > "Credential chaining failed"); > > pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length; 
>@@ -371,26 +371,26 @@ static bool test_PACVerify(struct torture_context *tctx, > pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length; > > pac_wrapped_struct.ChecksumAndSignature = payload >- = data_blob_talloc(tmp_ctx, NULL, >+ = data_blob_talloc(tmp_ctx, NULL, > pac_wrapped_struct.ChecksumLength > + pac_wrapped_struct.SignatureLength); >- memcpy(&payload.data[0], >+ memcpy(&payload.data[0], > pac_data->pac_srv_sig->signature.data, > pac_wrapped_struct.ChecksumLength); >- memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], >+ memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], > pac_data->pac_kdc_sig->signature.data, > pac_wrapped_struct.SignatureLength); >- >+ > /* Break the signature length */ > pac_wrapped_struct.SignatureLength++; > > ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct, > (ndr_push_flags_fn_t)ndr_push_PAC_Validate); > torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); >- >+ > torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); > netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); >- >+ > generic.length = pac_wrapped.length; > generic.data = pac_wrapped.data; 
> >@@ -405,13 +405,13 @@ static bool test_PACVerify(struct torture_context *tctx, > r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); > r.in.computer_name = cli_credentials_get_workstation(credentials); > r.in.validation_level = NetlogonValidationGenericInfo2; >- >+ > torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogon_r(b, tctx, &r), > "LogonSamLogon failed"); >- >+ > torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed"); >- >- torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), >+ >+ torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), > "Credential chaining failed"); > > return true; >-- >1.7.9.5 > > >From b61d676003413bbc2209739d458e57046ab805a9 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Wed, 5 Dec 2012 16:11:19 +0100 >Subject: [PATCH 11/28] s4-torture: use names for r.in.logon_level of netlogon > samlogon requests. >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Guenther > >Signed-off-by: Günther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 3dffd29904b3de145941a7420d56b30611f9616f) >--- > source4/torture/rpc/netlogon.c | 4 ++-- > source4/torture/rpc/remote_pac.c | 2 +- > source4/torture/rpc/samba3rpc.c | 4 ++-- > source4/torture/rpc/samlogon.c | 4 ++-- > source4/torture/rpc/samsync.c | 2 +- > source4/torture/rpc/schannel.c | 4 ++-- > 6 files changed, 10 insertions(+), 10 deletions(-) > >diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c >index 2f7e913..e7cece3 100644 >--- a/source4/torture/rpc/netlogon.c >+++ b/source4/torture/rpc/netlogon.c 
>@@ -835,7 +835,7 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context
> r.in.computer_name = cli_credentials_get_workstation(credentials);
> r.in.credential = &auth;
> r.in.return_authenticator = &auth2;
>- r.in.logon_level = 2;
>+ r.in.logon_level = NetlogonNetworkInformation;
> r.in.logon = &logon;
> r.out.validation = &validation;
> r.out.authoritative = &authoritative;
>@@ -941,7 +941,7 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context
> "LogonSamLogon invalid *r.out.authoritative");
> }
> 
>- r.in.logon_level = 2;
>+ r.in.logon_level = NetlogonNetworkInformation;
> r.in.credential = &auth;
> 
> for (i=2;i<=3;i++) {
>diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
>index 3f7afc3..6b0c044 100644
>--- a/source4/torture/rpc/remote_pac.c
>+++ b/source4/torture/rpc/remote_pac.c
>@@ -663,7 +663,7 @@ static bool test_S2U4Self(struct torture_context *tctx,
> r.in.computer_name = cli_credentials_get_workstation(credentials);
> r.in.credential = &auth;
> r.in.return_authenticator = &auth2;
>- r.in.logon_level = 2;
>+ r.in.logon_level = NetlogonNetworkInformation;
> r.in.logon = &logon;
> r.out.validation = &validation;
> r.out.authoritative = &authoritative;
>diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
>index f7968b1..d8d90ce 100644
>--- a/source4/torture/rpc/samba3rpc.c
>+++ b/source4/torture/rpc/samba3rpc.c
>@@ -1163,7 +1163,7 @@ static bool schan(struct torture_context *tctx,
> cli_credentials_get_workstation(wks_creds);
> r.in.credential = &netr_auth;
> r.in.return_authenticator = &netr_auth2;
>- r.in.logon_level = 2;
>+ r.in.logon_level = NetlogonNetworkInformation;
> r.in.validation_level = i;
> r.in.logon = &logon;
> r.out.validation = &validation;
>@@ -1203,7 +1203,7 @@ static bool schan(struct torture_context *tctx,
> 
> logon.password = &pinfo;
> 
>- r.in.logon_level = 1;
>+ r.in.logon_level = NetlogonInteractiveInformation;
> r.in.logon = &logon;
> r.out.return_authenticator = &return_authenticator;
> 
>diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
>index 640bd6a..8d13a63 100644
>--- a/source4/torture/rpc/samlogon.c
>+++ b/source4/torture/rpc/samlogon.c
>@@ -1344,7 +1344,7 @@ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
> int i, v, l, f;
> bool ret = true;
> int validation_levels[] = {2,3,6};
>- int logon_levels[] = { 2, 6 };
>+ int logon_levels[] = { NetlogonNetworkInformation, NetlogonNetworkTransitiveInformation };
> int function_levels[] = {
> NDR_NETR_LOGONSAMLOGON,
> NDR_NETR_LOGONSAMLOGONEX,
>@@ -1484,7 +1484,7 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
> r.in.computer_name = TEST_MACHINE_NAME;
> r.in.credential = &a;
> r.in.return_authenticator = &ra;
>- r.in.logon_level = 5;
>+ r.in.logon_level = NetlogonInteractiveTransitiveInformation;
> r.in.logon = &logon;
> r.in.validation_level = 6;
> r.in.flags = &flags;
>diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
>index b92eb21..7249705 100644
>--- a/source4/torture/rpc/samsync.c
>+++ b/source4/torture/rpc/samsync.c
>@@ -95,7 +95,7 @@ static NTSTATUS test_SamLogon(struct torture_context *tctx,
> r.in.computer_name = workstation;
> r.in.credential = &auth;
> r.in.return_authenticator = &auth2;
>- r.in.logon_level = 2;
>+ r.in.logon_level = NetlogonNetworkInformation;
> r.in.logon = &logon;
> r.out.validation = &validation;
> r.out.authoritative = &authoritative;
>diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
>index 8a11a20..7e3e6aa 100644
>--- a/source4/torture/rpc/schannel.c
>+++ b/source4/torture/rpc/schannel.c
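Review bot: The switch from numeric `logon_level` literals to the `Netlogon*Information` names is only half applied in the two samlogon.c hunks (-1344 and -1484): `int validation_levels[] = {2,3,6};` and `r.in.validation_level = 6;` remain magic numbers on the context lines right next to the changed ones, and `logon_levels[]` is still declared `int` although it now holds enum values. For consistency with remote_pac.c, which already spells `NetlogonValidationGenericInfo2`, the validation levels should use the matching `NetlogonValidation*` names (level 6 is `NetlogonValidationSamInfo4`) and the array could be typed with the enum instead of `int`. The same remark applies to `r.in.validation_level = i;` in the samba3rpc.c hunk in the previous line, where the loop bound is still numeric. test_SamLogon and test_InteractiveLogon both continue outside these hunks.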
>@@ -102,7 +102,7 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
> 
> r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
> r.in.computer_name = cli_credentials_get_workstation(credentials);
>- r.in.logon_level = 2;
>+ r.in.logon_level = NetlogonNetworkInformation;
> r.in.logon= &logon;
> r.in.flags = &_flags;
> r.out.validation = &validation;
>@@ -656,7 +656,7 @@ static bool torture_schannel_bench_start(struct torture_schannel_bench_conn *con
> 
> conn->r.in.server_name = talloc_asprintf(conn->tmp, "\\\\%s", dcerpc_server_name(conn->pipe));
> conn->r.in.computer_name = cli_credentials_get_workstation(conn->wks_creds);
>- conn->r.in.logon_level = 2;
>+ conn->r.in.logon_level = NetlogonNetworkInformation;
> conn->r.in.logon = talloc(conn->tmp, union netr_LogonLevel);
> conn->r.in.logon->network = &conn->ninfo;
> conn->r.in.flags = talloc(conn->tmp, uint32_t);
>--
>1.7.9.5
>
>
>From 4e06e21b17f05251e9a00581edd2c9d4360c4136 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Wed, 5 Dec 2012 16:23:34 +0100
>Subject: [PATCH 12/28] s4-torture: support AES encryption in
> pac_verify/generic samlogon netlogon tests.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit d94f012f3fb428027709a9c8becf8edb85072463)
>---
> source4/torture/rpc/remote_pac.c | 87 +++++++++++++++++++++++++++++---------
> 1 file changed, 68 insertions(+), 19 deletions(-)
>
>diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
>index 6b0c044..ccecc06 100644
>--- a/source4/torture/rpc/remote_pac.c
>+++ b/source4/torture/rpc/remote_pac.c
>@@ -121,7 +121,8 @@ static bool test_PACVerify(struct torture_context *tctx,
> struct dcerpc_pipe *p,
> struct cli_credentials *credentials,
> enum netr_SchannelType secure_channel_type,
>- const char *test_machine_name)
>+ const char *test_machine_name,
>+ uint32_t negotiate_flags)
> {
> NTSTATUS status;
>
>@@ -152,7 +153,11 @@ static bool test_PACVerify(struct torture_context *tctx,
> TALLOC_CTX *tmp_ctx = talloc_new(tctx);
> torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
>
>- if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
>+ torture_comment(tctx,
>+ "Testing PAC Verify (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x\n",
>+ secure_channel_type, test_machine_name, negotiate_flags);
>+
>+ if (!test_SetupCredentials2(p, tctx, negotiate_flags,
> credentials, secure_channel_type,
> &creds)) {
> return false;
>@@ -235,7 +240,11 @@ static bool test_PACVerify(struct torture_context *tctx,
> torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
>
> torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
>- netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
>+ } else {
>+ netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
>+ }
>
> generic.length = pac_wrapped.length;
> generic.data = pac_wrapped.data;
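Review bot: The torture_comment format string added in the second hunk opens a parenthesis after "Testing PAC Verify" that is never closed, so the log line is malformed; it should read `"Testing PAC Verify (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x)\n"`. The AES/RC4 selection block added after the ARCFOUR assertion is repeated verbatim in the two hunks at @@ -341 and @@ -389 as well; a small static helper such as `pac_wrapped_crypt(creds, &pac_wrapped)` would keep the three call sites from drifting apart. The assertion text "not willing to even try a PACValidate without RC4 encryption" now also gates the AES path, which only holds because NETLOGON_NEG_AUTH2_ADS_FLAGS presumably carries NETLOGON_NEG_ARCFOUR alongside the AES flag; a short comment there would record that dependency. test_PACVerify starts and ends outside these hunks.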
>@@ -341,7 +350,11 @@ static bool test_PACVerify(struct torture_context *tctx,
> torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
>
> torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
>- netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
>+ } else {
>+ netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
>+ }
>
> generic.length = pac_wrapped.length;
> generic.data = pac_wrapped.data;
>@@ -389,7 +402,11 @@ static bool test_PACVerify(struct torture_context *tctx,
> torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
>
> torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
>- netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds, pac_wrapped.data, pac_wrapped.length);
>+ } else {
>+ netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
>+ }
>
> generic.length = pac_wrapped.length;
> generic.data = pac_wrapped.data;
>@@ -417,18 +434,40 @@ static bool test_PACVerify(struct torture_context *tctx,
> return true;
> }
>
>-static bool test_PACVerify_bdc(struct torture_context *tctx,
>- struct dcerpc_pipe *p,
>- struct cli_credentials *credentials)
>+static bool test_PACVerify_bdc_arcfour(struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *credentials)
> {
>- return test_PACVerify(tctx, p, credentials, SEC_CHAN_BDC, TEST_MACHINE_NAME_BDC);
>+ return test_PACVerify(tctx, p, credentials, SEC_CHAN_BDC,
>+ TEST_MACHINE_NAME_BDC,
>+ NETLOGON_NEG_AUTH2_ADS_FLAGS);
> }
>
>-static bool test_PACVerify_workstation(struct torture_context *tctx,
>- struct dcerpc_pipe *p,
>- struct cli_credentials *credentials)
>+static bool test_PACVerify_bdc_aes(struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *credentials)
>+{
>+ return test_PACVerify(tctx, p, credentials, SEC_CHAN_BDC,
>+ TEST_MACHINE_NAME_BDC,
>+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
>+}
>+
>+static bool test_PACVerify_workstation_arcfour(struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *credentials)
> {
>- return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, TEST_MACHINE_NAME_WKSTA);
>+ return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
>+ TEST_MACHINE_NAME_WKSTA,
>+ NETLOGON_NEG_AUTH2_ADS_FLAGS);
>+}
>+
>+static bool test_PACVerify_workstation_aes(struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *credentials)
>+{
>+ return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
>+ TEST_MACHINE_NAME_WKSTA,
>+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
> }
>
> static bool test_PACVerify_workstation_des(struct torture_context *tctx,
>@@ -465,7 +504,9 @@ static bool test_PACVerify_workstation_des(struct torture_context *tctx,
> torture_assert_ntstatus_ok(tctx, r.out.result,
> "failed to set DES into account flags");
>
>- return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, TEST_MACHINE_NAME_WKSTA_DES);
>+ return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
>+ TEST_MACHINE_NAME_WKSTA_DES,
>+ NETLOGON_NEG_AUTH2_ADS_FLAGS);
> }
>
>
>@@ -668,7 +709,7 @@ static bool test_S2U4Self(struct torture_context *tctx,
> r.out.validation = &validation;
> r.out.authoritative = &authoritative;
>
>- if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
>+ if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
> credentials, secure_channel_type,
> &creds)) {
> return false;
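Review bot: test_SetupCredentials2 in test_S2U4Self now unconditionally requests NETLOGON_NEG_SUPPORTS_AES, whereas test_PACVerify was split into _arcfour and _aes variants earlier in this commit; for S2U4Self this replaces RC4 coverage with AES coverage instead of adding it. If the rest of test_S2U4Self (outside this hunk) still encrypts or decrypts with netlogon_creds_arcfour_crypt unconditionally, it would now use a cipher that does not match the negotiated flags whenever the server grants AES, which is exactly the mismatch this series is fixing. Giving test_S2U4Self the same negotiate_flags parameter and two registered variants would keep both paths exercised. test_S2U4Self starts and ends outside the hunk.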
>@@ -737,13 +778,21 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx)
> struct torture_rpc_tcase *tcase;
>
> /* It is important to use different names, so that old entries in our credential cache are not used */
>- tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon-bdc",
>+ tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour",
> &ndr_table_netlogon, TEST_MACHINE_NAME_BDC);
>- torture_rpc_tcase_add_test_creds(tcase, "verify-sig", test_PACVerify_bdc);
>+ torture_rpc_tcase_add_test_creds(tcase, "verify-sig-arcfour", test_PACVerify_bdc_arcfour);
>
>- tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member",
>+ tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-aes",
>+ &ndr_table_netlogon, TEST_MACHINE_NAME_BDC);
>+ torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_bdc_aes);
>+
>+ tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-arcfour",
>+ &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
>+ torture_rpc_tcase_add_test_creds(tcase, "verify-sig-arcfour", test_PACVerify_workstation_arcfour);
>+
>+ tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-aes",
> &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
>- torture_rpc_tcase_add_test_creds(tcase, "verify-sig", test_PACVerify_workstation);
>+ torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes);
>
> tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des",
> &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES);
>--
>1.7.9.5
>
>
>From ebb54e1300de87d76b9cbed324a88a9ec6231474 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Wed, 5 Dec 2012 16:20:14 +0100
>Subject: [PATCH 13/28] s4-torture: support AES encryption in interactive
> samlogon tests in rpc.samr.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 5089442bfdbeff7314e589387c3702f9c401e12a)
>---
> source4/torture/rpc/samr.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
>diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
>index a460211..7f50ce9 100644
>--- a/source4/torture/rpc/samr.c
>+++ b/source4/torture/rpc/samr.c
>@@ -2888,7 +2888,10 @@ static bool test_SamLogon(struct torture_context *tctx,
> }
> E_md4hash(cli_credentials_get_password(test_credentials), pinfo.ntpassword.hash);
>
>- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds, pinfo.lmpassword.hash, 16);
>+ netlogon_creds_aes_encrypt(creds, pinfo.ntpassword.hash, 16);
>+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16);
> netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16);
> } else {
>@@ -3072,7 +3075,7 @@ static bool setup_schannel_netlogon_pipe(struct torture_context *tctx,
> * with INTERNAL_ERROR */
>
> b->flags &= ~DCERPC_AUTH_OPTIONS;
>- b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128;
>+ b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_AUTO;
>
> torture_assert_ntstatus_ok(tctx,
> dcerpc_pipe_connect_b(tctx, p, b, &ndr_table_netlogon,
>--
>1.7.9.5
>
>
>From 3d7ec009cf60857dc2bcf506be1ed16f737b16a6 Mon Sep 17 00:00:00 2001
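Review bot: The comment ending in `* with INTERNAL_ERROR */` directly above the changed line in setup_schannel_netlogon_pipe presumably explains why `DCERPC_SCHANNEL_128` was forced on this binding; with the flag switched to `DCERPC_SCHANNEL_AUTO` that rationale needs re-checking and the comment updating, which the hunk does not do. In the test_SamLogon hunk the AES branch is tested before ARCFOUR, which is the right precedence since both flags are normally set together, but the hard-coded `16` lengths could be `sizeof(pinfo.lmpassword.hash)` and `sizeof(pinfo.ntpassword.hash)` as the s4 server side writes them. test_SamLogon and setup_schannel_netlogon_pipe both start and end outside these hunks.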
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Wed, 5 Dec 2012 16:21:59 +0100
>Subject: [PATCH 14/28] s4-torture: exit early when join fails in samba3rpc
> tests.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 4afb7dcb43c6903568c0fe2c2c2044706e9bd613)
>---
> source4/torture/rpc/samba3rpc.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
>diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
>index d8d90ce..0dd9dbd 100644
>--- a/source4/torture/rpc/samba3rpc.c
>+++ b/source4/torture/rpc/samba3rpc.c
>@@ -399,7 +399,9 @@ static bool get_usr_handle(struct torture_context *tctx,
>
> samr_pipe = dcerpc_pipe_init(mem_ctx, tctx->ev);
> torture_assert(tctx, samr_pipe, "dcerpc_pipe_init failed");
>-
>+#if 0
>+ samr_pipe->conn->flags |= DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT;
>+#endif
> samr_handle = samr_pipe->binding_handle;
>
> torture_assert_ntstatus_ok(tctx,
>@@ -744,7 +746,7 @@ static bool join3(struct torture_context *tctx,
> goto done;
> }
> samr_handle = samr_pipe->binding_handle;
>-
>+ ret = false;
> {
> struct samr_QueryUserInfo q;
> union samr_UserInfo *info;
>--
>1.7.9.5
>
>
>From 054e8f9440b5ed4478f029828d9ea2b93bbc7d83 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Wed, 5 Dec 2012 18:38:01 +0100
>Subject: [PATCH 15/28] s4-torture: use netlogon_creds_arcfour_crypt() in
> samba3rpc test.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit fd7087020344f7d24737e3be2f3afbd0417b0026)
>---
> source4/torture/rpc/samba3rpc.c | 9 +++------
> 1 file changed, 3 insertions(+), 6 deletions(-)
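Review bot: The `#if 0` block added in get_usr_handle is dead debugging code that, if flipped on, sets DCERPC_DEBUG_PRINT_IN | DCERPC_DEBUG_PRINT_OUT on a SAMR pipe and presumably prints every request and reply on it — including the user and password-setting calls this helper performs — to the log; it should be dropped before merging or tied to a runtime torture option rather than a compile-time toggle. In join3 the bare `ret = false;` inserted before the QueryUserInfo block has no explanation; if it implements the early exit the subject line describes, a comment such as `/* every failure from here on must leave through 'done' with ret == false */` would make the intent visible. Both functions start and end outside these hunks.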
>
>diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
>index 0dd9dbd..c19476d 100644
>--- a/source4/torture/rpc/samba3rpc.c
>+++ b/source4/torture/rpc/samba3rpc.c
>@@ -1104,7 +1104,7 @@ static bool schan(struct torture_context *tctx,
>
> for (i=2; i<4; i++) {
> int flags;
>- DATA_BLOB chal, nt_resp, lm_resp, names_blob, session_key;
>+ DATA_BLOB chal, nt_resp, lm_resp, names_blob;
> struct netlogon_creds_CredentialState *creds_state;
> struct netr_Authenticator netr_auth, netr_auth2;
> struct netr_NetworkInfo ninfo;
>@@ -1197,11 +1197,8 @@ static bool schan(struct torture_context *tctx,
> ZERO_STRUCT(pinfo.lmpassword.hash);
> E_md4hash(cli_credentials_get_password(user_creds),
> pinfo.ntpassword.hash);
>- session_key = data_blob_talloc(mem_ctx,
>- creds_state->session_key, 16);
>- arcfour_crypt_blob(pinfo.ntpassword.hash,
>- sizeof(pinfo.ntpassword.hash),
>- &session_key);
>+
>+ netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16);
>
> logon.password = &pinfo;
>
>--
>1.7.9.5
>
>
>From 4b01a3e5f8ac11de67e9ba1d5de2bd085feb2f41 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Wed, 5 Dec 2012 16:37:02 +0100
>Subject: [PATCH 16/28] s3-rpc_server: pass down netlogon cred state in
> _netr_ServerGetTrustInfo().
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 306a78d97f2fdfaa81c58bafdebcfab0fb8f1636)
>---
> source3/rpc_server/netlogon/srv_netlog_nt.c | 14 +++++--------
> 1 file changed, 5 insertions(+), 9 deletions(-)
>
>diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
>index 5fc2756..aef97e4 100644
>--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
>+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
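Review bot: The replacement `netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16);` in schan() always applies RC4 without consulting creds_state->negotiate_flags, while the server side in this same series selects AES, RC4 or DES from those flags; if the credential setup for this loop (outside the hunk) ever negotiates NETLOGON_NEG_SUPPORTS_AES, the interactive logon would be encrypted with the wrong cipher and fail. Either a flag-driven selection mirroring the server, or a comment stating that this test deliberately negotiates RC4 only, would document the assumption. `sizeof(pinfo.ntpassword.hash)`, which the removed code used, is preferable to the literal 16. The loop in schan() starts and ends outside the hunk.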
>@@ -2398,7 +2398,7 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
>
> static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx,
> const DATA_BLOB *trustAuth_blob,
>- const DATA_BLOB *session_key,
>+ struct netlogon_creds_CredentialState *creds,
> struct samr_Password *current_pw_enc,
> struct samr_Password *previous_pw_enc)
> {
>@@ -2421,8 +2421,7 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx,
> return NT_STATUS_UNSUCCESSFUL;
> }
>
>- arcfour_crypt_blob(current_pw_enc->hash, sizeof(current_pw_enc->hash),
>- session_key);
>+ netlogon_creds_arcfour_crypt(creds, current_pw_enc->hash, sizeof(current_pw_enc->hash));
>
> if (trustAuth.previous.count != 0 &&
> trustAuth.previous.array[0].AuthType == TRUST_AUTH_TYPE_CLEAR) {
>@@ -2432,8 +2431,8 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx,
> } else {
> mdfour(previous_pw_enc->hash, NULL, 0);
> }
>- arcfour_crypt_blob(previous_pw_enc->hash, sizeof(previous_pw_enc->hash),
>- session_key);
>+
>+ netlogon_creds_arcfour_crypt(creds, previous_pw_enc->hash, sizeof(previous_pw_enc->hash));
>
> return NT_STATUS_OK;
> }
>@@ -2455,7 +2454,6 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
> DATA_BLOB trustAuth_blob;
> struct samr_Password *new_owf_enc;
> struct samr_Password *old_owf_enc;
>- DATA_BLOB session_key;
> struct loadparm_context *lp_ctx;
>
> lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
>@@ -2543,10 +2541,8 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
> trustAuth_blob = td->trust_auth_outgoing;
> }
>
>- session_key.data = creds->session_key;
>- session_key.length = sizeof(creds->session_key);
> status = get_password_from_trustAuth(p->mem_ctx, &trustAuth_blob,
>- &session_key,
>+ creds,
> new_owf_enc, old_owf_enc);
>
> if (!NT_STATUS_IS_OK(status)) {
>--
>1.7.9.5
>
>
>From ab5f0b796cd4e95270f25bcdad1f5e4f2ebb435b Mon Sep 17 00:00:00 2001
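Review bot: get_password_from_trustAuth still encrypts both OWF hashes with netlogon_creds_arcfour_crypt irrespective of creds->negotiate_flags, and patch 19 later in this same series replaces exactly these two calls with netlogon_creds_des_encrypt; the intermediate state of this commit therefore returns differently encrypted OWFs than the tests in patches 17 and 18 expect, so the two commits should not be cherry-picked separately. Passing the whole credential state instead of a session-key blob is the right direction, since it lets the callee choose the cipher; a one-line comment at the signature, `/* creds: the established schannel credential state; it selects the cipher for the returned OWF passwords */`, would make that contract explicit. The body of get_password_from_trustAuth begins outside the first hunk.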
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Wed, 5 Dec 2012 17:59:12 +0100
>Subject: [PATCH 17/28] s4-torture: validate owf password hash and negotiate
> AES ServerGetTrustInfo test.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 83b00afe9f2116ef04378c251070143595450a3e)
>---
> source4/torture/rpc/netlogon.c | 37 +++++++++++++++++++++++++++++++++----
> 1 file changed, 33 insertions(+), 4 deletions(-)
>
>diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
>index e7cece3..1f92bc6 100644
>--- a/source4/torture/rpc/netlogon.c
>+++ b/source4/torture/rpc/netlogon.c
>@@ -3155,9 +3155,10 @@ static bool test_netr_DsRAddressToSitenamesExW(struct torture_context *tctx,
> return true;
> }
>
>-static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
>- struct dcerpc_pipe *p,
>- struct cli_credentials *machine_credentials)
>+static bool test_netr_ServerGetTrustInfo_flags(struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *machine_credentials,
>+ uint32_t negotiate_flags)
> {
> struct netr_ServerGetTrustInfo r;
>
>@@ -3170,7 +3171,9 @@ static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
> struct netlogon_creds_CredentialState *creds;
> struct dcerpc_binding_handle *b = p->binding_handle;
>
>- if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
>+ struct samr_Password nt_hash;
>+
>+ if (!test_SetupCredentials3(p, tctx, negotiate_flags,
> machine_credentials, &creds)) {
> return false;
> }
>@@ -3193,9 +3196,34 @@ static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
> torture_assert_ntstatus_ok(tctx, r.out.result, "ServerGetTrustInfo failed");
> torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed");
>
>+ E_md4hash(cli_credentials_get_password(machine_credentials), nt_hash.hash);
>+
>+ netlogon_creds_des_decrypt(creds, &new_owf_password);
>+
>+ dump_data(1, new_owf_password.hash, 16);
>+ dump_data(1, nt_hash.hash, 16);
>+
>+ torture_assert_mem_equal(tctx, new_owf_password.hash, nt_hash.hash, 16,
>+ "received unexpected owf password\n");
>+
> return true;
> }
>
>+static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *machine_credentials)
>+{
>+ return test_netr_ServerGetTrustInfo_flags(tctx, p, machine_credentials,
>+ NETLOGON_NEG_AUTH2_ADS_FLAGS);
>+}
>+
>+static bool test_netr_ServerGetTrustInfo_AES(struct torture_context *tctx,
>+ struct dcerpc_pipe *p,
>+ struct cli_credentials *machine_credentials)
>+{
>+ return test_netr_ServerGetTrustInfo_flags(tctx, p, machine_credentials,
>+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
>+}
>
> static bool test_GetDomainInfo(struct torture_context *tctx,
> struct dcerpc_pipe *p,
>@@ -3857,6 +3885,7 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx)
> torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesW", test_netr_DsRAddressToSitenamesW);
> torture_rpc_tcase_add_test(tcase, "DsRAddressToSitenamesExW", test_netr_DsRAddressToSitenamesExW);
> torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo", test_netr_ServerGetTrustInfo);
>+ torture_rpc_tcase_add_test_creds(tcase, "ServerGetTrustInfo_AES", test_netr_ServerGetTrustInfo_AES);
> torture_rpc_tcase_add_test_creds(tcase, "GetForestTrustInformation", test_netr_GetForestTrustInformation);
>
> return suite;
>--
>1.7.9.5
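Review bot: `dump_data(1, new_owf_password.hash, 16);` and `dump_data(1, nt_hash.hash, 16);` write the machine account's NT hash — a password-equivalent credential — to the torture log at debug level 1, and the same two lines are added to test_validate_trust in forest_trust.c in patch 18. The server-side code in this series keeps such dumps at level 100 under `#ifdef DEBUG_PASSWORD`; the tests should use the same level or drop the dumps altogether, since torture_assert_mem_equal already reports a mismatch. The check itself is a good addition, because it pins the DES-encrypted OWF contract that patch 19 implements on the server. The test_netr_ServerGetTrustInfo_flags body begins outside this hunk.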
>
>
>From 5bd71a6355be4132b9808a49b3bc72a551e98e61 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Wed, 5 Dec 2012 18:06:54 +0100
>Subject: [PATCH 18/28] s4-torture: validate owf password hash and negotiate
> AES in forest trust test.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 6aec126566d01dd9ddbbd5488f73b61729094a52)
>---
> source4/torture/rpc/forest_trust.c | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
>diff --git a/source4/torture/rpc/forest_trust.c b/source4/torture/rpc/forest_trust.c
>index f416054..2208280 100644
>--- a/source4/torture/rpc/forest_trust.c
>+++ b/source4/torture/rpc/forest_trust.c
>@@ -597,6 +597,7 @@ static bool test_validate_trust(struct torture_context *tctx,
> struct netr_GetForestTrustInformation fr;
> struct lsa_ForestTrustInformation *forest_trust_info;
> int i;
>+ struct samr_Password nt_hash;
>
> status = dcerpc_parse_binding(tctx, binding, &b);
> torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
>@@ -630,7 +631,7 @@ static bool test_validate_trust(struct torture_context *tctx,
> return false;
> }
>
>- if (!test_SetupCredentials3(pipe, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
>+ if (!test_SetupCredentials3(pipe, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
> credentials, &creds)) {
> torture_comment(tctx, "test_SetupCredentials3 failed.\n");
> return false;
>@@ -670,6 +671,16 @@ static bool test_validate_trust(struct torture_context *tctx,
> return false;
> }
>
>+ E_md4hash(cli_credentials_get_password(credentials), nt_hash.hash);
>+
>+ netlogon_creds_des_decrypt(creds, &new_owf_password);
>+
>+ dump_data(1, new_owf_password.hash, 16);
>+ dump_data(1, nt_hash.hash, 16);
>+
>+ torture_assert_mem_equal(tctx, new_owf_password.hash, nt_hash.hash, 16,
>+ "received unexpected owf password\n");
>+
> netlogon_creds_client_authenticator(creds, &a);
>
> fr.in.server_name = talloc_asprintf(tctx, "\\\\%s",
>--
>1.7.9.5
>
>
>From 91f680dac21f8c14e3684a71645c647379f58295 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Wed, 5 Dec 2012 19:52:54 +0100
>Subject: [PATCH 19/28] s3-rpc_server: we need to encrypt OWFs using DES in
> _netr_ServerGetTrustInfo().
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Sumit, please check.
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit a52115ce67c2e5bd1e478d7601483fd2490aea31)
>---
> source3/rpc_server/netlogon/srv_netlog_nt.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
>index aef97e4..16542f8 100644
>--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
>+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
>@@ -2421,7 +2421,7 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx,
> return NT_STATUS_UNSUCCESSFUL;
> }
>
>- netlogon_creds_arcfour_crypt(creds, current_pw_enc->hash, sizeof(current_pw_enc->hash));
>+ netlogon_creds_des_encrypt(creds, current_pw_enc);
>
> if (trustAuth.previous.count != 0 &&
> trustAuth.previous.array[0].AuthType == TRUST_AUTH_TYPE_CLEAR) {
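Review bot: Both OWF hashes in get_password_from_trustAuth are now encrypted with netlogon_creds_des_encrypt without consulting creds->negotiate_flags, while every other call site in this series branches on NETLOGON_NEG_SUPPORTS_AES / NETLOGON_NEG_ARCFOUR, and the commit message itself asks for confirmation. If DES is indeed mandated for ServerGetTrustInfo regardless of the negotiated flags, a comment above the first call, e.g. `/* ServerGetTrustInfo OWF passwords are always DES-encrypted with the session key, independent of the negotiated RC4/AES flags; see the protocol spec */` with the MS-NRPC section filled in, belongs here, otherwise a later cleanup will "fix" it back to a flag-driven choice. The second call is in the hunk on the following line and the tests in patches 17 and 18 depend on this behaviour. get_password_from_trustAuth starts outside the hunk.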
>@@ -2432,7 +2432,7 @@ static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx,
> mdfour(previous_pw_enc->hash, NULL, 0);
> }
>
>- netlogon_creds_arcfour_crypt(creds, previous_pw_enc->hash, sizeof(previous_pw_enc->hash));
>+ netlogon_creds_des_encrypt(creds, previous_pw_enc);
>
> return NT_STATUS_OK;
> }
>--
>1.7.9.5
>
>
>From 25863e90961e57099af2520d6fc6346600258ec5 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Wed, 5 Dec 2012 16:24:24 +0100
>Subject: [PATCH 20/28] s4-rpc_server: support AES encryption in interactive
> and generic samlogon.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 71572632bd33dcb5c03a701bbb72a707e5642237)
>---
> source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++++++-----
> 1 file changed, 23 insertions(+), 5 deletions(-)
>
>diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
>index ef4351b..ac69d3d 100644
>--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
>+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
>@@ -635,7 +635,14 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
> case NetlogonServiceInformation:
> case NetlogonInteractiveTransitiveInformation:
> case NetlogonServiceTransitiveInformation:
>- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_decrypt(creds,
>+ r->in.logon->password->lmpassword.hash,
>+ sizeof(r->in.logon->password->lmpassword.hash));
>+ netlogon_creds_aes_decrypt(creds,
>+ r->in.logon->password->ntpassword.hash,
>+ sizeof(r->in.logon->password->ntpassword.hash));
>+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> netlogon_creds_arcfour_crypt(creds,
> r->in.logon->password->lmpassword.hash,
> sizeof(r->in.logon->password->lmpassword.hash));
>@@ -698,7 +705,10 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
>
> case NetlogonGenericInformation:
> {
>- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_decrypt(creds,
>+ r->in.logon->generic->data, r->in.logon->generic->length);
>+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> netlogon_creds_arcfour_crypt(creds,
> r->in.logon->generic->data, r->in.logon->generic->length);
> } else {
>@@ -811,8 +821,12 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
> /* It appears that level 6 is not individually encrypted */
> if ((r->in.validation_level != 6) &&
> memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) {
>- /* This key is sent unencrypted without the ARCFOUR flag set */
>- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
>+ /* This key is sent unencrypted without the ARCFOUR or AES flag set */
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds,
>+ sam->key.key,
>+ sizeof(sam->key.key));
>+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> netlogon_creds_arcfour_crypt(creds,
> sam->key.key,
> sizeof(sam->key.key));
>@@ -823,7 +837,11 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
> /* It appears that level 6 is not individually encrypted */
> if ((r->in.validation_level != 6) &&
> memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) {
>- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds,
>+ sam->LMSessKey.key,
>+ sizeof(sam->LMSessKey.key));
>+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> netlogon_creds_arcfour_crypt(creds,
> sam->LMSessKey.key,
> sizeof(sam->LMSessKey.key));
>--
>1.7.9.5
>
>
>From 8a78339e5b64053f87da4ac7907973877c5b900a Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Wed, 5 Dec 2012 19:49:52 +0100
>Subject: [PATCH 21/28] s3-rpc_server: support AES for interactive netlogon
> samlogon password decryption.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Still need to fix AES support for the returned validation info.
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 645289216eeb718eab1201dd3ad0a50fdf85753c)
>---
> source3/auth/auth_util.c | 34 +------------------------
> source3/auth/proto.h | 3 +--
> source3/rpc_server/netlogon/srv_netlog_nt.c | 36 +++++++++++++++++++++++++--
> 3 files changed, 36 insertions(+), 37 deletions(-)
>
>diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
>index 83c95a9..b75a390 100644
>--- a/source3/auth/auth_util.c
>+++ b/source3/auth/auth_util.c
>@@ -207,16 +207,12 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
> uint32 logon_parameters,
> const uchar chal[8],
> const uchar lm_interactive_pwd[16],
>- const uchar nt_interactive_pwd[16],
>- const uchar *dc_sess_key)
>+ const uchar nt_interactive_pwd[16])
> {
> struct samr_Password lm_pwd;
> struct samr_Password nt_pwd;
> unsigned char local_lm_response[24];
> unsigned char local_nt_response[24];
>- unsigned char key[16];
>-
>- memcpy(key, dc_sess_key, 16);
>
> if (lm_interactive_pwd)
> memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
>@@ -224,31 +220,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
> if (nt_interactive_pwd)
> memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
>
>-#ifdef DEBUG_PASSWORD
>- DEBUG(100,("key:"));
>- dump_data(100, key, sizeof(key));
>-
>- DEBUG(100,("lm owf password:"));
>- dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
>-
>- DEBUG(100,("nt owf password:"));
>- dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
>-#endif
>-
>- if (lm_interactive_pwd)
>- arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
>-
>- if (nt_interactive_pwd)
>- arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
>-
>-#ifdef DEBUG_PASSWORD
>- DEBUG(100,("decrypt of lm owf password:"));
>- dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
>-
>- DEBUG(100,("decrypt of nt owf password:"));
>- dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
>-#endif
>-
> if (lm_interactive_pwd)
> SMBOWFencrypt(lm_pwd.hash, chal,
> local_lm_response);
>@@ -257,9 +228,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
> SMBOWFencrypt(nt_pwd.hash, chal,
> local_nt_response);
>
>- /* Password info paranoia */
>- ZERO_STRUCT(key);
>-
> {
> bool ret;
> NTSTATUS nt_status;
>diff --git a/source3/auth/proto.h b/source3/auth/proto.h
>index 98b48df..6c996722 100644
>--- a/source3/auth/proto.h
>+++ b/source3/auth/proto.h
>@@ -174,8 +174,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
> uint32 logon_parameters,
> const uchar chal[8],
> const uchar lm_interactive_pwd[16],
>- const uchar nt_interactive_pwd[16],
>- const uchar *dc_sess_key);
>+ const uchar nt_interactive_pwd[16]);
> bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
> const char *smb_name,
> const char *client_domain,
>diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
>index 16542f8..cb932b4 100644
>--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
>+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
>@@ -1596,6 +1596,39 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> {
> uint8_t chal[8];
>
>+#ifdef DEBUG_PASSWORD
>+ DEBUG(100,("lm owf password:"));
>+ dump_data(100, logon->password->lmpassword.hash, 16);
>+
>+ DEBUG(100,("nt owf password:"));
>+ dump_data(100, logon->password->ntpassword.hash, 16);
>+#endif
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_decrypt(creds,
>+ logon->password->lmpassword.hash,
>+ 16);
>+ netlogon_creds_aes_decrypt(creds,
>+ logon->password->ntpassword.hash,
>+ 16);
>+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
>+ netlogon_creds_arcfour_crypt(creds,
>+ logon->password->lmpassword.hash,
>+ 16);
>+ netlogon_creds_arcfour_crypt(creds,
>+ logon->password->ntpassword.hash,
>+ 16);
>+ } else {
>+ netlogon_creds_des_decrypt(creds, &logon->password->lmpassword);
>+ netlogon_creds_des_decrypt(creds, &logon->password->ntpassword);
>+ }
>+
>+#ifdef DEBUG_PASSWORD
>+ DEBUG(100,("decrypt of lm owf password:"));
>+ dump_data(100, logon->password->lmpassword.hash, 16);
>+
>+ DEBUG(100,("decrypt of nt owf password:"));
>+ dump_data(100, logon->password->ntpassword.hash, 16);
>+#endif
> status = make_auth_context_subsystem(talloc_tos(),
> &auth_context);
> if (!NT_STATUS_IS_OK(status)) {
>@@ -1611,8 +1644,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> logon->password->identity_info.parameter_control,
> chal,
> logon->password->lmpassword.hash,
>- logon->password->ntpassword.hash,
>- creds->session_key)) {
>+ logon->password->ntpassword.hash)) {
> status = NT_STATUS_NO_MEMORY;
> }
> break;
>--
>1.7.9.5
>
>
>From 14597acfabeee0eb144ef9daf9561e472a690352 Mon Sep 17 00:00:00 2001
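Review bot: The decryption now runs in place on the request (`logon->password->lmpassword.hash` / `ntpassword.hash`), whereas the code removed from make_user_info_netlogon_interactive worked on local copies and zeroed its key copy afterwards; the decrypted OWF hashes therefore stay in the request structure for the rest of the call, which is acceptable but deserves a one-line comment so nobody later reads the buffer expecting ciphertext. The three branches use the literal `16` where `sizeof(logon->password->lmpassword.hash)` would tie the length to the type, as the s4 server in patch 20 does. A blank line is missing between the closing `#endif` and `status = make_auth_context_subsystem(...)`. Whether `creds` is guaranteed non-NULL on the NDR_NETR_LOGONSAMLOGONEX path before this block is decided outside the hunk and should be confirmed, since the old code fetched that key from the schannel auth context instead. _netr_LogonSamLogon_base starts and ends outside the hunk.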
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 6 Dec 2012 14:31:32 +0100
>Subject: [PATCH 22/28] s3-auth: session keys in validation level 6 samlogon
> replies are *not* encrypted.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
>
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 7f435bd649f0b313804f40807a38de9478478b6c)
>---
> source3/auth/server_info.c | 8 --------
> 1 file changed, 8 deletions(-)
>
>diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
>index 216e5e3..02bf689 100644
>--- a/source3/auth/server_info.c
>+++ b/source3/auth/server_info.c
>@@ -176,20 +176,12 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
> server_info->session_key.data,
> MIN(sizeof(info3->base.key.key),
> server_info->session_key.length));
>- if (pipe_session_key) {
>- arcfour_crypt(info3->base.key.key,
>- pipe_session_key, 16);
>- }
> }
> if (server_info->lm_session_key.length) {
> memcpy(info3->base.LMSessKey.key,
> server_info->lm_session_key.data,
> MIN(sizeof(info3->base.LMSessKey.key),
> server_info->lm_session_key.length));
>- if (pipe_session_key) {
>- arcfour_crypt(info3->base.LMSessKey.key,
>- pipe_session_key, 8);
>- }
> }
>
> sam6->base = info3->base;
>--
>1.7.9.5
>
>
>From 063dbdbc356b66ceb3078afbca85ac4ccf324e63 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 6 Dec 2012 14:54:25 +0100
>Subject: [PATCH 23/28] s3-rpc_server: Remove obsolete process_creds boolean
> in samlogon server.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Guenther
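Review bot: With the two arcfour_crypt calls removed, the `pipe_session_key` parameter of serverinfo_to_SamInfo6 (signature outside the hunk) is no longer used, while the caller in _netr_LogonSamLogon_base still passes `creds->session_key, 16`; patch 24 in this series says it removes that plumbing, so the two should land together. A one-line comment at the removal site, e.g. `/* validation level 6 session keys are returned as-is; the s4 server documents the same "level 6 is not individually encrypted" rule */`, would record why this level differs from levels 2 and 3 for the next reader. serverinfo_to_SamInfo6 starts and ends outside the hunk.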
> >Signed-off-by: Günther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit c1fb595081c2b0bf66bce06c09750f53e8031311) >--- > source3/rpc_server/netlogon/srv_netlog_nt.c | 27 +++------------------------ > 1 file changed, 3 insertions(+), 24 deletions(-) > >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index cb932b4..4be2355 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c >@@ -1465,21 +1465,16 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, > struct auth_usersupplied_info *user_info = NULL; > struct auth_serversupplied_info *server_info = NULL; > struct auth_context *auth_context = NULL; >- uint8_t pipe_session_key[16]; >- bool process_creds = true; > const char *fn; > > switch (p->opnum) { > case NDR_NETR_LOGONSAMLOGON: >- process_creds = true; > fn = "_netr_LogonSamLogon"; > break; > case NDR_NETR_LOGONSAMLOGONWITHFLAGS: >- process_creds = true; > fn = "_netr_LogonSamLogonWithFlags"; > break; > case NDR_NETR_LOGONSAMLOGONEX: >- process_creds = false; > fn = "_netr_LogonSamLogonEx"; > break; > default: 
>@@ -1693,33 +1688,17 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> the SAM Local Security Authority should record that the user is
> logged in to the domain. */
> 
>- if (process_creds) {
>- /* Get the pipe session key from the creds. */
>- memcpy(pipe_session_key, creds->session_key, 16);
>- } else {
>- struct schannel_state *schannel_auth;
>- /* Get the pipe session key from the schannel. */
>- if ((p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL)
>- || (p->auth.auth_ctx == NULL)) {
>- return NT_STATUS_INVALID_HANDLE;
>- }
>- 
>- schannel_auth = talloc_get_type_abort(p->auth.auth_ctx,
>- struct schannel_state);
>- memcpy(pipe_session_key, schannel_auth->creds->session_key, 16);
>- }
>- 
> switch (r->in.validation_level) {
> case 2:
>- status = serverinfo_to_SamInfo2(server_info, pipe_session_key, 16,
>+ status = serverinfo_to_SamInfo2(server_info, creds->session_key, 16,
> r->out.validation->sam2);
> break;
> case 3:
>- status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16,
>+ status = serverinfo_to_SamInfo3(server_info, creds->session_key, 16,
> r->out.validation->sam3);
> break;
> case 6:
>- status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
>+ status = serverinfo_to_SamInfo6(server_info, creds->session_key, 16,
> r->out.validation->sam6);
> break;
> }
>-- 
>1.7.9.5
> 
> 
>From 2105d420bcf83eb644e6e2a9f14e716911159dad Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 6 Dec 2012 15:21:02 +0100
>Subject: [PATCH 24/28] s3-auth: remove crypto from serverinfo_to_SamInfoX
> calls.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
> 
>All crypto is dealt with within the netlogon samlogon server now.
> 
>Guenther
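Review bot: Removing the `p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL` / `p->auth.auth_ctx == NULL` check deletes the only place in this hunk that tied the LogonSamLogonEx opnum to an schannel-protected pipe, and the rewritten `case` arms now read `creds->session_key` directly, so correctness rests on `creds` having been populated for all three opnums earlier in the function, which begins outside this hunk. If that is where the schannel requirement is now enforced, a comment above the `switch` such as `/* creds was established for every opnum above; the Ex variant requires the schannel auth context */` would make the invariant visible; if it is not, the removed check has to come back, since returning a session key derived from the wrong credential state is worse than NT_STATUS_INVALID_HANDLE. The `16` passed alongside `creds->session_key` is a magic length that `sizeof(creds->session_key)` would document better, though the parameter is removed again in the next patch.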
> >Signed-off-by: Günther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit f2d9589b178c0e3374e1c1ad363639b9e2bdce5f) >--- > source3/auth/check_samsec.c | 2 +- > source3/auth/proto.h | 6 ----- > source3/auth/server_info.c | 22 ------------------ > source3/rpc_server/netlogon/srv_netlog_nt.c | 32 +++++++++++++++++++++++---- > source3/torture/pdbtest.c | 2 +- > 5 files changed, 30 insertions(+), 34 deletions(-) > >diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c >index 2d3cb65..7ed8cc2 100644 >--- a/source3/auth/check_samsec.c >+++ b/source3/auth/check_samsec.c >@@ -537,7 +537,7 @@ NTSTATUS check_sam_security_info3(const DATA_BLOB *challenge, > goto done; > } > >- status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3); >+ status = serverinfo_to_SamInfo3(server_info, info3); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(10, ("serverinfo_to_SamInfo3 failed: %s\n", > nt_errstr(status))); >diff --git a/source3/auth/proto.h b/source3/auth/proto.h >index 6c996722..76661fc 100644 >--- a/source3/auth/proto.h >+++ b/source3/auth/proto.h >@@ -276,16 +276,10 @@ struct netr_SamInfo6; > > struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx); > NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, >- uint8_t *pipe_session_key, >- size_t pipe_session_key_len, > struct netr_SamInfo2 *sam2); > NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info, >- uint8_t *pipe_session_key, >- size_t pipe_session_key_len, > struct netr_SamInfo3 *sam3); > NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, >- uint8_t *pipe_session_key, >- size_t pipe_session_key_len, > struct netr_SamInfo6 *sam6); > NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, > struct samu *samu, >diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c >index 02bf689..3f4f708 100644 >--- a/source3/auth/server_info.c 
>+++ b/source3/auth/server_info.c >@@ -59,8 +59,6 @@ struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) > *****************************************************************************/ > > NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, >- uint8_t *pipe_session_key, >- size_t pipe_session_key_len, > struct netr_SamInfo2 *sam2) > { > struct netr_SamInfo3 *info3; >@@ -75,20 +73,12 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, > server_info->session_key.data, > MIN(sizeof(info3->base.key.key), > server_info->session_key.length)); >- if (pipe_session_key) { >- arcfour_crypt(info3->base.key.key, >- pipe_session_key, 16); >- } > } > if (server_info->lm_session_key.length) { > memcpy(info3->base.LMSessKey.key, > server_info->lm_session_key.data, > MIN(sizeof(info3->base.LMSessKey.key), > server_info->lm_session_key.length)); >- if (pipe_session_key) { >- arcfour_crypt(info3->base.LMSessKey.key, >- pipe_session_key, 8); >- } > } > > sam2->base = info3->base; >@@ -102,8 +92,6 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, > *****************************************************************************/ > > NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info, >- uint8_t *pipe_session_key, >- size_t pipe_session_key_len, > struct netr_SamInfo3 *sam3) > { > struct netr_SamInfo3 *info3; 
>@@ -118,20 +106,12 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in > server_info->session_key.data, > MIN(sizeof(info3->base.key.key), > server_info->session_key.length)); >- if (pipe_session_key) { >- arcfour_crypt(info3->base.key.key, >- pipe_session_key, 16); >- } > } > if (server_info->lm_session_key.length) { > memcpy(info3->base.LMSessKey.key, > server_info->lm_session_key.data, > MIN(sizeof(info3->base.LMSessKey.key), > server_info->lm_session_key.length)); >- if (pipe_session_key) { >- arcfour_crypt(info3->base.LMSessKey.key, >- pipe_session_key, 8); >- } > } > > sam3->base = info3->base; >@@ -148,8 +128,6 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in > *****************************************************************************/ > > NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, >- uint8_t *pipe_session_key, >- size_t pipe_session_key_len, > struct netr_SamInfo6 *sam6) > { > struct pdb_domain_info *dominfo; >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index 4be2355..9b50655 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c >@@ -1466,6 +1466,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, > struct auth_serversupplied_info *server_info = NULL; > struct auth_context *auth_context = NULL; > const char *fn; >+ struct netr_SamBaseInfo *base; > > switch (p->opnum) { > case NDR_NETR_LOGONSAMLOGON: 
>@@ -1690,22 +1691,45 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
> 
> switch (r->in.validation_level) {
> case 2:
>- status = serverinfo_to_SamInfo2(server_info, creds->session_key, 16,
>+ status = serverinfo_to_SamInfo2(server_info,
> r->out.validation->sam2);
>+ base = &r->out.validation->sam2->base;
> break;
> case 3:
>- status = serverinfo_to_SamInfo3(server_info, creds->session_key, 16,
>+ status = serverinfo_to_SamInfo3(server_info,
> r->out.validation->sam3);
>+ base = &r->out.validation->sam3->base;
> break;
> case 6:
>- status = serverinfo_to_SamInfo6(server_info, creds->session_key, 16,
>+ status = serverinfo_to_SamInfo6(server_info,
> r->out.validation->sam6);
>+ base = &r->out.validation->sam6->base;
> break;
> }
> 
> TALLOC_FREE(server_info);
> 
>- return status;
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return status;
>+ }
>+ 
>+ if (r->in.validation_level == 6) {
>+ /* no further crypto to be applied - gd */
>+ return NT_STATUS_OK;
>+ }
>+ 
>+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ netlogon_creds_aes_encrypt(creds, base->key.key, 16);
>+ netlogon_creds_aes_encrypt(creds, base->LMSessKey.key, 8);
>+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
>+ netlogon_creds_arcfour_crypt(creds, base->key.key, 16);
>+ netlogon_creds_arcfour_crypt(creds, base->LMSessKey.key, 8);
>+ } else {
>+ /* key is unencrypted when neither AES nor RC4 bits are set */
>+ netlogon_creds_des_encrypt_LMKey(creds, &base->LMSessKey);
>+ }
>+ 
>+ return NT_STATUS_OK;
> }
> 
> /****************************************************************
>diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
>index d0d529e..17da455 100644
>--- a/source3/torture/pdbtest.c
>+++ b/source3/torture/pdbtest.c
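Review bot: `base`, declared without an initializer in the preceding srv_netlog_nt.c hunk, is only assigned in the `case 2`/`3`/`6` arms and the `switch` has no `default`, so if `r->in.validation_level` reaches this point with any other value, `status` keeps whatever the earlier auth step left in it and the new encryption block dereferences an indeterminate pointer. Even if the level is validated higher up in _netr_LogonSamLogon_base (not visible in this hunk), the cheap guard is `struct netr_SamBaseInfo *base = NULL;` at the declaration plus a `default: return NT_STATUS_INVALID_INFO_CLASS;` arm after the `TALLOC_FREE`, which also keeps compilers from warning about a maybe-uninitialized use. The fallback comment should state the protocol rule rather than just the branch condition, e.g. `/* with neither AES nor RC4 negotiated only LMSessKey is DES-encrypted; the user session key is sent unencrypted */`, because that asymmetry is what a reader will otherwise take for a missing call. The `16` and `8` literals are `sizeof(base->key.key)` and `sizeof(base->LMSessKey.key)`, as the decrypt side in libcli/auth already spells them.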
>@@ -316,7 +316,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry) > return False; > } > >- status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3_auth); >+ status = serverinfo_to_SamInfo3(server_info, info3_auth); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n", > nt_errstr(status))); >-- >1.7.9.5 > > >From 786ba6342bb7d2747785e24bec39401d88a5ac08 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 7 Dec 2012 01:05:00 +0100 >Subject: [PATCH 25/28] libcli/auth: remove trailing whitespace. >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Guenther > >Signed-off-by: Günther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit be296a21fc509cacaedb5aad0c3ca4ccd44b4a62) >--- > libcli/auth/credentials.c | 76 ++++++++++++++++++++++----------------------- > 1 file changed, 38 insertions(+), 38 deletions(-) > >diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c >index be43c95..77df7f7 100644 >--- a/libcli/auth/credentials.c >+++ b/libcli/auth/credentials.c 
>@@ -1,21 +1,21 @@ >-/* >+/* > Unix SMB/CIFS implementation. > > code to manipulate domain credentials > > Copyright (C) Andrew Tridgell 1997-2003 > Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004 >- >+ > This program is free software; you can redistribute it and/or modify > it under the terms of the GNU General Public License as published by > the Free Software Foundation; either version 3 of the License, or > (at your option) any later version. >- >+ > This program is distributed in the hope that it will be useful, > but WITHOUT ANY WARRANTY; without even the implied warranty of > MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > GNU General Public License for more details. >- >+ > You should have received a copy of the GNU General Public License > along with this program. If not, see <http://www.gnu.org/licenses/>. > */ >@@ -85,7 +85,7 @@ static void netlogon_creds_init_128bit(struct netlogon_creds_CredentialState *cr > > memset(zero, 0, sizeof(zero)); > >- hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx); >+ hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx); > MD5Init(&md5); > MD5Update(&md5, zero, sizeof(zero)); > MD5Update(&md5, client_challenge->data, 8); >@@ -142,7 +142,7 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds) > { > struct netr_Credential time_cred; > >- DEBUG(5,("\tseed %08x:%08x\n", >+ DEBUG(5,("\tseed %08x:%08x\n", > IVAL(creds->seed.data, 0), IVAL(creds->seed.data, 4))); > > SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence); 
>@@ -152,18 +152,18 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds) > > netlogon_creds_step_crypt(creds, &time_cred, &creds->client); > >- DEBUG(5,("\tCLIENT %08x:%08x\n", >+ DEBUG(5,("\tCLIENT %08x:%08x\n", > IVAL(creds->client.data, 0), IVAL(creds->client.data, 4))); > > SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence + 1); > SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4)); > >- DEBUG(5,("\tseed+time+1 %08x:%08x\n", >+ DEBUG(5,("\tseed+time+1 %08x:%08x\n", > IVAL(time_cred.data, 0), IVAL(time_cred.data, 4))); > > netlogon_creds_step_crypt(creds, &time_cred, &creds->server); > >- DEBUG(5,("\tSERVER %08x:%08x\n", >+ DEBUG(5,("\tSERVER %08x:%08x\n", > IVAL(creds->server.data, 0), IVAL(creds->server.data, 4))); > > creds->seed = time_cred; >@@ -259,10 +259,10 @@ next comes the client specific functions > initialise the credentials chain and return the first client > credentials > */ >- >-struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx, >+ >+struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx, > const char *client_account, >- const char *client_computer_name, >+ const char *client_computer_name, > const struct netr_Credential *client_challenge, > const struct netr_Credential *server_challenge, > const struct samr_Password *machine_password, >@@ -270,11 +270,11 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me > uint32_t negotiate_flags) > { > struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); >- >+ > if (!creds) { > return NULL; > } >- >+ > creds->sequence = time(NULL); > creds->negotiate_flags = negotiate_flags; 
> >@@ -317,7 +317,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me > initialise the credentials structure with only a session key. The caller better know what they are doing! > */ > >-struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx, >+struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx, > const uint8_t session_key[16]) > { > struct netlogon_creds_CredentialState *creds; >@@ -326,7 +326,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA > if (!creds) { > return NULL; > } >- >+ > memcpy(creds->session_key, session_key, 16); > > return creds; >@@ -336,12 +336,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA > step the credentials to the next element in the chain, updating the > current client and server credentials and the seed > >- produce the next authenticator in the sequence ready to send to >+ produce the next authenticator in the sequence ready to send to > the server > */ > void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds, > struct netr_Authenticator *next) >-{ >+{ > creds->sequence += 2; > netlogon_creds_step(creds); > >@@ -355,7 +355,7 @@ void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState * > bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds, > const struct netr_Credential *received_credentials) > { >- if (!received_credentials || >+ if (!received_credentials || > memcmp(received_credentials->data, creds->server.data, 8) != 0) { > DEBUG(2,("credentials check failed\n")); > return false; 
>@@ -388,9 +388,9 @@ static bool netlogon_creds_server_check_internal(const struct netlogon_creds_Cre > initialise the credentials chain and return the first server > credentials > */ >-struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx, >+struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx, > const char *client_account, >- const char *client_computer_name, >+ const char *client_computer_name, > uint16_t secure_channel_type, > const struct netr_Credential *client_challenge, > const struct netr_Credential *server_challenge, >@@ -399,13 +399,13 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me > struct netr_Credential *credentials_out, > uint32_t negotiate_flags) > { >- >+ > struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); >- >+ > if (!creds) { > return NULL; > } >- >+ > creds->negotiate_flags = negotiate_flags; > creds->secure_channel_type = secure_channel_type; > >@@ -430,10 +430,10 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me > server_challenge, > machine_password); > } else if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { >- netlogon_creds_init_128bit(creds, client_challenge, server_challenge, >+ netlogon_creds_init_128bit(creds, client_challenge, server_challenge, > machine_password); > } else { >- netlogon_creds_init_64bit(creds, client_challenge, server_challenge, >+ netlogon_creds_init_64bit(creds, client_challenge, server_challenge, > machine_password); > } 
> >@@ -461,7 +461,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me > > NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds, > struct netr_Authenticator *received_authenticator, >- struct netr_Authenticator *return_authenticator) >+ struct netr_Authenticator *return_authenticator) > { > if (!received_authenticator || !return_authenticator) { > return NT_STATUS_INVALID_PARAMETER; >@@ -487,7 +487,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState > > void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds, > uint16_t validation_level, >- union netr_Validation *validation) >+ union netr_Validation *validation) > { > static const char zeros[16]; > >@@ -521,27 +521,27 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred > if (validation_level == 6) { > /* they aren't encrypted! */ > } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { >- if (memcmp(base->key.key, zeros, >+ if (memcmp(base->key.key, zeros, > sizeof(base->key.key)) != 0) { >- netlogon_creds_arcfour_crypt(creds, >- base->key.key, >+ netlogon_creds_arcfour_crypt(creds, >+ base->key.key, > sizeof(base->key.key)); > } >- >- if (memcmp(base->LMSessKey.key, zeros, >+ >+ if (memcmp(base->LMSessKey.key, zeros, > sizeof(base->LMSessKey.key)) != 0) { >- netlogon_creds_arcfour_crypt(creds, >- base->LMSessKey.key, >+ netlogon_creds_arcfour_crypt(creds, >+ base->LMSessKey.key, > sizeof(base->LMSessKey.key)); > } > } else { >- if (memcmp(base->LMSessKey.key, zeros, >+ if (memcmp(base->LMSessKey.key, zeros, > sizeof(base->LMSessKey.key)) != 0) { >- netlogon_creds_des_decrypt_LMKey(creds, >+ netlogon_creds_des_decrypt_LMKey(creds, > &base->LMSessKey); > } > } >-} >+} > > /* > copy a netlogon_creds_CredentialState struct >-- >1.7.9.5 > > >From 7f695f315122db827eea05b8941342ad8541ed70 Mon Sep 17 00:00:00 2001 
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Fri, 7 Dec 2012 12:38:16 +0100
>Subject: [PATCH 26/28] libcli/auth: support AES decryption in
> netlogon_creds_decrypt_samlogon().
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
> 
>Guenther
> 
>Signed-off-by: Günther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit f6cb8049b2fe62054d254a006b8a39f000d1d1d5)
>---
> libcli/auth/credentials.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
> 
>diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
>index 77df7f7..63407e7 100644
>--- a/libcli/auth/credentials.c
>+++ b/libcli/auth/credentials.c
>@@ -520,6 +520,20 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred
> /* find and decyrpt the session keys, return in parameters above */
> if (validation_level == 6) {
> /* they aren't encrypted! */
>+ } else if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
>+ if (memcmp(base->key.key, zeros,
>+ sizeof(base->key.key)) != 0) {
>+ netlogon_creds_aes_decrypt(creds,
>+ base->key.key,
>+ sizeof(base->key.key));
>+ }
>+ 
>+ if (memcmp(base->LMSessKey.key, zeros,
>+ sizeof(base->LMSessKey.key)) != 0) {
>+ netlogon_creds_aes_decrypt(creds,
>+ base->LMSessKey.key,
>+ sizeof(base->LMSessKey.key));
>+ }
> } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
> if (memcmp(base->key.key, zeros,
> sizeof(base->key.key)) != 0) {
>-- 
>1.7.9.5
> 
> 
>From 742dbcce98966e4f5045f08e12357a1c2cd3a325 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Fri, 7 Dec 2012 12:57:18 +0100
>Subject: [PATCH 27/28] s4-torture: precalculate expected session keys from
> samlogon in schannel test.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
> 
>Guenther
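Review bot: The new AES arm copies the all-zero `memcmp` skip from the ARCFOUR arm without saying why it is there, and a reader is likely to take it for a bug, since an all-zero 16-byte block is a perfectly valid AES-CFB8 ciphertext. Presumably the zeros mean the peer supplied no session key at all rather than an encrypted one; if so, a comment on the first `memcmp`, e.g. `/* an all-zero key was never filled in by the server, so there is nothing to decrypt */`, would record that, and the server-side encrypt added earlier in this series does not apply the same skip, so the two sides should be checked against each other. This is also the third hand-written copy of the AES/ARCFOUR/DES precedence on `creds->negotiate_flags` in the series; a shared helper would keep the ordering from drifting between client and server.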
> >Signed-off-by: Günther Deschner <gd@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit d0bad6c3350698b26ba009bb0c91d0265cc22f60) >--- > source4/torture/rpc/schannel.c | 118 +++++++++++++++++++++++++++++++++++++--- > 1 file changed, 111 insertions(+), 7 deletions(-) > >diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c >index 7e3e6aa..e0862d2 100644 >--- a/source4/torture/rpc/schannel.c >+++ b/source4/torture/rpc/schannel.c >@@ -58,6 +58,13 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx, > int flags = CLI_CRED_NTLM_AUTH; > struct dcerpc_binding_handle *b = p->binding_handle; > >+ struct netr_UserSessionKey key; >+ struct netr_LMSessionKey LMSessKey; >+ uint32_t validation_levels[] = { 2, 3 }; >+ struct netr_SamBaseInfo *base; >+ const char *crypto_alg = ""; >+ bool can_do_validation_6 = true; >+ > if (lpcfg_client_lanman_auth(tctx->lp_ctx)) { > flags |= CLI_CRED_LANMAN_AUTH; > } 
>@@ -109,16 +116,113 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx, > r.out.authoritative = &authoritative; > r.out.flags = &_flags; > >+ /* >+ - retrieve level6 >+ - save usrsession and lmsession key >+ - retrieve level 2 >+ - calculate, compare >+ - retrieve level 3 >+ - calculate, compare >+ */ >+ >+ if (creds) { >+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { >+ crypto_alg = "AES"; >+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { >+ crypto_alg = "ARCFOUR"; >+ } >+ } >+ >+ r.in.validation_level = 6; >+ > torture_comment(tctx, >- "Testing LogonSamLogonEx with name %s\n", >- ninfo.identity_info.account_name.string); >+ "Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n", >+ ninfo.identity_info.account_name.string, crypto_alg, >+ r.in.validation_level); >+ >+ torture_assert_ntstatus_ok(tctx, >+ dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r), >+ "LogonSamLogonEx failed"); >+ if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) { >+ can_do_validation_6 = false; >+ } else { >+ torture_assert_ntstatus_ok(tctx, r.out.result, >+ "LogonSamLogonEx failed"); >+ >+ key = r.out.validation->sam6->base.key; >+ LMSessKey = r.out.validation->sam6->base.LMSessKey; >+ >+ DEBUG(1,("unencrypted session keys from validation_level 6:\n")); >+ dump_data(1, r.out.validation->sam6->base.key.key, 16); >+ dump_data(1, r.out.validation->sam6->base.LMSessKey.key, 8); >+ } >+ >+ for (i=0; i < ARRAY_SIZE(validation_levels); i++) { > >- for (i=2;i<3;i++) { >- r.in.validation_level = i; >+ r.in.validation_level = validation_levels[i]; >+ >+ torture_comment(tctx, >+ "Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n", >+ ninfo.identity_info.account_name.string, crypto_alg, >+ r.in.validation_level); >+ >+ torture_assert_ntstatus_ok(tctx, >+ dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r), >+ "LogonSamLogonEx failed"); >+ torture_assert_ntstatus_ok(tctx, r.out.result, >+ "LogonSamLogonEx 
failed"); >+ >+ if (creds == NULL) { >+ /* when this test is called without creds no point in >+ * testing the session keys */ >+ continue; >+ } >+ >+ switch (validation_levels[i]) { >+ case 2: >+ base = &r.out.validation->sam2->base; >+ break; >+ case 3: >+ base = &r.out.validation->sam3->base; >+ break; >+ default: >+ break; >+ } >+ >+ DEBUG(1,("encrypted keys validation_level %d:\n", >+ validation_levels[i])); >+ dump_data(1, base->key.key, 16); >+ dump_data(1, base->LMSessKey.key, 8); >+ >+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { >+ netlogon_creds_aes_decrypt(creds, base->key.key, 16); >+ netlogon_creds_aes_decrypt(creds, base->LMSessKey.key, 8); >+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { >+ netlogon_creds_arcfour_crypt(creds, base->key.key, 16); >+ netlogon_creds_arcfour_crypt(creds, base->LMSessKey.key, 8); >+ } >+ >+ DEBUG(1,("decryped keys validation_level %d\n", >+ validation_levels[i])); >+ >+ dump_data(1, base->key.key, 16); >+ dump_data(1, base->LMSessKey.key, 8); >+ >+ if (!can_do_validation_6) { >+ /* we cant compare against unencrypted keys */ >+ continue; >+ } > >- torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r), >- "LogonSamLogon failed"); >- torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed"); >+ torture_assert_mem_equal(tctx, >+ base->key.key, >+ key.key, >+ 16, >+ "unexpected user session key\n"); >+ torture_assert_mem_equal(tctx, >+ base->LMSessKey.key, >+ LMSessKey.key, >+ 8, >+ "unexpected LM session key\n"); > } > > return true; >-- >1.7.9.5 > > >From e390bd120f58c19d50273058dcb52ea3aa809c5d Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 7 Dec 2012 12:51:10 +0100 >Subject: [PATCH 28/28] s4-torture: call the s4u2self tests with arcfour and > aes. >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Guenther > >Signed-off-by: Günther Deschner <gd@samba.org> 
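Review bot: The decrypt step inside the loop re-implements only the AES and ARCFOUR arms, so with credentials that negotiate neither flag the `LMSessKey` stays DES-encrypted and the `torture_assert_mem_equal` on it would fail; `netlogon_creds_decrypt_samlogon(creds, validation_levels[i], r.out.validation);` already handles all three cases, is the routine this series just extended with AES, and calling it here would test that code path directly instead of a copy of it. The `default:` arm of `switch (validation_levels[i])` leaves `base` unset; it is unreachable with the current two-element array, but `torture_assert(tctx, false, "unexpected validation level");` there is cheaper than a later NULL dereference if the array grows. The new message `"decryped keys validation_level %d\n"` is misspelled. This hunk spans two display lines; the loop and its `return true` are both visible.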
>Signed-off-by: Stefan Metzmacher <metze@samba.org> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Sun Dec 9 21:24:44 CET 2012 on sn-devel-104 >(cherry picked from commit ade5bfd304cc806758a58f04b35834cd730dd9ba) >--- > source4/torture/rpc/remote_pac.c | 59 ++++++++++++++++++++++++++++++-------- > 1 file changed, 47 insertions(+), 12 deletions(-) > >diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c >index ccecc06..b95773f 100644 >--- a/source4/torture/rpc/remote_pac.c >+++ b/source4/torture/rpc/remote_pac.c >@@ -515,7 +515,8 @@ static bool test_S2U4Self(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *credentials, > enum netr_SchannelType secure_channel_type, >- const char *test_machine_name) >+ const char *test_machine_name, >+ uint32_t negotiate_flags) > { > NTSTATUS status; > struct dcerpc_binding_handle *b = p->binding_handle; >@@ -550,6 +551,10 @@ static bool test_S2U4Self(struct torture_context *tctx, > > torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed"); > >+ torture_comment(tctx, >+ "Testing S4U2SELF (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x\n", >+ secure_channel_type, test_machine_name, negotiate_flags); >+ > auth_context = talloc_zero(tmp_ctx, struct auth4_context); > torture_assert(tctx, auth_context != NULL, "talloc_new() failed"); > >@@ -709,7 +714,7 @@ static bool test_S2U4Self(struct torture_context *tctx, > r.out.validation = &validation; > r.out.authoritative = &authoritative; > >- if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, >+ if (!test_SetupCredentials2(p, tctx, negotiate_flags, > credentials, secure_channel_type, > &creds)) { > return false; 
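Review bot: The new `torture_comment` format string in the second hunk opens a parenthesis after `S4U2SELF` that is never closed; `"Testing S4U2SELF (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x)\n"` reads correctly. The added `negotiate_flags` parameter of test_S2U4Self has no comment; since the third hunk shows it is handed straight to test_SetupCredentials2, a one-line `/* NETLOGON_NEG_* flags offered when the schannel credentials are set up */` at the prototype would document what callers are expected to pass.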
>@@ -758,18 +763,40 @@ static bool test_S2U4Self(struct torture_context *tctx, > return true; > } > >-static bool test_S2U4Self_bdc(struct torture_context *tctx, >- struct dcerpc_pipe *p, >- struct cli_credentials *credentials) >+static bool test_S2U4Self_bdc_arcfour(struct torture_context *tctx, >+ struct dcerpc_pipe *p, >+ struct cli_credentials *credentials) > { >- return test_S2U4Self(tctx, p, credentials, SEC_CHAN_BDC, TEST_MACHINE_NAME_S2U4SELF_BDC); >+ return test_S2U4Self(tctx, p, credentials, SEC_CHAN_BDC, >+ TEST_MACHINE_NAME_S2U4SELF_BDC, >+ NETLOGON_NEG_AUTH2_ADS_FLAGS); > } > >-static bool test_S2U4Self_workstation(struct torture_context *tctx, >+static bool test_S2U4Self_bdc_aes(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *credentials) > { >- return test_S2U4Self(tctx, p, credentials, SEC_CHAN_WKSTA, TEST_MACHINE_NAME_S2U4SELF_WKSTA); >+ return test_S2U4Self(tctx, p, credentials, SEC_CHAN_BDC, >+ TEST_MACHINE_NAME_S2U4SELF_BDC, >+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); >+} >+ >+static bool test_S2U4Self_workstation_arcfour(struct torture_context *tctx, >+ struct dcerpc_pipe *p, >+ struct cli_credentials *credentials) >+{ >+ return test_S2U4Self(tctx, p, credentials, SEC_CHAN_WKSTA, >+ TEST_MACHINE_NAME_S2U4SELF_WKSTA, >+ NETLOGON_NEG_AUTH2_ADS_FLAGS); >+} >+ >+static bool test_S2U4Self_workstation_aes(struct torture_context *tctx, >+ struct dcerpc_pipe *p, >+ struct cli_credentials *credentials) >+{ >+ return test_S2U4Self(tctx, p, credentials, SEC_CHAN_WKSTA, >+ TEST_MACHINE_NAME_S2U4SELF_WKSTA, >+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); > } > > struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx) 
>@@ -798,13 +825,21 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx)
> &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES);
> torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des);
> 
>- tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netlogon-bdc",
>+ tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour",
>+ &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_BDC);
>+ torture_rpc_tcase_add_test_creds(tcase, "s2u4self-arcfour", test_S2U4Self_bdc_arcfour);
>+ 
>+ tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bcd-aes",
> &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_BDC);
>- torture_rpc_tcase_add_test_creds(tcase, "s2u4self", test_S2U4Self_bdc);
>+ torture_rpc_tcase_add_test_creds(tcase, "s2u4self-aes", test_S2U4Self_bdc_aes);
> 
>- tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member",
>+ tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-arcfour",
>+ &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_WKSTA);
>+ torture_rpc_tcase_add_test_creds(tcase, "s2u4self-arcfour", test_S2U4Self_workstation_arcfour);
>+ 
>+ tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netr-mem-aes",
> &ndr_table_netlogon, TEST_MACHINE_NAME_S2U4SELF_WKSTA);
>+ torture_rpc_tcase_add_test_creds(tcase, "s2u4self-aes", test_S2U4Self_workstation_aes);
> 
>- torture_rpc_tcase_add_test_creds(tcase, "s2u4self", test_S2U4Self_workstation);
> return suite;
> }
>-- 
>1.7.9.5
> 
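Review bot: The tcase name `"netr-bcd-aes"` looks like a transposition of the `"netr-bdc-arcfour"` name added four lines above; it should be `"netr-bdc-aes"` so the bdc AES case is reachable by the same name pattern as its arcfour sibling. Because these names are what selects tests on the command line and in the test lists, the typo would let the AES variant on the bdc channel be silently skipped while the workstation variant runs, which is exactly the case this bug is about.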
Flags:
gd
:
review+
metze
:
review+