svn commit: samba r2200 - in branches/SAMBA_4_0/source/torture: . rpc

Fri Sep 3 08:28:25 GMT 2004

Author: tridge
Date: 2004-09-03 08:28:24 +0000 (Fri, 03 Sep 2004)
New Revision: 2200

WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_4_0/source/torture&rev=2200&nolog=1

Log:
solved another piece of the lsakey puzzle - the session key for lsa
encryption on ncacn_ip_tcp is a fixed buffer! I don't yet know what
the buffer is, but this code proves its the same buffer for different
w2k3 servers and different user passwords, plus it is independent of
the negotiated NTLMSSP session key.


Modified:
   branches/SAMBA_4_0/source/torture/rpc/lsa.c
   branches/SAMBA_4_0/source/torture/rpc/testjoin.c
   branches/SAMBA_4_0/source/torture/torture.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/lsa.c
===================================================================

--- branches/SAMBA_4_0/source/torture/rpc/lsa.c	2004-09-03 05:16:25 UTC (rev 2199)
+++ branches/SAMBA_4_0/source/torture/rpc/lsa.c	2004-09-03 08:28:24 UTC (rev 2200)
@@ -496,6 +496,153 @@
 	return ret;
 }
 
+
+static BOOL test_lsakey_puzzle(struct dcerpc_pipe *p_smb, 
+				      TALLOC_CTX *mem_ctx,
+				      struct policy_handle *handle_smb)
+{
+        NTSTATUS status;
+        struct dcerpc_pipe *p_tcp;
+	struct policy_handle handle_tcp, sec_handle, sec_handle2;
+	struct lsa_CreateSecret cr;
+	struct lsa_OpenSecret or;
+	struct lsa_SetSecret sr;
+	struct lsa_QuerySecret qr;
+	char *secname;
+	const char *secret1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+	DATA_BLOB session_key, blob1, blob2;
+	DATA_BLOB enc_key;
+	NTTIME old_mtime, new_mtime;
+	struct lsa_DATA_BUF buf1;
+	struct lsa_DATA_BUF_PTR bufp1;
+
+	status = torture_rpc_connection_transport(&p_tcp, 
+						  DCERPC_LSARPC_NAME, 
+						  DCERPC_LSARPC_UUID, 
+						  DCERPC_LSARPC_VERSION,
+						  NCACN_IP_TCP);
+	if (!NT_STATUS_IS_OK(status)) {
+		return False;
+	}
+
+	if (!test_OpenPolicy2(p_tcp, mem_ctx, &handle_tcp)) {
+		return False;
+	}
+
+	asprintf(&secname, "torturesecret-%u", (uint_t)random());
+
+	printf("calling CreateSecret on %s\n", secname);
+
+	init_lsa_Name(&cr.in.name, secname);
+
+	cr.in.handle = handle_smb;
+	cr.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+	cr.out.sec_handle = &sec_handle;
+
+	status = dcerpc_lsa_CreateSecret(p_smb, mem_ctx, &cr);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("CreateSecret failed - %s\n", nt_errstr(status));
+		return False;
+	}
+
+	status = dcerpc_fetch_session_key(p_smb, &session_key);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
+		return False;
+	}
+
+	printf("SMB session key:\n");
+	dump_data(0, session_key.data, session_key.length);
+
+	enc_key = sess_encrypt_string(secret1, &session_key);
+
+	blob1 = data_blob_talloc(mem_ctx, enc_key.data, enc_key.length);
+	sess_crypt_blob(&blob1, &enc_key, &session_key, False);
+
+	printf("Plain-text:\n");
+	dump_data(0, blob1.data, blob1.length);
+
+	printf("SMB encrypted:\n");
+	dump_data(0, enc_key.data, enc_key.length);
+
+	sr.in.handle = &sec_handle;
+	sr.in.new_val = &buf1;
+	sr.in.old_val = NULL;
+	sr.in.new_val->data = enc_key.data;
+	sr.in.new_val->length = enc_key.length;
+	sr.in.new_val->size = enc_key.length;
+
+	printf("calling SetSecret\n");
+
+	status = dcerpc_lsa_SetSecret(p_smb, mem_ctx, &sr);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("SetSecret failed - %s\n", nt_errstr(status));
+		return False;
+	}
+
+	or.in.handle = &handle_tcp;
+	or.in.access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
+	or.in.name = cr.in.name;
+	or.out.sec_handle = &sec_handle2;
+
+	printf("Calling OpenSecret\n");
+
+	status = dcerpc_lsa_OpenSecret(p_tcp, mem_ctx, &or);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("OpenSecret failed - %s\n", nt_errstr(status));
+		return False;
+	}
+
+	ZERO_STRUCT(new_mtime);
+	ZERO_STRUCT(old_mtime);
+
+	/* fetch the secret back again */
+	qr.in.handle = &sec_handle2;
+	qr.in.new_val = &bufp1;
+	qr.in.new_mtime = &new_mtime;
+	qr.in.old_val = NULL;
+	qr.in.old_mtime = NULL;
+
+	bufp1.buf = NULL;
+
+	status = dcerpc_lsa_QuerySecret(p_tcp, mem_ctx, &qr);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("QuerySecret failed - %s\n", nt_errstr(status));
+		return False;
+	}
+
+	status = dcerpc_fetch_session_key(p_tcp, &session_key);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("dcerpc_fetch_session_key failed - %s\n", nt_errstr(status));
+		return False;
+	}
+
+	printf("TCP session key:\n");
+	dump_data(0, session_key.data, session_key.length);
+
+	blob1.data = qr.out.new_val->buf->data;
+	blob1.length = qr.out.new_val->buf->length;
+
+	printf("Encrypted blob:\n");
+	dump_data(0, blob1.data, blob1.length);
+
+	session_key.length = 16;
+	blob2 = data_blob_talloc(mem_ctx, blob1.data, blob1.length);
+
+	/* try a zero session key to decrypt. */
+	data_blob_clear(&session_key);
+	sess_crypt_blob(&blob2, &blob1, &session_key, False);
+	printf("Test-text:\n");
+	dump_data(0, blob2.data, blob2.length);
+
+	talloc_destroy(mem_ctx);
+        torture_rpc_close(p_smb);
+        torture_rpc_close(p_tcp);
+
+	return True;
+}
+
+
 static BOOL test_EnumAccountRights(struct dcerpc_pipe *p, 
 				   TALLOC_CTX *mem_ctx, 
 				   struct policy_handle *acct_handle,
@@ -893,6 +1040,11 @@
 		ret = False;
 	}
 
+	if (!test_lsakey_puzzle(p, mem_ctx, &handle)) {
+		ret = False;
+	}
+	exit(1);
+
 	if (!test_many_LookupSids(p, mem_ctx, &handle)) {
 		ret = False;
 	}

Modified: branches/SAMBA_4_0/source/torture/rpc/testjoin.c
===================================================================
--- branches/SAMBA_4_0/source/torture/rpc/testjoin.c	2004-09-03 05:16:25 UTC (rev 2199)
+++ branches/SAMBA_4_0/source/torture/rpc/testjoin.c	2004-09-03 08:28:24 UTC (rev 2200)
@@ -125,10 +125,11 @@
 
 	printf("Connecting to SAMR (forced ncacn_np)\n");
 
-	status = torture_rpc_connection_smb(&join->p, 
-					    DCERPC_SAMR_NAME,
-					    DCERPC_SAMR_UUID,
-					    DCERPC_SAMR_VERSION);
+	status = torture_rpc_connection_transport(&join->p, 
+						  DCERPC_SAMR_NAME,
+						  DCERPC_SAMR_UUID,
+						  DCERPC_SAMR_VERSION,
+						  NCACN_NP);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto failed;
 	}

Modified: branches/SAMBA_4_0/source/torture/torture.c
===================================================================
--- branches/SAMBA_4_0/source/torture/torture.c	2004-09-03 05:16:25 UTC (rev 2199)
+++ branches/SAMBA_4_0/source/torture/torture.c	2004-09-03 08:28:24 UTC (rev 2200)
@@ -158,11 +158,12 @@
         return status;
 }
 
-/* open a rpc connection to a named pipe */
-NTSTATUS torture_rpc_connection_smb(struct dcerpc_pipe **p, 
-				    const char *pipe_name,
-				    const char *pipe_uuid, 
-				    uint32_t pipe_version)
+/* open a rpc connection to a specific transport */
+NTSTATUS torture_rpc_connection_transport(struct dcerpc_pipe **p, 
+					  const char *pipe_name,
+					  const char *pipe_uuid, 
+					  uint32_t pipe_version,
+					  enum dcerpc_transport_t transport)
 {
         NTSTATUS status;
 	const char *binding = lp_parm_string(-1, "torture", "binding");
@@ -181,7 +182,7 @@
 		return status;
 	}
 
-	b.transport = NCACN_NP;
+	b.transport = transport;
 
 	status = dcerpc_pipe_connect_b(p, &b, pipe_uuid, pipe_version,
 				       lp_parm_string(-1, "torture", "userdomain"), 

