[PATCH] Use krb5_wrap function in gensec_krb5

Andrew Bartlett abartlet at samba.org
Mon Aug 29 18:58:00 UTC 2016 

On Mon, 2016-08-29 at 15:16 +0200, Andreas Schneider wrote:
> On Monday, 29 August 2016 21:23:07 CEST Andrew Bartlett wrote:
> > 
> > Have you run tests against Windows?
> 
> asn: ~/workspace/projects/samba> bin/smbtorture --
> option='fss:sequence 
> timeout=1' --maximum-runtime=1200 --option=torture:progress=no
> ncacn_np:dwdc1 
> -k yes -UAdministrator%Samba777 --workgroup=DISCWORLD.SITE --
> option=clientusespnegoprincipal=yes --
> option=gensec:fake_gssapi_krb5=yes --
> option=gensec:gssapi_krb5=no --option=gensec:target_hostname=DWDC1 
> 'rpc.lsa.secrets.none*'
> smbtorture 4.6.0pre1-DEVELOPERBUILD
> Using seed 1472476204
> time: 2016-08-29 15:10:04.930207
> test: none keyexchange:yes ntlm2:yes lm_key:yes
> time: 2016-08-29 15:10:04.931027
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-540396684
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.028226
> success: none keyexchange:yes ntlm2:yes lm_key:yes
> test: none keyexchange:yes ntlm2:yes lm_key:yes
> time: 2016-08-29 15:10:05.028277
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-2013987131
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.039913
> success: none keyexchange:yes ntlm2:yes lm_key:yes
> test: none keyexchange:yes ntlm2:yes lm_key:no
> time: 2016-08-29 15:10:05.039967
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-1461337782
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.051143
> success: none keyexchange:yes ntlm2:yes lm_key:no
> test: none keyexchange:yes ntlm2:yes lm_key:no
> time: 2016-08-29 15:10:05.051172
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-1406052089
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.062028
> success: none keyexchange:yes ntlm2:yes lm_key:no
> test: none keyexchange:yes ntlm2:no lm_key:yes
> time: 2016-08-29 15:10:05.062061
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-975954445
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.073636
> success: none keyexchange:yes ntlm2:no lm_key:yes
> test: none keyexchange:yes ntlm2:no lm_key:yes
> time: 2016-08-29 15:10:05.073687
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-663334993
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.085899
> success: none keyexchange:yes ntlm2:no lm_key:yes
> test: none keyexchange:yes ntlm2:no lm_key:no
> time: 2016-08-29 15:10:05.085941
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-51680497
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.097437
> success: none keyexchange:yes ntlm2:no lm_key:no
> test: none keyexchange:yes ntlm2:no lm_key:no
> time: 2016-08-29 15:10:05.097469
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-1880885519
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.108561
> success: none keyexchange:yes ntlm2:no lm_key:no
> test: none keyexchange:no ntlm2:yes lm_key:yes
> time: 2016-08-29 15:10:05.108594
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-32453894
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.120184
> success: none keyexchange:no ntlm2:yes lm_key:yes
> test: none keyexchange:no ntlm2:yes lm_key:yes
> time: 2016-08-29 15:10:05.120235
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-157268836
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.132432
> success: none keyexchange:no ntlm2:yes lm_key:yes
> test: none keyexchange:no ntlm2:yes lm_key:no
> time: 2016-08-29 15:10:05.132471
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-1899989946
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.143482
> success: none keyexchange:no ntlm2:yes lm_key:no
> test: none keyexchange:no ntlm2:yes lm_key:no
> time: 2016-08-29 15:10:05.143511
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-917994290
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.154568
> success: none keyexchange:no ntlm2:yes lm_key:no
> test: none keyexchange:no ntlm2:no lm_key:yes
> time: 2016-08-29 15:10:05.154602
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-1570710709
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.166834
> success: none keyexchange:no ntlm2:no lm_key:yes
> test: none keyexchange:no ntlm2:no lm_key:yes
> time: 2016-08-29 15:10:05.166880
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-1151138564
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.179294
> success: none keyexchange:no ntlm2:no lm_key:yes
> test: none keyexchange:no ntlm2:no lm_key:no
> time: 2016-08-29 15:10:05.179335
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-787868027
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.191495
> success: none keyexchange:no ntlm2:no lm_key:no
> test: none keyexchange:no ntlm2:no lm_key:no
> time: 2016-08-29 15:10:05.191532
> 
> Testing OpenPolicy2
> Testing CreateSecret of torturesecret-1964127422
> Testing SetSecret
> Testing SetSecret with broken key
> Testing QuerySecret
> decrypted string 'abcdef12345699qwerty' of length 20
> time: 2016-08-29 15:10:05.203748
> success: none keyexchange:no ntlm2:no lm_key:no
> 
>  
> > 
> > That is the only thing I would need beyond the re-read I've done to
> > give a review.  (I have to ask because these things are really easy
> > to
> > break symmetrically).
> 
> Is that enough?

That should cover it.

Reviewed-by: Andrew Bartlett <abartlet at samba.org>

I'll push.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list