/*
* Create an access check structure, the format depends on the version parameter.
- * If broken is specified then we create a stucture that isn't conform to the
+ * If broken is specified then we create a stucture that isn't conform to the
* specification.
*
* If the structure can't be created then NULL is returned.
}
if (broken_magic_access){
- /* The start of the access_check structure contains the
+ /* The start of the access_check structure contains the
* GUID of the certificate
*/
xs->data[0]++;
return true;
}
-/* Test to check the failure to recover a secret because the
+/* Test to check the failure to recover a secret because the
* secret blob is not reversed
*/
static bool test_RestoreGUID_ko(struct torture_context *tctx,
ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
- /*
+ /*
* Windows 2012R2 has, presumably, a programming error
- * returning an NTSTATUS code on this interface
+ * returning an NTSTATUS code on this interface
*/
if (W_ERROR_V(r->out.result) != NT_STATUS_V(NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Bad error code on wrong has in access check");
return true;
}
-/*
+/*
* Check that the RSA modulus in the certificate of the DCs has 2048 bits.
*/
static bool test_RetrieveBackupKeyGUID_2048bits(struct torture_context *tctx,
int RSA_returned_bits;
torture_assert(tctx, r != NULL, "createRetrieveBackupKeyGUIDStruct failed");
-
+
hx509_context_init(&hctx);
if (r == NULL) {
RSA_free(rsa);
- /*
+ /*
* Because we prevented spki from being changed above,
- * we can now safely call this to free it
+ * we can now safely call this to free it
*/
free_SubjectPublicKeyInfo(&spki);
hx509_cert_free(cert);
r.out.result,
"encrypt");
encrypted.length = *r.out.data_out_len;
-
+
/* Decrypt */
torture_assert_ntstatus_ok(tctx,
GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid),
ndr_err = ndr_push_struct_blob(&encrypted, tctx, &server_side_wrapped,
(ndr_push_flags_fn_t)ndr_push_bkrp_server_side_wrapped);
torture_assert_ndr_err_equal(tctx, ndr_err, NDR_ERR_SUCCESS, "push of server_side_wrapped");
-
+
/* Decrypt */
torture_assert_ntstatus_ok(tctx,
GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid),
ZERO_STRUCT(r_query_secret);
/* Now read BCKUPKEY_P and prove we can do a matching decrypt and encrypt */
-
+
torture_assert_ntstatus_ok(tctx,
torture_rpc_connection(tctx, &lsa_p, &ndr_table_lsarpc),
"Opening LSA pipe");
torture_assert(tctx, test_lsa_OpenPolicy2(lsa_b, tctx, &handle), "OpenPolicy failed");
r_secret.in.name.string = "G$BCKUPKEY_P";
-
+
r_secret.in.handle = handle;
r_secret.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
r_secret.out.sec_handle = &sec_handle;
-
+
torture_comment(tctx, "Testing OpenSecret\n");
-
+
torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenSecret_r(lsa_b, tctx, &r_secret),
"OpenSecret failed");
torture_assert_ntstatus_ok(tctx, r_secret.out.result,
"OpenSecret failed");
-
+
r_query_secret.in.sec_handle = &sec_handle;
r_query_secret.in.new_val = &bufp1;
bufp1.buf = NULL;
"QuerySecret failed");
torture_assert_ntstatus_ok(tctx, r_query_secret.out.result,
"QuerySecret failed");
-
-
+
+
preferred_key.data = r_query_secret.out.new_val->buf->data;
preferred_key.length = r_query_secret.out.new_val->buf->size;
torture_assert_ntstatus_ok(tctx, dcerpc_fetch_session_key(lsa_p, &session_key),
"dcerpc_fetch_session_key failed");
-
+
torture_assert_ntstatus_ok(tctx,
sess_decrypt_blob(tctx,
&preferred_key, &session_key, &preferred_key_clear),
"sess_decrypt_blob failed");
-
+
torture_assert_ntstatus_ok(tctx, GUID_from_ndr_blob(&preferred_key_clear, &preferred_key_guid),
"GUID parse failed");
-
+
torture_assert_guid_equal(tctx, server_side_wrapped->guid,
preferred_key_guid,
"GUID didn't match value pointed at by G$BCKUPKEY_P");
/* And read BCKUPKEY_<guid> and get the actual key */
-
+
key_guid_string = GUID_string(tctx, &server_side_wrapped->guid);
r_secret.in.name.string = talloc_asprintf(tctx, "G$BCKUPKEY_%s", key_guid_string);
-
+
r_secret.in.handle = handle;
r_secret.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
r_secret.out.sec_handle = &sec_handle;
-
+
torture_comment(tctx, "Testing OpenSecret\n");
-
+
torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenSecret_r(lsa_b, tctx, &r_secret),
"OpenSecret failed");
torture_assert_ntstatus_ok(tctx, r_secret.out.result,
"OpenSecret failed");
-
+
r_query_secret.in.sec_handle = &sec_handle;
r_query_secret.in.new_val = &bufp1;
"QuerySecret failed");
torture_assert_ntstatus_ok(tctx, r_query_secret.out.result,
"QuerySecret failed");
-
-
+
+
decrypt_key.data = r_query_secret.out.new_val->buf->data;
decrypt_key.length = r_query_secret.out.new_val->buf->size;
-
+
torture_assert_ntstatus_ok(tctx,
sess_decrypt_blob(tctx,
&decrypt_key, &session_key, &decrypt_key_clear),
"sess_decrypt_blob failed");
-
+
torture_assert_ndr_err_equal(tctx, ndr_pull_struct_blob(&decrypt_key_clear, tctx, &server_key,
(ndr_pull_flags_fn_t)ndr_pull_bkrp_dc_serverwrap_key),
NDR_ERR_SUCCESS, "Failed to parse server_key");
/*
* This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
- * BACKUPKEY_BACKUP_GUID, it really is the whole key
+ * BACKUPKEY_BACKUP_GUID, it really is the whole key
*/
HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key),
server_side_wrapped->r2, sizeof(server_side_wrapped->r2),
symkey, &hash_len);
-
+
/* rc4 decrypt sid and secret using sym key */
symkey_blob = data_blob_const(symkey, sizeof(symkey));
-
+
encrypted_blob = data_blob_talloc(tctx, server_side_wrapped->rc4encryptedpayload,
server_side_wrapped->ciphertext_length);
-
+
arcfour_crypt_blob(encrypted_blob.data, encrypted_blob.length, &symkey_blob);
torture_assert_ndr_err_equal(tctx, ndr_pull_struct_blob(&encrypted_blob, tctx, &rc4payload,
/*
* This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
- * BACKUPKEY_BACKUP_GUID, it really is the whole key
+ * BACKUPKEY_BACKUP_GUID, it really is the whole key
*/
HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key),
rc4payload.r3, sizeof(rc4payload.r3),
mackey, &hash_len);
-
+
torture_assert_ndr_err_equal(tctx, ndr_push_struct_blob(&sid_blob, tctx, &rc4payload.sid,
(ndr_push_flags_fn_t)ndr_push_dom_sid),
NDR_ERR_SUCCESS, "unable to push SID");
torture_assert_sid_equal(tctx, &rc4payload.sid, caller_sid, "Secret saved with wrong SID");
-
+
/* RE-encrypt */
if (wrong == WRONG_SID) {
HMAC_CTX_cleanup(&ctx);
dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac));
-
+
torture_assert_ndr_err_equal(tctx,
ndr_push_struct_blob(&encrypted_blob, tctx, &rc4payload,
(ndr_push_flags_fn_t)ndr_push_bkrp_rc4encryptedpayload),
symkey_blob.data[1] = 78;
symkey_blob.data[2] = 78;
}
-
+
/* rc4 encrypt sid and secret using sym key */
arcfour_crypt_blob(encrypted_blob.data, encrypted_blob.length, &symkey_blob);
encrypted_blob.length,
"expected encrypted data not to change");
}
-
+
server_side_wrapped->payload_length = rc4payload.secret_data.length;
server_side_wrapped->ciphertext_length = encrypted_blob.length;
server_side_wrapped->rc4encryptedpayload = encrypted_blob.data;
repush = true;
break;
case WRONG_CIPHERTEXT_LENGTH:
- /*
+ /*
* Change the ciphertext len. We can't push this if
* we have it wrong, so do it raw
*/
repush = true;
break;
case SHORT_CIPHERTEXT_LENGTH:
- /*
+ /*
* Change the ciphertext len. We can't push this if
* we have it wrong, so do it raw
*/
repush = true;
break;
case ZERO_CIPHERTEXT_LENGTH:
- /*
+ /*
* Change the ciphertext len. We can't push this if
* we have it wrong, so do it raw
*/
(ndr_push_flags_fn_t)ndr_push_bkrp_server_side_wrapped);
torture_assert_ndr_err_equal(tctx, ndr_err, NDR_ERR_SUCCESS, "push of server_side_wrapped");
}
-
+
/* Decrypt */
torture_assert_ntstatus_ok(tctx,
GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid),
WERR_INVALID_PARAM,
"decrypt should fail with WERR_INVALID_PARAM");
}
-
+
/* Decrypt */
torture_assert_ntstatus_ok(tctx,
GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid),
WERR_INVALID_PARAM,
"decrypt should fail with WERR_INVALID_PARAM");
}
-
+
return true;
}
torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_zero_ciphertext_length",
test_ServerWrap_decrypt_zero_ciphertext_length);
- torture_rpc_tcase_add_test(tcase, "server_wrap_encrypt_decrypt_remote_key",
+ torture_rpc_tcase_add_test(tcase, "server_wrap_encrypt_decrypt_remote_key",
test_ServerWrap_encrypt_decrypt_remote_key);
-
+
torture_rpc_tcase_add_test(tcase, "server_wrap_encrypt_decrypt_wrong_key",
test_ServerWrap_encrypt_decrypt_wrong_key);