2 Unix SMB/CIFS implementation.
3 test suite for backupkey remote protocol rpc operations
5 Copyright (C) Matthieu Patou 2010-2011
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "../libcli/security/security.h"
24 #include "torture/rpc/torture_rpc.h"
25 #include "torture/ndr/ndr.h"
27 #ifdef SAMBA4_USES_HEIMDAL
28 #include "librpc/gen_ndr/ndr_backupkey_c.h"
29 #include "librpc/gen_ndr/ndr_backupkey.h"
30 #include "librpc/gen_ndr/ndr_lsa_c.h"
31 #include "librpc/gen_ndr/ndr_security.h"
32 #include "lib/cmdline/popt_common.h"
33 #include "libcli/auth/proto.h"
34 #include "lib/crypto/arcfour.h"
36 #include <hcrypto/sha.h>
37 #include <system/network.h>
40 #include <hcrypto/rsa.h>
41 #include <hcrypto/hmac.h>
42 #include <hcrypto/sha.h>
43 #include <hcrypto/evp.h>
49 WRONG_CIPHERTEXT_LENGTH,
51 SHORT_CIPHERTEXT_LENGTH,
53 ZERO_CIPHERTEXT_LENGTH,
59 /* Our very special and valued secret */
60 /* No need to put const as we cast the array in uint8_t
61 * we will get a warning about the discared const
63 static const char secret[] = "tata yoyo mais qu'est ce qu'il y a sous ton grand chapeau ?";
65 /* Get the SID from a user */
66 static struct dom_sid *get_user_sid(struct torture_context *tctx,
70 struct lsa_ObjectAttribute attr;
71 struct lsa_QosInfo qos;
72 struct lsa_OpenPolicy2 r;
75 struct policy_handle handle;
76 struct lsa_LookupNames l;
77 struct lsa_TransSidArray sids;
78 struct lsa_RefDomainList *domains = NULL;
79 struct lsa_String lsa_name;
81 struct dom_sid *result;
83 struct dcerpc_pipe *p2;
84 struct dcerpc_binding_handle *b;
86 const char *domain = cli_credentials_get_domain(cmdline_credentials);
88 torture_assert_ntstatus_ok(tctx,
89 torture_rpc_connection(tctx, &p2, &ndr_table_lsarpc),
90 "could not open lsarpc pipe");
91 b = p2->binding_handle;
93 if (!(tmp_ctx = talloc_new(mem_ctx))) {
97 qos.impersonation_level = 2;
99 qos.effective_only = 0;
102 attr.root_dir = NULL;
103 attr.object_name = NULL;
105 attr.sec_desc = NULL;
108 r.in.system_name = "\\";
110 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
111 r.out.handle = &handle;
113 status = dcerpc_lsa_OpenPolicy2_r(b, tmp_ctx, &r);
114 if (!NT_STATUS_IS_OK(status)) {
115 torture_comment(tctx,
116 "OpenPolicy2 failed - %s\n",
118 talloc_free(tmp_ctx);
121 if (!NT_STATUS_IS_OK(r.out.result)) {
122 torture_comment(tctx,
123 "OpenPolicy2_ failed - %s\n",
124 nt_errstr(r.out.result));
125 talloc_free(tmp_ctx);
132 lsa_name.string = talloc_asprintf(tmp_ctx, "%s\\%s", domain, user);
134 l.in.handle = &handle;
136 l.in.names = &lsa_name;
140 l.out.count = &count;
142 l.out.domains = &domains;
144 status = dcerpc_lsa_LookupNames_r(b, tmp_ctx, &l);
145 if (!NT_STATUS_IS_OK(status)) {
146 torture_comment(tctx,
147 "LookupNames of %s failed - %s\n",
150 talloc_free(tmp_ctx);
154 if (domains->count == 0) {
158 result = dom_sid_add_rid(mem_ctx,
159 domains->domains[0].sid,
160 l.out.sids->sids[0].rid);
161 c.in.handle = &handle;
162 c.out.handle = &handle;
164 status = dcerpc_lsa_Close_r(b, tmp_ctx, &c);
166 if (!NT_STATUS_IS_OK(status)) {
167 torture_comment(tctx,
168 "dcerpc_lsa_Close failed - %s\n",
170 talloc_free(tmp_ctx);
174 if (!NT_STATUS_IS_OK(c.out.result)) {
175 torture_comment(tctx,
176 "dcerpc_lsa_Close failed - %s\n",
177 nt_errstr(c.out.result));
178 talloc_free(tmp_ctx);
182 talloc_free(tmp_ctx);
185 torture_comment(tctx, "Get_user_sid finished\n");
190 * Create a bkrp_encrypted_secret_vX structure
191 * the version depends on the version parameter
192 * the structure is returned as a blob.
193 * The broken flag is to indicate if we want
194 * to create a non conform to specification structre
196 static DATA_BLOB *create_unencryptedsecret(TALLOC_CTX *mem_ctx,
200 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
201 DATA_BLOB *blob = talloc_zero(mem_ctx, DATA_BLOB);
202 enum ndr_err_code ndr_err;
205 struct bkrp_encrypted_secret_v2 unenc_sec;
207 ZERO_STRUCT(unenc_sec);
208 unenc_sec.secret_len = sizeof(secret);
209 unenc_sec.secret = discard_const_p(uint8_t, secret);
210 generate_random_buffer(unenc_sec.payload_key,
211 sizeof(unenc_sec.payload_key));
213 ndr_err = ndr_push_struct_blob(blob, blob, &unenc_sec,
214 (ndr_push_flags_fn_t)ndr_push_bkrp_encrypted_secret_v2);
215 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
220 /* The magic value is correctly set by the NDR push
221 * but we want to test the behavior of the server
222 * if a differrent value is provided
224 ((uint8_t*)blob->data)[4] = 79; /* A great year !!! */
229 struct bkrp_encrypted_secret_v3 unenc_sec;
231 ZERO_STRUCT(unenc_sec);
232 unenc_sec.secret_len = sizeof(secret);
233 unenc_sec.secret = discard_const_p(uint8_t, secret);
234 generate_random_buffer(unenc_sec.payload_key,
235 sizeof(unenc_sec.payload_key));
237 ndr_err = ndr_push_struct_blob(blob, blob, &unenc_sec,
238 (ndr_push_flags_fn_t)ndr_push_bkrp_encrypted_secret_v3);
239 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
245 * The magic value is correctly set by the NDR push
246 * but we want to test the behavior of the server
247 * if a differrent value is provided
249 ((uint8_t*)blob->data)[4] = 79; /* A great year !!! */
252 talloc_free(tmp_ctx);
257 * Create an access check structure, the format depends on the version parameter.
258 * If broken is specified then we create a stucture that isn't conform to the
261 * If the structure can't be created then NULL is returned.
263 static DATA_BLOB *create_access_check(struct torture_context *tctx,
264 struct dcerpc_pipe *p,
270 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
271 DATA_BLOB *blob = talloc_zero(mem_ctx, DATA_BLOB);
272 enum ndr_err_code ndr_err;
273 const struct dom_sid *sid = get_user_sid(tctx, tmp_ctx, user);
280 struct bkrp_access_check_v2 access_struct;
284 ZERO_STRUCT(access_struct);
285 generate_random_buffer(nonce, sizeof(nonce));
286 access_struct.nonce_len = sizeof(nonce);
287 access_struct.nonce = nonce;
288 access_struct.sid = *sid;
290 ndr_err = ndr_push_struct_blob(blob, blob, &access_struct,
291 (ndr_push_flags_fn_t)ndr_push_bkrp_access_check_v2);
292 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
297 * We pushed the whole structure including a null hash
298 * but the hash need to be calculated only up to the hash field
299 * so we reduce the size of what has to be calculated
303 SHA1_Update(&sctx, blob->data,
304 blob->length - sizeof(access_struct.hash));
305 SHA1_Final(blob->data + blob->length - sizeof(access_struct.hash),
308 /* Altering the SHA */
310 blob->data[blob->length - 1]++;
315 struct bkrp_access_check_v3 access_struct;
316 struct hc_sha512state sctx;
319 ZERO_STRUCT(access_struct);
320 generate_random_buffer(nonce, sizeof(nonce));
321 access_struct.nonce_len = sizeof(nonce);
322 access_struct.nonce = nonce;
323 access_struct.sid = *sid;
325 ndr_err = ndr_push_struct_blob(blob, blob, &access_struct,
326 (ndr_push_flags_fn_t)ndr_push_bkrp_access_check_v3);
327 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
331 /*We pushed the whole structure including a null hash
332 * but the hash need to be calculated only up to the hash field
333 * so we reduce the size of what has to be calculated
337 SHA512_Update(&sctx, blob->data,
338 blob->length - sizeof(access_struct.hash));
339 SHA512_Final(blob->data + blob->length - sizeof(access_struct.hash),
342 /* Altering the SHA */
344 blob->data[blob->length -1]++;
347 talloc_free(tmp_ctx);
352 static DATA_BLOB *encrypt_blob(struct torture_context *tctx,
356 DATA_BLOB *to_encrypt,
357 const AlgorithmIdentifier *alg)
361 heim_octet_string ivos;
362 heim_octet_string *encrypted;
363 DATA_BLOB *blob = talloc_zero(mem_ctx, DATA_BLOB);
366 ivos.data = talloc_array(mem_ctx, uint8_t, iv->length);
367 ivos.length = iv->length;
368 memcpy(ivos.data, iv->data, iv->length);
370 hx509_context_init(&hctx);
371 res = hx509_crypto_init(hctx, NULL, &alg->algorithm, &crypto);
373 torture_comment(tctx,
374 "error while doing the init of the crypto object\n");
375 hx509_context_free(&hctx);
378 res = hx509_crypto_set_key_data(crypto, key->data, key->length);
380 torture_comment(tctx,
381 "error while setting the key of the crypto object\n");
382 hx509_context_free(&hctx);
386 hx509_crypto_set_padding(crypto, HX509_CRYPTO_PADDING_NONE);
387 res = hx509_crypto_encrypt(crypto,
393 torture_comment(tctx, "error while encrypting\n");
394 hx509_crypto_destroy(crypto);
395 hx509_context_free(&hctx);
399 *blob = data_blob_talloc(blob, encrypted->data, encrypted->length);
400 der_free_octet_string(encrypted);
402 hx509_crypto_destroy(crypto);
403 hx509_context_free(&hctx);
408 * Certs used for this protocol have a GUID in the issuer_uniq_id field.
409 * This function fetch it.
411 static struct GUID *get_cert_guid(struct torture_context *tctx,
418 heim_bit_string subjectuniqid;
422 struct GUID *guid = talloc_zero(mem_ctx, struct GUID);
425 hx509_context_init(&hctx);
427 hret = hx509_cert_init_data(hctx, cert_data, cert_len, &cert);
429 torture_comment(tctx, "error while loading the cert\n");
430 hx509_context_free(&hctx);
433 hret = hx509_cert_get_issuer_unique_id(hctx, cert, &subjectuniqid);
435 torture_comment(tctx, "error while getting the issuer_uniq_id\n");
436 hx509_cert_free(cert);
437 hx509_context_free(&hctx);
441 /* The subjectuniqid is a bit string,
442 * which means that the real size has to be divided by 8
443 * to have the number of bytes
445 hx509_cert_free(cert);
446 hx509_context_free(&hctx);
447 size = subjectuniqid.length / 8;
448 data = data_blob_const(subjectuniqid.data, size);
450 status = GUID_from_data_blob(&data, guid);
451 der_free_bit_string(&subjectuniqid);
452 if (!NT_STATUS_IS_OK(status)) {
460 * Encrypt a blob with the private key of the certificate
461 * passed as a parameter.
463 static DATA_BLOB *encrypt_blob_pk(struct torture_context *tctx,
467 DATA_BLOB *to_encrypt)
471 heim_octet_string secretdata;
472 heim_octet_string encrypted;
473 heim_oid encryption_oid;
477 hx509_context_init(&hctx);
479 hret = hx509_cert_init_data(hctx, cert_data, cert_len, &cert);
481 torture_comment(tctx, "error while loading the cert\n");
482 hx509_context_free(&hctx);
486 secretdata.data = to_encrypt->data;
487 secretdata.length = to_encrypt->length;
488 hret = hx509_cert_public_encrypt(hctx, &secretdata,
489 cert, &encryption_oid,
491 hx509_cert_free(cert);
492 hx509_context_free(&hctx);
494 torture_comment(tctx, "error while encrypting\n");
498 blob = talloc_zero(mem_ctx, DATA_BLOB);
500 der_free_oid(&encryption_oid);
501 der_free_octet_string(&encrypted);
505 *blob = data_blob_talloc(blob, encrypted.data, encrypted.length);
506 der_free_octet_string(&encrypted);
507 der_free_oid(&encryption_oid);
508 if (blob->data == NULL) {
516 static struct bkrp_BackupKey *createRetreiveBackupKeyGUIDStruct(struct torture_context *tctx,
517 struct dcerpc_pipe *p, int version, DATA_BLOB *out)
519 struct dcerpc_binding *binding;
520 struct bkrp_client_side_wrapped data;
521 struct GUID *g = talloc(tctx, struct GUID);
522 struct bkrp_BackupKey *r = talloc_zero(tctx, struct bkrp_BackupKey);
523 enum ndr_err_code ndr_err;
531 binding = dcerpc_binding_dup(tctx, p->binding);
532 if (binding == NULL) {
536 status = dcerpc_binding_set_flags(binding, DCERPC_SEAL|DCERPC_AUTH_SPNEGO, 0);
537 if (!NT_STATUS_IS_OK(status)) {
542 status = GUID_from_string(BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, g);
543 if (!NT_STATUS_IS_OK(status)) {
547 r->in.guidActionAgent = g;
548 data.version = version;
549 ndr_err = ndr_push_struct_blob(&blob, tctx, &data,
550 (ndr_push_flags_fn_t)ndr_push_bkrp_client_side_wrapped);
551 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
554 r->in.data_in = blob.data;
555 r->in.data_in_len = blob.length;
556 r->out.data_out = &out->data;
557 r->out.data_out_len = talloc(r, uint32_t);
561 static struct bkrp_BackupKey *createRestoreGUIDStruct(struct torture_context *tctx,
562 struct dcerpc_pipe *p, int version, DATA_BLOB *out,
566 bool broken_magic_secret,
567 bool broken_magic_access,
568 bool broken_hash_access,
569 bool broken_cert_guid)
571 struct dcerpc_binding_handle *b = p->binding_handle;
572 struct bkrp_client_side_wrapped data;
575 DATA_BLOB *enc_sec = NULL;
576 DATA_BLOB *enc_xs = NULL;
578 DATA_BLOB enc_sec_reverted;
583 struct GUID *guid, *g;
586 enum ndr_err_code ndr_err;
589 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, version, &out_blob);
595 /* we take a fake user*/
598 user = cli_credentials_get_username(cmdline_credentials);
602 torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
604 torture_assert_werr_ok(tctx, r->out.result,
608 * We have to set it outside of the function createRetreiveBackupKeyGUIDStruct
609 * the len of the blob, this is due to the fact that they don't have the
610 * same size (one is 32bits the other 64bits)
612 out_blob.length = *r->out.data_out_len;
614 sec = create_unencryptedsecret(tctx, broken_magic_secret, version);
619 xs = create_access_check(tctx, p, tctx, user, broken_hash_access, version);
624 if (broken_magic_access){
625 /* The start of the access_check structure contains the
626 * GUID of the certificate
631 enc_sec = encrypt_blob_pk(tctx, tctx, out_blob.data, out_blob.length, sec);
635 enc_sec_reverted.data = talloc_array(tctx, uint8_t, enc_sec->length);
636 if (enc_sec_reverted.data == NULL) {
639 enc_sec_reverted.length = enc_sec->length;
642 * We DO NOT revert the array on purpose it's in order to check that
643 * when the server is not able to decrypt then it answer the correct error
646 for(t=0; t< enc_sec->length; t++) {
647 enc_sec_reverted.data[t] = ((uint8_t*)enc_sec->data)[t];
650 for(t=0; t< enc_sec->length; t++) {
651 enc_sec_reverted.data[t] = ((uint8_t*)enc_sec->data)[enc_sec->length - t -1];
657 const AlgorithmIdentifier *alg = hx509_crypto_des_rsdi_ede3_cbc();
658 iv.data = sec->data+(size - 8);
661 des3_key.data = sec->data+(size - 32);
662 des3_key.length = 24;
664 enc_xs = encrypt_blob(tctx, tctx, &des3_key, &iv, xs, alg);
667 const AlgorithmIdentifier *alg = hx509_crypto_aes256_cbc();
668 iv.data = sec->data+(size-16);
671 aes_key.data = sec->data+(size-48);
674 enc_xs = encrypt_blob(tctx, tctx, &aes_key, &iv, xs, alg);
681 /* To cope with the fact that heimdal do padding at the end for the moment */
682 enc_xs->length = xs->length;
684 guid = get_cert_guid(tctx, tctx, out_blob.data, out_blob.length);
689 if (broken_version) {
692 data.version = version;
696 data.encrypted_secret = enc_sec_reverted.data;
697 data.access_check = enc_xs->data;
698 data.encrypted_secret_len = enc_sec->length;
699 data.access_check_len = enc_xs->length;
701 /* We want the blob to persist after this function so we don't
702 * allocate it in the stack
704 blob2 = talloc(tctx, DATA_BLOB);
709 ndr_err = ndr_push_struct_blob(blob2, tctx, &data,
710 (ndr_push_flags_fn_t)ndr_push_bkrp_client_side_wrapped);
711 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
715 if (broken_cert_guid) {
721 g = talloc(tctx, struct GUID);
726 status = GUID_from_string(BACKUPKEY_RESTORE_GUID, g);
727 if (!NT_STATUS_IS_OK(status)) {
731 r->in.guidActionAgent = g;
732 r->in.data_in = blob2->data;
733 r->in.data_in_len = blob2->length;
735 r->out.data_out = &(out->data);
736 r->out.data_out_len = talloc(r, uint32_t);
740 /* Check that we are able to receive the certificate of the DCs
741 * used for client wrap version of the backup key protocol
743 static bool test_RetreiveBackupKeyGUID(struct torture_context *tctx,
744 struct dcerpc_pipe *p)
746 struct dcerpc_binding_handle *b = p->binding_handle;
748 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
749 enum dcerpc_AuthType auth_type;
750 enum dcerpc_AuthLevel auth_level;
756 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
758 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
759 torture_assert_ntstatus_ok(tctx,
760 dcerpc_bkrp_BackupKey_r(b, tctx, r),
763 out_blob.length = *r->out.data_out_len;
764 torture_assert_werr_equal(tctx,
767 "Wrong dce/rpc error code");
769 torture_assert_ntstatus_equal(tctx,
770 dcerpc_bkrp_BackupKey_r(b, tctx, r),
771 NT_STATUS_ACCESS_DENIED,
777 /* Test to check the failure to recover a secret because the
778 * secret blob is not reversed
780 static bool test_RestoreGUID_ko(struct torture_context *tctx,
781 struct dcerpc_pipe *p)
783 enum ndr_err_code ndr_err;
784 struct dcerpc_binding_handle *b = p->binding_handle;
786 struct bkrp_client_side_unwrapped resp;
787 enum dcerpc_AuthType auth_type;
788 enum dcerpc_AuthLevel auth_level;
790 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
792 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
793 struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 2, &out_blob,
794 true, false, false, false, false, false, false);
795 torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
796 torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
797 out_blob.length = *r->out.data_out_len;
798 ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
799 torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
800 torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_PARAM, "Wrong error code");
802 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
803 torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
804 NT_STATUS_ACCESS_DENIED, "Get GUID");
809 static bool test_RestoreGUID_wrongversion(struct torture_context *tctx,
810 struct dcerpc_pipe *p)
812 enum ndr_err_code ndr_err;
813 struct dcerpc_binding_handle *b = p->binding_handle;
815 struct bkrp_client_side_unwrapped resp;
816 enum dcerpc_AuthType auth_type;
817 enum dcerpc_AuthLevel auth_level;
819 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
821 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
822 struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 2, &out_blob,
823 false, true, false, false, false, false, false);
824 torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
825 torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
826 out_blob.length = *r->out.data_out_len;
827 ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
828 torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
829 torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_PARAM, "Wrong error code on wrong version");
831 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
832 torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
833 NT_STATUS_ACCESS_DENIED, "Get GUID");
838 static bool test_RestoreGUID_wronguser(struct torture_context *tctx,
839 struct dcerpc_pipe *p)
841 enum ndr_err_code ndr_err;
842 struct dcerpc_binding_handle *b = p->binding_handle;
844 struct bkrp_client_side_unwrapped resp;
845 enum dcerpc_AuthType auth_type;
846 enum dcerpc_AuthLevel auth_level;
848 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
850 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
851 struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 2, &out_blob,
852 false, false, true, false, false, false, false);
853 torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
854 torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
855 out_blob.length = *r->out.data_out_len;
856 ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
857 torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
858 torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_ACCESS, "Restore GUID");
860 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
861 torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
862 NT_STATUS_ACCESS_DENIED, "Get GUID");
867 static bool test_RestoreGUID_v3(struct torture_context *tctx,
868 struct dcerpc_pipe *p)
870 enum ndr_err_code ndr_err;
871 struct dcerpc_binding_handle *b = p->binding_handle;
873 struct bkrp_client_side_unwrapped resp;
874 enum dcerpc_AuthType auth_type;
875 enum dcerpc_AuthLevel auth_level;
877 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
879 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
880 struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 3, &out_blob,
881 false, false, false, false, false, false, false);
882 torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
883 torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
884 out_blob.length = *r->out.data_out_len;
885 ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
886 torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 1, "Unable to unmarshall bkrp_client_side_unwrapped");
887 torture_assert_werr_equal(tctx, r->out.result, WERR_OK, "Restore GUID");
888 torture_assert_str_equal(tctx, (char*)resp.secret.data, secret, "Wrong secret");
890 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
891 torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
892 NT_STATUS_ACCESS_DENIED, "Get GUID");
897 static bool test_RestoreGUID(struct torture_context *tctx,
898 struct dcerpc_pipe *p)
900 struct dcerpc_binding_handle *b = p->binding_handle;
902 struct bkrp_client_side_unwrapped resp;
903 enum dcerpc_AuthType auth_type;
904 enum dcerpc_AuthLevel auth_level;
906 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
908 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
909 struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 2, &out_blob,
910 false, false, false, false, false, false, false);
911 torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
912 torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
913 out_blob.length = *r->out.data_out_len;
914 torture_assert_werr_equal(tctx, r->out.result, WERR_OK, "Restore GUID");
915 torture_assert_ndr_err_equal(tctx,
916 ndr_pull_struct_blob(&out_blob, tctx, &resp,
917 (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped),
919 "Unable to unmarshall bkrp_client_side_unwrapped");
920 torture_assert_str_equal(tctx, (char*)resp.secret.data, secret, "Wrong secret");
922 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
923 torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
924 NT_STATUS_ACCESS_DENIED, "Get GUID");
929 static bool test_RestoreGUID_badmagiconsecret(struct torture_context *tctx,
930 struct dcerpc_pipe *p)
932 enum ndr_err_code ndr_err;
933 struct dcerpc_binding_handle *b = p->binding_handle;
935 struct bkrp_client_side_unwrapped resp;
936 enum dcerpc_AuthType auth_type;
937 enum dcerpc_AuthLevel auth_level;
939 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
941 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
942 struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 3, &out_blob,
943 false, false, false, true, false, false, false);
944 torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
945 torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
946 out_blob.length = *r->out.data_out_len;
947 ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
948 torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
949 torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Wrong error code while providing bad magic in secret");
951 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
952 torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
953 NT_STATUS_ACCESS_DENIED, "Get GUID");
958 static bool test_RestoreGUID_emptyrequest(struct torture_context *tctx,
959 struct dcerpc_pipe *p)
961 struct dcerpc_binding_handle *b = p->binding_handle;
963 enum dcerpc_AuthType auth_type;
964 enum dcerpc_AuthLevel auth_level;
966 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
968 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
969 struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 3, &out_blob,
970 false, false, false, true, false, false, true);
972 torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
973 r->in.data_in = talloc(tctx, uint8_t);
974 r->in.data_in_len = 0;
976 torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
977 out_blob.length = *r->out.data_out_len;
978 torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_PARAM, "Bad error code on wrong has in access check");
980 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
981 torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
982 NT_STATUS_ACCESS_DENIED, "Get GUID");
987 static bool test_RestoreGUID_badcertguid(struct torture_context *tctx,
988 struct dcerpc_pipe *p)
990 enum ndr_err_code ndr_err;
991 struct dcerpc_binding_handle *b = p->binding_handle;
993 struct bkrp_client_side_unwrapped resp;
994 enum dcerpc_AuthType auth_type;
995 enum dcerpc_AuthLevel auth_level;
997 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
999 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
1000 struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 3, &out_blob,
1001 false, false, false, false, false, false, true);
1002 torture_assert(tctx, r != NULL, "createRestoreGUIDStruct() failed");
1003 torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
1004 out_blob.length = *r->out.data_out_len;
1005 ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
1006 torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
1009 * Windows 2012R2 has, presumably, a programming error
1010 * returning an NTSTATUS code on this interface
1012 if (W_ERROR_V(r->out.result) != NT_STATUS_V(NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1013 torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Bad error code on wrong has in access check");
1016 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
1017 torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
1018 NT_STATUS_ACCESS_DENIED, "Get GUID");
1023 static bool test_RestoreGUID_badmagicaccesscheck(struct torture_context *tctx,
1024 struct dcerpc_pipe *p)
1026 enum ndr_err_code ndr_err;
1027 struct dcerpc_binding_handle *b = p->binding_handle;
1029 struct bkrp_client_side_unwrapped resp;
1030 enum dcerpc_AuthType auth_type;
1031 enum dcerpc_AuthLevel auth_level;
1033 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
1035 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
1036 struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 2, &out_blob,
1037 false, false, false, false, true, false, false);
1038 torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
1039 torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
1040 out_blob.length = *r->out.data_out_len;
1041 ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
1042 torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
1043 torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Bad error code on wrong has in access check");
1045 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
1046 torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
1047 NT_STATUS_ACCESS_DENIED, "Get GUID");
1052 static bool test_RestoreGUID_badhashaccesscheck(struct torture_context *tctx,
1053 struct dcerpc_pipe *p)
1055 enum ndr_err_code ndr_err;
1056 struct dcerpc_binding_handle *b = p->binding_handle;
1058 struct bkrp_client_side_unwrapped resp;
1059 enum dcerpc_AuthType auth_type;
1060 enum dcerpc_AuthLevel auth_level;
1062 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
1064 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
1065 struct bkrp_BackupKey *r = createRestoreGUIDStruct(tctx, p, 2, &out_blob,
1066 false, false, false, false, false, true, false);
1067 torture_assert(tctx, r != NULL, "createRestoreGUIDStruct failed");
1068 torture_assert_ntstatus_ok(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r), "Restore GUID");
1069 out_blob.length = *r->out.data_out_len;
1070 ndr_err = ndr_pull_struct_blob(&out_blob, tctx, &resp, (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_unwrapped);
1071 torture_assert_int_equal(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), 0, "Unable to unmarshall bkrp_client_side_unwrapped");
1072 torture_assert_werr_equal(tctx, r->out.result, WERR_INVALID_DATA, "Bad error code on wrong has in access check");
1074 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
1075 torture_assert_ntstatus_equal(tctx, dcerpc_bkrp_BackupKey_r(b, tctx, r),
1076 NT_STATUS_ACCESS_DENIED, "Get GUID");
1082 * Check that the RSA modulus in the certificate of the DCs has 2048 bits.
1084 static bool test_RetreiveBackupKeyGUID_2048bits(struct torture_context *tctx,
1085 struct dcerpc_pipe *p)
1087 struct dcerpc_binding_handle *b = p->binding_handle;
1089 struct bkrp_BackupKey *r = createRetreiveBackupKeyGUIDStruct(tctx, p, 2, &out_blob);
1090 enum dcerpc_AuthType auth_type;
1091 enum dcerpc_AuthLevel auth_level;
1096 SubjectPublicKeyInfo spki;
1098 int RSA_returned_bits;
1100 torture_assert(tctx, r != NULL, "createRetreiveBackupKeyGUIDStruct failed");
1102 hx509_context_init(&hctx);
1108 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
1110 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
1111 const unsigned char *spki_spk_data;
1112 torture_assert_ntstatus_ok(tctx,
1113 dcerpc_bkrp_BackupKey_r(b, tctx, r),
1116 torture_assert_werr_ok(tctx, r->out.result,
1119 out_blob.length = *r->out.data_out_len;
1121 hret = hx509_cert_init_data(hctx, out_blob.data, out_blob.length, &cert);
1122 torture_assert_int_equal(tctx, hret, 0, "hx509_cert_init_data failed");
1124 hret = hx509_cert_get_SPKI(hctx, cert , &spki);
1125 torture_assert_int_equal(tctx, hret, 0, "hx509_cert_get_SPKI failed");
1127 /* We must take a copy, as d2i_RSAPublicKey *changes* the input parameter */
1128 spki_spk_data = spki.subjectPublicKey.data;
1129 rsa = d2i_RSAPublicKey(NULL, &spki_spk_data, spki.subjectPublicKey.length / 8);
1130 torture_assert_int_equal(tctx, rsa != NULL, 1, "d2i_RSAPublicKey failed");
1132 RSA_returned_bits = BN_num_bits(rsa->n);
1133 torture_assert_int_equal(tctx,
1136 "RSA Key doesn't have 2048 bits");
1141 * Because we prevented spki from being changed above,
1142 * we can now safely call this to free it
1144 free_SubjectPublicKeyInfo(&spki);
1145 hx509_cert_free(cert);
1146 hx509_context_free(&hctx);
1149 torture_assert_ntstatus_equal(tctx,
1150 dcerpc_bkrp_BackupKey_r(b, tctx, r),
1151 NT_STATUS_ACCESS_DENIED,
1157 static bool test_ServerWrap_encrypt_decrypt(struct torture_context *tctx,
1158 struct dcerpc_pipe *p)
1160 struct bkrp_BackupKey r;
1162 DATA_BLOB plaintext = data_blob_const(secret, sizeof(secret));
1163 DATA_BLOB encrypted;
1165 DATA_BLOB decrypted;
1167 struct dcerpc_binding_handle *b = p->binding_handle;
1168 enum dcerpc_AuthType auth_type;
1169 enum dcerpc_AuthLevel auth_level;
1172 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
1175 torture_assert_ntstatus_ok(tctx,
1176 GUID_from_string(BACKUPKEY_BACKUP_GUID, &guid),
1179 r.in.guidActionAgent = &guid;
1180 r.in.data_in = plaintext.data;
1181 r.in.data_in_len = plaintext.length;
1183 r.out.data_out = &encrypted.data;
1184 r.out.data_out_len = &enclen;
1185 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
1186 torture_assert_ntstatus_ok(tctx,
1187 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1190 torture_assert_ntstatus_equal(tctx,
1191 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1192 NT_STATUS_ACCESS_DENIED,
1196 torture_assert_werr_ok(tctx,
1199 encrypted.length = *r.out.data_out_len;
1202 torture_assert_ntstatus_ok(tctx,
1203 GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid),
1206 r.in.guidActionAgent = &guid;
1207 r.in.data_in = encrypted.data;
1208 r.in.data_in_len = encrypted.length;
1210 r.out.data_out = &(decrypted.data);
1211 r.out.data_out_len = &declen;
1212 torture_assert_ntstatus_ok(tctx,
1213 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1215 torture_assert_werr_ok(tctx,
1218 decrypted.length = *r.out.data_out_len;
1221 torture_assert_data_blob_equal(tctx, plaintext, decrypted, "Decrypt failed");
1224 torture_assert_ntstatus_ok(tctx,
1225 GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid),
1228 r.in.guidActionAgent = &guid;
1229 r.in.data_in = encrypted.data;
1230 r.in.data_in_len = encrypted.length;
1232 r.out.data_out = &(decrypted.data);
1233 r.out.data_out_len = &declen;
1234 torture_assert_ntstatus_ok(tctx,
1235 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1237 torture_assert_werr_ok(tctx,
1240 decrypted.length = *r.out.data_out_len;
1243 torture_assert_data_blob_equal(tctx, plaintext, decrypted, "Decrypt failed");
1247 static bool test_ServerWrap_decrypt_wrong_keyGUID(struct torture_context *tctx,
1248 struct dcerpc_pipe *p)
1250 struct bkrp_BackupKey r;
1252 DATA_BLOB plaintext = data_blob_const(secret, sizeof(secret));
1253 DATA_BLOB encrypted;
1255 DATA_BLOB decrypted;
1257 struct dcerpc_binding_handle *b = p->binding_handle;
1258 enum ndr_err_code ndr_err;
1259 struct bkrp_server_side_wrapped server_side_wrapped;
1260 enum dcerpc_AuthType auth_type;
1261 enum dcerpc_AuthLevel auth_level;
1264 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
1267 torture_assert_ntstatus_ok(tctx,
1268 GUID_from_string(BACKUPKEY_BACKUP_GUID, &guid),
1271 r.in.guidActionAgent = &guid;
1272 r.in.data_in = plaintext.data;
1273 r.in.data_in_len = plaintext.length;
1275 r.out.data_out = &encrypted.data;
1276 r.out.data_out_len = &enclen;
1277 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
1278 torture_assert_ntstatus_ok(tctx,
1279 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1282 torture_assert_ntstatus_equal(tctx,
1283 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1284 NT_STATUS_ACCESS_DENIED,
1288 torture_assert_werr_ok(tctx,
1291 encrypted.length = *r.out.data_out_len;
1293 ndr_err = ndr_pull_struct_blob(&encrypted, tctx, &server_side_wrapped,
1294 (ndr_pull_flags_fn_t)ndr_pull_bkrp_server_side_wrapped);
1295 torture_assert_ndr_err_equal(tctx, ndr_err, NDR_ERR_SUCCESS, "pull of server_side_wrapped");
1297 /* Change the GUID */
1298 server_side_wrapped.guid = GUID_random();
1300 ndr_err = ndr_push_struct_blob(&encrypted, tctx, &server_side_wrapped,
1301 (ndr_push_flags_fn_t)ndr_push_bkrp_server_side_wrapped);
1302 torture_assert_ndr_err_equal(tctx, ndr_err, NDR_ERR_SUCCESS, "push of server_side_wrapped");
1305 torture_assert_ntstatus_ok(tctx,
1306 GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid),
1309 r.in.guidActionAgent = &guid;
1310 r.in.data_in = encrypted.data;
1311 r.in.data_in_len = encrypted.length;
1313 r.out.data_out = &(decrypted.data);
1314 r.out.data_out_len = &declen;
1315 torture_assert_ntstatus_ok(tctx,
1316 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1318 torture_assert_werr_equal(tctx,
1321 "decrypt should fail with WERR_INVALID_DATA");
1324 torture_assert_ntstatus_ok(tctx,
1325 GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid),
1328 r.in.guidActionAgent = &guid;
1329 r.in.data_in = encrypted.data;
1330 r.in.data_in_len = encrypted.length;
1332 r.out.data_out = &(decrypted.data);
1333 r.out.data_out_len = &declen;
1334 torture_assert_ntstatus_ok(tctx,
1335 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1337 torture_assert_werr_equal(tctx,
1340 "decrypt should fail with WERR_INVALID_DATA");
1345 static bool test_ServerWrap_decrypt_empty_request(struct torture_context *tctx,
1346 struct dcerpc_pipe *p)
1348 struct bkrp_BackupKey r;
1350 DATA_BLOB decrypted;
1352 struct dcerpc_binding_handle *b = p->binding_handle;
1353 uint8_t short_request[4] = { 1, 0, 0, 0 };
1354 enum dcerpc_AuthType auth_type;
1355 enum dcerpc_AuthLevel auth_level;
1358 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
1361 torture_assert_ntstatus_ok(tctx,
1362 GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid),
1365 r.in.guidActionAgent = &guid;
1366 r.in.data_in = short_request;
1367 r.in.data_in_len = 0;
1369 r.out.data_out = &(decrypted.data);
1370 r.out.data_out_len = &declen;
1371 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
1372 torture_assert_ntstatus_ok(tctx,
1373 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1376 torture_assert_ntstatus_equal(tctx,
1377 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1378 NT_STATUS_ACCESS_DENIED,
1382 torture_assert_werr_equal(tctx,
1385 "decrypt should fail with WERR_INVALID_PARAM");
1388 torture_assert_ntstatus_ok(tctx,
1389 GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid),
1392 r.in.guidActionAgent = &guid;
1393 r.in.data_in = short_request;
1394 r.in.data_in_len = 0;
1396 r.out.data_out = &(decrypted.data);
1397 r.out.data_out_len = &declen;
1398 torture_assert_ntstatus_ok(tctx,
1399 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1401 torture_assert_werr_equal(tctx,
1404 "decrypt should fail with WERR_INVALID_PARAM");
1407 torture_assert_ntstatus_ok(tctx,
1408 GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid),
1411 r.in.guidActionAgent = &guid;
1412 r.in.data_in = NULL;
1413 r.in.data_in_len = 0;
1415 r.out.data_out = &(decrypted.data);
1416 r.out.data_out_len = &declen;
1417 torture_assert_ntstatus_equal(tctx,
1418 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1419 NT_STATUS_INVALID_PARAMETER_MIX,
1423 torture_assert_ntstatus_ok(tctx,
1424 GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid),
1427 r.in.guidActionAgent = &guid;
1428 r.in.data_in = NULL;
1429 r.in.data_in_len = 0;
1431 r.out.data_out = &(decrypted.data);
1432 r.out.data_out_len = &declen;
1433 torture_assert_ntstatus_equal(tctx,
1434 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1435 NT_STATUS_INVALID_PARAMETER_MIX,
1442 static bool test_ServerWrap_decrypt_short_request(struct torture_context *tctx,
1443 struct dcerpc_pipe *p)
1445 struct bkrp_BackupKey r;
1447 DATA_BLOB decrypted;
1449 struct dcerpc_binding_handle *b = p->binding_handle;
1450 uint8_t short_request[4] = { 1, 0, 0, 0 };
1451 enum dcerpc_AuthType auth_type;
1452 enum dcerpc_AuthLevel auth_level;
1455 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
1458 torture_assert_ntstatus_ok(tctx,
1459 GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid),
1462 r.in.guidActionAgent = &guid;
1463 r.in.data_in = short_request;
1464 r.in.data_in_len = 4;
1466 r.out.data_out = &(decrypted.data);
1467 r.out.data_out_len = &declen;
1468 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
1469 torture_assert_ntstatus_ok(tctx,
1470 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1473 torture_assert_ntstatus_equal(tctx,
1474 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1475 NT_STATUS_ACCESS_DENIED,
1479 torture_assert_werr_equal(tctx,
1482 "decrypt should fail with WERR_INVALID_PARM");
1485 torture_assert_ntstatus_ok(tctx,
1486 GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid),
1489 r.in.guidActionAgent = &guid;
1490 r.in.data_in = short_request;
1491 r.in.data_in_len = 4;
1493 r.out.data_out = &(decrypted.data);
1494 r.out.data_out_len = &declen;
1495 torture_assert_ntstatus_ok(tctx,
1496 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1498 torture_assert_werr_equal(tctx,
1501 "decrypt should fail with WERR_INVALID_PARAM");
1504 torture_assert_ntstatus_ok(tctx,
1505 GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid),
1508 r.in.guidActionAgent = &guid;
1509 r.in.data_in = short_request;
1510 r.in.data_in_len = 1;
1512 r.out.data_out = &(decrypted.data);
1513 r.out.data_out_len = &declen;
1514 torture_assert_ntstatus_ok(tctx,
1515 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1517 torture_assert_werr_equal(tctx,
1520 "decrypt should fail with WERR_INVALID_PARAM");
1523 torture_assert_ntstatus_ok(tctx,
1524 GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid),
1527 r.in.guidActionAgent = &guid;
1528 r.in.data_in = short_request;
1529 r.in.data_in_len = 1;
1531 r.out.data_out = &(decrypted.data);
1532 r.out.data_out_len = &declen;
1533 torture_assert_ntstatus_ok(tctx,
1534 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1536 torture_assert_werr_equal(tctx,
1539 "decrypt should fail with WERR_INVALID_PARAM");
1544 static bool test_ServerWrap_encrypt_decrypt_manual(struct torture_context *tctx,
1545 struct bkrp_server_side_wrapped *server_side_wrapped,
1546 enum test_wrong wrong)
1548 struct dcerpc_pipe *lsa_p;
1549 struct dcerpc_binding_handle *lsa_b;
1550 struct lsa_OpenSecret r_secret;
1551 struct lsa_QuerySecret r_query_secret;
1552 struct policy_handle *handle, sec_handle;
1553 struct bkrp_BackupKey r;
1554 struct GUID preferred_key_guid;
1555 DATA_BLOB plaintext = data_blob_const(secret, sizeof(secret));
1556 DATA_BLOB preferred_key, preferred_key_clear, session_key,
1557 decrypt_key, decrypt_key_clear, encrypted_blob, symkey_blob,
1559 struct bkrp_dc_serverwrap_key server_key;
1560 struct lsa_DATA_BUF_PTR bufp1;
1561 char *key_guid_string;
1562 struct bkrp_rc4encryptedpayload rc4payload;
1563 struct dom_sid *caller_sid;
1564 uint8_t symkey[20]; /* SHA-1 hash len */
1565 uint8_t mackey[20]; /* SHA-1 hash len */
1566 uint8_t mac[20]; /* SHA-1 hash len */
1567 unsigned int hash_len;
1570 ZERO_STRUCT(r_secret);
1571 ZERO_STRUCT(r_query_secret);
1573 /* Now read BCKUPKEY_P and prove we can do a matching decrypt and encrypt */
1575 torture_assert_ntstatus_ok(tctx,
1576 torture_rpc_connection(tctx, &lsa_p, &ndr_table_lsarpc),
1577 "Opening LSA pipe");
1578 lsa_b = lsa_p->binding_handle;
1580 torture_assert(tctx, test_lsa_OpenPolicy2(lsa_b, tctx, &handle), "OpenPolicy failed");
1581 r_secret.in.name.string = "G$BCKUPKEY_P";
1583 r_secret.in.handle = handle;
1584 r_secret.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1585 r_secret.out.sec_handle = &sec_handle;
1587 torture_comment(tctx, "Testing OpenSecret\n");
1589 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenSecret_r(lsa_b, tctx, &r_secret),
1590 "OpenSecret failed");
1591 torture_assert_ntstatus_ok(tctx, r_secret.out.result,
1592 "OpenSecret failed");
1594 r_query_secret.in.sec_handle = &sec_handle;
1595 r_query_secret.in.new_val = &bufp1;
1598 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(lsa_b, tctx, &r_query_secret),
1599 "QuerySecret failed");
1600 torture_assert_ntstatus_ok(tctx, r_query_secret.out.result,
1601 "QuerySecret failed");
1604 preferred_key.data = r_query_secret.out.new_val->buf->data;
1605 preferred_key.length = r_query_secret.out.new_val->buf->size;
1606 torture_assert_ntstatus_ok(tctx, dcerpc_fetch_session_key(lsa_p, &session_key),
1607 "dcerpc_fetch_session_key failed");
1609 torture_assert_ntstatus_ok(tctx,
1610 sess_decrypt_blob(tctx,
1611 &preferred_key, &session_key, &preferred_key_clear),
1612 "sess_decrypt_blob failed");
1614 torture_assert_ntstatus_ok(tctx, GUID_from_ndr_blob(&preferred_key_clear, &preferred_key_guid),
1615 "GUID parse failed");
1617 torture_assert_guid_equal(tctx, server_side_wrapped->guid,
1619 "GUID didn't match value pointed at by G$BCKUPKEY_P");
1621 /* And read BCKUPKEY_<guid> and get the actual key */
1623 key_guid_string = GUID_string(tctx, &server_side_wrapped->guid);
1624 r_secret.in.name.string = talloc_asprintf(tctx, "G$BCKUPKEY_%s", key_guid_string);
1626 r_secret.in.handle = handle;
1627 r_secret.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1628 r_secret.out.sec_handle = &sec_handle;
1630 torture_comment(tctx, "Testing OpenSecret\n");
1632 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenSecret_r(lsa_b, tctx, &r_secret),
1633 "OpenSecret failed");
1634 torture_assert_ntstatus_ok(tctx, r_secret.out.result,
1635 "OpenSecret failed");
1637 r_query_secret.in.sec_handle = &sec_handle;
1638 r_query_secret.in.new_val = &bufp1;
1640 torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(lsa_b, tctx, &r_query_secret),
1641 "QuerySecret failed");
1642 torture_assert_ntstatus_ok(tctx, r_query_secret.out.result,
1643 "QuerySecret failed");
1646 decrypt_key.data = r_query_secret.out.new_val->buf->data;
1647 decrypt_key.length = r_query_secret.out.new_val->buf->size;
1649 torture_assert_ntstatus_ok(tctx,
1650 sess_decrypt_blob(tctx,
1651 &decrypt_key, &session_key, &decrypt_key_clear),
1652 "sess_decrypt_blob failed");
1654 torture_assert_ndr_err_equal(tctx, ndr_pull_struct_blob(&decrypt_key_clear, tctx, &server_key,
1655 (ndr_pull_flags_fn_t)ndr_pull_bkrp_dc_serverwrap_key),
1656 NDR_ERR_SUCCESS, "Failed to parse server_key");
1658 torture_assert_int_equal(tctx, server_key.magic, 1, "Failed to correctly decrypt server key");
1661 * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
1662 * BACKUPKEY_BACKUP_GUID, it really is the whole key
1664 HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key),
1665 server_side_wrapped->r2, sizeof(server_side_wrapped->r2),
1668 /* rc4 decrypt sid and secret using sym key */
1669 symkey_blob = data_blob_const(symkey, sizeof(symkey));
1671 encrypted_blob = data_blob_talloc(tctx, server_side_wrapped->rc4encryptedpayload,
1672 server_side_wrapped->ciphertext_length);
1674 arcfour_crypt_blob(encrypted_blob.data, encrypted_blob.length, &symkey_blob);
1676 torture_assert_ndr_err_equal(tctx, ndr_pull_struct_blob(&encrypted_blob, tctx, &rc4payload,
1677 (ndr_pull_flags_fn_t)ndr_pull_bkrp_rc4encryptedpayload),
1678 NDR_ERR_SUCCESS, "Failed to parse rc4encryptedpayload");
1680 torture_assert_int_equal(tctx, rc4payload.secret_data.length,
1681 server_side_wrapped->payload_length,
1682 "length of decrypted payload not the length declared in surrounding structure");
1685 * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
1686 * BACKUPKEY_BACKUP_GUID, it really is the whole key
1688 HMAC(EVP_sha1(), server_key.key, sizeof(server_key.key),
1689 rc4payload.r3, sizeof(rc4payload.r3),
1692 torture_assert_ndr_err_equal(tctx, ndr_push_struct_blob(&sid_blob, tctx, &rc4payload.sid,
1693 (ndr_push_flags_fn_t)ndr_push_dom_sid),
1694 NDR_ERR_SUCCESS, "unable to push SID");
1696 HMAC_CTX_init(&ctx);
1697 HMAC_Init_ex(&ctx, mackey, hash_len, EVP_sha1(), NULL);
1699 HMAC_Update(&ctx, sid_blob.data, sid_blob.length);
1701 HMAC_Update(&ctx, rc4payload.secret_data.data, rc4payload.secret_data.length);
1702 HMAC_Final(&ctx, mac, &hash_len);
1703 HMAC_CTX_cleanup(&ctx);
1705 torture_assert_mem_equal(tctx, mac, rc4payload.mac, sizeof(mac), "mac not correct");
1706 torture_assert_int_equal(tctx, rc4payload.secret_data.length,
1707 plaintext.length, "decrypted data is not correct length");
1708 torture_assert_mem_equal(tctx, rc4payload.secret_data.data,
1709 plaintext.data, plaintext.length,
1710 "decrypted data is not correct");
1712 /* Not strictly correct all the time, but good enough for this test */
1713 caller_sid = get_user_sid(tctx, tctx, cli_credentials_get_username(cmdline_credentials));
1715 torture_assert_sid_equal(tctx, &rc4payload.sid, caller_sid, "Secret saved with wrong SID");
1720 if (wrong == WRONG_SID) {
1721 rc4payload.sid.sub_auths[rc4payload.sid.num_auths - 1] = DOMAIN_RID_KRBTGT;
1724 dump_data_pw("mackey: \n", mackey, sizeof(mackey));
1726 torture_assert_ndr_err_equal(tctx,
1727 ndr_push_struct_blob(&sid_blob, tctx, &rc4payload.sid,
1728 (ndr_push_flags_fn_t)ndr_push_dom_sid),
1730 "push of sid failed");
1732 HMAC_CTX_init(&ctx);
1733 HMAC_Init_ex(&ctx, mackey, 20, EVP_sha1(), NULL);
1735 HMAC_Update(&ctx, sid_blob.data, sid_blob.length);
1737 HMAC_Update(&ctx, rc4payload.secret_data.data, rc4payload.secret_data.length);
1738 HMAC_Final(&ctx, rc4payload.mac, &hash_len);
1739 HMAC_CTX_cleanup(&ctx);
1741 dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac));
1743 torture_assert_ndr_err_equal(tctx,
1744 ndr_push_struct_blob(&encrypted_blob, tctx, &rc4payload,
1745 (ndr_push_flags_fn_t)ndr_push_bkrp_rc4encryptedpayload),
1747 "push of rc4payload failed");
1749 if (wrong == WRONG_KEY) {
1750 symkey_blob.data[0] = 78;
1751 symkey_blob.data[1] = 78;
1752 symkey_blob.data[2] = 78;
1755 /* rc4 encrypt sid and secret using sym key */
1756 arcfour_crypt_blob(encrypted_blob.data, encrypted_blob.length, &symkey_blob);
1758 /* re-create server wrap structure */
1760 torture_assert_int_equal(tctx, encrypted_blob.length,
1761 server_side_wrapped->ciphertext_length,
1762 "expected encrypted length not to change");
1763 if (wrong == RIGHT_KEY) {
1764 torture_assert_mem_equal(tctx, server_side_wrapped->rc4encryptedpayload,
1765 encrypted_blob.data,
1766 encrypted_blob.length,
1767 "expected encrypted data not to change");
1770 server_side_wrapped->payload_length = rc4payload.secret_data.length;
1771 server_side_wrapped->ciphertext_length = encrypted_blob.length;
1772 server_side_wrapped->rc4encryptedpayload = encrypted_blob.data;
1778 static bool test_ServerWrap_decrypt_wrong_stuff(struct torture_context *tctx,
1779 struct dcerpc_pipe *p,
1780 enum test_wrong wrong)
1782 struct bkrp_BackupKey r;
1784 DATA_BLOB plaintext = data_blob_const(secret, sizeof(secret));
1785 DATA_BLOB encrypted;
1787 DATA_BLOB decrypted;
1789 struct dcerpc_binding_handle *b = p->binding_handle;
1790 enum ndr_err_code ndr_err;
1791 struct bkrp_server_side_wrapped server_side_wrapped;
1792 bool repush = false;
1793 enum dcerpc_AuthType auth_type;
1794 enum dcerpc_AuthLevel auth_level;
1797 dcerpc_binding_handle_auth_info(b, &auth_type, &auth_level);
1800 torture_assert_ntstatus_ok(tctx,
1801 GUID_from_string(BACKUPKEY_BACKUP_GUID, &guid),
1804 r.in.guidActionAgent = &guid;
1805 r.in.data_in = plaintext.data;
1806 r.in.data_in_len = plaintext.length;
1808 r.out.data_out = &encrypted.data;
1809 r.out.data_out_len = &enclen;
1810 if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
1811 torture_assert_ntstatus_ok(tctx,
1812 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1815 torture_assert_ntstatus_equal(tctx,
1816 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1817 NT_STATUS_ACCESS_DENIED,
1821 torture_assert_werr_ok(tctx,
1824 encrypted.length = *r.out.data_out_len;
1826 ndr_err = ndr_pull_struct_blob(&encrypted, tctx, &server_side_wrapped,
1827 (ndr_pull_flags_fn_t)ndr_pull_bkrp_server_side_wrapped);
1828 torture_assert_ndr_err_equal(tctx, ndr_err, NDR_ERR_SUCCESS, "pull of server_side_wrapped");
1830 torture_assert_int_equal(tctx, server_side_wrapped.payload_length, plaintext.length,
1831 "wrong payload length");
1835 /* Change the magic. Forced by our NDR layer, so do it raw */
1836 SIVAL(encrypted.data, 0, 78); /* valid values are 1-3 */
1839 server_side_wrapped.r2[0] = 78;
1840 server_side_wrapped.r2[1] = 78;
1841 server_side_wrapped.r2[3] = 78;
1844 case WRONG_PAYLOAD_LENGTH:
1845 server_side_wrapped.payload_length = UINT32_MAX - 8;
1848 case WRONG_CIPHERTEXT_LENGTH:
1850 * Change the ciphertext len. We can't push this if
1851 * we have it wrong, so do it raw
1853 SIVAL(encrypted.data, 8, UINT32_MAX - 8); /* valid values are 1-3 */
1855 case SHORT_PAYLOAD_LENGTH:
1856 server_side_wrapped.payload_length = server_side_wrapped.payload_length - 8;
1859 case SHORT_CIPHERTEXT_LENGTH:
1861 * Change the ciphertext len. We can't push this if
1862 * we have it wrong, so do it raw
1864 SIVAL(encrypted.data, 8, server_side_wrapped.ciphertext_length - 8); /* valid values are 1-3 */
1866 case ZERO_PAYLOAD_LENGTH:
1867 server_side_wrapped.payload_length = 0;
1870 case ZERO_CIPHERTEXT_LENGTH:
1872 * Change the ciphertext len. We can't push this if
1873 * we have it wrong, so do it raw
1875 SIVAL(encrypted.data, 8, 0); /* valid values are 1-3 */
1881 torture_assert(tctx,
1882 test_ServerWrap_encrypt_decrypt_manual(tctx, &server_side_wrapped, wrong),
1883 "test_ServerWrap_encrypt_decrypt_manual failed");
1889 ndr_err = ndr_push_struct_blob(&encrypted, tctx, &server_side_wrapped,
1890 (ndr_push_flags_fn_t)ndr_push_bkrp_server_side_wrapped);
1891 torture_assert_ndr_err_equal(tctx, ndr_err, NDR_ERR_SUCCESS, "push of server_side_wrapped");
1895 torture_assert_ntstatus_ok(tctx,
1896 GUID_from_string(BACKUPKEY_RESTORE_GUID, &guid),
1899 r.in.guidActionAgent = &guid;
1900 r.in.data_in = encrypted.data;
1901 r.in.data_in_len = encrypted.length;
1903 r.out.data_out = &(decrypted.data);
1904 r.out.data_out_len = &declen;
1905 torture_assert_ntstatus_ok(tctx,
1906 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1909 if ((wrong == WRONG_R2 || wrong == WRONG_KEY)
1910 && W_ERROR_EQUAL(r.out.result, WERR_INVALID_SID)) {
1911 torture_assert_werr_equal(tctx,
1914 "decrypt should fail with WERR_INVALID_SID or WERR_INVALID_PARAM");
1915 } else if (wrong == RIGHT_KEY) {
1916 torture_assert_werr_equal(tctx,
1919 "decrypt should succeed!");
1920 } else if (wrong == WRONG_SID) {
1921 torture_assert_werr_equal(tctx,
1923 WERR_INVALID_ACCESS,
1924 "decrypt should fail with WERR_INVALID_ACCESS");
1926 torture_assert_werr_equal(tctx,
1929 "decrypt should fail with WERR_INVALID_PARAM");
1933 torture_assert_ntstatus_ok(tctx,
1934 GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid),
1937 r.in.guidActionAgent = &guid;
1938 r.in.data_in = encrypted.data;
1939 r.in.data_in_len = encrypted.length;
1941 r.out.data_out = &(decrypted.data);
1942 r.out.data_out_len = &declen;
1943 torture_assert_ntstatus_ok(tctx,
1944 dcerpc_bkrp_BackupKey_r(b, tctx, &r),
1947 if ((wrong == WRONG_R2 || wrong == WRONG_KEY)
1948 && W_ERROR_EQUAL(r.out.result, WERR_INVALID_SID)) {
1949 torture_assert_werr_equal(tctx,
1952 "decrypt should fail with WERR_INVALID_SID or WERR_INVALID_PARAM");
1953 } else if (wrong == RIGHT_KEY) {
1954 torture_assert_werr_equal(tctx,
1957 "decrypt should succeed!");
1958 } else if (wrong == WRONG_SID) {
1959 torture_assert_werr_equal(tctx,
1961 WERR_INVALID_ACCESS,
1962 "decrypt should fail with WERR_INVALID_ACCESS");
1964 torture_assert_werr_equal(tctx,
1967 "decrypt should fail with WERR_INVALID_PARAM");
1973 static bool test_ServerWrap_decrypt_wrong_magic(struct torture_context *tctx,
1974 struct dcerpc_pipe *p)
1976 return test_ServerWrap_decrypt_wrong_stuff(tctx, p, WRONG_MAGIC);
1979 static bool test_ServerWrap_decrypt_wrong_r2(struct torture_context *tctx,
1980 struct dcerpc_pipe *p)
1982 return test_ServerWrap_decrypt_wrong_stuff(tctx, p, WRONG_R2);
1985 static bool test_ServerWrap_decrypt_wrong_payload_length(struct torture_context *tctx,
1986 struct dcerpc_pipe *p)
1988 return test_ServerWrap_decrypt_wrong_stuff(tctx, p, WRONG_PAYLOAD_LENGTH);
1991 static bool test_ServerWrap_decrypt_short_payload_length(struct torture_context *tctx,
1992 struct dcerpc_pipe *p)
1994 return test_ServerWrap_decrypt_wrong_stuff(tctx, p, SHORT_PAYLOAD_LENGTH);
1997 static bool test_ServerWrap_decrypt_zero_payload_length(struct torture_context *tctx,
1998 struct dcerpc_pipe *p)
2000 return test_ServerWrap_decrypt_wrong_stuff(tctx, p, ZERO_PAYLOAD_LENGTH);
2003 static bool test_ServerWrap_decrypt_wrong_ciphertext_length(struct torture_context *tctx,
2004 struct dcerpc_pipe *p)
2006 return test_ServerWrap_decrypt_wrong_stuff(tctx, p, WRONG_CIPHERTEXT_LENGTH);
2009 static bool test_ServerWrap_decrypt_short_ciphertext_length(struct torture_context *tctx,
2010 struct dcerpc_pipe *p)
2012 return test_ServerWrap_decrypt_wrong_stuff(tctx, p, SHORT_CIPHERTEXT_LENGTH);
2015 static bool test_ServerWrap_decrypt_zero_ciphertext_length(struct torture_context *tctx,
2016 struct dcerpc_pipe *p)
2018 return test_ServerWrap_decrypt_wrong_stuff(tctx, p, ZERO_CIPHERTEXT_LENGTH);
2021 static bool test_ServerWrap_encrypt_decrypt_remote_key(struct torture_context *tctx,
2022 struct dcerpc_pipe *p)
2024 return test_ServerWrap_decrypt_wrong_stuff(tctx, p, RIGHT_KEY);
2027 static bool test_ServerWrap_encrypt_decrypt_wrong_key(struct torture_context *tctx,
2028 struct dcerpc_pipe *p)
2030 return test_ServerWrap_decrypt_wrong_stuff(tctx, p, WRONG_KEY);
2033 static bool test_ServerWrap_encrypt_decrypt_wrong_sid(struct torture_context *tctx,
2034 struct dcerpc_pipe *p)
2036 return test_ServerWrap_decrypt_wrong_stuff(tctx, p, WRONG_SID);
2039 static bool test_skip(struct torture_context *tctx,
2042 torture_skip(tctx, "Skip backupkey test with MIT Kerberos");
2048 struct torture_suite *torture_rpc_backupkey(TALLOC_CTX *mem_ctx)
2050 struct torture_suite *suite = torture_suite_create(mem_ctx, "backupkey");
2052 #ifdef SAMBA4_USES_HEIMDAL
2053 struct torture_rpc_tcase *tcase;
2055 tcase = torture_suite_add_rpc_iface_tcase(suite, "backupkey",
2056 &ndr_table_backupkey);
2058 torture_rpc_tcase_add_test(tcase, "retreive_backup_key_guid",
2059 test_RetreiveBackupKeyGUID);
2061 torture_rpc_tcase_add_test(tcase, "restore_guid",
2064 torture_rpc_tcase_add_test(tcase, "restore_guid version 3",
2065 test_RestoreGUID_v3);
2067 /* We double the test in order to be sure that we don't mess stuff (ie. freeing static stuff) */
2069 torture_rpc_tcase_add_test(tcase, "restore_guid_2nd",
2072 torture_rpc_tcase_add_test(tcase, "unable_to_decrypt_secret",
2073 test_RestoreGUID_ko);
2075 torture_rpc_tcase_add_test(tcase, "wrong_user_restore_guid",
2076 test_RestoreGUID_wronguser);
2078 torture_rpc_tcase_add_test(tcase, "wrong_version_restore_guid",
2079 test_RestoreGUID_wrongversion);
2081 torture_rpc_tcase_add_test(tcase, "bad_magic_on_secret_restore_guid",
2082 test_RestoreGUID_badmagiconsecret);
2084 torture_rpc_tcase_add_test(tcase, "bad_hash_on_secret_restore_guid",
2085 test_RestoreGUID_badhashaccesscheck);
2087 torture_rpc_tcase_add_test(tcase, "bad_magic_on_accesscheck_restore_guid",
2088 test_RestoreGUID_badmagicaccesscheck);
2090 torture_rpc_tcase_add_test(tcase, "bad_cert_guid_restore_guid",
2091 test_RestoreGUID_badcertguid);
2093 torture_rpc_tcase_add_test(tcase, "empty_request_restore_guid",
2094 test_RestoreGUID_emptyrequest);
2096 torture_rpc_tcase_add_test(tcase, "retreive_backup_key_guid_2048_bits",
2097 test_RetreiveBackupKeyGUID_2048bits);
2099 torture_rpc_tcase_add_test(tcase, "server_wrap_encrypt_decrypt",
2100 test_ServerWrap_encrypt_decrypt);
2102 torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_wrong_keyGUID",
2103 test_ServerWrap_decrypt_wrong_keyGUID);
2105 torture_rpc_tcase_add_test(tcase, "server_wrap_empty_request",
2106 test_ServerWrap_decrypt_empty_request);
2108 torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_short_request",
2109 test_ServerWrap_decrypt_short_request);
2111 torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_wrong_magic",
2112 test_ServerWrap_decrypt_wrong_magic);
2114 torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_wrong_r2",
2115 test_ServerWrap_decrypt_wrong_r2);
2117 torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_wrong_payload_length",
2118 test_ServerWrap_decrypt_wrong_payload_length);
2120 torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_short_payload_length",
2121 test_ServerWrap_decrypt_short_payload_length);
2123 torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_zero_payload_length",
2124 test_ServerWrap_decrypt_zero_payload_length);
2126 torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_wrong_ciphertext_length",
2127 test_ServerWrap_decrypt_wrong_ciphertext_length);
2129 torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_short_ciphertext_length",
2130 test_ServerWrap_decrypt_short_ciphertext_length);
2132 torture_rpc_tcase_add_test(tcase, "server_wrap_decrypt_zero_ciphertext_length",
2133 test_ServerWrap_decrypt_zero_ciphertext_length);
2135 torture_rpc_tcase_add_test(tcase, "server_wrap_encrypt_decrypt_remote_key",
2136 test_ServerWrap_encrypt_decrypt_remote_key);
2138 torture_rpc_tcase_add_test(tcase, "server_wrap_encrypt_decrypt_wrong_key",
2139 test_ServerWrap_encrypt_decrypt_wrong_key);
2141 torture_rpc_tcase_add_test(tcase, "server_wrap_encrypt_decrypt_wrong_sid",
2142 test_ServerWrap_encrypt_decrypt_wrong_sid);
2144 struct torture_tcase *tcase;
2146 tcase = torture_suite_add_tcase(suite, "backupkey");
2148 torture_tcase_add_simple_test(tcase, "skip",