The branch, master has been updated via f29d31a7e0f7b397cbcbb83d1b1c0ce233e948e9 (commit) via c0b67b4aa6253434ebbb71bf78f599ace351803f (commit) via 97c3ae12cff3d301d0bb0b259d7bcee4a55a6e4d (commit) from b514da4afd73251dfcce24162f33803d5d0ca616 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit f29d31a7e0f7b397cbcbb83d1b1c0ce233e948e9 Author: Günther Deschner <[EMAIL PROTECTED]> Date: Fri Dec 5 16:11:15 2008 +0100 s4-smbtorture: do full level 18, 21, 23, 24, 25, 26 testing in pwdlastset test. Guenther commit c0b67b4aa6253434ebbb71bf78f599ace351803f Author: Günther Deschner <[EMAIL PROTECTED]> Date: Fri Dec 5 16:07:06 2008 +0100 s4-smbtorture: add support for level 18 and 21 in test_SetUserPass_level_ex. Guenther commit 97c3ae12cff3d301d0bb0b259d7bcee4a55a6e4d Author: Günther Deschner <[EMAIL PROTECTED]> Date: Tue Dec 2 23:22:14 2008 +0100 s4-smbtorture: more tests for RPC-SAMR-PASSWORDS-PWDLASTSET. Guenther ----------------------------------------------------------------------- Summary of changes: source4/torture/rpc/samr.c | 452 ++++++++++++++++++++++++++------------------ 1 files changed, 268 insertions(+), 184 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index 2e59a06..d29c864 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -1041,9 +1041,11 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, uint16_t level, uint32_t fields_present, char **password, uint8_t password_expired, - bool use_setinfo2, NTSTATUS expected_error) + bool use_setinfo2, + bool *matched_expected_error) { NTSTATUS status; + NTSTATUS expected_error = NT_STATUS_OK; struct samr_SetUserInfo s; struct samr_SetUserInfo2 s2; union samr_UserInfo u; @@ -1057,6 +1059,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, struct samr_PwInfo info; int policy_min_pw_len = 0; const char *comment = NULL; + uint8_t lm_hash[16], nt_hash[16]; pwp.in.user_handle = handle; pwp.out.info = &info; 
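Review bot: The new `bool *matched_expected_error` out-parameter of `test_SetUserPass_level_ex` is only ever written on the early-return path (the `*matched_expected_error = true;` added in the +1243 hunk) and is never cleared inside the function, so its value after a call depends on the caller having set it to false beforehand. The set #2 call in `test_SetPassword_pwdlastset` passes the same variable that set #1 used. Adding `*matched_expected_error = false;` at the top of the body, plus a one-line comment on the signature saying the flag reports "the call failed with the status this test expects", would make the contract explicit. The rest of the function body lies outside this hunk.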
@@ -1084,11 +1087,40 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, ZERO_STRUCT(u); switch (level) { + case 18: + E_md4hash(newpass, nt_hash); + E_deshash(newpass, lm_hash); + + u.info18.nt_pwd_active = true; + u.info18.lm_pwd_active = true; + u.info18.password_expired = password_expired; + + memcpy(u.info18.lm_pwd.hash, lm_hash, 16); + memcpy(u.info18.nt_pwd.hash, nt_hash, 16); + + break; case 21: + E_md4hash(newpass, nt_hash); + E_deshash(newpass, lm_hash); + u.info21.fields_present = fields_present; u.info21.password_expired = password_expired; u.info21.comment.string = comment; + if (fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT) { + u.info21.lm_owf_password.length = 16; + u.info21.lm_owf_password.size = 16; + u.info21.lm_owf_password.array = (uint16_t *)lm_hash; + u.info21.lm_password_set = true; + } + + if (fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) { + u.info21.nt_owf_password.length = 16; + u.info21.nt_owf_password.size = 16; + u.info21.nt_owf_password.array = (uint16_t *)nt_hash; + u.info21.nt_password_set = true; + } + break; case 23: u.info23.info.fields_present = fields_present; 
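Review bot: In the new `case 18:` and `case 21:` arms the return value of `E_deshash(newpass, lm_hash)` is discarded, yet `u.info18.lm_pwd_active = true` is set unconditionally and level 21 sets `lm_password_set = true` whenever the LM bit is in `fields_present`. If I read the helper correctly it returns false when no exact LM hash can be formed from the password (for instance when it is longer than 14 characters), in which case the test would send an LM hash that does not correspond to `newpass`; consider `bool lm_ok = E_deshash(newpass, lm_hash);` and `u.info18.lm_pwd_active = lm_ok;`. Separately, `(uint16_t *)lm_hash` and `(uint16_t *)nt_hash` point a `uint16_t *` at `uint8_t[16]` stack arrays, which carries no alignment guarantee; a short comment that the 16 bytes are treated as an opaque blob, or an explicitly aligned buffer, would address that. The switch continues outside this hunk.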
@@ -1135,6 +1167,41 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, MD5Final(confounded_session_key.data, &ctx); switch (level) { + case 18: + { + DATA_BLOB in,out; + in = data_blob_const(u.info18.nt_pwd.hash, 16); + out = data_blob_talloc_zero(tctx, 16); + sess_crypt_blob(&out, &in, &session_key, true); + memcpy(u.info18.nt_pwd.hash, out.data, out.length); + } + { + DATA_BLOB in,out; + in = data_blob_const(u.info18.lm_pwd.hash, 16); + out = data_blob_talloc_zero(tctx, 16); + sess_crypt_blob(&out, &in, &session_key, true); + memcpy(u.info18.lm_pwd.hash, out.data, out.length); + } + + break; + case 21: + if (fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT) { + DATA_BLOB in,out; + in = data_blob_const(u.info21.lm_owf_password.array, + u.info21.lm_owf_password.length); + out = data_blob_talloc_zero(tctx, 16); + sess_crypt_blob(&out, &in, &session_key, true); + u.info21.lm_owf_password.array = (uint16_t *)out.data; + } + if (fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) { + DATA_BLOB in,out; + in = data_blob_const(u.info21.nt_owf_password.array, + u.info21.nt_owf_password.length); + out = data_blob_talloc_zero(tctx, 16); + sess_crypt_blob(&out, &in, &session_key, true); + u.info21.nt_owf_password.array = (uint16_t *)out.data; + } + break; case 23: arcfour_crypt_blob(u.info23.password.data, 516, &session_key); break; @@ -1157,6 +1224,15 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, status = dcerpc_samr_SetUserInfo(p, tctx, &s); } + if (!NT_STATUS_IS_OK(status)) { + if (fields_present == 0) { + expected_error = NT_STATUS_INVALID_PARAMETER; + } + if (fields_present & SAMR_FIELD_LAST_PWD_CHANGE) { + expected_error = NT_STATUS_ACCESS_DENIED; + } + } + if (!NT_STATUS_IS_OK(expected_error)) { if (use_setinfo2) { torture_assert_ntstatus_equal(tctx, @@ -1167,6 +1243,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, s.out.result, expected_error, "SetUserInfo failed"); } + *matched_expected_error = true; return true; } 
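Review bot: The four new encryption blocks under `case 18:` and `case 21:` use `out` from `data_blob_talloc_zero(tctx, 16)` without checking `out.data`, and the level 21 arms store that unchecked pointer straight into `u.info21.lm_owf_password.array` / `nt_owf_password.array` while the length field still says 16. A check such as `torture_assert(tctx, out.data != NULL, "data_blob_talloc_zero failed");` after each allocation turns an allocation failure into a clean test failure instead of a NULL buffer being marshalled. The blocks differ only in source and destination, so one static helper that takes the 16-byte buffer and `&session_key` would remove the repetition and give a single place for the check. The level 21 arms also size the input from `lm_owf_password.length` while the output is fixed at 16; using one constant for both would make the size assumption visible.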
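Review bot: Deriving `expected_error` only inside `if (!NT_STATUS_IS_OK(status))` (hunk +1224) means the test no longer requires the refusal: a server that accepts a set carrying `SAMR_FIELD_LAST_PWD_CHANGE` returns success, `expected_error` stays `NT_STATUS_OK`, and the call is treated as an ordinary pass. The `pwd_tests[]` table removed later in this commit asserted `NT_STATUS_ACCESS_DENIED` for that field on levels 21, 23 and 25 and `NT_STATUS_INVALID_PARAMETER` for an empty mask on levels 21 and 23, so this drops the negative coverage for a client-supplied pwdLastSet. The mapping is also applied to every level, including the new level 18 arm, which does not read `fields_present` at all. I would decide the expected status from `level` and `fields_present` before issuing the call, as sketched below; whether level 25 with an empty mask belongs in the list needs confirming, since the old table had no such entry. The function body starts and ends outside this hunk.

```c
/* decide the required outcome before the request is sent */
switch (level) {
case 21:
case 23:
case 25:
	if (fields_present == 0) {
		expected_error = NT_STATUS_INVALID_PARAMETER;
	}
	if (fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
		expected_error = NT_STATUS_ACCESS_DENIED;
	}
	break;
default:
	/* levels without a field mask: no error expected from the mask */
	break;
}
/* … unchanged: SetUserInfo / SetUserInfo2 call and the expected_error assert … */
```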
@@ -1175,9 +1252,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p, use_setinfo2 ? "2":"", level, nt_errstr(status)); ret = false; } else { - if (level != 21) { - *password = newpass; - } + *password = newpass; } return ret; @@ -2550,7 +2625,7 @@ static bool test_SetPassword_level(struct dcerpc_pipe *p, uint16_t level, uint32_t fields_present, uint8_t password_expired, - NTSTATUS expected_error, + bool *matched_expected_error, bool use_setinfo2, char **password, bool use_queryinfo2, @@ -2575,23 +2650,13 @@ static bool test_SetPassword_level(struct dcerpc_pipe *p, use_setinfo2 ? "2":"", level, password_expired, fields ? fields : ""); - switch (level) { - case 21: - case 23: - case 24: - case 25: - case 26: - if (!test_SetUserPass_level_ex(p, tctx, handle, level, - fields_present, - password, - password_expired, - use_setinfo2, - expected_error)) { - ret = false; - } - break; - default: - return false; + if (!test_SetUserPass_level_ex(p, tctx, handle, level, + fields_present, + password, + password_expired, + use_setinfo2, + matched_expected_error)) { + ret = false; } if (!test_QueryUserInfo_pwdlastset(p, tctx, handle, 
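Review bot: With the `level != 21` guard removed in the -1175 hunk, `*password = newpass;` now runs after every successful call, including level 21 sets whose `fields_present` has neither `SAMR_FIELD_NT_PASSWORD_PRESENT` nor `SAMR_FIELD_LM_PASSWORD_PRESENT` (for example `SAMR_FIELD_COMMENT` alone), where the +1087 hunk leaves the hashes out of the request. The caller's tracked password would then differ from what the server holds, which can make later password tests fail for an unrelated reason. Consider wrapping the assignment in `if (level == 18 || level == 24 || level == 26 || (fields_present & (SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LM_PASSWORD_PRESENT))) {`. How `*password` is consumed afterwards is outside the visible hunks, so treat the impact as likely rather than certain.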
@@ -2609,144 +2674,26 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p, struct policy_handle *handle, char **password) { - int i, s = 0, q = 0; + int i, s = 0, q = 0, f = 0, l = 0, z = 0; bool ret = true; int delay = 500000; bool set_levels[] = { false, true }; bool query_levels[] = { false, true }; - - struct { - uint16_t level; - uint8_t password_expired_nonzero; - uint32_t fields_present; - bool query_info2; - bool set_info2; - NTSTATUS set_error; - } pwd_tests[] = { - - /* level 21 */ - { - .level = 21, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_EXPIRED_FLAG - },{ - .level = 21, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_LAST_PWD_CHANGE, - .set_error = NT_STATUS_ACCESS_DENIED - },{ - .level = 21, - .password_expired_nonzero = 1, - .fields_present = 0, - .set_error = NT_STATUS_INVALID_PARAMETER - },{ - .level = 21, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_COMMENT, - -#if 0 - /* FIXME */ - },{ - .level = 21, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_NT_PASSWORD_PRESENT | - SAMR_FIELD_LM_PASSWORD_PRESENT | - SAMR_FIELD_LAST_PWD_CHANGE, - .query_info2 = false, - .set_error = NT_STATUS_ACCESS_DENIED -#endif - - /* level 23 */ - },{ - .level = 23, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_EXPIRED_FLAG - },{ - .level = 23, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_LAST_PWD_CHANGE, - .set_error = NT_STATUS_ACCESS_DENIED - },{ - .level = 23, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_LAST_PWD_CHANGE | - SAMR_FIELD_NT_PASSWORD_PRESENT | - SAMR_FIELD_LM_PASSWORD_PRESENT, - .set_error = NT_STATUS_ACCESS_DENIED - },{ - .level = 23, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_LAST_PWD_CHANGE | - SAMR_FIELD_NT_PASSWORD_PRESENT | - SAMR_FIELD_LM_PASSWORD_PRESENT | - SAMR_FIELD_EXPIRED_FLAG, - .set_error = NT_STATUS_ACCESS_DENIED - },{ - .level = 23, - .password_expired_nonzero = 1, - 
.fields_present = SAMR_FIELD_NT_PASSWORD_PRESENT | - SAMR_FIELD_LM_PASSWORD_PRESENT | - SAMR_FIELD_EXPIRED_FLAG - },{ - .level = 23, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_NT_PASSWORD_PRESENT | - SAMR_FIELD_LM_PASSWORD_PRESENT, - },{ - .level = 23, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_COMMENT, - },{ - .level = 23, - .password_expired_nonzero = 1, - .fields_present = 0, - .set_error = NT_STATUS_INVALID_PARAMETER - },{ - - /* level 24 */ - - .level = 24, - .password_expired_nonzero = 1 - },{ - .level = 24, - .password_expired_nonzero = 24 - },{ - - /* level 25 */ - - .level = 25, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_LAST_PWD_CHANGE, - .set_error = NT_STATUS_ACCESS_DENIED - },{ - .level = 25, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_EXPIRED_FLAG, - },{ - .level = 25, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_NT_PASSWORD_PRESENT | - SAMR_FIELD_LM_PASSWORD_PRESENT | - SAMR_FIELD_EXPIRED_FLAG - },{ - .level = 25, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_NT_PASSWORD_PRESENT | - SAMR_FIELD_LM_PASSWORD_PRESENT, - },{ - .level = 25, - .password_expired_nonzero = 1, - .fields_present = SAMR_FIELD_COMMENT, - },{ - - /* level 26 */ - - .level = 26, - .password_expired_nonzero = 1 - },{ - .level = 26, - .password_expired_nonzero = 24 - } + uint32_t levels[] = { 18, 21, 23, 24, 25, 26 }; + uint32_t nonzeros[] = { 1, 24 }; + uint32_t fields_present[] = { + 0, + SAMR_FIELD_EXPIRED_FLAG, + SAMR_FIELD_LAST_PWD_CHANGE, + SAMR_FIELD_EXPIRED_FLAG | SAMR_FIELD_LAST_PWD_CHANGE, + SAMR_FIELD_COMMENT, + SAMR_FIELD_NT_PASSWORD_PRESENT, + SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LAST_PWD_CHANGE, + SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LM_PASSWORD_PRESENT, + SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LM_PASSWORD_PRESENT | SAMR_FIELD_LAST_PWD_CHANGE, + SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_EXPIRED_FLAG, + 
SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LM_PASSWORD_PRESENT | SAMR_FIELD_EXPIRED_FLAG, + SAMR_FIELD_NT_PASSWORD_PRESENT | SAMR_FIELD_LM_PASSWORD_PRESENT | SAMR_FIELD_LAST_PWD_CHANGE | SAMR_FIELD_EXPIRED_FLAG }; if (torture_setting_bool(tctx, "samba3", false)) { @@ -2762,7 +2709,9 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p, #define TEST_SET_LEVELS 1 #define TEST_QUERY_LEVELS 1 #endif - for (i=0; i<ARRAY_SIZE(pwd_tests); i++) { + for (l=0; l<ARRAY_SIZE(levels); l++) { + for (z=0; z<ARRAY_SIZE(nonzeros); z++) { + for (f=0; f<ARRAY_SIZE(fields_present); f++) { #ifdef TEST_SET_LEVELS for (s=0; s<ARRAY_SIZE(set_levels); s++) { #endif @@ -2771,11 +2720,12 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p, #endif NTTIME pwdlastset_old = 0; NTTIME pwdlastset_new = 0; + bool matched_expected_error = false; torture_comment(tctx, "------------------------------\n" "Testing pwdLastSet attribute for flags: 0x%08x " "(s: %d (l: %d), q: %d)\n", - acct_flags, s, pwd_tests[i].level, q); + acct_flags, s, levels[l], q); /* set #1 */ @@ -2783,10 +2733,10 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p, * setting the password expired flag to a non-0 value */ if (!test_SetPassword_level(p, tctx, handle, - pwd_tests[i].level, - pwd_tests[i].fields_present, - pwd_tests[i].password_expired_nonzero, - pwd_tests[i].set_error, + levels[l], + fields_present[f], + nonzeros[z], + &matched_expected_error, set_levels[s], password, query_levels[q], @@ -2794,7 +2744,7 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p, ret = false; } - if (!NT_STATUS_IS_OK(pwd_tests[i].set_error)) { + if (matched_expected_error == true) { /* skipping on expected failure */ continue; } 
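Review bot: `levels[]` and `nonzeros[]` are declared `uint32_t` in the -2609 hunk, but they are passed to parameters typed `uint16_t level` and `uint8_t password_expired`, and `levels[l]` is printed with `%d` in the `torture_comment` call of the -2771 hunk. Declaring them as `uint16_t levels[]` and `uint8_t nonzeros[]` removes the silent narrowing and makes the `%d` argument a promoted `int`. The new cross product also runs all twelve `fields_present[]` entries against levels 18, 24 and 26, for which the removed table supplied no field mask and the new `case 18:` arm reads none, so those iterations repeat the same request; a comment stating that this is intended, or skipping `f > 0` for those levels, would help. `i` looks unused after the loop rewrite unless it is referenced outside the visible hunks.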
@@ -2802,12 +2752,12 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p, /* pwdlastset must be 0 afterwards, except for a level 21, 23 and 25 * set without the SAMR_FIELD_EXPIRED_FLAG */ - switch (pwd_tests[i].level) { + switch (levels[l]) { case 21: case 23: case 25: if ((pwdlastset_new != 0) && - !(pwd_tests[i].fields_present & SAMR_FIELD_EXPIRED_FLAG)) { + !(fields_present[f] & SAMR_FIELD_EXPIRED_FLAG)) { torture_comment(tctx, "not considering a non-0 " "pwdLastSet as a an error as the " "SAMR_FIELD_EXPIRED_FLAG has not " @@ -2824,6 +2774,27 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p, break; } + switch (levels[l]) { + case 21: + case 23: + case 25: + if (((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) || + (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)) && + (pwdlastset_old > 0) && (pwdlastset_new > 0) && + (pwdlastset_old >= pwdlastset_new)) { + torture_warning(tctx, "pwdlastset not increasing\n"); + ret = false; + } + break; + default: + if ((pwdlastset_old > 0) && (pwdlastset_new > 0) && + (pwdlastset_old >= pwdlastset_new)) { + torture_warning(tctx, "pwdlastset not increasing\n"); + ret = false; + } + break; + } + usleep(delay); /* set #2 */ @@ -2831,22 +2802,22 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p, /* set a password, pwdlastset needs to get updated (increased * value), password_expired value used here is 0 */ - if (!test_SetPassword_level(p, tctx, handle, pwd_tests[i].level, - pwd_tests[i].fields_present, + if (!test_SetPassword_level(p, tctx, handle, + levels[l], + fields_present[f], 0, - pwd_tests[i].set_error, + &matched_expected_error, set_levels[s], password, query_levels[q], &pwdlastset_new)) { - ret = false; } /* when a password has been changed, pwdlastset must not be 0 afterwards * and must be larger then the old value */ - switch (pwd_tests[i].level) { + switch (levels[l]) { case 21: case 23: case 25: 
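Review bot: The "pwdlastset not increasing" check added after set #1 (hunk +2774) looks unreachable as written: `pwdlastset_old` is initialised to 0 at the top of the iteration and nothing in the visible lines assigns it before this switch, so `(pwdlastset_old > 0)` is always false. Unless an assignment sits in the few lines between this hunk and the previous one, the comparison needs a real baseline, for example `pwdlastset_old = pwdlastset_new;` placed just before `usleep(delay);` so that the comparison after set #2 works on the value from set #1. The same switch is repeated verbatim in the final, truncated hunk; a small helper taking `levels[l]`, `fields_present[f]` and the two timestamps would keep the copies from drifting. The failure is reported with `torture_warning` while `ret = false` fails the test, which deserves either a comment or a switch to one of the assert macros used elsewhere in this function.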
@@ -2855,9 +2826,9 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p, * password has been changed, old and new pwdlastset * need to be the same value */ - if (!(pwd_tests[i].fields_present & SAMR_FIELD_EXPIRED_FLAG) && - !((pwd_tests[i].fields_present & SAMR_FIELD_NT_PASSWORD_PRESENT) || - (pwd_tests[i].fields_present & SAMR_FIELD_LM_PASSWORD_PRESENT))) + if (!(fields_present[f] & SAMR_FIELD_EXPIRED_FLAG) && + !((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) || + (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT))) { torture_assert_int_equal(tctx, pwdlastset_old, pwdlastset_new, "pwdlastset must be equal"); @@ -2878,19 +2849,91 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p, } } + switch (levels[l]) { + case 21: + case 23: + case 25: + if (((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) || + (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)) && + (pwdlastset_old > 0) && (pwdlastset_new > 0) && + (pwdlastset_old >= pwdlastset_new)) { + torture_warning(tctx, "pwdlastset not increasing\n"); + ret = false; + } + break; + default: + if ((pwdlastset_old > 0) && (pwdlastset_new > 0) && + (pwdlastset_old >= pwdlastset_new)) { + torture_warning(tctx, "pwdlastset not increasing\n"); + ret = false; + } + break; -- Samba Shared Repository