|
 |
1524bc |
From f0d05dc2dce30f851f9e1eb6a1952730dfe907f6 Mon Sep 17 00:00:00 2001
|
|
|
1524bc |
From: Andrew Bartlett <abartlet@samba.org>
|
|
|
1524bc |
Date: Thu, 25 Jul 2019 17:18:50 +1200
|
|
|
1524bc |
Subject: [PATCH 051/187] s4:torture: clarify comments and variable names in
|
|
|
1524bc |
"ChangePasswordUser3 tests
|
|
|
1524bc |
|
|
|
1524bc |
There is no session key here, the buffers are directly encrypted
|
|
|
1524bc |
with the long-term passwords.
|
|
|
1524bc |
|
|
|
1524bc |
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
1524bc |
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
|
1524bc |
(cherry picked from commit 8380668be7963b74cbbd31bfab3d01d1f3089034)
|
|
|
1524bc |
---
|
|
|
1524bc |
source4/torture/rpc/samr.c | 43 +++++++++++++++++++++++++++++---------
|
|
|
1524bc |
1 file changed, 33 insertions(+), 10 deletions(-)
|
|
|
1524bc |
|
|
|
1524bc |
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
|
|
|
1524bc |
index 55059a26b43..20afa9392e2 100644
|
|
|
1524bc |
--- a/source4/torture/rpc/samr.c
|
|
|
1524bc |
+++ b/source4/torture/rpc/samr.c
|
|
|
1524bc |
@@ -2472,7 +2472,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
|
|
|
1524bc |
NTTIME t;
|
|
|
1524bc |
struct samr_DomInfo1 *dominfo = NULL;
|
|
|
1524bc |
struct userPwdChangeFailureInformation *reject = NULL;
|
|
|
1524bc |
- DATA_BLOB session_key = data_blob_const(old_nt_hash, 16);
|
|
|
1524bc |
+ DATA_BLOB old_nt_hash_blob = data_blob_const(old_nt_hash, 16);
|
|
|
1524bc |
NTSTATUS status;
|
|
|
1524bc |
|
|
|
1524bc |
torture_comment(tctx, "Testing ChangePasswordUser3\n");
|
|
|
1524bc |
@@ -2502,22 +2502,45 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
|
|
|
1524bc |
E_deshash(oldpass, old_lm_hash);
|
|
|
1524bc |
E_deshash(newpass, new_lm_hash);
|
|
|
1524bc |
|
|
|
1524bc |
+ /*
|
|
|
1524bc |
+ * The new plaintext password is encrypted using RC4 with the
|
|
|
1524bc |
+ * old NT password hash (directly, with no confounder). The
|
|
|
1524bc |
+ * password is at the end of the random padded buffer,
|
|
|
1524bc |
+ * offering a little protection.
|
|
|
1524bc |
+ *
|
|
|
1524bc |
+ * This is almost certainly wrong, it should be the old LM
|
|
|
1524bc |
+ * hash, it was switched in an unrelated commit
|
|
|
1524bc |
+ * 579c13da43d5b40ac6d6c1436399fbc1d8dfd054 in 2004.
|
|
|
1524bc |
+ */
|
|
|
1524bc |
status = init_samr_CryptPassword(newpass,
|
|
|
1524bc |
- &session_key,
|
|
|
1524bc |
+ &old_nt_hash_blob,
|
|
|
1524bc |
&lm_pass);
|
|
|
1524bc |
torture_assert_ntstatus_ok(tctx,
|
|
|
1524bc |
status,
|
|
|
1524bc |
"init_samr_CryptPassword");
|
|
|
1524bc |
|
|
|
1524bc |
+ /*
|
|
|
1524bc |
+ * Now we prepare a DES cross-hash of the old LM and new NT
|
|
|
1524bc |
+ * passwords to link the two buffers
|
|
|
1524bc |
+ */
|
|
|
1524bc |
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
|
|
|
1524bc |
|
|
|
1524bc |
+ /*
|
|
|
1524bc |
+ * The new plaintext password is also encrypted using RC4 with
|
|
|
1524bc |
+ * the old NT password hash (directly, with no confounder).
|
|
|
1524bc |
+ * The password is at the end of the random padded buffer,
|
|
|
1524bc |
+ * offering a little protection.
|
|
|
1524bc |
+ */
|
|
|
1524bc |
status = init_samr_CryptPassword(newpass,
|
|
|
1524bc |
- &session_key,
|
|
|
1524bc |
+ &old_nt_hash_blob,
|
|
|
1524bc |
&nt_pass);
|
|
|
1524bc |
torture_assert_ntstatus_ok(tctx,
|
|
|
1524bc |
status,
|
|
|
1524bc |
"init_samr_CryptPassword");
|
|
|
1524bc |
|
|
|
1524bc |
+ /*
|
|
|
1524bc |
+ * Another DES based cross-hash
|
|
|
1524bc |
+ */
|
|
|
1524bc |
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
|
|
|
1524bc |
|
|
|
1524bc |
/* Break the verification */
|
|
|
1524bc |
@@ -2547,7 +2570,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
|
|
|
1524bc |
}
|
|
|
1524bc |
|
|
|
1524bc |
status = init_samr_CryptPassword(newpass,
|
|
|
1524bc |
- &session_key,
|
|
|
1524bc |
+ &old_nt_hash_blob,
|
|
|
1524bc |
&lm_pass);
|
|
|
1524bc |
torture_assert_ntstatus_ok(tctx,
|
|
|
1524bc |
status,
|
|
|
1524bc |
@@ -2555,18 +2578,18 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
|
|
|
1524bc |
|
|
|
1524bc |
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
|
|
|
1524bc |
|
|
|
1524bc |
- /* Break the session key */
|
|
|
1524bc |
- session_key.data[0]++;
|
|
|
1524bc |
+ /* Break the NT Hash */
|
|
|
1524bc |
+ old_nt_hash[0]++;
|
|
|
1524bc |
|
|
|
1524bc |
status = init_samr_CryptPassword(newpass,
|
|
|
1524bc |
- &session_key,
|
|
|
1524bc |
+ &old_nt_hash_blob,
|
|
|
1524bc |
&nt_pass);
|
|
|
1524bc |
torture_assert_ntstatus_ok(tctx,
|
|
|
1524bc |
status,
|
|
|
1524bc |
"init_samr_CryptPassword");
|
|
|
1524bc |
|
|
|
1524bc |
/* Unbreak it again */
|
|
|
1524bc |
- session_key.data[0]--;
|
|
|
1524bc |
+ old_nt_hash[0]--;
|
|
|
1524bc |
|
|
|
1524bc |
E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
|
|
|
1524bc |
|
|
|
1524bc |
@@ -2615,7 +2638,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
|
|
|
1524bc |
E_deshash(newpass, new_lm_hash);
|
|
|
1524bc |
|
|
|
1524bc |
status = init_samr_CryptPassword(newpass,
|
|
|
1524bc |
- &session_key,
|
|
|
1524bc |
+ &old_nt_hash_blob,
|
|
|
1524bc |
&lm_pass);
|
|
|
1524bc |
torture_assert_ntstatus_ok(tctx,
|
|
|
1524bc |
status,
|
|
|
1524bc |
@@ -2624,7 +2647,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
|
|
|
1524bc |
E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
|
|
|
1524bc |
|
|
|
1524bc |
status = init_samr_CryptPassword(newpass,
|
|
|
1524bc |
- &session_key,
|
|
|
1524bc |
+ &old_nt_hash_blob,
|
|
|
1524bc |
&nt_pass);
|
|
|
1524bc |
torture_assert_ntstatus_ok(tctx,
|
|
|
1524bc |
status,
|
|
|
1524bc |
--
|
|
|
1524bc |
2.23.0
|
|
|
1524bc |
|