#include "lib/util/util_net.h"
#include "libcli/resolve/resolve.h"
#include "source3/rpc_client/init_lsa.h"
+#include "librpc/gen_ndr/ndr_lsa.h"
+#include "librpc/rpc/dcerpc_lsa.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
};
struct lsa_revision_info1 in_rinfo1 = {
.revision = 1,
- .supported_features = 0,
+ .supported_features = LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER,
};
union lsa_revision_info in_rinfo = {
.info1 = in_rinfo1,
out_rinfo1.revision,
1,
"Invalid revision");
-#if 0 /* TODO: Enable as soon as it is supported */
torture_assert_int_equal(tctx,
out_rinfo1.supported_features,
LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER,
"Invalid supported feature set");
-#endif
return true;
}
return true;
}
+enum ex_call {
+ CREATE_TRUSTED_DOMAIN_EX1 = 1,
+ CREATE_TRUSTED_DOMAIN_EX2 = 2,
+ CREATE_TRUSTED_DOMAIN_EX3 = 3,
+};
+
static bool test_CreateTrustedDomainEx_common(struct dcerpc_pipe *p,
struct torture_context *tctx,
struct policy_handle *handle,
uint32_t num_trusts,
- bool ex2_call)
+ enum ex_call ex_call)
{
NTSTATUS status;
bool ret = true;
union lsa_PolicyInformation *our_info = NULL;
struct lsa_CreateTrustedDomainEx r;
struct lsa_CreateTrustedDomainEx2 r2;
+ struct lsa_CreateTrustedDomainEx3 r3 = {
+ .in = {
+ .access_mask = 0,
+ }
+ };
struct lsa_TrustDomainInfoInfoEx trustinfo;
struct lsa_TrustDomainInfoAuthInfoInternal *authinfo_internal = NULL;
+ struct lsa_TrustDomainInfoAuthInfoInternalAES
+ *authinfo_internal_aes = NULL;
struct lsa_TrustDomainInfoAuthInfo *authinfo = NULL;
struct dom_sid **domsid;
struct policy_handle *trustdom_handle;
DATA_BLOB session_key;
int i;
struct dcerpc_binding_handle *b = p->binding_handle;
- const char *id;
+ const char *id = "0";
const char *incoming_v00 = TRUSTPW "InV00";
const char *incoming_v0 = TRUSTPW "InV0";
const char *incoming_v1 = TRUSTPW "InV1";
const char *outgoing_v00 = TRUSTPW "OutV00";
const char *outgoing_v0 = TRUSTPW "OutV0";
- if (ex2_call) {
- torture_comment(tctx, "\nTesting CreateTrustedDomainEx2 for %d domains\n", num_trusts);
+ switch (ex_call) {
+ case CREATE_TRUSTED_DOMAIN_EX3:
+ torture_comment(
+ tctx,
+ "\nTesting CreateTrustedDomainEx3 for %d domains\n",
+ num_trusts
+ );
+ id = "4";
+ break;
+ case CREATE_TRUSTED_DOMAIN_EX2:
+ torture_comment(
+ tctx,
+ "\nTesting CreateTrustedDomainEx2 for %d domains\n",
+ num_trusts
+ );
id = "3";
- } else {
- torture_comment(tctx, "\nTesting CreateTrustedDomainEx for %d domains\n", num_trusts);
+ break;
+ case CREATE_TRUSTED_DOMAIN_EX1:
+ torture_comment(
+ tctx,
+ "\nTesting CreateTrustedDomainEx for %d domains\n",
+ num_trusts
+ );
id = "2";
+ break;
}
domsid = talloc_array(tctx, struct dom_sid *, num_trusts);
trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION;
- ok = rpc_lsa_encrypt_trustdom_info(tctx,
- incoming_v00,
- incoming_v0,
- outgoing_v00,
- outgoing_v0,
- session_key,
- &authinfo_internal);
- if (!ok) {
- torture_comment(tctx,
- "rpc_lsa_encrypt_trustdom_info failed");
- ret = false;
- }
+ switch(ex_call) {
+ case CREATE_TRUSTED_DOMAIN_EX3:
+ ok = rpc_lsa_encrypt_trustdom_info_aes(
+ tctx,
+ incoming_v00,
+ incoming_v0,
+ outgoing_v00,
+ outgoing_v0,
+ session_key,
+ &authinfo_internal_aes);
+ if (!ok) {
+ torture_comment(tctx,
+ "gen_authinfo_internal failed");
+ ret = false;
+ }
- ok = gen_authinfo(tctx, incoming_v00, incoming_v0,
- outgoing_v00, outgoing_v0,
- &authinfo);
- if (!ok) {
- torture_comment(tctx, "gen_authinfonfo failed");
- ret = false;
- }
+ r3.in.policy_handle = handle;
+ r3.in.info = &trustinfo;
+ r3.in.auth_info_internal = authinfo_internal_aes;
+ r3.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ r3.out.trustdom_handle = &trustdom_handle[i];
- if (ex2_call) {
+ torture_assert_ntstatus_ok(
+ tctx,
+ dcerpc_lsa_CreateTrustedDomainEx3_r(b,
+ tctx,
+ &r3),
+ "CreateTrustedDomainEx3 failed");
+
+ status = r3.out.result;
+ break;
+ case CREATE_TRUSTED_DOMAIN_EX2:
+ ok = rpc_lsa_encrypt_trustdom_info(tctx,
+ incoming_v00,
+ incoming_v0,
+ outgoing_v00,
+ outgoing_v0,
+ session_key,
+ &authinfo_internal);
+ if (!ok) {
+ torture_comment(
+ tctx,
+ "rpc_lsa_encrypt_trustdom_info failed");
+ ret = false;
+ }
r2.in.policy_handle = handle;
r2.in.info = &trustinfo;
"CreateTrustedDomainEx2 failed");
status = r2.out.result;
- } else {
+ break;
+ case CREATE_TRUSTED_DOMAIN_EX1:
+ ok = gen_authinfo(tctx,
+ incoming_v00,
+ incoming_v0,
+ outgoing_v00,
+ outgoing_v0,
+ &authinfo);
+ if (!ok) {
+ torture_comment(tctx, "gen_authinfonfo failed");
+ ret = false;
+ }
r.in.policy_handle = handle;
r.in.info = &trustinfo;
"CreateTrustedDomainEx failed");
status = r.out.result;
+ break;
}
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
test_DeleteTrustedDomain(b, tctx, handle, trustinfo.netbios_name);
- if (ex2_call) {
- torture_assert_ntstatus_ok(tctx,
- dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r2),
+
+ switch (ex_call) {
+ case CREATE_TRUSTED_DOMAIN_EX3:
+ torture_assert_ntstatus_ok(
+ tctx,
+ dcerpc_lsa_CreateTrustedDomainEx3_r(
+ b, tctx, &r3),
+ "CreateTrustedDomainEx3 failed");
+ status = r3.out.result;
+ break;
+ case CREATE_TRUSTED_DOMAIN_EX2:
+ torture_assert_ntstatus_ok(
+ tctx,
+ dcerpc_lsa_CreateTrustedDomainEx2_r(
+ b, tctx, &r2),
"CreateTrustedDomainEx2 failed");
status = r2.out.result;
- } else {
- torture_assert_ntstatus_ok(tctx,
- dcerpc_lsa_CreateTrustedDomainEx_r(b, tctx, &r),
- "CreateTrustedDomainEx2 failed");
+ break;
+ case CREATE_TRUSTED_DOMAIN_EX1:
+ torture_assert_ntstatus_ok(
+ tctx,
+ dcerpc_lsa_CreateTrustedDomainEx_r(b,
+ tctx,
+ &r),
+ "CreateTrustedDomainEx failed");
status = r.out.result;
+ break;
}
}
if (!NT_STATUS_IS_OK(status)) {
- torture_comment(tctx, "CreateTrustedDomainEx failed2 - %s\n", nt_errstr(status));
+ torture_comment(tctx,
+ "CreateTrustedDomainEx(2|3) failed "
+ "with status: %s\n",
+ nt_errstr(status));
ret = false;
- } else {
- /* For outbound and MIT trusts there is no trust account */
+ } else { /* For outbound and MIT trusts there is no trust account */
if (trustinfo.trust_direction != 2 &&
trustinfo.trust_type != 3) {
if (torture_setting_bool(tctx, "samba3", false)) {
torture_comment(tctx, "skipping trusted domain auth tests against samba3\n");
- } else if (ex2_call == false &&
+ } else if (ex_call == CREATE_TRUSTED_DOMAIN_EX1 &&
torture_setting_bool(tctx, "samba4", false)) {
torture_comment(tctx, "skipping CreateTrustedDomainEx trusted domain auth tests against samba4\n");
return ret;
}
+static bool test_CreateTrustedDomainEx3(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle,
+ uint32_t num_trusts)
+{
+ return test_CreateTrustedDomainEx_common(
+ p,
+ tctx,
+ handle,
+ num_trusts,
+ CREATE_TRUSTED_DOMAIN_EX3
+ );
+}
+
static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
struct torture_context *tctx,
struct policy_handle *handle,
uint32_t num_trusts)
{
- return test_CreateTrustedDomainEx_common(p, tctx, handle, num_trusts, true);
+ return test_CreateTrustedDomainEx_common(
+ p,
+ tctx,
+ handle,
+ num_trusts,
+ CREATE_TRUSTED_DOMAIN_EX2
+ );
}
static bool test_CreateTrustedDomainEx(struct dcerpc_pipe *p,
struct policy_handle *handle,
uint32_t num_trusts)
{
- return test_CreateTrustedDomainEx_common(p, tctx, handle, num_trusts, false);
+ return test_CreateTrustedDomainEx_common(
+ p,
+ tctx,
+ handle,
+ num_trusts,
+ CREATE_TRUSTED_DOMAIN_EX1
+ );
}
static bool test_QueryDomainInfoPolicy(struct dcerpc_binding_handle *b,
ret = false;
}
+ if (!test_lsa_OpenPolicy3(b, tctx, &handle)) {
+ ret = false;
+ }
+
if (!handle) {
ret = false;
}
ret = false;
}
+ if (!test_CreateTrustedDomainEx3(p, tctx, handle, state->num_trusts)) {
+ ret = false;
+ }
+
if (!test_lsa_Close(b, tctx, handle)) {
ret = false;
}