source4/torture/rpc/schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "librpc/gen_ndr/ndr_netlogon_c.h"
  24 #include "librpc/gen_ndr/ndr_lsa_c.h"
  25 #include "librpc/gen_ndr/ndr_samr_c.h"
  26 #include "auth/credentials/credentials.h"
  27 #include "torture/rpc/rpc.h"
  28 #include "lib/cmdline/popt_common.h"
  29 #include "auth/gensec/schannel_proto.h"
  30 #include "libcli/auth/libcli_auth.h"
  31 #include "libcli/security/security.h"
  32 #include "system/filesys.h"
  33 #include "param/param.h"
  34
  35 #define TEST_MACHINE_NAME "schannel"
  36
  37 /*
  38   try a netlogon SamLogon
  39 */
  40 bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
  41                           struct cli_credentials *credentials,
  42                           struct creds_CredentialState *creds)
  43 {
  44         NTSTATUS status;
  45         struct netr_LogonSamLogonEx r;
  46         struct netr_NetworkInfo ninfo;
  47         DATA_BLOB names_blob, chal, lm_resp, nt_resp;
  48         int i;
  49         int flags = CLI_CRED_NTLM_AUTH;
  50         if (lp_client_lanman_auth()) {
  51                 flags |= CLI_CRED_LANMAN_AUTH;
  52         }
  53
  54         if (lp_client_ntlmv2_auth()) {
  55                 flags |= CLI_CRED_NTLMv2_AUTH;
  56         }
  57
  58         cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
  59                                                  &ninfo.identity_info.account_name.string,
  60                                                  &ninfo.identity_info.domain_name.string);
  61
  62         generate_random_buffer(ninfo.challenge,
  63                                sizeof(ninfo.challenge));
  64         chal = data_blob_const(ninfo.challenge,
  65                                sizeof(ninfo.challenge));
  66
  67         names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
  68                                                 cli_credentials_get_domain(credentials));
  69
  70         status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
  71                                                    &flags,
  72                                                    chal,
  73                                                    names_blob,
  74                                                    &lm_resp, &nt_resp,
  75                                                    NULL, NULL);
  76         torture_assert_ntstatus_ok(tctx, status,
  77                                    "cli_credentials_get_ntlm_response failed");
  78
  79         ninfo.lm.data = lm_resp.data;
  80         ninfo.lm.length = lm_resp.length;
  81
  82         ninfo.nt.data = nt_resp.data;
  83         ninfo.nt.length = nt_resp.length;
  84
  85         ninfo.identity_info.parameter_control = 0;
  86         ninfo.identity_info.logon_id_low = 0;
  87         ninfo.identity_info.logon_id_high = 0;
  88         ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
  89
  90         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
  91         r.in.computer_name = cli_credentials_get_workstation(credentials);
  92         r.in.logon_level = 2;
  93         r.in.logon.network = &ninfo;
  94         r.in.flags = 0;
  95
  96         torture_comment(tctx,
  97                         "Testing LogonSamLogonEx with name %s\n",
  98                         ninfo.identity_info.account_name.string);
  99
 100         for (i=2;i<3;i++) {
 101                 r.in.validation_level = i;
 102
 103                 status = dcerpc_netr_LogonSamLogonEx(p, tctx, &r);
 104                 torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
 105         }
 106
 107         return true;
 108 }
 109
 110 /*
 111   do some samr ops using the schannel connection
 112  */
 113 static bool test_samr_ops(struct torture_context *tctx,
 114                           struct dcerpc_pipe *p)
 115 {
 116         NTSTATUS status;
 117         struct samr_GetDomPwInfo r;
 118         struct samr_Connect connect;
 119         struct samr_OpenDomain opendom;
 120         int i;
 121         struct lsa_String name;
 122         struct policy_handle handle;
 123         struct policy_handle domain_handle;
 124
 125         name.string = lp_workgroup();
 126         r.in.domain_name = &name;
 127
 128         connect.in.system_name = 0;
 129         connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 130         connect.out.connect_handle = &handle;
 131
 132         printf("Testing Connect and OpenDomain on BUILTIN\n");
 133
 134         status = dcerpc_samr_Connect(p, tctx, &connect);
 135         if (!NT_STATUS_IS_OK(status)) {
 136                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 137                         printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
 138                                nt_errstr(status));
 139                 } else {
 140                         printf("Connect failed - %s\n", nt_errstr(status));
 141                         return false;
 142                 }
 143         } else {
 144                 opendom.in.connect_handle = &handle;
 145                 opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 146                 opendom.in.sid = dom_sid_parse_talloc(tctx, "S-1-5-32");
 147                 opendom.out.domain_handle = &domain_handle;
 148
 149                 status = dcerpc_samr_OpenDomain(p, tctx, &opendom);
 150                 if (!NT_STATUS_IS_OK(status)) {
 151                         printf("OpenDomain failed - %s\n", nt_errstr(status));
 152                         return false;
 153                 }
 154         }
 155
 156         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
 157
 158         /* do several ops to test credential chaining */
 159         for (i=0;i<5;i++) {
 160                 status = dcerpc_samr_GetDomPwInfo(p, tctx, &r);
 161                 if (!NT_STATUS_IS_OK(status)) {
 162                         if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 163                                 printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
 164                                 return False;
 165                         }
 166                 }
 167         }
 168
 169         return True;
 170 }
 171
 172
 173 /*
 174   do some lsa ops using the schannel connection
 175  */
 176 static bool test_lsa_ops(struct torture_context *tctx, struct dcerpc_pipe *p)
 177 {
 178         struct lsa_GetUserName r;
 179         NTSTATUS status;
 180         BOOL ret = True;
 181         struct lsa_StringPointer authority_name_p;
 182
 183         printf("\nTesting GetUserName\n");
 184
 185         r.in.system_name = "\\";
 186         r.in.account_name = NULL;
 187         r.in.authority_name = &authority_name_p;
 188         authority_name_p.string = NULL;
 189
 190         /* do several ops to test credential chaining and various operations */
 191         status = dcerpc_lsa_GetUserName(p, tctx, &r);
 192
 193         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
 194                 printf("not considering %s to be an error\n", nt_errstr(status));
 195         } else if (!NT_STATUS_IS_OK(status)) {
 196                 printf("GetUserName failed - %s\n", nt_errstr(status));
 197                 return False;
 198         } else {
 199                 if (!r.out.account_name) {
 200                         return False;
 201                 }
 202
 203                 if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
 204                         printf("GetUserName returned wrong user: %s, expected %s\n",
 205                                r.out.account_name->string, "ANONYMOUS LOGON");
 206                         return False;
 207                 }
 208                 if (!r.out.authority_name || !r.out.authority_name->string) {
 209                         return False;
 210                 }
 211
 212                 if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
 213                         printf("GetUserName returned wrong user: %s, expected %s\n",
 214                                r.out.authority_name->string->string, "NT AUTHORITY");
 215                         return False;
 216                 }
 217         }
 218         if (!test_many_LookupSids(p, tctx, NULL)) {
 219                 printf("LsaLookupSids3 failed!\n");
 220                 return False;
 221         }
 222
 223         return ret;
 224 }
 225
 226
 227 /*
 228   test a schannel connection with the given flags
 229  */
 230 static bool test_schannel(struct torture_context *tctx,
 231                           uint16_t acct_flags, uint32_t dcerpc_flags,
 232                           int i)
 233 {
 234         struct test_join *join_ctx;
 235         NTSTATUS status;
 236         const char *binding = lp_parm_string(-1, "torture", "binding");
 237         struct dcerpc_binding *b;
 238         struct dcerpc_pipe *p = NULL;
 239         struct dcerpc_pipe *p_netlogon = NULL;
 240         struct dcerpc_pipe *p_netlogon2 = NULL;
 241         struct dcerpc_pipe *p_netlogon3 = NULL;
 242         struct dcerpc_pipe *p_samr2 = NULL;
 243         struct dcerpc_pipe *p_lsa = NULL;
 244         struct creds_CredentialState *creds;
 245         struct cli_credentials *credentials;
 246
 247         join_ctx = torture_join_domain(talloc_asprintf(tctx, "%s%d", TEST_MACHINE_NAME, i),
 248                                        acct_flags, &credentials);
 249         torture_assert(tctx, join_ctx != NULL, "Failed to join domain");
 250
 251         status = dcerpc_parse_binding(tctx, binding, &b);
 252         torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
 253
 254         b->flags &= ~DCERPC_AUTH_OPTIONS;
 255         b->flags |= dcerpc_flags;
 256
 257         status = dcerpc_pipe_connect_b(tctx, &p, b, &ndr_table_samr,
 258                                        credentials, NULL);
 259         torture_assert_ntstatus_ok(tctx, status,
 260                 "Failed to connect with schannel");
 261
 262         torture_assert(tctx, test_samr_ops(tctx, p),
 263                        "Failed to process schannel secured SAMR ops");
 264
 265         /* Also test that when we connect to the netlogon pipe, that
 266          * the credentials we setup on the first pipe are valid for
 267          * the second */
 268
 269         /* Swap the binding details from SAMR to NETLOGON */
 270         status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, NULL);
 271         torture_assert_ntstatus_ok(tctx, status, "epm map");
 272
 273         status = dcerpc_secondary_connection(p, &p_netlogon,
 274                                              b);
 275         torture_assert_ntstatus_ok(tctx, status, "seconday connection");
 276
 277         status = dcerpc_bind_auth(p_netlogon, &ndr_table_netlogon,
 278                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 279                                   dcerpc_auth_level(p->conn),
 280                                   NULL);
 281
 282         torture_assert_ntstatus_ok(tctx, status, "bind auth");
 283
 284         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
 285         torture_assert_ntstatus_ok(tctx, status, "schannel creds");
 286
 287         /* do a couple of logins */
 288         torture_assert(tctx, test_netlogon_ops(p_netlogon, tctx, credentials, creds),
 289                 "Failed to process schannel secured NETLOGON ops");
 290
 291         torture_assert(tctx, test_netlogon_ex_ops(p_netlogon, tctx, credentials, creds),
 292                 "Failed to process schannel secured NETLOGON EX ops");
 293
 294         /* Swap the binding details from SAMR to LSARPC */
 295         status = dcerpc_epm_map_binding(tctx, b, &ndr_table_lsarpc, NULL);
 296         torture_assert_ntstatus_ok(tctx, status, "epm map");
 297
 298         status = dcerpc_secondary_connection(p, &p_lsa,
 299                                              b);
 300
 301         torture_assert_ntstatus_ok(tctx, status, "seconday connection");
 302
 303         status = dcerpc_bind_auth(p_lsa, &ndr_table_lsarpc,
 304                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 305                                   dcerpc_auth_level(p->conn),
 306                                   NULL);
 307
 308         torture_assert_ntstatus_ok(tctx, status, "bind auth");
 309
 310         torture_assert(tctx, test_lsa_ops(tctx, p_lsa),
 311                 "Failed to process schannel secured LSA ops");
 312
 313         /* Drop the socket, we want to start from scratch */
 314         talloc_free(p);
 315         p = NULL;
 316
 317         /* Now see what we are still allowed to do */
 318
 319         status = dcerpc_parse_binding(tctx, binding, &b);
 320         torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
 321
 322         b->flags &= ~DCERPC_AUTH_OPTIONS;
 323         b->flags |= dcerpc_flags;
 324
 325         status = dcerpc_pipe_connect_b(tctx, &p_samr2, b, &ndr_table_samr,
 326                                        credentials, NULL);
 327         torture_assert_ntstatus_ok(tctx, status,
 328                 "Failed to connect with schannel");
 329
 330         /* do a some SAMR operations.  We have *not* done a new serverauthenticate */
 331         torture_assert (tctx, test_samr_ops(tctx, p_samr2),
 332                         "Failed to process schannel secured SAMR ops (on fresh connection)");
 333
 334         /* Swap the binding details from SAMR to NETLOGON */
 335         status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, NULL);
 336         torture_assert_ntstatus_ok(tctx, status, "epm");
 337
 338         status = dcerpc_secondary_connection(p_samr2, &p_netlogon2,
 339                                              b);
 340         torture_assert_ntstatus_ok(tctx, status, "seconday connection");
 341
 342         /* and now setup an SCHANNEL bind on netlogon */
 343         status = dcerpc_bind_auth(p_netlogon2, &ndr_table_netlogon,
 344                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 345                                   dcerpc_auth_level(p_samr2->conn),
 346                                   NULL);
 347
 348         torture_assert_ntstatus_ok(tctx, status, "auth failed");
 349
 350         /* Try the schannel-only SamLogonEx operation */
 351         torture_assert(tctx, test_netlogon_ex_ops(p_netlogon2, tctx, credentials, creds),
 352                        "Failed to process schannel secured NETLOGON EX ops (on fresh connection)");
 353
 354
 355         /* And the more traditional style, proving that the
 356          * credentials chaining state is fully present */
 357         torture_assert(tctx, test_netlogon_ops(p_netlogon2, tctx, credentials, creds),
 358                              "Failed to process schannel secured NETLOGON ops (on fresh connection)");
 359
 360         /* Drop the socket, we want to start from scratch (again) */
 361         talloc_free(p_samr2);
 362
 363         /* We don't want schannel for this test */
 364         b->flags &= ~DCERPC_AUTH_OPTIONS;
 365
 366         status = dcerpc_pipe_connect_b(tctx, &p_netlogon3, b, &ndr_table_netlogon,
 367                                        credentials, NULL);
 368         torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel");
 369
 370         torture_assert(tctx, !test_netlogon_ex_ops(p_netlogon3, tctx, credentials, creds),
 371                         "Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)");
 372
 373         /* Required because the previous call will mark the current context as having failed */
 374         tctx->last_result = TORTURE_OK;
 375         tctx->last_reason = NULL;
 376
 377         torture_assert(tctx, test_netlogon_ops(p_netlogon3, tctx, credentials, creds),
 378                         "Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth");
 379
 380         torture_leave_domain(join_ctx);
 381         return true;
 382 }
 383
 384
 385
 386 /*
 387   a schannel test suite
 388  */
 389 bool torture_rpc_schannel(struct torture_context *torture)
 390 {
 391         BOOL ret = True;
 392         struct {
 393                 uint16_t acct_flags;
 394                 uint32_t dcerpc_flags;
 395         } tests[] = {
 396                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN},
 397                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL},
 398                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
 399                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
 400                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN },
 401                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL },
 402                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
 403                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
 404         };
 405         int i;
 406
 407         for (i=0;i<ARRAY_SIZE(tests);i++) {
 408                 if (!test_schannel(torture,
 409                                    tests[i].acct_flags, tests[i].dcerpc_flags,
 410                                    i)) {
 411                         torture_comment(torture, "Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
 412                                tests[i].acct_flags, tests[i].dcerpc_flags);
 413                         ret = false;
 414                 }
 415         }
 416
 417         return ret;
 418 }
 419
 420 /*
 421   test two schannel connections
 422  */
 423 bool torture_rpc_schannel2(struct torture_context *torture)
 424 {
 425         struct test_join *join_ctx;
 426         NTSTATUS status;
 427         const char *binding = torture_setting_string(torture, "binding", NULL);
 428         struct dcerpc_binding *b;
 429         struct dcerpc_pipe *p1 = NULL, *p2 = NULL;
 430         struct cli_credentials *credentials1, *credentials2;
 431         uint32_t dcerpc_flags = DCERPC_SCHANNEL | DCERPC_SIGN;
 432
 433         join_ctx = torture_join_domain(talloc_asprintf(torture, "%s2", TEST_MACHINE_NAME),
 434                                        ACB_WSTRUST, &credentials1);
 435         torture_assert(torture, join_ctx != NULL,
 436                        "Failed to join domain with acct_flags=ACB_WSTRUST");
 437
 438         credentials2 = talloc_memdup(torture, credentials1, sizeof(*credentials1));
 439         credentials1->netlogon_creds = NULL;
 440         credentials2->netlogon_creds = NULL;
 441
 442         status = dcerpc_parse_binding(torture, binding, &b);
 443         torture_assert_ntstatus_ok(torture, status, "Bad binding string");
 444
 445         b->flags &= ~DCERPC_AUTH_OPTIONS;
 446         b->flags |= dcerpc_flags;
 447
 448         printf("Opening first connection\n");
 449         status = dcerpc_pipe_connect_b(torture, &p1, b, &ndr_table_netlogon,
 450                                        credentials1, NULL);
 451         torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
 452
 453         torture_comment(torture, "Opening second connection\n");
 454         status = dcerpc_pipe_connect_b(torture, &p2, b, &ndr_table_netlogon,
 455                                        credentials2, NULL);
 456         torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
 457
 458         credentials1->netlogon_creds = NULL;
 459         credentials2->netlogon_creds = NULL;
 460
 461         torture_comment(torture, "Testing logon on pipe1\n");
 462         if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
 463                 return false;
 464
 465         torture_comment(torture, "Testing logon on pipe2\n");
 466         if (!test_netlogon_ex_ops(p2, torture, credentials2, NULL))
 467                 return false;
 468
 469         torture_comment(torture, "Again on pipe1\n");
 470         if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
 471                 return false;
 472
 473         torture_comment(torture, "Again on pipe2\n");
 474         if (!test_netlogon_ex_ops(p2, torture, credentials2, NULL))
 475                 return false;
 476
 477         torture_leave_domain(join_ctx);
 478         return true;
 479 }
 480