source4/torture/rpc/schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_samr.h"
  25 #include "librpc/gen_ndr/ndr_netlogon.h"
  26
  27 #define TEST_MACHINE_NAME "schanneltest"
  28
  29 /*
  30   do some samr ops using the schannel connection
  31  */
  32 static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
  33 {
  34         NTSTATUS status;
  35         struct samr_GetDomPwInfo r;
  36         int i;
  37         struct samr_String name;
  38
  39         name.string = lp_workgroup();
  40         r.in.domain_name = &name;
  41
  42         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
  43
  44         /* do several ops to test credential chaining */
  45         for (i=0;i<5;i++) {
  46                 status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
  47                 if (!NT_STATUS_IS_OK(status)) {
  48                         printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
  49                         return False;
  50                 }
  51         }
  52
  53         return True;
  54 }
  55
  56
  57 /*
  58   try a netlogon SamLogon
  59 */
  60 static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
  61                                   struct creds_CredentialState *creds)
  62 {
  63         NTSTATUS status;
  64         struct netr_LogonSamLogon r;
  65         struct netr_Authenticator auth, auth2;
  66         struct netr_NetworkInfo ninfo;
  67         const char *username = lp_parm_string(-1, "torture", "username");
  68         const char *password = lp_parm_string(-1, "torture", "password");
  69
  70         int i;
  71         BOOL ret = True;
  72
  73         ninfo.identity_info.domain_name.string = lp_workgroup();
  74         ninfo.identity_info.parameter_control = 0;
  75         ninfo.identity_info.logon_id_low = 0;
  76         ninfo.identity_info.logon_id_high = 0;
  77         ninfo.identity_info.account_name.string = username;
  78         ninfo.identity_info.workstation.string = TEST_MACHINE_NAME;
  79         generate_random_buffer(ninfo.challenge,
  80                                sizeof(ninfo.challenge));
  81         ninfo.nt.length = 24;
  82         ninfo.nt.data = talloc_size(mem_ctx, 24);
  83         SMBNTencrypt(password, ninfo.challenge, ninfo.nt.data);
  84         ninfo.lm.length = 24;
  85         ninfo.lm.data = talloc_size(mem_ctx, 24);
  86         SMBencrypt(password, ninfo.challenge, ninfo.lm.data);
  87
  88
  89         r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
  90         r.in.workstation = TEST_MACHINE_NAME;
  91         r.in.credential = &auth;
  92         r.in.return_authenticator = &auth2;
  93         r.in.logon_level = 2;
  94         r.in.logon.network = &ninfo;
  95
  96         printf("Testing LogonSamLogon with name %s\n", username);
  97
  98         for (i=2;i<3;i++) {
  99                 ZERO_STRUCT(auth2);
 100                 creds_client_authenticator(creds, &auth);
 101
 102                 r.in.validation_level = i;
 103
 104                 status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
 105
 106                 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
 107                         printf("Credential chaining failed\n");
 108                         ret = False;
 109                 }
 110
 111         }
 112         return ret;
 113 }
 114
 115 /*
 116   test a schannel connection with the given flags
 117  */
 118 static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 119                           uint16_t acct_flags, uint32_t dcerpc_flags,
 120                           uint32_t schannel_type)
 121 {
 122         void *join_ctx;
 123         const char *machine_password;
 124         NTSTATUS status;
 125         const char *binding = lp_parm_string(-1, "torture", "binding");
 126         struct dcerpc_binding *b;
 127         struct dcerpc_pipe *p = NULL;
 128         struct dcerpc_pipe *p_netlogon = NULL;
 129         struct creds_CredentialState *creds;
 130         struct cli_credentials credentials;
 131         char *test_machine_account = talloc_asprintf(NULL, "%s$", TEST_MACHINE_NAME);
 132
 133         join_ctx = torture_create_testuser(test_machine_account, lp_workgroup(),
 134                                            acct_flags, &machine_password);
 135         if (!join_ctx) {
 136                 printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
 137                 return False;
 138         }
 139
 140         status = dcerpc_parse_binding(mem_ctx, binding, &b);
 141         if (!NT_STATUS_IS_OK(status)) {
 142                 printf("Bad binding string %s\n", binding);
 143                 goto failed;
 144         }
 145
 146         b->flags &= ~DCERPC_AUTH_OPTIONS;
 147         b->flags |= dcerpc_flags;
 148
 149         cli_credentials_set_domain(&credentials, lp_workgroup(), CRED_SPECIFIED);
 150         cli_credentials_set_workstation(&credentials, TEST_MACHINE_NAME, CRED_SPECIFIED);
 151         cli_credentials_set_username(&credentials, test_machine_account, CRED_SPECIFIED);
 152         cli_credentials_set_password(&credentials, machine_password, CRED_SPECIFIED);
 153         status = dcerpc_pipe_connect_b(&p, b,
 154                                        DCERPC_SAMR_UUID,
 155                                        DCERPC_SAMR_VERSION,
 156                                            &credentials);
 157         if (!NT_STATUS_IS_OK(status)) {
 158                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 159                 goto failed;
 160         }
 161
 162         if (!test_samr_ops(p, mem_ctx)) {
 163                 printf("Failed to process schannel secured ops\n");
 164                 goto failed;
 165         }
 166
 167         status = dcerpc_schannel_creds(p->conn->security_state.generic_state, mem_ctx, &creds);
 168         if (!NT_STATUS_IS_OK(status)) {
 169                 goto failed;
 170         }
 171
 172         /* Also test that when we connect to the netlogon pipe, that
 173          * the credentials we setup on the first pipe are valid for
 174          * the second */
 175
 176         /* Swap the binding details from SAMR to NETLOGON */
 177         status = dcerpc_epm_map_binding(mem_ctx, b, DCERPC_NETLOGON_UUID,
 178                                         DCERPC_NETLOGON_VERSION);
 179         if (!NT_STATUS_IS_OK(status)) {
 180                 goto failed;
 181         }
 182
 183         status = dcerpc_secondary_connection(p, &p_netlogon,
 184                                              b);
 185
 186         if (!NT_STATUS_IS_OK(status)) {
 187                 goto failed;
 188         }
 189
 190         status = dcerpc_bind_auth_schannel_withkey(p_netlogon,
 191                                                    DCERPC_NETLOGON_UUID,
 192                                                    DCERPC_NETLOGON_VERSION,
 193                                                    creds);
 194
 195         if (!NT_STATUS_IS_OK(status)) {
 196                 goto failed;
 197         }
 198
 199         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, mem_ctx, &creds);
 200         if (!NT_STATUS_IS_OK(status)) {
 201                 goto failed;
 202         }
 203
 204         /* do a couple of logins */
 205         if (!test_netlogon_ops(p_netlogon, mem_ctx, creds)) {
 206                 printf("Failed to process schannel secured ops\n");
 207                 goto failed;
 208         }
 209
 210         torture_leave_domain(join_ctx);
 211         dcerpc_pipe_close(p_netlogon);
 212         dcerpc_pipe_close(p);
 213         return True;
 214
 215 failed:
 216         torture_leave_domain(join_ctx);
 217         dcerpc_pipe_close(p_netlogon);
 218         dcerpc_pipe_close(p);
 219         return False;
 220 }
 221
 222 /*
 223   a schannel test suite
 224  */
 225 BOOL torture_rpc_schannel(void)
 226 {
 227         TALLOC_CTX *mem_ctx;
 228         BOOL ret = True;
 229         struct {
 230                 uint16_t acct_flags;
 231                 uint32_t dcerpc_flags;
 232                 uint32_t schannel_type;
 233         } tests[] = {
 234                 { ACB_WSTRUST,   DCERPC_SCHANNEL_WORKSTATION | DCERPC_SIGN,                       3 },
 235                 { ACB_WSTRUST,   DCERPC_SCHANNEL_WORKSTATION | DCERPC_SEAL,                       3 },
 236                 { ACB_WSTRUST,   DCERPC_SCHANNEL_WORKSTATION | DCERPC_SIGN | DCERPC_SCHANNEL_128, 3 },
 237                 { ACB_WSTRUST,   DCERPC_SCHANNEL_WORKSTATION | DCERPC_SEAL | DCERPC_SCHANNEL_128, 3 },
 238                 { ACB_SVRTRUST,  DCERPC_SCHANNEL_BDC | DCERPC_SIGN,                               3 },
 239                 { ACB_SVRTRUST,  DCERPC_SCHANNEL_BDC | DCERPC_SEAL,                               3 },
 240                 { ACB_SVRTRUST,  DCERPC_SCHANNEL_BDC | DCERPC_SIGN | DCERPC_SCHANNEL_128,         3 },
 241                 { ACB_SVRTRUST,  DCERPC_SCHANNEL_BDC | DCERPC_SEAL | DCERPC_SCHANNEL_128,         3 }
 242         };
 243         int i;
 244
 245         mem_ctx = talloc_init("torture_rpc_schannel");
 246
 247         for (i=0;i<ARRAY_SIZE(tests);i++) {
 248                 if (!test_schannel(mem_ctx,
 249                                    tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type)) {
 250                         printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x schannel_type=%d\n",
 251                                tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type);
 252                         ret = False;
 253                         break;
 254                 }
 255         }
 256
 257         talloc_free(mem_ctx);
 258
 259         return ret;
 260 }