source4/torture/rpc/schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_samr.h"
  25 #include "librpc/gen_ndr/ndr_netlogon.h"
  26 #include "lib/cmdline/popt_common.h"
  27
  28 #define TEST_MACHINE_NAME "schanneltest"
  29
  30 /*
  31   do some samr ops using the schannel connection
  32  */
  33 static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
  34 {
  35         NTSTATUS status;
  36         struct samr_GetDomPwInfo r;
  37         int i;
  38         struct samr_String name;
  39
  40         name.string = lp_workgroup();
  41         r.in.domain_name = &name;
  42
  43         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
  44
  45         /* do several ops to test credential chaining */
  46         for (i=0;i<5;i++) {
  47                 status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
  48                 if (!NT_STATUS_IS_OK(status)) {
  49                         printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
  50                         return False;
  51                 }
  52         }
  53
  54         return True;
  55 }
  56
  57
  58 /*
  59   try a netlogon SamLogon
  60 */
  61 static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
  62                                   struct creds_CredentialState *creds)
  63 {
  64         NTSTATUS status;
  65         struct netr_LogonSamLogon r;
  66         struct netr_Authenticator auth, auth2;
  67         struct netr_NetworkInfo ninfo;
  68         const char *username = cli_credentials_get_username(cmdline_credentials);
  69         const char *password = cli_credentials_get_password(cmdline_credentials);
  70         int i;
  71         BOOL ret = True;
  72
  73         ninfo.identity_info.domain_name.string = lp_workgroup();
  74         ninfo.identity_info.parameter_control = 0;
  75         ninfo.identity_info.logon_id_low = 0;
  76         ninfo.identity_info.logon_id_high = 0;
  77         ninfo.identity_info.account_name.string = username;
  78         ninfo.identity_info.workstation.string = TEST_MACHINE_NAME;
  79         generate_random_buffer(ninfo.challenge,
  80                                sizeof(ninfo.challenge));
  81         ninfo.nt.length = 24;
  82         ninfo.nt.data = talloc_size(mem_ctx, 24);
  83         SMBNTencrypt(password, ninfo.challenge, ninfo.nt.data);
  84         ninfo.lm.length = 24;
  85         ninfo.lm.data = talloc_size(mem_ctx, 24);
  86         SMBencrypt(password, ninfo.challenge, ninfo.lm.data);
  87
  88
  89         r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
  90         r.in.workstation = TEST_MACHINE_NAME;
  91         r.in.credential = &auth;
  92         r.in.return_authenticator = &auth2;
  93         r.in.logon_level = 2;
  94         r.in.logon.network = &ninfo;
  95
  96         printf("Testing LogonSamLogon with name %s\n", username);
  97
  98         for (i=2;i<3;i++) {
  99                 ZERO_STRUCT(auth2);
 100                 creds_client_authenticator(creds, &auth);
 101
 102                 r.in.validation_level = i;
 103
 104                 status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
 105
 106                 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
 107                         printf("Credential chaining failed\n");
 108                         ret = False;
 109                 }
 110
 111         }
 112         return ret;
 113 }
 114
 115 /*
 116   test a schannel connection with the given flags
 117  */
 118 static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 119                           uint16_t acct_flags, uint32_t dcerpc_flags,
 120                           uint32_t schannel_type)
 121 {
 122         void *join_ctx;
 123         const char *machine_password;
 124         NTSTATUS status;
 125         const char *binding = lp_parm_string(-1, "torture", "binding");
 126         struct dcerpc_binding *b;
 127         struct dcerpc_pipe *p = NULL;
 128         struct dcerpc_pipe *p_netlogon = NULL;
 129         struct creds_CredentialState *creds;
 130         struct cli_credentials *credentials;
 131
 132         TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
 133         char *test_machine_account = talloc_asprintf(NULL, "%s$", TEST_MACHINE_NAME);
 134
 135         credentials = cli_credentials_init(mem_ctx);
 136
 137         join_ctx = torture_create_testuser(test_machine_account, lp_workgroup(),
 138                                            acct_flags, &machine_password);
 139         if (!join_ctx) {
 140                 printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
 141                 talloc_free(test_ctx);
 142                 return False;
 143         }
 144
 145         status = dcerpc_parse_binding(test_ctx, binding, &b);
 146         if (!NT_STATUS_IS_OK(status)) {
 147                 printf("Bad binding string %s\n", binding);
 148                 goto failed;
 149         }
 150
 151         b->flags &= ~DCERPC_AUTH_OPTIONS;
 152         b->flags |= dcerpc_flags;
 153
 154         cli_credentials_set_domain(credentials, lp_workgroup(), CRED_SPECIFIED);
 155         cli_credentials_set_workstation(credentials, TEST_MACHINE_NAME, CRED_SPECIFIED);
 156         cli_credentials_set_username(credentials, test_machine_account, CRED_SPECIFIED);
 157         cli_credentials_set_password(credentials, machine_password, CRED_SPECIFIED);
 158
 159         status = dcerpc_pipe_connect_b(test_ctx,
 160                                        &p, b,
 161                                        DCERPC_SAMR_UUID,
 162                                        DCERPC_SAMR_VERSION,
 163                                        credentials);
 164         if (!NT_STATUS_IS_OK(status)) {
 165                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 166                 goto failed;
 167         }
 168
 169         if (!test_samr_ops(p, test_ctx)) {
 170                 printf("Failed to process schannel secured ops\n");
 171                 goto failed;
 172         }
 173
 174         status = dcerpc_schannel_creds(p->conn->security_state.generic_state, test_ctx, &creds);
 175         if (!NT_STATUS_IS_OK(status)) {
 176                 goto failed;
 177         }
 178
 179         /* Also test that when we connect to the netlogon pipe, that
 180          * the credentials we setup on the first pipe are valid for
 181          * the second */
 182
 183         /* Swap the binding details from SAMR to NETLOGON */
 184         status = dcerpc_epm_map_binding(test_ctx, b, DCERPC_NETLOGON_UUID,
 185                                         DCERPC_NETLOGON_VERSION);
 186         if (!NT_STATUS_IS_OK(status)) {
 187                 goto failed;
 188         }
 189
 190         status = dcerpc_secondary_connection(p, &p_netlogon,
 191                                              b);
 192
 193         if (!NT_STATUS_IS_OK(status)) {
 194                 goto failed;
 195         }
 196
 197         status = dcerpc_bind_auth_password(p_netlogon,
 198                                            DCERPC_NETLOGON_UUID,
 199                                            DCERPC_NETLOGON_VERSION,
 200                                            credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 201                                            NULL);
 202
 203         if (!NT_STATUS_IS_OK(status)) {
 204                 goto failed;
 205         }
 206
 207         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, test_ctx, &creds);
 208         if (!NT_STATUS_IS_OK(status)) {
 209                 goto failed;
 210         }
 211
 212         /* do a couple of logins */
 213         if (!test_netlogon_ops(p_netlogon, test_ctx, creds)) {
 214                 printf("Failed to process schannel secured ops\n");
 215                 goto failed;
 216         }
 217
 218         torture_leave_domain(join_ctx);
 219         talloc_free(test_ctx);
 220         return True;
 221
 222 failed:
 223         torture_leave_domain(join_ctx);
 224         talloc_free(test_ctx);
 225         return False;
 226 }
 227
 228 /*
 229   a schannel test suite
 230  */
 231 BOOL torture_rpc_schannel(void)
 232 {
 233         TALLOC_CTX *mem_ctx;
 234         BOOL ret = True;
 235         struct {
 236                 uint16_t acct_flags;
 237                 uint32_t dcerpc_flags;
 238                 uint32_t schannel_type;
 239         } tests[] = {
 240                 { ACB_WSTRUST,   DCERPC_SCHANNEL_WORKSTATION | DCERPC_SIGN,                       3 },
 241                 { ACB_WSTRUST,   DCERPC_SCHANNEL_WORKSTATION | DCERPC_SEAL,                       3 },
 242                 { ACB_WSTRUST,   DCERPC_SCHANNEL_WORKSTATION | DCERPC_SIGN | DCERPC_SCHANNEL_128, 3 },
 243                 { ACB_WSTRUST,   DCERPC_SCHANNEL_WORKSTATION | DCERPC_SEAL | DCERPC_SCHANNEL_128, 3 },
 244                 { ACB_SVRTRUST,  DCERPC_SCHANNEL_BDC | DCERPC_SIGN,                               3 },
 245                 { ACB_SVRTRUST,  DCERPC_SCHANNEL_BDC | DCERPC_SEAL,                               3 },
 246                 { ACB_SVRTRUST,  DCERPC_SCHANNEL_BDC | DCERPC_SIGN | DCERPC_SCHANNEL_128,         3 },
 247                 { ACB_SVRTRUST,  DCERPC_SCHANNEL_BDC | DCERPC_SEAL | DCERPC_SCHANNEL_128,         3 }
 248         };
 249         int i;
 250
 251         mem_ctx = talloc_init("torture_rpc_schannel");
 252
 253         for (i=0;i<ARRAY_SIZE(tests);i++) {
 254                 if (!test_schannel(mem_ctx,
 255                                    tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type)) {
 256                         printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x schannel_type=%d\n",
 257                                tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type);
 258                         ret = False;
 259                         break;
 260                 }
 261         }
 262
 263         talloc_free(mem_ctx);
 264
 265         return ret;
 266 }