source4/torture/rpc/schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_samr.h"
  25 #include "librpc/gen_ndr/ndr_netlogon.h"
  26 #include "lib/cmdline/popt_common.h"
  27
  28 #define TEST_MACHINE_NAME "schanneltest"
  29
  30 /*
  31   do some samr ops using the schannel connection
  32  */
  33 static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
  34 {
  35         NTSTATUS status;
  36         struct samr_GetDomPwInfo r;
  37         int i;
  38         struct samr_String name;
  39
  40         name.string = lp_workgroup();
  41         r.in.domain_name = &name;
  42
  43         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
  44
  45         /* do several ops to test credential chaining */
  46         for (i=0;i<5;i++) {
  47                 status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
  48                 if (!NT_STATUS_IS_OK(status)) {
  49                         printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
  50                         return False;
  51                 }
  52         }
  53
  54         return True;
  55 }
  56
  57
  58 /*
  59   try a netlogon SamLogon
  60 */
  61 static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
  62                                   struct creds_CredentialState *creds)
  63 {
  64         NTSTATUS status;
  65         struct netr_LogonSamLogon r;
  66         struct netr_Authenticator auth, auth2;
  67         struct netr_NetworkInfo ninfo;
  68         const char *username = cli_credentials_get_username(cmdline_credentials);
  69         const char *password = cli_credentials_get_password(cmdline_credentials);
  70         int i;
  71         BOOL ret = True;
  72
  73         ninfo.identity_info.domain_name.string = lp_workgroup();
  74         ninfo.identity_info.parameter_control = 0;
  75         ninfo.identity_info.logon_id_low = 0;
  76         ninfo.identity_info.logon_id_high = 0;
  77         ninfo.identity_info.account_name.string = username;
  78         ninfo.identity_info.workstation.string = TEST_MACHINE_NAME;
  79         generate_random_buffer(ninfo.challenge,
  80                                sizeof(ninfo.challenge));
  81         ninfo.nt.length = 24;
  82         ninfo.nt.data = talloc_size(mem_ctx, 24);
  83         SMBNTencrypt(password, ninfo.challenge, ninfo.nt.data);
  84         ninfo.lm.length = 24;
  85         ninfo.lm.data = talloc_size(mem_ctx, 24);
  86         SMBencrypt(password, ninfo.challenge, ninfo.lm.data);
  87
  88
  89         r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
  90         r.in.workstation = TEST_MACHINE_NAME;
  91         r.in.credential = &auth;
  92         r.in.return_authenticator = &auth2;
  93         r.in.logon_level = 2;
  94         r.in.logon.network = &ninfo;
  95
  96         printf("Testing LogonSamLogon with name %s\n", username);
  97
  98         for (i=2;i<3;i++) {
  99                 ZERO_STRUCT(auth2);
 100                 creds_client_authenticator(creds, &auth);
 101
 102                 r.in.validation_level = i;
 103
 104                 status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
 105
 106                 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
 107                         printf("Credential chaining failed\n");
 108                         ret = False;
 109                 }
 110
 111         }
 112         return ret;
 113 }
 114
 115 /*
 116   test a schannel connection with the given flags
 117  */
 118 static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 119                           uint16_t acct_flags, uint32_t dcerpc_flags,
 120                           uint32_t schannel_type)
 121 {
 122         void *join_ctx;
 123         const char *machine_password;
 124         NTSTATUS status;
 125         const char *binding = lp_parm_string(-1, "torture", "binding");
 126         struct dcerpc_binding *b;
 127         struct dcerpc_pipe *p = NULL;
 128         struct dcerpc_pipe *p_netlogon = NULL;
 129         struct creds_CredentialState *creds;
 130         struct cli_credentials *credentials;
 131
 132         TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
 133         char *test_machine_account = talloc_asprintf(NULL, "%s$", TEST_MACHINE_NAME);
 134
 135         join_ctx = torture_create_testuser(test_machine_account, lp_workgroup(),
 136                                            acct_flags, &machine_password);
 137         if (!join_ctx) {
 138                 printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
 139                 talloc_free(test_ctx);
 140                 return False;
 141         }
 142
 143         status = dcerpc_parse_binding(test_ctx, binding, &b);
 144         if (!NT_STATUS_IS_OK(status)) {
 145                 printf("Bad binding string %s\n", binding);
 146                 goto failed;
 147         }
 148
 149         b->flags &= ~DCERPC_AUTH_OPTIONS;
 150         b->flags |= dcerpc_flags;
 151
 152         credentials = cli_credentials_init(mem_ctx);
 153         cli_credentials_set_conf(credentials);
 154
 155         cli_credentials_set_domain(credentials, lp_workgroup(), CRED_SPECIFIED);
 156         cli_credentials_set_workstation(credentials, TEST_MACHINE_NAME, CRED_SPECIFIED);
 157         cli_credentials_set_username(credentials, test_machine_account, CRED_SPECIFIED);
 158         cli_credentials_set_password(credentials, machine_password, CRED_SPECIFIED);
 159
 160         if (acct_flags == ACB_WSTRUST) {
 161                 cli_credentials_set_secure_channel_type(credentials,
 162                                                         SEC_CHAN_WKSTA);
 163         } else if (acct_flags == ACB_SVRTRUST) {
 164                 cli_credentials_set_secure_channel_type(credentials,
 165                                                         SEC_CHAN_BDC);
 166         } else {
 167                 goto failed;
 168         }
 169
 170         status = dcerpc_pipe_connect_b(test_ctx,
 171                                        &p, b,
 172                                        DCERPC_SAMR_UUID,
 173                                        DCERPC_SAMR_VERSION,
 174                                        credentials);
 175         if (!NT_STATUS_IS_OK(status)) {
 176                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 177                 goto failed;
 178         }
 179
 180         if (!test_samr_ops(p, test_ctx)) {
 181                 printf("Failed to process schannel secured ops\n");
 182                 goto failed;
 183         }
 184
 185         status = dcerpc_schannel_creds(p->conn->security_state.generic_state, test_ctx, &creds);
 186         if (!NT_STATUS_IS_OK(status)) {
 187                 goto failed;
 188         }
 189
 190         /* Also test that when we connect to the netlogon pipe, that
 191          * the credentials we setup on the first pipe are valid for
 192          * the second */
 193
 194         /* Swap the binding details from SAMR to NETLOGON */
 195         status = dcerpc_epm_map_binding(test_ctx, b, DCERPC_NETLOGON_UUID,
 196                                         DCERPC_NETLOGON_VERSION);
 197         if (!NT_STATUS_IS_OK(status)) {
 198                 goto failed;
 199         }
 200
 201         status = dcerpc_secondary_connection(p, &p_netlogon,
 202                                              b);
 203
 204         if (!NT_STATUS_IS_OK(status)) {
 205                 goto failed;
 206         }
 207
 208         status = dcerpc_bind_auth_password(p_netlogon,
 209                                            DCERPC_NETLOGON_UUID,
 210                                            DCERPC_NETLOGON_VERSION,
 211                                            credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 212                                            NULL);
 213
 214         if (!NT_STATUS_IS_OK(status)) {
 215                 goto failed;
 216         }
 217
 218         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, test_ctx, &creds);
 219         if (!NT_STATUS_IS_OK(status)) {
 220                 goto failed;
 221         }
 222
 223         /* do a couple of logins */
 224         if (!test_netlogon_ops(p_netlogon, test_ctx, creds)) {
 225                 printf("Failed to process schannel secured ops\n");
 226                 goto failed;
 227         }
 228
 229         torture_leave_domain(join_ctx);
 230         talloc_free(test_ctx);
 231         return True;
 232
 233 failed:
 234         torture_leave_domain(join_ctx);
 235         talloc_free(test_ctx);
 236         return False;
 237 }
 238
 239 /*
 240   a schannel test suite
 241  */
 242 BOOL torture_rpc_schannel(void)
 243 {
 244         TALLOC_CTX *mem_ctx;
 245         BOOL ret = True;
 246         struct {
 247                 uint16_t acct_flags;
 248                 uint32_t dcerpc_flags;
 249                 uint32_t schannel_type;
 250         } tests[] = {
 251                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN,                       3 },
 252                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL,                       3 },
 253                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128, 3 },
 254                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128, 3 },
 255                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN,                               3 },
 256                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL,                               3 },
 257                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128,         3 },
 258                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128,         3 }
 259         };
 260         int i;
 261
 262         mem_ctx = talloc_init("torture_rpc_schannel");
 263
 264         for (i=0;i<ARRAY_SIZE(tests);i++) {
 265                 if (!test_schannel(mem_ctx,
 266                                    tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type)) {
 267                         printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x schannel_type=%d\n",
 268                                tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type);
 269                         ret = False;
 270                         break;
 271                 }
 272         }
 273
 274         talloc_free(mem_ctx);
 275
 276         return ret;
 277 }