source4/torture/rpc/schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "librpc/gen_ndr/ndr_netlogon_c.h"
  24 #include "librpc/gen_ndr/ndr_lsa_c.h"
  25 #include "librpc/gen_ndr/ndr_samr_c.h"
  26 #include "auth/credentials/credentials.h"
  27 #include "torture/rpc/rpc.h"
  28 #include "lib/cmdline/popt_common.h"
  29 #include "auth/gensec/schannel_proto.h"
  30 #include "libcli/auth/libcli_auth.h"
  31 #include "libcli/security/security.h"
  32 #include "system/filesys.h"
  33
  34 #define TEST_MACHINE_NAME "schannel"
  35
  36 /*
  37   try a netlogon SamLogon
  38 */
  39 bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
  40                           struct cli_credentials *credentials,
  41                           struct creds_CredentialState *creds)
  42 {
  43         NTSTATUS status;
  44         struct netr_LogonSamLogonEx r;
  45         struct netr_NetworkInfo ninfo;
  46         DATA_BLOB names_blob, chal, lm_resp, nt_resp;
  47         int i;
  48         int flags = CLI_CRED_NTLM_AUTH;
  49         if (lp_client_lanman_auth()) {
  50                 flags |= CLI_CRED_LANMAN_AUTH;
  51         }
  52
  53         if (lp_client_ntlmv2_auth()) {
  54                 flags |= CLI_CRED_NTLMv2_AUTH;
  55         }
  56
  57         cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
  58                                                  &ninfo.identity_info.account_name.string,
  59                                                  &ninfo.identity_info.domain_name.string);
  60
  61         generate_random_buffer(ninfo.challenge,
  62                                sizeof(ninfo.challenge));
  63         chal = data_blob_const(ninfo.challenge,
  64                                sizeof(ninfo.challenge));
  65
  66         names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
  67                                                 cli_credentials_get_domain(credentials));
  68
  69         status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
  70                                                    &flags,
  71                                                    chal,
  72                                                    names_blob,
  73                                                    &lm_resp, &nt_resp,
  74                                                    NULL, NULL);
  75         torture_assert_ntstatus_ok(tctx, status,
  76                                    "cli_credentials_get_ntlm_response failed");
  77
  78         ninfo.lm.data = lm_resp.data;
  79         ninfo.lm.length = lm_resp.length;
  80
  81         ninfo.nt.data = nt_resp.data;
  82         ninfo.nt.length = nt_resp.length;
  83
  84         ninfo.identity_info.parameter_control = 0;
  85         ninfo.identity_info.logon_id_low = 0;
  86         ninfo.identity_info.logon_id_high = 0;
  87         ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
  88
  89         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
  90         r.in.computer_name = cli_credentials_get_workstation(credentials);
  91         r.in.logon_level = 2;
  92         r.in.logon.network = &ninfo;
  93         r.in.flags = 0;
  94
  95         torture_comment(tctx,
  96                         "Testing LogonSamLogonEx with name %s\n",
  97                         ninfo.identity_info.account_name.string);
  98
  99         for (i=2;i<3;i++) {
 100                 r.in.validation_level = i;
 101
 102                 status = dcerpc_netr_LogonSamLogonEx(p, tctx, &r);
 103                 torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
 104         }
 105
 106         return true;
 107 }
 108
 109 /*
 110   do some samr ops using the schannel connection
 111  */
 112 static bool test_samr_ops(struct torture_context *tctx,
 113                           struct dcerpc_pipe *p)
 114 {
 115         NTSTATUS status;
 116         struct samr_GetDomPwInfo r;
 117         struct samr_Connect connect;
 118         struct samr_OpenDomain opendom;
 119         int i;
 120         struct lsa_String name;
 121         struct policy_handle handle;
 122         struct policy_handle domain_handle;
 123
 124         name.string = lp_workgroup();
 125         r.in.domain_name = &name;
 126
 127         connect.in.system_name = 0;
 128         connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 129         connect.out.connect_handle = &handle;
 130
 131         printf("Testing Connect and OpenDomain on BUILTIN\n");
 132
 133         status = dcerpc_samr_Connect(p, tctx, &connect);
 134         if (!NT_STATUS_IS_OK(status)) {
 135                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 136                         printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
 137                                nt_errstr(status));
 138                 } else {
 139                         printf("Connect failed - %s\n", nt_errstr(status));
 140                         return false;
 141                 }
 142         } else {
 143                 opendom.in.connect_handle = &handle;
 144                 opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 145                 opendom.in.sid = dom_sid_parse_talloc(tctx, "S-1-5-32");
 146                 opendom.out.domain_handle = &domain_handle;
 147
 148                 status = dcerpc_samr_OpenDomain(p, tctx, &opendom);
 149                 if (!NT_STATUS_IS_OK(status)) {
 150                         printf("OpenDomain failed - %s\n", nt_errstr(status));
 151                         return false;
 152                 }
 153         }
 154
 155         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
 156
 157         /* do several ops to test credential chaining */
 158         for (i=0;i<5;i++) {
 159                 status = dcerpc_samr_GetDomPwInfo(p, tctx, &r);
 160                 if (!NT_STATUS_IS_OK(status)) {
 161                         if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 162                                 printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
 163                                 return False;
 164                         }
 165                 }
 166         }
 167
 168         return True;
 169 }
 170
 171
 172 /*
 173   do some lsa ops using the schannel connection
 174  */
 175 static bool test_lsa_ops(struct torture_context *tctx, struct dcerpc_pipe *p)
 176 {
 177         struct lsa_GetUserName r;
 178         NTSTATUS status;
 179         BOOL ret = True;
 180         struct lsa_StringPointer authority_name_p;
 181
 182         printf("\nTesting GetUserName\n");
 183
 184         r.in.system_name = "\\";
 185         r.in.account_name = NULL;
 186         r.in.authority_name = &authority_name_p;
 187         authority_name_p.string = NULL;
 188
 189         /* do several ops to test credential chaining and various operations */
 190         status = dcerpc_lsa_GetUserName(p, tctx, &r);
 191
 192         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
 193                 printf("not considering %s to be an error\n", nt_errstr(status));
 194         } else if (!NT_STATUS_IS_OK(status)) {
 195                 printf("GetUserName failed - %s\n", nt_errstr(status));
 196                 return False;
 197         } else {
 198                 if (!r.out.account_name) {
 199                         return False;
 200                 }
 201
 202                 if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
 203                         printf("GetUserName returned wrong user: %s, expected %s\n",
 204                                r.out.account_name->string, "ANONYMOUS LOGON");
 205                         return False;
 206                 }
 207                 if (!r.out.authority_name || !r.out.authority_name->string) {
 208                         return False;
 209                 }
 210
 211                 if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
 212                         printf("GetUserName returned wrong user: %s, expected %s\n",
 213                                r.out.authority_name->string->string, "NT AUTHORITY");
 214                         return False;
 215                 }
 216         }
 217         if (!test_many_LookupSids(p, tctx, NULL)) {
 218                 printf("LsaLookupSids3 failed!\n");
 219                 return False;
 220         }
 221
 222         return ret;
 223 }
 224
 225
 226 /*
 227   test a schannel connection with the given flags
 228  */
 229 static bool test_schannel(struct torture_context *tctx,
 230                           uint16_t acct_flags, uint32_t dcerpc_flags,
 231                           int i)
 232 {
 233         struct test_join *join_ctx;
 234         NTSTATUS status;
 235         const char *binding = lp_parm_string(-1, "torture", "binding");
 236         struct dcerpc_binding *b;
 237         struct dcerpc_pipe *p = NULL;
 238         struct dcerpc_pipe *p_netlogon = NULL;
 239         struct dcerpc_pipe *p_netlogon2 = NULL;
 240         struct dcerpc_pipe *p_netlogon3 = NULL;
 241         struct dcerpc_pipe *p_samr2 = NULL;
 242         struct dcerpc_pipe *p_lsa = NULL;
 243         struct creds_CredentialState *creds;
 244         struct cli_credentials *credentials;
 245
 246         join_ctx = torture_join_domain(talloc_asprintf(tctx, "%s%d", TEST_MACHINE_NAME, i),
 247                                        acct_flags, &credentials);
 248         torture_assert(tctx, join_ctx != NULL, "Failed to join domain");
 249
 250         status = dcerpc_parse_binding(tctx, binding, &b);
 251         torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
 252
 253         b->flags &= ~DCERPC_AUTH_OPTIONS;
 254         b->flags |= dcerpc_flags;
 255
 256         status = dcerpc_pipe_connect_b(tctx, &p, b, &ndr_table_samr,
 257                                        credentials, NULL);
 258         torture_assert_ntstatus_ok(tctx, status,
 259                 "Failed to connect with schannel");
 260
 261         torture_assert(tctx, test_samr_ops(tctx, p),
 262                        "Failed to process schannel secured SAMR ops");
 263
 264         /* Also test that when we connect to the netlogon pipe, that
 265          * the credentials we setup on the first pipe are valid for
 266          * the second */
 267
 268         /* Swap the binding details from SAMR to NETLOGON */
 269         status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, NULL);
 270         torture_assert_ntstatus_ok(tctx, status, "epm map");
 271
 272         status = dcerpc_secondary_connection(p, &p_netlogon,
 273                                              b);
 274         torture_assert_ntstatus_ok(tctx, status, "seconday connection");
 275
 276         status = dcerpc_bind_auth(p_netlogon, &ndr_table_netlogon,
 277                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 278                                   dcerpc_auth_level(p->conn),
 279                                   NULL);
 280
 281         torture_assert_ntstatus_ok(tctx, status, "bind auth");
 282
 283         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
 284         torture_assert_ntstatus_ok(tctx, status, "schannel creds");
 285
 286         /* do a couple of logins */
 287         torture_assert(tctx, test_netlogon_ops(p_netlogon, tctx, credentials, creds),
 288                 "Failed to process schannel secured NETLOGON ops");
 289
 290         torture_assert(tctx, test_netlogon_ex_ops(p_netlogon, tctx, credentials, creds),
 291                 "Failed to process schannel secured NETLOGON EX ops");
 292
 293         /* Swap the binding details from SAMR to LSARPC */
 294         status = dcerpc_epm_map_binding(tctx, b, &ndr_table_lsarpc, NULL);
 295         torture_assert_ntstatus_ok(tctx, status, "epm map");
 296
 297         status = dcerpc_secondary_connection(p, &p_lsa,
 298                                              b);
 299
 300         torture_assert_ntstatus_ok(tctx, status, "seconday connection");
 301
 302         status = dcerpc_bind_auth(p_lsa, &ndr_table_lsarpc,
 303                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 304                                   dcerpc_auth_level(p->conn),
 305                                   NULL);
 306
 307         torture_assert_ntstatus_ok(tctx, status, "bind auth");
 308
 309         torture_assert(tctx, test_lsa_ops(tctx, p_lsa),
 310                 "Failed to process schannel secured LSA ops");
 311
 312         /* Drop the socket, we want to start from scratch */
 313         talloc_free(p);
 314         p = NULL;
 315
 316         /* Now see what we are still allowed to do */
 317
 318         status = dcerpc_parse_binding(tctx, binding, &b);
 319         torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
 320
 321         b->flags &= ~DCERPC_AUTH_OPTIONS;
 322         b->flags |= dcerpc_flags;
 323
 324         status = dcerpc_pipe_connect_b(tctx, &p_samr2, b, &ndr_table_samr,
 325                                        credentials, NULL);
 326         torture_assert_ntstatus_ok(tctx, status,
 327                 "Failed to connect with schannel");
 328
 329         /* do a some SAMR operations.  We have *not* done a new serverauthenticate */
 330         torture_assert (tctx, test_samr_ops(tctx, p_samr2),
 331                         "Failed to process schannel secured SAMR ops (on fresh connection)");
 332
 333         /* Swap the binding details from SAMR to NETLOGON */
 334         status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, NULL);
 335         torture_assert_ntstatus_ok(tctx, status, "epm");
 336
 337         status = dcerpc_secondary_connection(p_samr2, &p_netlogon2,
 338                                              b);
 339         torture_assert_ntstatus_ok(tctx, status, "seconday connection");
 340
 341         /* and now setup an SCHANNEL bind on netlogon */
 342         status = dcerpc_bind_auth(p_netlogon2, &ndr_table_netlogon,
 343                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 344                                   dcerpc_auth_level(p_samr2->conn),
 345                                   NULL);
 346
 347         torture_assert_ntstatus_ok(tctx, status, "auth failed");
 348
 349         /* Try the schannel-only SamLogonEx operation */
 350         torture_assert(tctx, test_netlogon_ex_ops(p_netlogon2, tctx, credentials, creds),
 351                        "Failed to process schannel secured NETLOGON EX ops (on fresh connection)");
 352
 353
 354         /* And the more traditional style, proving that the
 355          * credentials chaining state is fully present */
 356         torture_assert(tctx, test_netlogon_ops(p_netlogon2, tctx, credentials, creds),
 357                              "Failed to process schannel secured NETLOGON ops (on fresh connection)");
 358
 359         /* Drop the socket, we want to start from scratch (again) */
 360         talloc_free(p_samr2);
 361
 362         /* We don't want schannel for this test */
 363         b->flags &= ~DCERPC_AUTH_OPTIONS;
 364
 365         status = dcerpc_pipe_connect_b(tctx, &p_netlogon3, b, &ndr_table_netlogon,
 366                                        credentials, NULL);
 367         torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel");
 368
 369         torture_assert(tctx, !test_netlogon_ex_ops(p_netlogon3, tctx, credentials, creds),
 370                         "Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)");
 371
 372         /* Required because the previous call will mark the current context as having failed */
 373         tctx->last_result = TORTURE_OK;
 374         tctx->last_reason = NULL;
 375
 376         torture_assert(tctx, test_netlogon_ops(p_netlogon3, tctx, credentials, creds),
 377                         "Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth");
 378
 379         torture_leave_domain(join_ctx);
 380         return true;
 381 }
 382
 383
 384
 385 /*
 386   a schannel test suite
 387  */
 388 bool torture_rpc_schannel(struct torture_context *torture)
 389 {
 390         BOOL ret = True;
 391         struct {
 392                 uint16_t acct_flags;
 393                 uint32_t dcerpc_flags;
 394         } tests[] = {
 395                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN},
 396                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL},
 397                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
 398                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
 399                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN },
 400                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL },
 401                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
 402                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
 403         };
 404         int i;
 405
 406         for (i=0;i<ARRAY_SIZE(tests);i++) {
 407                 if (!test_schannel(torture,
 408                                    tests[i].acct_flags, tests[i].dcerpc_flags,
 409                                    i)) {
 410                         torture_comment(torture, "Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
 411                                tests[i].acct_flags, tests[i].dcerpc_flags);
 412                         ret = false;
 413                 }
 414         }
 415
 416         return ret;
 417 }
 418
 419 /*
 420   test two schannel connections
 421  */
 422 bool torture_rpc_schannel2(struct torture_context *torture)
 423 {
 424         struct test_join *join_ctx;
 425         NTSTATUS status;
 426         const char *binding = torture_setting_string(torture, "binding", NULL);
 427         struct dcerpc_binding *b;
 428         struct dcerpc_pipe *p1 = NULL, *p2 = NULL;
 429         struct cli_credentials *credentials1, *credentials2;
 430         uint32_t dcerpc_flags = DCERPC_SCHANNEL | DCERPC_SIGN;
 431
 432         join_ctx = torture_join_domain(talloc_asprintf(torture, "%s2", TEST_MACHINE_NAME),
 433                                        ACB_WSTRUST, &credentials1);
 434         torture_assert(torture, join_ctx != NULL,
 435                        "Failed to join domain with acct_flags=ACB_WSTRUST");
 436
 437         credentials2 = talloc_memdup(torture, credentials1, sizeof(*credentials1));
 438         credentials1->netlogon_creds = NULL;
 439         credentials2->netlogon_creds = NULL;
 440
 441         status = dcerpc_parse_binding(torture, binding, &b);
 442         torture_assert_ntstatus_ok(torture, status, "Bad binding string");
 443
 444         b->flags &= ~DCERPC_AUTH_OPTIONS;
 445         b->flags |= dcerpc_flags;
 446
 447         printf("Opening first connection\n");
 448         status = dcerpc_pipe_connect_b(torture, &p1, b, &ndr_table_netlogon,
 449                                        credentials1, NULL);
 450         torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
 451
 452         torture_comment(torture, "Opening second connection\n");
 453         status = dcerpc_pipe_connect_b(torture, &p2, b, &ndr_table_netlogon,
 454                                        credentials2, NULL);
 455         torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
 456
 457         credentials1->netlogon_creds = NULL;
 458         credentials2->netlogon_creds = NULL;
 459
 460         torture_comment(torture, "Testing logon on pipe1\n");
 461         if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
 462                 return false;
 463
 464         torture_comment(torture, "Testing logon on pipe2\n");
 465         if (!test_netlogon_ex_ops(p2, torture, credentials2, NULL))
 466                 return false;
 467
 468         torture_comment(torture, "Again on pipe1\n");
 469         if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
 470                 return false;
 471
 472         torture_comment(torture, "Again on pipe2\n");
 473         if (!test_netlogon_ex_ops(p2, torture, credentials2, NULL))
 474                 return false;
 475
 476         torture_leave_domain(join_ctx);
 477         return true;
 478 }
 479