source4/torture/rpc/schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_netlogon.h"
  25 #include "torture/rpc/proto.h"
  26 #include "lib/cmdline/popt_common.h"
  27
  28 #define TEST_MACHINE_NAME "schannel"
  29
  30 /*
  31   try a netlogon SamLogon
  32 */
  33 BOOL test_netlogon_ex_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
  34                           struct cli_credentials *credentials,
  35                           struct creds_CredentialState *creds)
  36 {
  37         NTSTATUS status;
  38         struct netr_LogonSamLogonEx r;
  39         struct netr_NetworkInfo ninfo;
  40         DATA_BLOB names_blob, chal, lm_resp, nt_resp;
  41         int i;
  42         BOOL ret = True;
  43         int flags = CLI_CRED_NTLM_AUTH;
  44         if (lp_client_lanman_auth()) {
  45                 flags |= CLI_CRED_LANMAN_AUTH;
  46         }
  47
  48         if (lp_client_ntlmv2_auth()) {
  49                 flags |= CLI_CRED_NTLMv2_AUTH;
  50         }
  51
  52         cli_credentials_get_ntlm_username_domain(cmdline_credentials, mem_ctx,
  53                                                  &ninfo.identity_info.account_name.string,
  54                                                  &ninfo.identity_info.domain_name.string);
  55
  56         generate_random_buffer(ninfo.challenge,
  57                                sizeof(ninfo.challenge));
  58         chal = data_blob_const(ninfo.challenge,
  59                                sizeof(ninfo.challenge));
  60
  61         names_blob = NTLMv2_generate_names_blob(mem_ctx, cli_credentials_get_workstation(credentials),
  62                                                 cli_credentials_get_domain(credentials));
  63
  64         status = cli_credentials_get_ntlm_response(cmdline_credentials, mem_ctx,
  65                                                    &flags,
  66                                                    chal,
  67                                                    names_blob,
  68                                                    &lm_resp, &nt_resp,
  69                                                    NULL, NULL);
  70         if (!NT_STATUS_IS_OK(status)) {
  71                 printf("cli_credentials_get_ntlm_response failed: %s\n",
  72                        nt_errstr(status));
  73                 return False;
  74         }
  75
  76         ninfo.lm.data = lm_resp.data;
  77         ninfo.lm.length = lm_resp.length;
  78
  79         ninfo.nt.data = nt_resp.data;
  80         ninfo.nt.length = nt_resp.length;
  81
  82         ninfo.identity_info.parameter_control = 0;
  83         ninfo.identity_info.logon_id_low = 0;
  84         ninfo.identity_info.logon_id_high = 0;
  85         ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
  86
  87         r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
  88         r.in.workstation = cli_credentials_get_workstation(credentials);
  89         r.in.logon_level = 2;
  90         r.in.logon.network = &ninfo;
  91         r.in.flags = 0;
  92
  93         printf("Testing LogonSamLogonEx with name %s\n", ninfo.identity_info.account_name.string);
  94
  95         for (i=2;i<3;i++) {
  96                 r.in.validation_level = i;
  97
  98                 status = dcerpc_netr_LogonSamLogonEx(p, mem_ctx, &r);
  99                 if (!NT_STATUS_IS_OK(status)) {
 100                         printf("LogonSamLogon failed: %s\n",
 101                                nt_errstr(status));
 102                         return False;
 103                 }
 104         }
 105
 106         return ret;
 107 }
 108
 109 /*
 110   do some samr ops using the schannel connection
 111  */
 112 static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 113 {
 114         NTSTATUS status;
 115         struct samr_GetDomPwInfo r;
 116         struct samr_Connect connect;
 117         struct samr_OpenDomain opendom;
 118         int i;
 119         struct lsa_String name;
 120         struct policy_handle handle;
 121         struct policy_handle domain_handle;
 122
 123         name.string = lp_workgroup();
 124         r.in.domain_name = &name;
 125
 126         connect.in.system_name = 0;
 127         connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 128         connect.out.connect_handle = &handle;
 129
 130         printf("Testing Connect and OpenDomain on BUILTIN\n");
 131
 132         status = dcerpc_samr_Connect(p, mem_ctx, &connect);
 133         if (!NT_STATUS_IS_OK(status)) {
 134                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 135                         printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
 136                                nt_errstr(status));
 137                 } else {
 138                         printf("Connect failed - %s\n", nt_errstr(status));
 139                         return False;
 140                 }
 141         } else {
 142                 opendom.in.connect_handle = &handle;
 143                 opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 144                 opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
 145                 opendom.out.domain_handle = &domain_handle;
 146
 147                 status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
 148                 if (!NT_STATUS_IS_OK(status)) {
 149                         printf("OpenDomain failed - %s\n", nt_errstr(status));
 150                         return False;
 151                 }
 152         }
 153
 154         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
 155
 156         /* do several ops to test credential chaining */
 157         for (i=0;i<5;i++) {
 158                 status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
 159                 if (!NT_STATUS_IS_OK(status)) {
 160                         if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 161                                 printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
 162                                 return False;
 163                         }
 164                 }
 165         }
 166
 167         return True;
 168 }
 169
 170
 171 /*
 172   do some lsa ops using the schannel connection
 173  */
 174 static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 175 {
 176         struct lsa_GetUserName r;
 177         NTSTATUS status;
 178         BOOL ret = True;
 179         struct lsa_StringPointer authority_name_p;
 180
 181         printf("\nTesting GetUserName\n");
 182
 183         r.in.system_name = "\\";
 184         r.in.account_name = NULL;
 185         r.in.authority_name = &authority_name_p;
 186         authority_name_p.string = NULL;
 187
 188         /* do several ops to test credential chaining and various operations */
 189         status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
 190
 191         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
 192                 printf("not considering %s to be an error\n", nt_errstr(status));
 193         } else if (!NT_STATUS_IS_OK(status)) {
 194                 printf("GetUserName failed - %s\n", nt_errstr(status));
 195                 return False;
 196         } else {
 197                 if (!r.out.account_name) {
 198                         return False;
 199                 }
 200
 201                 if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
 202                         printf("GetUserName returned wrong user: %s, expected %s\n",
 203                                r.out.account_name->string, "ANONYMOUS LOGON");
 204                         return False;
 205                 }
 206                 if (!r.out.authority_name || !r.out.authority_name->string) {
 207                         return False;
 208                 }
 209
 210                 if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
 211                         printf("GetUserName returned wrong user: %s, expected %s\n",
 212                                r.out.authority_name->string->string, "NT AUTHORITY");
 213                         return False;
 214                 }
 215         }
 216         if (!test_many_LookupSids(p, mem_ctx, NULL)) {
 217                 printf("LsaLookupSids3 failed!\n");
 218                 return False;
 219         }
 220
 221         return ret;
 222 }
 223
 224
 225 /*
 226   test a schannel connection with the given flags
 227  */
 228 static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 229                           uint16_t acct_flags, uint32_t dcerpc_flags,
 230                           int i)
 231 {
 232         BOOL ret = True;
 233
 234         struct test_join *join_ctx;
 235         NTSTATUS status;
 236         const char *binding = lp_parm_string(-1, "torture", "binding");
 237         struct dcerpc_binding *b;
 238         struct dcerpc_pipe *p = NULL;
 239         struct dcerpc_pipe *p_netlogon = NULL;
 240         struct dcerpc_pipe *p_netlogon2 = NULL;
 241         struct dcerpc_pipe *p_samr2 = NULL;
 242         struct dcerpc_pipe *p_lsa = NULL;
 243         struct creds_CredentialState *creds;
 244         struct cli_credentials *credentials;
 245
 246         TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
 247
 248         join_ctx = torture_join_domain(talloc_asprintf(mem_ctx, "%s%d", TEST_MACHINE_NAME, i),
 249                                        acct_flags, &credentials);
 250         if (!join_ctx) {
 251                 printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
 252                 talloc_free(test_ctx);
 253                 return False;
 254         }
 255
 256         status = dcerpc_parse_binding(test_ctx, binding, &b);
 257         if (!NT_STATUS_IS_OK(status)) {
 258                 printf("Bad binding string %s\n", binding);
 259                 goto failed;
 260         }
 261
 262         b->flags &= ~DCERPC_AUTH_OPTIONS;
 263         b->flags |= dcerpc_flags;
 264
 265         status = dcerpc_pipe_connect_b(test_ctx, &p, b, &dcerpc_table_samr,
 266                                        credentials, NULL);
 267         if (!NT_STATUS_IS_OK(status)) {
 268                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 269                 goto failed;
 270         }
 271
 272         if (!test_samr_ops(p, test_ctx)) {
 273                 printf("Failed to process schannel secured SAMR ops\n");
 274                 ret = False;
 275         }
 276
 277         /* Also test that when we connect to the netlogon pipe, that
 278          * the credentials we setup on the first pipe are valid for
 279          * the second */
 280
 281         /* Swap the binding details from SAMR to NETLOGON */
 282         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_netlogon, NULL);
 283         if (!NT_STATUS_IS_OK(status)) {
 284                 goto failed;
 285         }
 286
 287         status = dcerpc_secondary_connection(p, &p_netlogon,
 288                                              b);
 289
 290         if (!NT_STATUS_IS_OK(status)) {
 291                 goto failed;
 292         }
 293
 294         status = dcerpc_bind_auth(p_netlogon, &dcerpc_table_netlogon,
 295                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 296                                   dcerpc_auth_level(p->conn),
 297                                   NULL);
 298
 299         if (!NT_STATUS_IS_OK(status)) {
 300                 goto failed;
 301         }
 302
 303         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, test_ctx, &creds);
 304         if (!NT_STATUS_IS_OK(status)) {
 305                 goto failed;
 306         }
 307
 308         /* do a couple of logins */
 309         if (!test_netlogon_ops(p_netlogon, test_ctx, credentials, creds)) {
 310                 printf("Failed to process schannel secured NETLOGON ops\n");
 311                 ret = False;
 312         }
 313
 314         if (!test_netlogon_ex_ops(p_netlogon, test_ctx, credentials, creds)) {
 315                 printf("Failed to process schannel secured NETLOGON EX ops\n");
 316                 ret = False;
 317         }
 318
 319         /* Swap the binding details from SAMR to LSARPC */
 320         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_lsarpc, NULL);
 321         if (!NT_STATUS_IS_OK(status)) {
 322                 goto failed;
 323         }
 324
 325         status = dcerpc_secondary_connection(p, &p_lsa,
 326                                              b);
 327
 328         if (!NT_STATUS_IS_OK(status)) {
 329                 goto failed;
 330         }
 331
 332         status = dcerpc_bind_auth(p_lsa, &dcerpc_table_lsarpc,
 333                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 334                                   dcerpc_auth_level(p->conn),
 335                                   NULL);
 336
 337         if (!NT_STATUS_IS_OK(status)) {
 338                 goto failed;
 339         }
 340
 341         if (!test_lsa_ops(p_lsa, test_ctx)) {
 342                 printf("Failed to process schannel secured LSA ops\n");
 343                 ret = False;
 344         }
 345
 346         /* Drop the socket, we want to start from scratch */
 347         talloc_free(p);
 348         p = NULL;
 349
 350         /* Now see what we are still allowed to do */
 351
 352         status = dcerpc_parse_binding(test_ctx, binding, &b);
 353         if (!NT_STATUS_IS_OK(status)) {
 354                 printf("Bad binding string %s\n", binding);
 355                 goto failed;
 356         }
 357
 358         b->flags &= ~DCERPC_AUTH_OPTIONS;
 359         b->flags |= dcerpc_flags;
 360
 361         status = dcerpc_pipe_connect_b(test_ctx, &p_samr2, b, &dcerpc_table_samr,
 362                                        credentials, NULL);
 363         if (!NT_STATUS_IS_OK(status)) {
 364                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 365                 goto failed;
 366         }
 367
 368         /* do a some SAMR operations.  We have *not* done a new serverauthenticate */
 369         if (!test_samr_ops(p_samr2, test_ctx)) {
 370                 printf("Failed to process schannel secured SAMR ops (on fresh connection)\n");
 371                 goto failed;
 372         }
 373
 374         /* Swap the binding details from SAMR to NETLOGON */
 375         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_netlogon, NULL);
 376         if (!NT_STATUS_IS_OK(status)) {
 377                 goto failed;
 378         }
 379
 380         status = dcerpc_secondary_connection(p_samr2, &p_netlogon2,
 381                                              b);
 382         if (!NT_STATUS_IS_OK(status)) {
 383                 goto failed;
 384         }
 385
 386         /* and now setup an SCHANNEL bind on netlogon */
 387         status = dcerpc_bind_auth(p_netlogon2, &dcerpc_table_netlogon,
 388                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 389                                   dcerpc_auth_level(p_samr2->conn),
 390                                   NULL);
 391
 392         if (!NT_STATUS_IS_OK(status)) {
 393                 goto failed;
 394         }
 395
 396         /* Try the schannel-only SamLogonEx operation */
 397         if (!test_netlogon_ex_ops(p_netlogon2, test_ctx, credentials, creds)) {
 398                 printf("Failed to process schannel secured NETLOGON EX ops\n");
 399                 ret = False;
 400         }
 401
 402         /* And the more traditional style, proving that the
 403          * credentials chaining state is fully present */
 404         if (!test_netlogon_ops(p_netlogon2, test_ctx, credentials, creds)) {
 405                 printf("Failed to process schannel secured NETLOGON EX ops\n");
 406                 ret = False;
 407         }
 408
 409         torture_leave_domain(join_ctx);
 410         talloc_free(test_ctx);
 411         return ret;
 412
 413 failed:
 414         torture_leave_domain(join_ctx);
 415         talloc_free(test_ctx);
 416         return False;
 417 }
 418
 419 /*
 420   a schannel test suite
 421  */
 422 BOOL torture_rpc_schannel(void)
 423 {
 424         TALLOC_CTX *mem_ctx;
 425         BOOL ret = True;
 426         struct {
 427                 uint16_t acct_flags;
 428                 uint32_t dcerpc_flags;
 429         } tests[] = {
 430                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN},
 431                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL},
 432                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
 433                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
 434                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN },
 435                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL },
 436                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
 437                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
 438         };
 439         int i;
 440
 441         mem_ctx = talloc_init("torture_rpc_schannel");
 442
 443         for (i=0;i<ARRAY_SIZE(tests);i++) {
 444                 if (!test_schannel(mem_ctx,
 445                                    tests[i].acct_flags, tests[i].dcerpc_flags,
 446                                    i)) {
 447                         printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
 448                                tests[i].acct_flags, tests[i].dcerpc_flags);
 449                         ret = False;
 450                         break;
 451                 }
 452         }
 453
 454         talloc_free(mem_ctx);
 455
 456         return ret;
 457 }