source4/torture/rpc/schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_netlogon.h"
  25 #include "torture/rpc/proto.h"
  26 #include "lib/cmdline/popt_common.h"
  27 #include "auth/gensec/schannel_proto.h"
  28
  29 #define TEST_MACHINE_NAME "schannel"
  30
  31 /*
  32   try a netlogon SamLogon
  33 */
  34 BOOL test_netlogon_ex_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
  35                           struct cli_credentials *credentials,
  36                           struct creds_CredentialState *creds)
  37 {
  38         NTSTATUS status;
  39         struct netr_LogonSamLogonEx r;
  40         struct netr_NetworkInfo ninfo;
  41         DATA_BLOB names_blob, chal, lm_resp, nt_resp;
  42         int i;
  43         BOOL ret = True;
  44         int flags = CLI_CRED_NTLM_AUTH;
  45         if (lp_client_lanman_auth()) {
  46                 flags |= CLI_CRED_LANMAN_AUTH;
  47         }
  48
  49         if (lp_client_ntlmv2_auth()) {
  50                 flags |= CLI_CRED_NTLMv2_AUTH;
  51         }
  52
  53         cli_credentials_get_ntlm_username_domain(cmdline_credentials, mem_ctx,
  54                                                  &ninfo.identity_info.account_name.string,
  55                                                  &ninfo.identity_info.domain_name.string);
  56
  57         generate_random_buffer(ninfo.challenge,
  58                                sizeof(ninfo.challenge));
  59         chal = data_blob_const(ninfo.challenge,
  60                                sizeof(ninfo.challenge));
  61
  62         names_blob = NTLMv2_generate_names_blob(mem_ctx, cli_credentials_get_workstation(credentials),
  63                                                 cli_credentials_get_domain(credentials));
  64
  65         status = cli_credentials_get_ntlm_response(cmdline_credentials, mem_ctx,
  66                                                    &flags,
  67                                                    chal,
  68                                                    names_blob,
  69                                                    &lm_resp, &nt_resp,
  70                                                    NULL, NULL);
  71         if (!NT_STATUS_IS_OK(status)) {
  72                 printf("cli_credentials_get_ntlm_response failed: %s\n",
  73                        nt_errstr(status));
  74                 return False;
  75         }
  76
  77         ninfo.lm.data = lm_resp.data;
  78         ninfo.lm.length = lm_resp.length;
  79
  80         ninfo.nt.data = nt_resp.data;
  81         ninfo.nt.length = nt_resp.length;
  82
  83         ninfo.identity_info.parameter_control = 0;
  84         ninfo.identity_info.logon_id_low = 0;
  85         ninfo.identity_info.logon_id_high = 0;
  86         ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
  87
  88         r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
  89         r.in.computer_name = cli_credentials_get_workstation(credentials);
  90         r.in.logon_level = 2;
  91         r.in.logon.network = &ninfo;
  92         r.in.flags = 0;
  93
  94         printf("Testing LogonSamLogonEx with name %s\n", ninfo.identity_info.account_name.string);
  95
  96         for (i=2;i<3;i++) {
  97                 r.in.validation_level = i;
  98
  99                 status = dcerpc_netr_LogonSamLogonEx(p, mem_ctx, &r);
 100                 if (!NT_STATUS_IS_OK(status)) {
 101                         printf("LogonSamLogon failed: %s\n",
 102                                nt_errstr(status));
 103                         return False;
 104                 }
 105         }
 106
 107         return ret;
 108 }
 109
 110 /*
 111   do some samr ops using the schannel connection
 112  */
 113 static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 114 {
 115         NTSTATUS status;
 116         struct samr_GetDomPwInfo r;
 117         struct samr_Connect connect;
 118         struct samr_OpenDomain opendom;
 119         int i;
 120         struct lsa_String name;
 121         struct policy_handle handle;
 122         struct policy_handle domain_handle;
 123
 124         name.string = lp_workgroup();
 125         r.in.domain_name = &name;
 126
 127         connect.in.system_name = 0;
 128         connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 129         connect.out.connect_handle = &handle;
 130
 131         printf("Testing Connect and OpenDomain on BUILTIN\n");
 132
 133         status = dcerpc_samr_Connect(p, mem_ctx, &connect);
 134         if (!NT_STATUS_IS_OK(status)) {
 135                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 136                         printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
 137                                nt_errstr(status));
 138                 } else {
 139                         printf("Connect failed - %s\n", nt_errstr(status));
 140                         return False;
 141                 }
 142         } else {
 143                 opendom.in.connect_handle = &handle;
 144                 opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 145                 opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
 146                 opendom.out.domain_handle = &domain_handle;
 147
 148                 status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
 149                 if (!NT_STATUS_IS_OK(status)) {
 150                         printf("OpenDomain failed - %s\n", nt_errstr(status));
 151                         return False;
 152                 }
 153         }
 154
 155         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
 156
 157         /* do several ops to test credential chaining */
 158         for (i=0;i<5;i++) {
 159                 status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
 160                 if (!NT_STATUS_IS_OK(status)) {
 161                         if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 162                                 printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
 163                                 return False;
 164                         }
 165                 }
 166         }
 167
 168         return True;
 169 }
 170
 171
 172 /*
 173   do some lsa ops using the schannel connection
 174  */
 175 static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 176 {
 177         struct lsa_GetUserName r;
 178         NTSTATUS status;
 179         BOOL ret = True;
 180         struct lsa_StringPointer authority_name_p;
 181
 182         printf("\nTesting GetUserName\n");
 183
 184         r.in.system_name = "\\";
 185         r.in.account_name = NULL;
 186         r.in.authority_name = &authority_name_p;
 187         authority_name_p.string = NULL;
 188
 189         /* do several ops to test credential chaining and various operations */
 190         status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
 191
 192         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
 193                 printf("not considering %s to be an error\n", nt_errstr(status));
 194         } else if (!NT_STATUS_IS_OK(status)) {
 195                 printf("GetUserName failed - %s\n", nt_errstr(status));
 196                 return False;
 197         } else {
 198                 if (!r.out.account_name) {
 199                         return False;
 200                 }
 201
 202                 if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
 203                         printf("GetUserName returned wrong user: %s, expected %s\n",
 204                                r.out.account_name->string, "ANONYMOUS LOGON");
 205                         return False;
 206                 }
 207                 if (!r.out.authority_name || !r.out.authority_name->string) {
 208                         return False;
 209                 }
 210
 211                 if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
 212                         printf("GetUserName returned wrong user: %s, expected %s\n",
 213                                r.out.authority_name->string->string, "NT AUTHORITY");
 214                         return False;
 215                 }
 216         }
 217         if (!test_many_LookupSids(p, mem_ctx, NULL)) {
 218                 printf("LsaLookupSids3 failed!\n");
 219                 return False;
 220         }
 221
 222         return ret;
 223 }
 224
 225
 226 /*
 227   test a schannel connection with the given flags
 228  */
 229 static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 230                           uint16_t acct_flags, uint32_t dcerpc_flags,
 231                           int i)
 232 {
 233         BOOL ret = True;
 234
 235         struct test_join *join_ctx;
 236         NTSTATUS status;
 237         const char *binding = lp_parm_string(-1, "torture", "binding");
 238         struct dcerpc_binding *b;
 239         struct dcerpc_pipe *p = NULL;
 240         struct dcerpc_pipe *p_netlogon = NULL;
 241         struct dcerpc_pipe *p_netlogon2 = NULL;
 242         struct dcerpc_pipe *p_netlogon3 = NULL;
 243         struct dcerpc_pipe *p_samr2 = NULL;
 244         struct dcerpc_pipe *p_lsa = NULL;
 245         struct creds_CredentialState *creds;
 246         struct cli_credentials *credentials;
 247
 248         TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
 249
 250         join_ctx = torture_join_domain(talloc_asprintf(mem_ctx, "%s%d", TEST_MACHINE_NAME, i),
 251                                        acct_flags, &credentials);
 252         if (!join_ctx) {
 253                 printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
 254                 talloc_free(test_ctx);
 255                 return False;
 256         }
 257
 258         status = dcerpc_parse_binding(test_ctx, binding, &b);
 259         if (!NT_STATUS_IS_OK(status)) {
 260                 printf("Bad binding string %s\n", binding);
 261                 goto failed;
 262         }
 263
 264         b->flags &= ~DCERPC_AUTH_OPTIONS;
 265         b->flags |= dcerpc_flags;
 266
 267         status = dcerpc_pipe_connect_b(test_ctx, &p, b, &dcerpc_table_samr,
 268                                        credentials, NULL);
 269         if (!NT_STATUS_IS_OK(status)) {
 270                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 271                 goto failed;
 272         }
 273
 274         if (!test_samr_ops(p, test_ctx)) {
 275                 printf("Failed to process schannel secured SAMR ops\n");
 276                 ret = False;
 277         }
 278
 279         /* Also test that when we connect to the netlogon pipe, that
 280          * the credentials we setup on the first pipe are valid for
 281          * the second */
 282
 283         /* Swap the binding details from SAMR to NETLOGON */
 284         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_netlogon, NULL);
 285         if (!NT_STATUS_IS_OK(status)) {
 286                 goto failed;
 287         }
 288
 289         status = dcerpc_secondary_connection(p, &p_netlogon,
 290                                              b);
 291
 292         if (!NT_STATUS_IS_OK(status)) {
 293                 goto failed;
 294         }
 295
 296         status = dcerpc_bind_auth(p_netlogon, &dcerpc_table_netlogon,
 297                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 298                                   dcerpc_auth_level(p->conn),
 299                                   NULL);
 300
 301         if (!NT_STATUS_IS_OK(status)) {
 302                 goto failed;
 303         }
 304
 305         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, test_ctx, &creds);
 306         if (!NT_STATUS_IS_OK(status)) {
 307                 goto failed;
 308         }
 309
 310         /* do a couple of logins */
 311         if (!test_netlogon_ops(p_netlogon, test_ctx, credentials, creds)) {
 312                 printf("Failed to process schannel secured NETLOGON ops\n");
 313                 ret = False;
 314         }
 315
 316         if (!test_netlogon_ex_ops(p_netlogon, test_ctx, credentials, creds)) {
 317                 printf("Failed to process schannel secured NETLOGON EX ops\n");
 318                 ret = False;
 319         }
 320
 321         /* Swap the binding details from SAMR to LSARPC */
 322         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_lsarpc, NULL);
 323         if (!NT_STATUS_IS_OK(status)) {
 324                 goto failed;
 325         }
 326
 327         status = dcerpc_secondary_connection(p, &p_lsa,
 328                                              b);
 329
 330         if (!NT_STATUS_IS_OK(status)) {
 331                 goto failed;
 332         }
 333
 334         status = dcerpc_bind_auth(p_lsa, &dcerpc_table_lsarpc,
 335                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 336                                   dcerpc_auth_level(p->conn),
 337                                   NULL);
 338
 339         if (!NT_STATUS_IS_OK(status)) {
 340                 goto failed;
 341         }
 342
 343         if (!test_lsa_ops(p_lsa, test_ctx)) {
 344                 printf("Failed to process schannel secured LSA ops\n");
 345                 ret = False;
 346         }
 347
 348         /* Drop the socket, we want to start from scratch */
 349         talloc_free(p);
 350         p = NULL;
 351
 352         /* Now see what we are still allowed to do */
 353
 354         status = dcerpc_parse_binding(test_ctx, binding, &b);
 355         if (!NT_STATUS_IS_OK(status)) {
 356                 printf("Bad binding string %s\n", binding);
 357                 goto failed;
 358         }
 359
 360         b->flags &= ~DCERPC_AUTH_OPTIONS;
 361         b->flags |= dcerpc_flags;
 362
 363         status = dcerpc_pipe_connect_b(test_ctx, &p_samr2, b, &dcerpc_table_samr,
 364                                        credentials, NULL);
 365         if (!NT_STATUS_IS_OK(status)) {
 366                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 367                 goto failed;
 368         }
 369
 370         /* do a some SAMR operations.  We have *not* done a new serverauthenticate */
 371         if (!test_samr_ops(p_samr2, test_ctx)) {
 372                 printf("Failed to process schannel secured SAMR ops (on fresh connection)\n");
 373                 goto failed;
 374         }
 375
 376         /* Swap the binding details from SAMR to NETLOGON */
 377         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_netlogon, NULL);
 378         if (!NT_STATUS_IS_OK(status)) {
 379                 goto failed;
 380         }
 381
 382         status = dcerpc_secondary_connection(p_samr2, &p_netlogon2,
 383                                              b);
 384         if (!NT_STATUS_IS_OK(status)) {
 385                 goto failed;
 386         }
 387
 388         /* and now setup an SCHANNEL bind on netlogon */
 389         status = dcerpc_bind_auth(p_netlogon2, &dcerpc_table_netlogon,
 390                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 391                                   dcerpc_auth_level(p_samr2->conn),
 392                                   NULL);
 393
 394         if (!NT_STATUS_IS_OK(status)) {
 395                 goto failed;
 396         }
 397
 398         /* Try the schannel-only SamLogonEx operation */
 399         if (!test_netlogon_ex_ops(p_netlogon2, test_ctx, credentials, creds)) {
 400                 printf("Failed to process schannel secured NETLOGON EX ops (on fresh connection)\n");
 401                 ret = False;
 402         }
 403
 404         /* And the more traditional style, proving that the
 405          * credentials chaining state is fully present */
 406         if (!test_netlogon_ops(p_netlogon2, test_ctx, credentials, creds)) {
 407                 printf("Failed to process schannel secured NETLOGON ops (on fresh connection)\n");
 408                 ret = False;
 409         }
 410
 411         /* Drop the socket, we want to start from scratch (again) */
 412         talloc_free(p_samr2);
 413
 414         /* We don't want schannel for this test */
 415         b->flags &= ~DCERPC_AUTH_OPTIONS;
 416
 417         status = dcerpc_pipe_connect_b(test_ctx, &p_netlogon3, b, &dcerpc_table_netlogon,
 418                                        credentials, NULL);
 419         if (!NT_STATUS_IS_OK(status)) {
 420                 printf("Failed to connect without schannel: %s\n", nt_errstr(status));
 421                 goto failed;
 422         }
 423
 424         if (test_netlogon_ex_ops(p_netlogon3, test_ctx, credentials, creds)) {
 425                 printf("Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)\n");
 426                 ret = False;
 427         }
 428
 429         if (!test_netlogon_ops(p_netlogon3, test_ctx, credentials, creds)) {
 430                 printf("Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth\n");
 431                 ret = False;
 432         }
 433
 434         torture_leave_domain(join_ctx);
 435         talloc_free(test_ctx);
 436         return ret;
 437
 438 failed:
 439         torture_leave_domain(join_ctx);
 440         talloc_free(test_ctx);
 441         return False;
 442 }
 443
 444 /*
 445   a schannel test suite
 446  */
 447 BOOL torture_rpc_schannel(void)
 448 {
 449         TALLOC_CTX *mem_ctx;
 450         BOOL ret = True;
 451         struct {
 452                 uint16_t acct_flags;
 453                 uint32_t dcerpc_flags;
 454         } tests[] = {
 455                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN},
 456                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL},
 457                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
 458                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
 459                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN },
 460                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL },
 461                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
 462                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
 463         };
 464         int i;
 465
 466         mem_ctx = talloc_init("torture_rpc_schannel");
 467
 468         for (i=0;i<ARRAY_SIZE(tests);i++) {
 469                 if (!test_schannel(mem_ctx,
 470                                    tests[i].acct_flags, tests[i].dcerpc_flags,
 471                                    i)) {
 472                         printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
 473                                tests[i].acct_flags, tests[i].dcerpc_flags);
 474                         ret = False;
 475                         break;
 476                 }
 477         }
 478
 479         talloc_free(mem_ctx);
 480
 481         return ret;
 482 }