source4/torture/rpc/schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_samr.h"
  25 #include "librpc/gen_ndr/ndr_netlogon.h"
  26 #include "lib/cmdline/popt_common.h"
  27
  28 #define TEST_MACHINE_NAME "schannel"
  29
  30 /*
  31   do some samr ops using the schannel connection
  32  */
  33 static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
  34 {
  35         NTSTATUS status;
  36         struct samr_GetDomPwInfo r;
  37         struct samr_Connect connect;
  38         struct samr_OpenDomain opendom;
  39         int i;
  40         struct lsa_String name;
  41         struct policy_handle handle;
  42         struct policy_handle domain_handle;
  43
  44         name.string = lp_workgroup();
  45         r.in.domain_name = &name;
  46
  47         connect.in.system_name = 0;
  48         connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
  49         connect.out.connect_handle = &handle;
  50
  51         printf("Testing Connect and OpenDomain on BUILTIN\n");
  52
  53         status = dcerpc_samr_Connect(p, mem_ctx, &connect);
  54         if (!NT_STATUS_IS_OK(status)) {
  55                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
  56                         printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
  57                                nt_errstr(status));
  58                 } else {
  59                         printf("Connect failed - %s\n", nt_errstr(status));
  60                         return False;
  61                 }
  62         } else {
  63                 opendom.in.connect_handle = &handle;
  64                 opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
  65                 opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
  66                 opendom.out.domain_handle = &domain_handle;
  67
  68                 status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
  69                 if (!NT_STATUS_IS_OK(status)) {
  70                         printf("OpenDomain failed - %s\n", nt_errstr(status));
  71                         return False;
  72                 }
  73         }
  74
  75         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
  76
  77         /* do several ops to test credential chaining */
  78         for (i=0;i<5;i++) {
  79                 status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
  80                 if (!NT_STATUS_IS_OK(status)) {
  81                         if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
  82                                 printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
  83                                 return False;
  84                         }
  85                 }
  86         }
  87
  88         return True;
  89 }
  90
  91
  92 /*
  93   do some lsa ops using the schannel connection
  94  */
  95 static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
  96 {
  97         struct lsa_GetUserName r;
  98         NTSTATUS status;
  99         BOOL ret = True;
 100         struct lsa_StringPointer authority_name_p;
 101
 102         printf("\nTesting GetUserName\n");
 103
 104         r.in.system_name = "\\";
 105         r.in.account_name = NULL;
 106         r.in.authority_name = &authority_name_p;
 107         authority_name_p.string = NULL;
 108
 109         /* do several ops to test credential chaining and various operations */
 110         status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
 111
 112         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
 113                 printf("not considering %s to be an error\n", nt_errstr(status));
 114         } else if (!NT_STATUS_IS_OK(status)) {
 115                 printf("GetUserName failed - %s\n", nt_errstr(status));
 116                 return False;
 117         } else {
 118                 if (!r.out.account_name) {
 119                         return False;
 120                 }
 121
 122                 if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
 123                         printf("GetUserName returned wrong user: %s, expected %s\n",
 124                                r.out.account_name->string, "ANONYMOUS LOGON");
 125                         return False;
 126                 }
 127                 if (!r.out.authority_name || !r.out.authority_name->string) {
 128                         return False;
 129                 }
 130
 131                 if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
 132                         printf("GetUserName returned wrong user: %s, expected %s\n",
 133                                r.out.authority_name->string->string, "NT AUTHORITY");
 134                         return False;
 135                 }
 136         }
 137         if (!test_many_LookupSids(p, mem_ctx, NULL)) {
 138                 printf("LsaLookupSids3 failed!\n");
 139                 return False;
 140         }
 141
 142         return ret;
 143 }
 144
 145
 146 /*
 147   try a netlogon SamLogon
 148 */
 149 static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 150                               struct cli_credentials *credentials,
 151                               struct creds_CredentialState *creds)
 152 {
 153         NTSTATUS status;
 154         struct netr_LogonSamLogon r;
 155         struct netr_Authenticator auth, auth2;
 156         struct netr_NetworkInfo ninfo;
 157         const char *username = cli_credentials_get_username(cmdline_credentials);
 158         const char *password = cli_credentials_get_password(cmdline_credentials);
 159         int i;
 160         BOOL ret = True;
 161
 162         ninfo.identity_info.domain_name.string = cli_credentials_get_domain(cmdline_credentials);
 163         ninfo.identity_info.parameter_control = 0;
 164         ninfo.identity_info.logon_id_low = 0;
 165         ninfo.identity_info.logon_id_high = 0;
 166         ninfo.identity_info.account_name.string = username;
 167         ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
 168         generate_random_buffer(ninfo.challenge,
 169                                sizeof(ninfo.challenge));
 170         ninfo.nt.length = 24;
 171         ninfo.nt.data = talloc_size(mem_ctx, 24);
 172         SMBNTencrypt(password, ninfo.challenge, ninfo.nt.data);
 173         ninfo.lm.length = 24;
 174         ninfo.lm.data = talloc_size(mem_ctx, 24);
 175         SMBencrypt(password, ninfo.challenge, ninfo.lm.data);
 176
 177
 178         r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
 179         r.in.workstation = cli_credentials_get_workstation(credentials);
 180         r.in.credential = &auth;
 181         r.in.return_authenticator = &auth2;
 182         r.in.logon_level = 2;
 183         r.in.logon.network = &ninfo;
 184
 185         printf("Testing LogonSamLogon with name %s\n", username);
 186
 187         for (i=2;i<3;i++) {
 188                 ZERO_STRUCT(auth2);
 189                 creds_client_authenticator(creds, &auth);
 190
 191                 r.in.validation_level = i;
 192
 193                 status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
 194
 195                 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
 196                         printf("Credential chaining failed\n");
 197                         ret = False;
 198                 }
 199
 200         }
 201         return ret;
 202 }
 203
 204 /*
 205   test a schannel connection with the given flags
 206  */
 207 static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 208                           uint16_t acct_flags, uint32_t dcerpc_flags,
 209                           int i)
 210 {
 211         BOOL ret = True;
 212
 213         void *join_ctx;
 214         NTSTATUS status;
 215         const char *binding = lp_parm_string(-1, "torture", "binding");
 216         struct dcerpc_binding *b;
 217         struct dcerpc_pipe *p = NULL;
 218         struct dcerpc_pipe *p_netlogon = NULL;
 219         struct dcerpc_pipe *p_lsa = NULL;
 220         struct creds_CredentialState *creds;
 221         struct cli_credentials *credentials;
 222
 223         TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
 224
 225         join_ctx = torture_join_domain(talloc_asprintf(mem_ctx, "%s%d", TEST_MACHINE_NAME, i),
 226                                        acct_flags, &credentials);
 227         if (!join_ctx) {
 228                 printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
 229                 talloc_free(test_ctx);
 230                 return False;
 231         }
 232
 233         status = dcerpc_parse_binding(test_ctx, binding, &b);
 234         if (!NT_STATUS_IS_OK(status)) {
 235                 printf("Bad binding string %s\n", binding);
 236                 goto failed;
 237         }
 238
 239         b->flags &= ~DCERPC_AUTH_OPTIONS;
 240         b->flags |= dcerpc_flags;
 241
 242         status = dcerpc_pipe_connect_b(test_ctx,
 243                                        &p, b,
 244                                        DCERPC_SAMR_UUID,
 245                                        DCERPC_SAMR_VERSION,
 246                                        credentials, NULL);
 247         if (!NT_STATUS_IS_OK(status)) {
 248                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 249                 goto failed;
 250         }
 251
 252         if (!test_samr_ops(p, test_ctx)) {
 253                 printf("Failed to process schannel secured SAMR ops\n");
 254                 ret = False;
 255         }
 256
 257         /* Also test that when we connect to the netlogon pipe, that
 258          * the credentials we setup on the first pipe are valid for
 259          * the second */
 260
 261         /* Swap the binding details from SAMR to NETLOGON */
 262         status = dcerpc_epm_map_binding(test_ctx, b, DCERPC_NETLOGON_UUID,
 263                                         DCERPC_NETLOGON_VERSION, NULL);
 264         if (!NT_STATUS_IS_OK(status)) {
 265                 goto failed;
 266         }
 267
 268         status = dcerpc_secondary_connection(p, &p_netlogon,
 269                                              b);
 270
 271         if (!NT_STATUS_IS_OK(status)) {
 272                 goto failed;
 273         }
 274
 275         status = dcerpc_bind_auth_password(p_netlogon,
 276                                            DCERPC_NETLOGON_UUID,
 277                                            DCERPC_NETLOGON_VERSION,
 278                                            credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 279                                            NULL);
 280
 281         if (!NT_STATUS_IS_OK(status)) {
 282                 goto failed;
 283         }
 284
 285         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, test_ctx, &creds);
 286         if (!NT_STATUS_IS_OK(status)) {
 287                 goto failed;
 288         }
 289
 290         /* do a couple of logins */
 291         if (!test_netlogon_ops(p_netlogon, test_ctx, credentials, creds)) {
 292                 printf("Failed to process schannel secured NETLOGON ops\n");
 293                 ret = False;
 294         }
 295
 296         /* Swap the binding details from SAMR to LSARPC */
 297         status = dcerpc_epm_map_binding(test_ctx, b, DCERPC_LSARPC_UUID,
 298                                         DCERPC_LSARPC_VERSION, NULL);
 299         if (!NT_STATUS_IS_OK(status)) {
 300                 goto failed;
 301         }
 302
 303         status = dcerpc_secondary_connection(p, &p_lsa,
 304                                              b);
 305
 306         if (!NT_STATUS_IS_OK(status)) {
 307                 goto failed;
 308         }
 309
 310         status = dcerpc_bind_auth_password(p_lsa,
 311                                            DCERPC_LSARPC_UUID,
 312                                            DCERPC_LSARPC_VERSION,
 313                                            credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 314                                            NULL);
 315
 316         if (!NT_STATUS_IS_OK(status)) {
 317                 goto failed;
 318         }
 319
 320         if (!test_lsa_ops(p_lsa, test_ctx)) {
 321                 printf("Failed to process schannel secured LSA ops\n");
 322                 ret = False;
 323         }
 324
 325         torture_leave_domain(join_ctx);
 326         talloc_free(test_ctx);
 327         return ret;
 328
 329 failed:
 330         torture_leave_domain(join_ctx);
 331         talloc_free(test_ctx);
 332         return False;
 333 }
 334
 335 /*
 336   a schannel test suite
 337  */
 338 BOOL torture_rpc_schannel(void)
 339 {
 340         TALLOC_CTX *mem_ctx;
 341         BOOL ret = True;
 342         struct {
 343                 uint16_t acct_flags;
 344                 uint32_t dcerpc_flags;
 345         } tests[] = {
 346                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN},
 347                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL},
 348                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
 349                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
 350                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN },
 351                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL },
 352                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
 353                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
 354         };
 355         int i;
 356
 357         mem_ctx = talloc_init("torture_rpc_schannel");
 358
 359         for (i=0;i<ARRAY_SIZE(tests);i++) {
 360                 if (!test_schannel(mem_ctx,
 361                                    tests[i].acct_flags, tests[i].dcerpc_flags,
 362                                    i)) {
 363                         printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
 364                                tests[i].acct_flags, tests[i].dcerpc_flags);
 365                         ret = False;
 366                         break;
 367                 }
 368         }
 369
 370         talloc_free(mem_ctx);
 371
 372         return ret;
 373 }