source4/torture/rpc/schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_samr.h"
  25 #include "librpc/gen_ndr/ndr_netlogon.h"
  26 #include "lib/cmdline/popt_common.h"
  27
  28 #define TEST_MACHINE_NAME "schanneltest"
  29
  30 /*
  31   do some samr ops using the schannel connection
  32  */
  33 static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
  34 {
  35         NTSTATUS status;
  36         struct samr_GetDomPwInfo r;
  37         struct samr_Connect connect;
  38         struct samr_OpenDomain opendom;
  39         int i;
  40         struct lsa_String name;
  41         struct policy_handle handle;
  42         struct policy_handle domain_handle;
  43
  44         name.string = lp_workgroup();
  45         r.in.domain_name = &name;
  46
  47         connect.in.system_name = 0;
  48         connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
  49         connect.out.connect_handle = &handle;
  50
  51         printf("Testing Connect and OpenDomain on BUILTIN\n");
  52
  53         status = dcerpc_samr_Connect(p, mem_ctx, &connect);
  54         if (!NT_STATUS_IS_OK(status)) {
  55                 printf("Connect failed - %s\n", nt_errstr(status));
  56                 return False;
  57         }
  58
  59         opendom.in.connect_handle = &handle;
  60         opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
  61         opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
  62         opendom.out.domain_handle = &domain_handle;
  63
  64         status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
  65         if (!NT_STATUS_IS_OK(status)) {
  66                 printf("OpenDomain failed - %s\n", nt_errstr(status));
  67                 return False;
  68         }
  69
  70         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
  71
  72         /* do several ops to test credential chaining */
  73         for (i=0;i<5;i++) {
  74                 status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
  75                 if (!NT_STATUS_IS_OK(status)) {
  76                         printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
  77                         return False;
  78                 }
  79         }
  80
  81         return True;
  82 }
  83
  84
  85 /*
  86   do some lsa ops using the schannel connection
  87  */
  88 static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
  89 {
  90         struct lsa_GetUserName r;
  91         NTSTATUS status;
  92         BOOL ret = True;
  93         struct lsa_StringPointer authority_name_p;
  94         int i;
  95
  96         printf("\nTesting GetUserName\n");
  97
  98         r.in.system_name = "\\";
  99         r.in.account_name = NULL;
 100         r.in.authority_name = &authority_name_p;
 101         authority_name_p.string = NULL;
 102
 103         /* do several ops to test credential chaining */
 104         for (i=0;i<5;i++) {
 105                 status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
 106
 107                 if (!NT_STATUS_IS_OK(status)) {
 108                         printf("GetUserName failed - %s\n", nt_errstr(status));
 109                         return False;
 110                 } else {
 111                         if (!r.out.account_name) {
 112                                 return False;
 113                         }
 114
 115                         if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
 116                                 printf("GetUserName returned wrong user: %s, expected %s\n",
 117                                        r.out.account_name->string, "ANONYMOUS LOGON");
 118                                 return False;
 119                         }
 120                         if (!r.out.authority_name || !r.out.authority_name->string) {
 121                                 return False;
 122                         }
 123
 124                         if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
 125                                 printf("GetUserName returned wrong user: %s, expected %s\n",
 126                                        r.out.authority_name->string->string, "NT AUTHORITY");
 127                                 return False;
 128                         }
 129                 }
 130         }
 131
 132         return ret;
 133 }
 134
 135
 136 /*
 137   try a netlogon SamLogon
 138 */
 139 static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
 140                               struct creds_CredentialState *creds)
 141 {
 142         NTSTATUS status;
 143         struct netr_LogonSamLogon r;
 144         struct netr_Authenticator auth, auth2;
 145         struct netr_NetworkInfo ninfo;
 146         const char *username = cli_credentials_get_username(cmdline_credentials);
 147         const char *password = cli_credentials_get_password(cmdline_credentials);
 148         int i;
 149         BOOL ret = True;
 150
 151         ninfo.identity_info.domain_name.string = lp_workgroup();
 152         ninfo.identity_info.parameter_control = 0;
 153         ninfo.identity_info.logon_id_low = 0;
 154         ninfo.identity_info.logon_id_high = 0;
 155         ninfo.identity_info.account_name.string = username;
 156         ninfo.identity_info.workstation.string = TEST_MACHINE_NAME;
 157         generate_random_buffer(ninfo.challenge,
 158                                sizeof(ninfo.challenge));
 159         ninfo.nt.length = 24;
 160         ninfo.nt.data = talloc_size(mem_ctx, 24);
 161         SMBNTencrypt(password, ninfo.challenge, ninfo.nt.data);
 162         ninfo.lm.length = 24;
 163         ninfo.lm.data = talloc_size(mem_ctx, 24);
 164         SMBencrypt(password, ninfo.challenge, ninfo.lm.data);
 165
 166
 167         r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
 168         r.in.workstation = TEST_MACHINE_NAME;
 169         r.in.credential = &auth;
 170         r.in.return_authenticator = &auth2;
 171         r.in.logon_level = 2;
 172         r.in.logon.network = &ninfo;
 173
 174         printf("Testing LogonSamLogon with name %s\n", username);
 175
 176         for (i=2;i<3;i++) {
 177                 ZERO_STRUCT(auth2);
 178                 creds_client_authenticator(creds, &auth);
 179
 180                 r.in.validation_level = i;
 181
 182                 status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
 183
 184                 if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
 185                         printf("Credential chaining failed\n");
 186                         ret = False;
 187                 }
 188
 189         }
 190         return ret;
 191 }
 192
 193 /*
 194   test a schannel connection with the given flags
 195  */
 196 static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 197                           uint16_t acct_flags, uint32_t dcerpc_flags,
 198                           uint32_t schannel_type)
 199 {
 200         BOOL ret = True;
 201
 202         void *join_ctx;
 203         NTSTATUS status;
 204         const char *binding = lp_parm_string(-1, "torture", "binding");
 205         struct dcerpc_binding *b;
 206         struct dcerpc_pipe *p = NULL;
 207         struct dcerpc_pipe *p_netlogon = NULL;
 208         struct dcerpc_pipe *p_lsa = NULL;
 209         struct creds_CredentialState *creds;
 210         struct cli_credentials *credentials;
 211
 212         TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
 213
 214         join_ctx = torture_join_domain(TEST_MACHINE_NAME,
 215                                        acct_flags, &credentials);
 216         if (!join_ctx) {
 217                 printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
 218                 talloc_free(test_ctx);
 219                 return False;
 220         }
 221
 222         status = dcerpc_parse_binding(test_ctx, binding, &b);
 223         if (!NT_STATUS_IS_OK(status)) {
 224                 printf("Bad binding string %s\n", binding);
 225                 goto failed;
 226         }
 227
 228         b->flags &= ~DCERPC_AUTH_OPTIONS;
 229         b->flags |= dcerpc_flags;
 230
 231         status = dcerpc_pipe_connect_b(test_ctx,
 232                                        &p, b,
 233                                        DCERPC_SAMR_UUID,
 234                                        DCERPC_SAMR_VERSION,
 235                                        credentials, NULL);
 236         if (!NT_STATUS_IS_OK(status)) {
 237                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 238                 goto failed;
 239         }
 240
 241         if (!test_samr_ops(p, test_ctx)) {
 242                 printf("Failed to process schannel secured SAMR ops\n");
 243                 ret = False;
 244         }
 245
 246         status = dcerpc_schannel_creds(p->conn->security_state.generic_state, test_ctx, &creds);
 247         if (!NT_STATUS_IS_OK(status)) {
 248                 goto failed;
 249         }
 250
 251         /* Also test that when we connect to the netlogon pipe, that
 252          * the credentials we setup on the first pipe are valid for
 253          * the second */
 254
 255         /* Swap the binding details from SAMR to NETLOGON */
 256         status = dcerpc_epm_map_binding(test_ctx, b, DCERPC_NETLOGON_UUID,
 257                                         DCERPC_NETLOGON_VERSION, NULL);
 258         if (!NT_STATUS_IS_OK(status)) {
 259                 goto failed;
 260         }
 261
 262         status = dcerpc_secondary_connection(p, &p_netlogon,
 263                                              b);
 264
 265         if (!NT_STATUS_IS_OK(status)) {
 266                 goto failed;
 267         }
 268
 269         status = dcerpc_bind_auth_password(p_netlogon,
 270                                            DCERPC_NETLOGON_UUID,
 271                                            DCERPC_NETLOGON_VERSION,
 272                                            credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 273                                            NULL);
 274
 275         if (!NT_STATUS_IS_OK(status)) {
 276                 goto failed;
 277         }
 278
 279         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, test_ctx, &creds);
 280         if (!NT_STATUS_IS_OK(status)) {
 281                 goto failed;
 282         }
 283
 284         /* do a couple of logins */
 285         if (!test_netlogon_ops(p_netlogon, test_ctx, creds)) {
 286                 printf("Failed to process schannel secured NETLOGON ops\n");
 287                 ret = False;
 288         }
 289
 290         /* Swap the binding details from SAMR to LSARPC */
 291         status = dcerpc_epm_map_binding(test_ctx, b, DCERPC_LSARPC_UUID,
 292                                         DCERPC_LSARPC_VERSION, NULL);
 293         if (!NT_STATUS_IS_OK(status)) {
 294                 goto failed;
 295         }
 296
 297         status = dcerpc_secondary_connection(p, &p_lsa,
 298                                              b);
 299
 300         if (!NT_STATUS_IS_OK(status)) {
 301                 goto failed;
 302         }
 303
 304         status = dcerpc_bind_auth_password(p_lsa,
 305                                            DCERPC_LSARPC_UUID,
 306                                            DCERPC_LSARPC_VERSION,
 307                                            credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 308                                            NULL);
 309
 310         if (!NT_STATUS_IS_OK(status)) {
 311                 goto failed;
 312         }
 313
 314         if (!test_lsa_ops(p_lsa, test_ctx)) {
 315                 printf("Failed to process schannel secured LSA ops\n");
 316                 ret = False;
 317         }
 318
 319         torture_leave_domain(join_ctx);
 320         talloc_free(test_ctx);
 321         return ret;
 322
 323 failed:
 324         torture_leave_domain(join_ctx);
 325         talloc_free(test_ctx);
 326         return False;
 327 }
 328
 329 /*
 330   a schannel test suite
 331  */
 332 BOOL torture_rpc_schannel(void)
 333 {
 334         TALLOC_CTX *mem_ctx;
 335         BOOL ret = True;
 336         struct {
 337                 uint16_t acct_flags;
 338                 uint32_t dcerpc_flags;
 339                 uint32_t schannel_type;
 340         } tests[] = {
 341                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN,                       3 },
 342                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL,                       3 },
 343                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128, 3 },
 344                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128, 3 },
 345                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN,                               3 },
 346                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL,                               3 },
 347                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128,         3 },
 348                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128,         3 }
 349         };
 350         int i;
 351
 352         mem_ctx = talloc_init("torture_rpc_schannel");
 353
 354         for (i=0;i<ARRAY_SIZE(tests);i++) {
 355                 if (!test_schannel(mem_ctx,
 356                                    tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type)) {
 357                         printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x schannel_type=%d\n",
 358                                tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type);
 359                         ret = False;
 360                         break;
 361                 }
 362         }
 363
 364         talloc_free(mem_ctx);
 365
 366         return ret;
 367 }