git.samba.org / kai / samba.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix the build.
[kai/samba.git] / source4 / torture / rpc / schannel.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    test suite for schannel operations
5
6    Copyright (C) Andrew Tridgell 2004
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "librpc/gen_ndr/ndr_netlogon_c.h"
24 #include "librpc/gen_ndr/ndr_lsa_c.h"
25 #include "librpc/gen_ndr/ndr_samr_c.h"
26 #include "auth/credentials/credentials.h"
27 #include "torture/rpc/rpc.h"
28 #include "lib/cmdline/popt_common.h"
29 #include "auth/gensec/schannel_proto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "libcli/security/security.h"
32 #include "system/filesys.h"
33 #include "param/param.h"
34 #include "librpc/rpc/dcerpc_proto.h"
35 #include "auth/gensec/gensec.h"
36
37 #define TEST_MACHINE_NAME "schannel"
38
39 /*
40   try a netlogon SamLogon
41 */
42 bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx, 
43                           struct cli_credentials *credentials, 
44                           struct creds_CredentialState *creds)
45 {
46         NTSTATUS status;
47         struct netr_LogonSamLogonEx r;
48         struct netr_NetworkInfo ninfo;
49         DATA_BLOB names_blob, chal, lm_resp, nt_resp;
50         int i;
51         int flags = CLI_CRED_NTLM_AUTH;
52         if (lp_client_lanman_auth(tctx->lp_ctx)) {
53                 flags |= CLI_CRED_LANMAN_AUTH;
54         }
55
56         if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
57                 flags |= CLI_CRED_NTLMv2_AUTH;
58         }
59
60         cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx, 
61                                                  &ninfo.identity_info.account_name.string,
62                                                  &ninfo.identity_info.domain_name.string);
63         
64         generate_random_buffer(ninfo.challenge, 
65                                sizeof(ninfo.challenge));
66         chal = data_blob_const(ninfo.challenge, 
67                                sizeof(ninfo.challenge));
68
69         names_blob = NTLMv2_generate_names_blob(tctx, lp_iconv_convenience(tctx->lp_ctx), cli_credentials_get_workstation(credentials), 
70                                                 cli_credentials_get_domain(credentials));
71
72         status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx, 
73                                                    &flags, 
74                                                    chal,
75                                                    names_blob,
76                                                    &lm_resp, &nt_resp,
77                                                    NULL, NULL);
78         torture_assert_ntstatus_ok(tctx, status, 
79                                    "cli_credentials_get_ntlm_response failed");
80
81         ninfo.lm.data = lm_resp.data;
82         ninfo.lm.length = lm_resp.length;
83
84         ninfo.nt.data = nt_resp.data;
85         ninfo.nt.length = nt_resp.length;
86
87         ninfo.identity_info.parameter_control = 0;
88         ninfo.identity_info.logon_id_low = 0;
89         ninfo.identity_info.logon_id_high = 0;
90         ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
91
92         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
93         r.in.computer_name = cli_credentials_get_workstation(credentials);
94         r.in.logon_level = 2;
95         r.in.logon.network = &ninfo;
96         r.in.flags = 0;
97
98         torture_comment(tctx, 
99                         "Testing LogonSamLogonEx with name %s\n", 
100                         ninfo.identity_info.account_name.string);
101         
102         for (i=2;i<3;i++) {
103                 r.in.validation_level = i;
104                 
105                 status = dcerpc_netr_LogonSamLogonEx(p, tctx, &r);
106                 torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
107         }
108
109         return true;
110 }
111
112 /*
113   do some samr ops using the schannel connection
114  */
115 static bool test_samr_ops(struct torture_context *tctx,
116                           struct dcerpc_pipe *p)
117 {
118         NTSTATUS status;
119         struct samr_GetDomPwInfo r;
120         struct samr_Connect connect;
121         struct samr_OpenDomain opendom;
122         int i;
123         struct lsa_String name;
124         struct policy_handle handle;
125         struct policy_handle domain_handle;
126
127         name.string = lp_workgroup(tctx->lp_ctx);
128         r.in.domain_name = &name;
129
130         connect.in.system_name = 0;
131         connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
132         connect.out.connect_handle = &handle;
133         
134         printf("Testing Connect and OpenDomain on BUILTIN\n");
135
136         status = dcerpc_samr_Connect(p, tctx, &connect);
137         if (!NT_STATUS_IS_OK(status)) {
138                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
139                         printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
140                                nt_errstr(status));
141                 } else {
142                         printf("Connect failed - %s\n", nt_errstr(status));
143                         return false;
144                 }
145         } else {
146                 opendom.in.connect_handle = &handle;
147                 opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
148                 opendom.in.sid = dom_sid_parse_talloc(tctx, "S-1-5-32");
149                 opendom.out.domain_handle = &domain_handle;
150                 
151                 status = dcerpc_samr_OpenDomain(p, tctx, &opendom);
152                 if (!NT_STATUS_IS_OK(status)) {
153                         printf("OpenDomain failed - %s\n", nt_errstr(status));
154                         return false;
155                 }
156         }
157
158         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
159         
160         /* do several ops to test credential chaining */
161         for (i=0;i<5;i++) {
162                 status = dcerpc_samr_GetDomPwInfo(p, tctx, &r);
163                 if (!NT_STATUS_IS_OK(status)) {
164                         if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
165                                 printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
166                                 return false;
167                         }
168                 }
169         }
170
171         return true;
172 }
173
174
175 /*
176   do some lsa ops using the schannel connection
177  */
178 static bool test_lsa_ops(struct torture_context *tctx, struct dcerpc_pipe *p)
179 {
180         struct lsa_GetUserName r;
181         NTSTATUS status;
182         bool ret = true;
183         struct lsa_StringPointer authority_name_p;
184
185         printf("\nTesting GetUserName\n");
186
187         r.in.system_name = "\\";        
188         r.in.account_name = NULL;       
189         r.in.authority_name = &authority_name_p;
190         authority_name_p.string = NULL;
191
192         /* do several ops to test credential chaining and various operations */
193         status = dcerpc_lsa_GetUserName(p, tctx, &r);
194         
195         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
196                 printf("not considering %s to be an error\n", nt_errstr(status));
197         } else if (!NT_STATUS_IS_OK(status)) {
198                 printf("GetUserName failed - %s\n", nt_errstr(status));
199                 return false;
200         } else {
201                 if (!r.out.account_name) {
202                         return false;
203                 }
204                 
205                 if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
206                         printf("GetUserName returned wrong user: %s, expected %s\n",
207                                r.out.account_name->string, "ANONYMOUS LOGON");
208                         return false;
209                 }
210                 if (!r.out.authority_name || !r.out.authority_name->string) {
211                         return false;
212                 }
213                 
214                 if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
215                         printf("GetUserName returned wrong user: %s, expected %s\n",
216                                r.out.authority_name->string->string, "NT AUTHORITY");
217                         return false;
218                 }
219         }
220         if (!test_many_LookupSids(p, tctx, NULL)) {
221                 printf("LsaLookupSids3 failed!\n");
222                 return false;
223         }
224
225         return ret;
226 }
227
228
229 /*
230   test a schannel connection with the given flags
231  */
232 static bool test_schannel(struct torture_context *tctx,
233                           uint16_t acct_flags, uint32_t dcerpc_flags,
234                           int i)
235 {
236         struct test_join *join_ctx;
237         NTSTATUS status;
238         const char *binding = torture_setting_string(tctx, "binding", NULL);
239         struct dcerpc_binding *b;
240         struct dcerpc_pipe *p = NULL;
241         struct dcerpc_pipe *p_netlogon = NULL;
242         struct dcerpc_pipe *p_netlogon2 = NULL;
243         struct dcerpc_pipe *p_netlogon3 = NULL;
244         struct dcerpc_pipe *p_samr2 = NULL;
245         struct dcerpc_pipe *p_lsa = NULL;
246         struct creds_CredentialState *creds;
247         struct cli_credentials *credentials;
248
249         join_ctx = torture_join_domain(tctx, 
250                                        talloc_asprintf(tctx, "%s%d", TEST_MACHINE_NAME, i), 
251                                        acct_flags, &credentials);
252         torture_assert(tctx, join_ctx != NULL, "Failed to join domain");
253
254         status = dcerpc_parse_binding(tctx, binding, &b);
255         torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
256
257         b->flags &= ~DCERPC_AUTH_OPTIONS;
258         b->flags |= dcerpc_flags;
259
260         status = dcerpc_pipe_connect_b(tctx, &p, b, &ndr_table_samr,
261                                        credentials, NULL, tctx->lp_ctx);
262         torture_assert_ntstatus_ok(tctx, status, 
263                 "Failed to connect with schannel");
264
265         torture_assert(tctx, test_samr_ops(tctx, p), 
266                        "Failed to process schannel secured SAMR ops");
267
268         /* Also test that when we connect to the netlogon pipe, that
269          * the credentials we setup on the first pipe are valid for
270          * the second */
271
272         /* Swap the binding details from SAMR to NETLOGON */
273         status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, tctx->ev, tctx->lp_ctx);
274         torture_assert_ntstatus_ok(tctx, status, "epm map");
275
276         status = dcerpc_secondary_connection(p, &p_netlogon, 
277                                              b);
278         torture_assert_ntstatus_ok(tctx, status, "seconday connection");
279
280         status = dcerpc_bind_auth(p_netlogon, &ndr_table_netlogon, 
281                                   credentials, tctx->lp_ctx,
282                                   DCERPC_AUTH_TYPE_SCHANNEL,
283                                   dcerpc_auth_level(p->conn),
284                                   NULL);
285
286         torture_assert_ntstatus_ok(tctx, status, "bind auth");
287
288         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
289         torture_assert_ntstatus_ok(tctx, status, "schannel creds");
290
291         /* do a couple of logins */
292         torture_assert(tctx, test_netlogon_ops(p_netlogon, tctx, credentials, creds),
293                 "Failed to process schannel secured NETLOGON ops");
294
295         torture_assert(tctx, test_netlogon_ex_ops(p_netlogon, tctx, credentials, creds),
296                 "Failed to process schannel secured NETLOGON EX ops");
297
298         /* Swap the binding details from SAMR to LSARPC */
299         status = dcerpc_epm_map_binding(tctx, b, &ndr_table_lsarpc, tctx->ev, tctx->lp_ctx);
300         torture_assert_ntstatus_ok(tctx, status, "epm map");
301
302         status = dcerpc_secondary_connection(p, &p_lsa, 
303                                              b);
304
305         torture_assert_ntstatus_ok(tctx, status, "seconday connection");
306
307         status = dcerpc_bind_auth(p_lsa, &ndr_table_lsarpc,
308                                   credentials, tctx->lp_ctx,
309                                   DCERPC_AUTH_TYPE_SCHANNEL,
310                                   dcerpc_auth_level(p->conn),
311                                   NULL);
312
313         torture_assert_ntstatus_ok(tctx, status, "bind auth");
314
315         torture_assert(tctx, test_lsa_ops(tctx, p_lsa), 
316                 "Failed to process schannel secured LSA ops");
317
318         /* Drop the socket, we want to start from scratch */
319         talloc_free(p);
320         p = NULL;
321
322         /* Now see what we are still allowed to do */
323         
324         status = dcerpc_parse_binding(tctx, binding, &b);
325         torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
326
327         b->flags &= ~DCERPC_AUTH_OPTIONS;
328         b->flags |= dcerpc_flags;
329
330         status = dcerpc_pipe_connect_b(tctx, &p_samr2, b, &ndr_table_samr,
331                                        credentials, NULL, tctx->lp_ctx);
332         torture_assert_ntstatus_ok(tctx, status, 
333                 "Failed to connect with schannel");
334
335         /* do a some SAMR operations.  We have *not* done a new serverauthenticate */
336         torture_assert (tctx, test_samr_ops(tctx, p_samr2), 
337                         "Failed to process schannel secured SAMR ops (on fresh connection)");
338
339         /* Swap the binding details from SAMR to NETLOGON */
340         status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, tctx->ev, tctx->lp_ctx);
341         torture_assert_ntstatus_ok(tctx, status, "epm");
342
343         status = dcerpc_secondary_connection(p_samr2, &p_netlogon2, 
344                                              b);
345         torture_assert_ntstatus_ok(tctx, status, "seconday connection");
346
347         /* and now setup an SCHANNEL bind on netlogon */
348         status = dcerpc_bind_auth(p_netlogon2, &ndr_table_netlogon,
349                                   credentials, tctx->lp_ctx,
350                                   DCERPC_AUTH_TYPE_SCHANNEL,
351                                   dcerpc_auth_level(p_samr2->conn),
352                                   NULL);
353
354         torture_assert_ntstatus_ok(tctx, status, "auth failed");
355         
356         /* Try the schannel-only SamLogonEx operation */
357         torture_assert(tctx, test_netlogon_ex_ops(p_netlogon2, tctx, credentials, creds), 
358                        "Failed to process schannel secured NETLOGON EX ops (on fresh connection)");
359                 
360
361         /* And the more traditional style, proving that the
362          * credentials chaining state is fully present */
363         torture_assert(tctx, test_netlogon_ops(p_netlogon2, tctx, credentials, creds),
364                              "Failed to process schannel secured NETLOGON ops (on fresh connection)");
365
366         /* Drop the socket, we want to start from scratch (again) */
367         talloc_free(p_samr2);
368
369         /* We don't want schannel for this test */
370         b->flags &= ~DCERPC_AUTH_OPTIONS;
371
372         status = dcerpc_pipe_connect_b(tctx, &p_netlogon3, b, &ndr_table_netlogon,
373                                        credentials, NULL, tctx->lp_ctx);
374         torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel");
375
376         torture_assert(tctx, !test_netlogon_ex_ops(p_netlogon3, tctx, credentials, creds),
377                         "Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)");
378
379         /* Required because the previous call will mark the current context as having failed */
380         tctx->last_result = TORTURE_OK;
381         tctx->last_reason = NULL;
382
383         torture_assert(tctx, test_netlogon_ops(p_netlogon3, tctx, credentials, creds),
384                         "Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth");
385
386         torture_leave_domain(join_ctx);
387         return true;
388 }
389
390
391
392 /*
393   a schannel test suite
394  */
395 bool torture_rpc_schannel(struct torture_context *torture)
396 {
397         bool ret = true;
398         struct {
399                 uint16_t acct_flags;
400                 uint32_t dcerpc_flags;
401         } tests[] = {
402                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN},
403                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL},
404                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
405                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
406                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN },
407                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL },
408                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
409                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
410         };
411         int i;
412
413         for (i=0;i<ARRAY_SIZE(tests);i++) {
414                 if (!test_schannel(torture, 
415                                    tests[i].acct_flags, tests[i].dcerpc_flags,
416                                    i)) {
417                         torture_comment(torture, "Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
418                                tests[i].acct_flags, tests[i].dcerpc_flags);
419                         ret = false;
420                 }
421         }
422
423         return ret;
424 }
425
426 /*
427   test two schannel connections
428  */
429 bool torture_rpc_schannel2(struct torture_context *torture)
430 {
431         struct test_join *join_ctx;
432         NTSTATUS status;
433         const char *binding = torture_setting_string(torture, "binding", NULL);
434         struct dcerpc_binding *b;
435         struct dcerpc_pipe *p1 = NULL, *p2 = NULL;
436         struct cli_credentials *credentials1, *credentials2;
437         uint32_t dcerpc_flags = DCERPC_SCHANNEL | DCERPC_SIGN;
438
439         join_ctx = torture_join_domain(torture, talloc_asprintf(torture, "%s2", TEST_MACHINE_NAME), 
440                                        ACB_WSTRUST, &credentials1);
441         torture_assert(torture, join_ctx != NULL, 
442                        "Failed to join domain with acct_flags=ACB_WSTRUST");
443
444         credentials2 = (struct cli_credentials *)talloc_memdup(torture, credentials1, sizeof(*credentials1));
445         credentials1->netlogon_creds = NULL;
446         credentials2->netlogon_creds = NULL;
447
448         status = dcerpc_parse_binding(torture, binding, &b);
449         torture_assert_ntstatus_ok(torture, status, "Bad binding string");
450
451         b->flags &= ~DCERPC_AUTH_OPTIONS;
452         b->flags |= dcerpc_flags;
453
454         printf("Opening first connection\n");
455         status = dcerpc_pipe_connect_b(torture, &p1, b, &ndr_table_netlogon,
456                                        credentials1, NULL, torture->lp_ctx);
457         torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
458
459         torture_comment(torture, "Opening second connection\n");
460         status = dcerpc_pipe_connect_b(torture, &p2, b, &ndr_table_netlogon,
461                                        credentials2, NULL, torture->lp_ctx);
462         torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
463
464         credentials1->netlogon_creds = NULL;
465         credentials2->netlogon_creds = NULL;
466
467         torture_comment(torture, "Testing logon on pipe1\n");
468         if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
469                 return false;
470
471         torture_comment(torture, "Testing logon on pipe2\n");
472         if (!test_netlogon_ex_ops(p2, torture, credentials2, NULL))
473                 return false;
474
475         torture_comment(torture, "Again on pipe1\n");
476         if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
477                 return false;
478
479         torture_comment(torture, "Again on pipe2\n");
480         if (!test_netlogon_ex_ops(p2, torture, credentials2, NULL))
481                 return false;
482
483         torture_leave_domain(join_ctx);
484         return true;
485 }
486
Kai's WIP code