This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
-#include "librpc/gen_ndr/ndr_samr.h"
-#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "librpc/gen_ndr/ndr_netlogon_c.h"
+#include "librpc/gen_ndr/ndr_lsa_c.h"
+#include "librpc/gen_ndr/ndr_samr_c.h"
+#include "auth/credentials/credentials.h"
+#include "torture/rpc/rpc.h"
+#include "lib/cmdline/popt_common.h"
+#include "auth/gensec/schannel_proto.h"
+#include "libcli/auth/libcli_auth.h"
+#include "libcli/security/security.h"
+#include "system/filesys.h"
+#include "param/param.h"
+#include "librpc/rpc/dcerpc_proto.h"
+#include "auth/gensec/gensec.h"
+#include "libcli/composite/composite.h"
+#include "lib/events/events.h"
+
+#define TEST_MACHINE_NAME "schannel"
-#define TEST_MACHINE_NAME "schanneltest"
+/*
+ try a netlogon SamLogon
+*/
+bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
+ struct cli_credentials *credentials,
+ struct netlogon_creds_CredentialState *creds)
+{
+ NTSTATUS status;
+ struct netr_LogonSamLogonEx r;
+ struct netr_NetworkInfo ninfo;
+ union netr_LogonLevel logon;
+ union netr_Validation validation;
+ uint8_t authoritative = 0;
+ uint32_t _flags = 0;
+ DATA_BLOB names_blob, chal, lm_resp, nt_resp;
+ int i;
+ int flags = CLI_CRED_NTLM_AUTH;
+ if (lp_client_lanman_auth(tctx->lp_ctx)) {
+ flags |= CLI_CRED_LANMAN_AUTH;
+ }
+
+ if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
+ flags |= CLI_CRED_NTLMv2_AUTH;
+ }
+
+ cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
+ &ninfo.identity_info.account_name.string,
+ &ninfo.identity_info.domain_name.string);
+
+ generate_random_buffer(ninfo.challenge,
+ sizeof(ninfo.challenge));
+ chal = data_blob_const(ninfo.challenge,
+ sizeof(ninfo.challenge));
+
+ names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
+ cli_credentials_get_domain(credentials));
+
+ status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
+ &flags,
+ chal,
+ names_blob,
+ &lm_resp, &nt_resp,
+ NULL, NULL);
+ torture_assert_ntstatus_ok(tctx, status,
+ "cli_credentials_get_ntlm_response failed");
+
+ ninfo.lm.data = lm_resp.data;
+ ninfo.lm.length = lm_resp.length;
+
+ ninfo.nt.data = nt_resp.data;
+ ninfo.nt.length = nt_resp.length;
+
+ ninfo.identity_info.parameter_control = 0;
+ ninfo.identity_info.logon_id_low = 0;
+ ninfo.identity_info.logon_id_high = 0;
+ ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
+
+ logon.network = &ninfo;
+
+ r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
+ r.in.computer_name = cli_credentials_get_workstation(credentials);
+ r.in.logon_level = 2;
+ r.in.logon= &logon;
+ r.in.flags = &_flags;
+ r.out.validation = &validation;
+ r.out.authoritative = &authoritative;
+ r.out.flags = &_flags;
+
+ torture_comment(tctx,
+ "Testing LogonSamLogonEx with name %s\n",
+ ninfo.identity_info.account_name.string);
+
+ for (i=2;i<3;i++) {
+ r.in.validation_level = i;
+
+ status = dcerpc_netr_LogonSamLogonEx(p, tctx, &r);
+ torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
+ }
+
+ return true;
+}
/*
do some samr ops using the schannel connection
*/
-static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
+static bool test_samr_ops(struct torture_context *tctx,
+ struct dcerpc_pipe *p)
{
NTSTATUS status;
struct samr_GetDomPwInfo r;
+ struct samr_PwInfo info;
+ struct samr_Connect connect_r;
+ struct samr_OpenDomain opendom;
int i;
- struct samr_String name;
+ struct lsa_String name;
+ struct policy_handle handle;
+ struct policy_handle domain_handle;
- name.string = lp_workgroup();
+ name.string = lp_workgroup(tctx->lp_ctx);
r.in.domain_name = &name;
+ r.out.info = &info;
+
+ connect_r.in.system_name = 0;
+ connect_r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ connect_r.out.connect_handle = &handle;
+
+ printf("Testing Connect and OpenDomain on BUILTIN\n");
+
+ status = dcerpc_samr_Connect(p, tctx, &connect_r);
+ if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
+ nt_errstr(status));
+ } else {
+ printf("Connect failed - %s\n", nt_errstr(status));
+ return false;
+ }
+ } else {
+ opendom.in.connect_handle = &handle;
+ opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ opendom.in.sid = dom_sid_parse_talloc(tctx, "S-1-5-32");
+ opendom.out.domain_handle = &domain_handle;
+
+ status = dcerpc_samr_OpenDomain(p, tctx, &opendom);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("OpenDomain failed - %s\n", nt_errstr(status));
+ return false;
+ }
+ }
printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
/* do several ops to test credential chaining */
for (i=0;i<5;i++) {
- status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
+ status = dcerpc_samr_GetDomPwInfo(p, tctx, &r);
if (!NT_STATUS_IS_OK(status)) {
- printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
- return False;
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
+ return false;
+ }
}
}
- return True;
+ return true;
}
/*
- try a netlogon SamLogon
-*/
-static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
- struct creds_CredentialState *creds)
+ do some lsa ops using the schannel connection
+ */
+static bool test_lsa_ops(struct torture_context *tctx, struct dcerpc_pipe *p)
{
+ struct lsa_GetUserName r;
NTSTATUS status;
- struct netr_LogonSamLogon r;
- struct netr_Authenticator auth, auth2;
- struct netr_NetworkInfo ninfo;
- const char *username = lp_parm_string(-1, "torture", "username");
- const char *password = lp_parm_string(-1, "torture", "password");
-
- int i;
- BOOL ret = True;
-
- ninfo.identity_info.domain_name.string = lp_workgroup();
- ninfo.identity_info.parameter_control = 0;
- ninfo.identity_info.logon_id_low = 0;
- ninfo.identity_info.logon_id_high = 0;
- ninfo.identity_info.account_name.string = username;
- ninfo.identity_info.workstation.string = TEST_MACHINE_NAME;
- generate_random_buffer(ninfo.challenge,
- sizeof(ninfo.challenge));
- ninfo.nt.length = 24;
- ninfo.nt.data = talloc_size(mem_ctx, 24);
- SMBNTencrypt(password, ninfo.challenge, ninfo.nt.data);
- ninfo.lm.length = 24;
- ninfo.lm.data = talloc_size(mem_ctx, 24);
- SMBencrypt(password, ninfo.challenge, ninfo.lm.data);
-
-
- r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
- r.in.workstation = TEST_MACHINE_NAME;
- r.in.credential = &auth;
- r.in.return_authenticator = &auth2;
- r.in.logon_level = 2;
- r.in.logon.network = &ninfo;
-
- printf("Testing LogonSamLogon with name %s\n", username);
-
- for (i=2;i<3;i++) {
- ZERO_STRUCT(auth2);
- creds_client_authenticator(creds, &auth);
-
- r.in.validation_level = i;
-
- status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r);
+ bool ret = true;
+ struct lsa_String *account_name_p = NULL;
+ struct lsa_String *authority_name_p = NULL;
+
+ printf("\nTesting GetUserName\n");
+
+ r.in.system_name = "\\";
+ r.in.account_name = &account_name_p;
+ r.in.authority_name = &authority_name_p;
+ r.out.account_name = &account_name_p;
+
+ /* do several ops to test credential chaining and various operations */
+ status = dcerpc_lsa_GetUserName(p, tctx, &r);
+
+ authority_name_p = *r.out.authority_name;
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
+ printf("not considering %s to be an error\n", nt_errstr(status));
+ } else if (!NT_STATUS_IS_OK(status)) {
+ printf("GetUserName failed - %s\n", nt_errstr(status));
+ return false;
+ } else {
+ if (!r.out.account_name) {
+ return false;
+ }
- if (!creds_client_check(creds, &r.out.return_authenticator->cred)) {
- printf("Credential chaining failed\n");
- ret = False;
+ if (strcmp(account_name_p->string, "ANONYMOUS LOGON") != 0) {
+ printf("GetUserName returned wrong user: %s, expected %s\n",
+ account_name_p->string, "ANONYMOUS LOGON");
+ return false;
+ }
+ if (!authority_name_p || !authority_name_p->string) {
+ return false;
}
+ if (strcmp(authority_name_p->string, "NT AUTHORITY") != 0) {
+ printf("GetUserName returned wrong user: %s, expected %s\n",
+ authority_name_p->string, "NT AUTHORITY");
+ return false;
+ }
+ }
+ if (!test_many_LookupSids(p, tctx, NULL)) {
+ printf("LsaLookupSids3 failed!\n");
+ return false;
}
+
return ret;
}
+
/*
test a schannel connection with the given flags
*/
-static BOOL test_schannel(TALLOC_CTX *mem_ctx,
+static bool test_schannel(struct torture_context *tctx,
uint16_t acct_flags, uint32_t dcerpc_flags,
- uint32_t schannel_type)
+ int i)
{
- void *join_ctx;
- const char *machine_password;
+ struct test_join *join_ctx;
NTSTATUS status;
- const char *binding = lp_parm_string(-1, "torture", "binding");
+ const char *binding = torture_setting_string(tctx, "binding", NULL);
struct dcerpc_binding *b;
struct dcerpc_pipe *p = NULL;
struct dcerpc_pipe *p_netlogon = NULL;
- struct creds_CredentialState *creds;
+ struct dcerpc_pipe *p_netlogon2 = NULL;
+ struct dcerpc_pipe *p_netlogon3 = NULL;
+ struct dcerpc_pipe *p_samr2 = NULL;
+ struct dcerpc_pipe *p_lsa = NULL;
+ struct netlogon_creds_CredentialState *creds;
struct cli_credentials *credentials;
- TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
- char *test_machine_account = talloc_asprintf(NULL, "%s$", TEST_MACHINE_NAME);
+ join_ctx = torture_join_domain(tctx,
+ talloc_asprintf(tctx, "%s%d", TEST_MACHINE_NAME, i),
+ acct_flags, &credentials);
+ torture_assert(tctx, join_ctx != NULL, "Failed to join domain");
- credentials = cli_credentials_init(mem_ctx);
-
- join_ctx = torture_create_testuser(test_machine_account, lp_workgroup(),
- acct_flags, &machine_password);
- if (!join_ctx) {
- printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
- talloc_free(test_ctx);
- return False;
- }
-
- status = dcerpc_parse_binding(test_ctx, binding, &b);
- if (!NT_STATUS_IS_OK(status)) {
- printf("Bad binding string %s\n", binding);
- goto failed;
- }
+ status = dcerpc_parse_binding(tctx, binding, &b);
+ torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
b->flags &= ~DCERPC_AUTH_OPTIONS;
b->flags |= dcerpc_flags;
- cli_credentials_set_domain(credentials, lp_workgroup(), CRED_SPECIFIED);
- cli_credentials_set_workstation(credentials, TEST_MACHINE_NAME, CRED_SPECIFIED);
- cli_credentials_set_username(credentials, test_machine_account, CRED_SPECIFIED);
- cli_credentials_set_password(credentials, machine_password, CRED_SPECIFIED);
+ status = dcerpc_pipe_connect_b(tctx, &p, b, &ndr_table_samr,
+ credentials, tctx->ev, tctx->lp_ctx);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to connect with schannel");
- status = dcerpc_pipe_connect_b(test_ctx,
- &p, b,
- DCERPC_SAMR_UUID,
- DCERPC_SAMR_VERSION,
- credentials);
- if (!NT_STATUS_IS_OK(status)) {
- printf("Failed to connect with schannel: %s\n", nt_errstr(status));
- goto failed;
- }
-
- if (!test_samr_ops(p, test_ctx)) {
- printf("Failed to process schannel secured ops\n");
- goto failed;
- }
-
- status = dcerpc_schannel_creds(p->conn->security_state.generic_state, test_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- goto failed;
- }
+ torture_assert(tctx, test_samr_ops(tctx, p),
+ "Failed to process schannel secured SAMR ops");
/* Also test that when we connect to the netlogon pipe, that
* the credentials we setup on the first pipe are valid for
* the second */
/* Swap the binding details from SAMR to NETLOGON */
- status = dcerpc_epm_map_binding(test_ctx, b, DCERPC_NETLOGON_UUID,
- DCERPC_NETLOGON_VERSION);
- if (!NT_STATUS_IS_OK(status)) {
- goto failed;
- }
+ status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, tctx->ev, tctx->lp_ctx);
+ torture_assert_ntstatus_ok(tctx, status, "epm map");
status = dcerpc_secondary_connection(p, &p_netlogon,
b);
+ torture_assert_ntstatus_ok(tctx, status, "seconday connection");
- if (!NT_STATUS_IS_OK(status)) {
- goto failed;
- }
+ status = dcerpc_bind_auth(p_netlogon, &ndr_table_netlogon,
+ credentials, lp_gensec_settings(tctx, tctx->lp_ctx),
+ DCERPC_AUTH_TYPE_SCHANNEL,
+ dcerpc_auth_level(p->conn),
+ NULL);
- status = dcerpc_bind_auth_schannel_withkey(p_netlogon,
- DCERPC_NETLOGON_UUID,
- DCERPC_NETLOGON_VERSION,
- creds);
+ torture_assert_ntstatus_ok(tctx, status, "bind auth");
- if (!NT_STATUS_IS_OK(status)) {
- goto failed;
- }
-
- status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, test_ctx, &creds);
- if (!NT_STATUS_IS_OK(status)) {
- goto failed;
- }
+ status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
+ torture_assert_ntstatus_ok(tctx, status, "schannel creds");
/* do a couple of logins */
- if (!test_netlogon_ops(p_netlogon, test_ctx, creds)) {
- printf("Failed to process schannel secured ops\n");
- goto failed;
- }
+ torture_assert(tctx, test_netlogon_ops(p_netlogon, tctx, credentials, creds),
+ "Failed to process schannel secured NETLOGON ops");
+
+ torture_assert(tctx, test_netlogon_ex_ops(p_netlogon, tctx, credentials, creds),
+ "Failed to process schannel secured NETLOGON EX ops");
+
+ /* Swap the binding details from SAMR to LSARPC */
+ status = dcerpc_epm_map_binding(tctx, b, &ndr_table_lsarpc, tctx->ev, tctx->lp_ctx);
+ torture_assert_ntstatus_ok(tctx, status, "epm map");
+
+ status = dcerpc_secondary_connection(p, &p_lsa,
+ b);
+
+ torture_assert_ntstatus_ok(tctx, status, "seconday connection");
+
+ status = dcerpc_bind_auth(p_lsa, &ndr_table_lsarpc,
+ credentials, lp_gensec_settings(tctx, tctx->lp_ctx),
+ DCERPC_AUTH_TYPE_SCHANNEL,
+ dcerpc_auth_level(p->conn),
+ NULL);
+
+ torture_assert_ntstatus_ok(tctx, status, "bind auth");
+
+ torture_assert(tctx, test_lsa_ops(tctx, p_lsa),
+ "Failed to process schannel secured LSA ops");
+
+ /* Drop the socket, we want to start from scratch */
+ talloc_free(p);
+ p = NULL;
+
+ /* Now see what we are still allowed to do */
+
+ status = dcerpc_parse_binding(tctx, binding, &b);
+ torture_assert_ntstatus_ok(tctx, status, "Bad binding string");
+
+ b->flags &= ~DCERPC_AUTH_OPTIONS;
+ b->flags |= dcerpc_flags;
+
+ status = dcerpc_pipe_connect_b(tctx, &p_samr2, b, &ndr_table_samr,
+ credentials, tctx->ev, tctx->lp_ctx);
+ torture_assert_ntstatus_ok(tctx, status,
+ "Failed to connect with schannel");
- torture_leave_domain(join_ctx);
- talloc_free(test_ctx);
- return True;
+ /* do a some SAMR operations. We have *not* done a new serverauthenticate */
+ torture_assert (tctx, test_samr_ops(tctx, p_samr2),
+ "Failed to process schannel secured SAMR ops (on fresh connection)");
-failed:
- torture_leave_domain(join_ctx);
- talloc_free(test_ctx);
- return False;
+ /* Swap the binding details from SAMR to NETLOGON */
+ status = dcerpc_epm_map_binding(tctx, b, &ndr_table_netlogon, tctx->ev, tctx->lp_ctx);
+ torture_assert_ntstatus_ok(tctx, status, "epm");
+
+ status = dcerpc_secondary_connection(p_samr2, &p_netlogon2,
+ b);
+ torture_assert_ntstatus_ok(tctx, status, "seconday connection");
+
+ /* and now setup an SCHANNEL bind on netlogon */
+ status = dcerpc_bind_auth(p_netlogon2, &ndr_table_netlogon,
+ credentials, lp_gensec_settings(tctx, tctx->lp_ctx),
+ DCERPC_AUTH_TYPE_SCHANNEL,
+ dcerpc_auth_level(p_samr2->conn),
+ NULL);
+
+ torture_assert_ntstatus_ok(tctx, status, "auth failed");
+
+ /* Try the schannel-only SamLogonEx operation */
+ torture_assert(tctx, test_netlogon_ex_ops(p_netlogon2, tctx, credentials, creds),
+ "Failed to process schannel secured NETLOGON EX ops (on fresh connection)");
+
+
+ /* And the more traditional style, proving that the
+ * credentials chaining state is fully present */
+ torture_assert(tctx, test_netlogon_ops(p_netlogon2, tctx, credentials, creds),
+ "Failed to process schannel secured NETLOGON ops (on fresh connection)");
+
+ /* Drop the socket, we want to start from scratch (again) */
+ talloc_free(p_samr2);
+
+ /* We don't want schannel for this test */
+ b->flags &= ~DCERPC_AUTH_OPTIONS;
+
+ status = dcerpc_pipe_connect_b(tctx, &p_netlogon3, b, &ndr_table_netlogon,
+ credentials, tctx->ev, tctx->lp_ctx);
+ torture_assert_ntstatus_ok(tctx, status, "Failed to connect without schannel");
+
+ torture_assert(tctx, !test_netlogon_ex_ops(p_netlogon3, tctx, credentials, creds),
+ "Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)");
+
+ /* Required because the previous call will mark the current context as having failed */
+ tctx->last_result = TORTURE_OK;
+ tctx->last_reason = NULL;
+
+ torture_assert(tctx, test_netlogon_ops(p_netlogon3, tctx, credentials, creds),
+ "Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth");
+
+ torture_leave_domain(tctx, join_ctx);
+ return true;
}
+
+
/*
a schannel test suite
*/
-BOOL torture_rpc_schannel(void)
+bool torture_rpc_schannel(struct torture_context *torture)
{
- TALLOC_CTX *mem_ctx;
- BOOL ret = True;
+ bool ret = true;
struct {
uint16_t acct_flags;
uint32_t dcerpc_flags;
- uint32_t schannel_type;
} tests[] = {
- { ACB_WSTRUST, DCERPC_SCHANNEL_WORKSTATION | DCERPC_SIGN, 3 },
- { ACB_WSTRUST, DCERPC_SCHANNEL_WORKSTATION | DCERPC_SEAL, 3 },
- { ACB_WSTRUST, DCERPC_SCHANNEL_WORKSTATION | DCERPC_SIGN | DCERPC_SCHANNEL_128, 3 },
- { ACB_WSTRUST, DCERPC_SCHANNEL_WORKSTATION | DCERPC_SEAL | DCERPC_SCHANNEL_128, 3 },
- { ACB_SVRTRUST, DCERPC_SCHANNEL_BDC | DCERPC_SIGN, 3 },
- { ACB_SVRTRUST, DCERPC_SCHANNEL_BDC | DCERPC_SEAL, 3 },
- { ACB_SVRTRUST, DCERPC_SCHANNEL_BDC | DCERPC_SIGN | DCERPC_SCHANNEL_128, 3 },
- { ACB_SVRTRUST, DCERPC_SCHANNEL_BDC | DCERPC_SEAL | DCERPC_SCHANNEL_128, 3 }
+ { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SIGN},
+ { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SEAL},
+ { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
+ { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
+ { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SIGN },
+ { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SEAL },
+ { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
+ { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
};
int i;
- mem_ctx = talloc_init("torture_rpc_schannel");
-
for (i=0;i<ARRAY_SIZE(tests);i++) {
- if (!test_schannel(mem_ctx,
- tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type)) {
- printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x schannel_type=%d\n",
- tests[i].acct_flags, tests[i].dcerpc_flags, tests[i].schannel_type);
- ret = False;
- break;
+ if (!test_schannel(torture,
+ tests[i].acct_flags, tests[i].dcerpc_flags,
+ i)) {
+ torture_comment(torture, "Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
+ tests[i].acct_flags, tests[i].dcerpc_flags);
+ ret = false;
}
}
- talloc_free(mem_ctx);
-
return ret;
}
+
+/*
+ test two schannel connections
+ */
+bool torture_rpc_schannel2(struct torture_context *torture)
+{
+ struct test_join *join_ctx;
+ NTSTATUS status;
+ const char *binding = torture_setting_string(torture, "binding", NULL);
+ struct dcerpc_binding *b;
+ struct dcerpc_pipe *p1 = NULL, *p2 = NULL;
+ struct cli_credentials *credentials1, *credentials2;
+ uint32_t dcerpc_flags = DCERPC_SCHANNEL | DCERPC_SIGN;
+
+ join_ctx = torture_join_domain(torture, talloc_asprintf(torture, "%s2", TEST_MACHINE_NAME),
+ ACB_WSTRUST, &credentials1);
+ torture_assert(torture, join_ctx != NULL,
+ "Failed to join domain with acct_flags=ACB_WSTRUST");
+
+ credentials2 = (struct cli_credentials *)talloc_memdup(torture, credentials1, sizeof(*credentials1));
+ credentials1->netlogon_creds = NULL;
+ credentials2->netlogon_creds = NULL;
+
+ status = dcerpc_parse_binding(torture, binding, &b);
+ torture_assert_ntstatus_ok(torture, status, "Bad binding string");
+
+ b->flags &= ~DCERPC_AUTH_OPTIONS;
+ b->flags |= dcerpc_flags;
+
+ printf("Opening first connection\n");
+ status = dcerpc_pipe_connect_b(torture, &p1, b, &ndr_table_netlogon,
+ credentials1, torture->ev, torture->lp_ctx);
+ torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
+
+ torture_comment(torture, "Opening second connection\n");
+ status = dcerpc_pipe_connect_b(torture, &p2, b, &ndr_table_netlogon,
+ credentials2, torture->ev, torture->lp_ctx);
+ torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
+
+ credentials1->netlogon_creds = NULL;
+ credentials2->netlogon_creds = NULL;
+
+ torture_comment(torture, "Testing logon on pipe1\n");
+ if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
+ return false;
+
+ torture_comment(torture, "Testing logon on pipe2\n");
+ if (!test_netlogon_ex_ops(p2, torture, credentials2, NULL))
+ return false;
+
+ torture_comment(torture, "Again on pipe1\n");
+ if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
+ return false;
+
+ torture_comment(torture, "Again on pipe2\n");
+ if (!test_netlogon_ex_ops(p2, torture, credentials2, NULL))
+ return false;
+
+ torture_leave_domain(torture, join_ctx);
+ return true;
+}
+
+struct torture_schannel_bench;
+
+struct torture_schannel_bench_conn {
+ struct torture_schannel_bench *s;
+ int index;
+ struct cli_credentials *wks_creds;
+ struct dcerpc_pipe *pipe;
+ struct netr_LogonSamLogonEx r;
+ struct netr_NetworkInfo ninfo;
+ TALLOC_CTX *tmp;
+ uint64_t total;
+ uint32_t count;
+};
+
+struct torture_schannel_bench {
+ struct torture_context *tctx;
+ bool progress;
+ int timelimit;
+ int nprocs;
+ int nconns;
+ struct torture_schannel_bench_conn *conns;
+ struct test_join *join_ctx1;
+ struct cli_credentials *wks_creds1;
+ struct test_join *join_ctx2;
+ struct cli_credentials *wks_creds2;
+ struct cli_credentials *user1_creds;
+ struct cli_credentials *user2_creds;
+ struct dcerpc_binding *b;
+ NTSTATUS error;
+ uint64_t total;
+ uint32_t count;
+ bool stopped;
+};
+
+static void torture_schannel_bench_connected(struct composite_context *c)
+{
+ struct torture_schannel_bench_conn *conn =
+ (struct torture_schannel_bench_conn *)c->async.private_data;
+ struct torture_schannel_bench *s = talloc_get_type(conn->s,
+ struct torture_schannel_bench);
+
+ s->error = dcerpc_pipe_connect_b_recv(c, s->conns, &conn->pipe);
+ torture_comment(s->tctx, "conn[%u]: %s\n", conn->index, nt_errstr(s->error));
+ if (NT_STATUS_IS_OK(s->error)) {
+ s->nconns++;
+ }
+}
+
+static void torture_schannel_bench_recv(struct rpc_request *req);
+
+static bool torture_schannel_bench_start(struct torture_schannel_bench_conn *conn)
+{
+ struct torture_schannel_bench *s = conn->s;
+ NTSTATUS status;
+ DATA_BLOB names_blob, chal, lm_resp, nt_resp;
+ int flags = CLI_CRED_NTLM_AUTH;
+ struct rpc_request *req;
+ struct cli_credentials *user_creds;
+
+ if (conn->total % 2) {
+ user_creds = s->user1_creds;
+ } else {
+ user_creds = s->user2_creds;
+ }
+
+ if (lp_client_lanman_auth(s->tctx->lp_ctx)) {
+ flags |= CLI_CRED_LANMAN_AUTH;
+ }
+
+ if (lp_client_ntlmv2_auth(s->tctx->lp_ctx)) {
+ flags |= CLI_CRED_NTLMv2_AUTH;
+ }
+
+ talloc_free(conn->tmp);
+ conn->tmp = talloc_new(s);
+ ZERO_STRUCT(conn->ninfo);
+ ZERO_STRUCT(conn->r);
+
+ cli_credentials_get_ntlm_username_domain(user_creds, conn->tmp,
+ &conn->ninfo.identity_info.account_name.string,
+ &conn->ninfo.identity_info.domain_name.string);
+
+ generate_random_buffer(conn->ninfo.challenge,
+ sizeof(conn->ninfo.challenge));
+ chal = data_blob_const(conn->ninfo.challenge,
+ sizeof(conn->ninfo.challenge));
+
+ names_blob = NTLMv2_generate_names_blob(conn->tmp,
+ cli_credentials_get_workstation(conn->wks_creds),
+ cli_credentials_get_domain(conn->wks_creds));
+
+ status = cli_credentials_get_ntlm_response(user_creds, conn->tmp,
+ &flags,
+ chal,
+ names_blob,
+ &lm_resp, &nt_resp,
+ NULL, NULL);
+ torture_assert_ntstatus_ok(s->tctx, status,
+ "cli_credentials_get_ntlm_response failed");
+
+ conn->ninfo.lm.data = lm_resp.data;
+ conn->ninfo.lm.length = lm_resp.length;
+
+ conn->ninfo.nt.data = nt_resp.data;
+ conn->ninfo.nt.length = nt_resp.length;
+
+ conn->ninfo.identity_info.parameter_control = 0;
+ conn->ninfo.identity_info.logon_id_low = 0;
+ conn->ninfo.identity_info.logon_id_high = 0;
+ conn->ninfo.identity_info.workstation.string = cli_credentials_get_workstation(conn->wks_creds);
+
+ conn->r.in.server_name = talloc_asprintf(conn->tmp, "\\\\%s", dcerpc_server_name(conn->pipe));
+ conn->r.in.computer_name = cli_credentials_get_workstation(conn->wks_creds);
+ conn->r.in.logon_level = 2;
+ conn->r.in.logon = talloc(conn->tmp, union netr_LogonLevel);
+ conn->r.in.logon->network = &conn->ninfo;
+ conn->r.in.flags = talloc(conn->tmp, uint32_t);
+ conn->r.in.validation_level = 2;
+ conn->r.out.validation = talloc(conn->tmp, union netr_Validation);
+ conn->r.out.authoritative = talloc(conn->tmp, uint8_t);
+ conn->r.out.flags = conn->r.in.flags;
+
+ req = dcerpc_netr_LogonSamLogonEx_send(conn->pipe, conn->tmp, &conn->r);
+ torture_assert(s->tctx, req, "Failed to setup LogonSamLogonEx request");
+
+ req->async.callback = torture_schannel_bench_recv;
+ req->async.private_data = conn;
+
+ return true;
+}
+
+static void torture_schannel_bench_recv(struct rpc_request *req)
+{
+ bool ret;
+ struct torture_schannel_bench_conn *conn =
+ (struct torture_schannel_bench_conn *)req->async.private_data;
+ struct torture_schannel_bench *s = talloc_get_type(conn->s,
+ struct torture_schannel_bench);
+
+ s->error = dcerpc_ndr_request_recv(req);
+ if (!NT_STATUS_IS_OK(s->error)) {
+ return;
+ }
+
+ conn->total++;
+ conn->count++;
+
+ if (s->stopped) {
+ return;
+ }
+
+ ret = torture_schannel_bench_start(conn);
+ if (!ret) {
+ s->error = NT_STATUS_INTERNAL_ERROR;
+ }
+}
+
+/*
+ test multiple schannel connection in parallel
+ */
+bool torture_rpc_schannel_bench1(struct torture_context *torture)
+{
+ bool ret = true;
+ NTSTATUS status;
+ const char *binding = torture_setting_string(torture, "binding", NULL);
+ struct torture_schannel_bench *s;
+ struct timeval start;
+ struct timeval end;
+ int i;
+ const char *tmp;
+
+ s = talloc_zero(torture, struct torture_schannel_bench);
+ s->tctx = torture;
+ s->progress = torture_setting_bool(torture, "progress", true);
+ s->timelimit = torture_setting_int(torture, "timelimit", 10);
+ s->nprocs = torture_setting_int(torture, "nprocs", 4);
+ s->conns = talloc_zero_array(s, struct torture_schannel_bench_conn, s->nprocs);
+
+ s->user1_creds = (struct cli_credentials *)talloc_memdup(s,
+ cmdline_credentials,
+ sizeof(*s->user1_creds));
+ tmp = torture_setting_string(s->tctx, "extra_user1", NULL);
+ if (tmp) {
+ cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
+ }
+ s->user2_creds = (struct cli_credentials *)talloc_memdup(s,
+ cmdline_credentials,
+ sizeof(*s->user1_creds));
+ tmp = torture_setting_string(s->tctx, "extra_user2", NULL);
+ if (tmp) {
+ cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
+ }
+
+ s->join_ctx1 = torture_join_domain(s->tctx, talloc_asprintf(s, "%sb", TEST_MACHINE_NAME),
+ ACB_WSTRUST, &s->wks_creds1);
+ torture_assert(torture, s->join_ctx1 != NULL,
+ "Failed to join domain with acct_flags=ACB_WSTRUST");
+ s->join_ctx2 = torture_join_domain(s->tctx, talloc_asprintf(s, "%sc", TEST_MACHINE_NAME),
+ ACB_WSTRUST, &s->wks_creds2);
+ torture_assert(torture, s->join_ctx2 != NULL,
+ "Failed to join domain with acct_flags=ACB_WSTRUST");
+
+ cli_credentials_set_kerberos_state(s->wks_creds1, CRED_DONT_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(s->wks_creds2, CRED_DONT_USE_KERBEROS);
+
+ for (i=0; i < s->nprocs; i++) {
+ s->conns[i].s = s;
+ s->conns[i].index = i;
+ s->conns[i].wks_creds = (struct cli_credentials *)talloc_memdup(
+ s->conns, s->wks_creds1,sizeof(*s->wks_creds1));
+ if ((i % 2) && (torture_setting_bool(torture, "multijoin", false))) {
+ memcpy(s->conns[i].wks_creds, s->wks_creds2,
+ talloc_get_size(s->conns[i].wks_creds));
+ }
+ s->conns[i].wks_creds->netlogon_creds = NULL;
+ }
+
+ status = dcerpc_parse_binding(s, binding, &s->b);
+ torture_assert_ntstatus_ok(torture, status, "Bad binding string");
+ s->b->flags &= ~DCERPC_AUTH_OPTIONS;
+ s->b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN;
+
+ torture_comment(torture, "Opening %d connections in parallel\n", s->nprocs);
+ for (i=0; i < s->nprocs; i++) {
+#if 1
+ s->error = dcerpc_pipe_connect_b(s->conns, &s->conns[i].pipe, s->b,
+ &ndr_table_netlogon,
+ s->conns[i].wks_creds,
+ torture->ev, torture->lp_ctx);
+ torture_assert_ntstatus_ok(torture, s->error, "Failed to connect with schannel");
+#else
+ /*
+ * This path doesn't work against windows,
+ * because of windows drops the connections
+ * which haven't reached a session setup yet
+ *
+ * The same as the reset on zero vc stuff.
+ */
+ struct composite_context *c;
+ c = dcerpc_pipe_connect_b_send(s->conns, s->b,
+ &ndr_table_netlogon,
+ s->conns[i].wks_creds,
+ torture->ev,
+ torture->lp_ctx);
+ torture_assert(torture, c != NULL, "Failed to setup connect");
+ c->async.fn = torture_schannel_bench_connected;
+ c->async.private_data = &s->conns[i];
+ }
+
+ while (NT_STATUS_IS_OK(s->error) && s->nprocs != s->nconns) {
+ int ev_ret = event_loop_once(torture->ev);
+ torture_assert(torture, ev_ret == 0, "event_loop_once failed");
+#endif
+ }
+ torture_assert_ntstatus_ok(torture, s->error, "Failed establish a connect");
+
+ /*
+ * Change the workstation password after establishing the netlogon
+ * schannel connections to prove that existing connections are not
+ * affected by a wks pwchange.
+ */
+
+ {
+ struct netr_ServerPasswordSet pwset;
+ char *password = generate_random_str(s->join_ctx1, 8);
+ struct netlogon_creds_CredentialState *creds_state;
+ struct dcerpc_pipe *net_pipe;
+ struct netr_Authenticator credential, return_authenticator;
+ struct samr_Password new_password;
+
+ status = dcerpc_pipe_connect_b(s, &net_pipe, s->b,
+ &ndr_table_netlogon,
+ s->wks_creds1,
+ torture->ev, torture->lp_ctx);
+
+ torture_assert_ntstatus_ok(torture, status,
+ "dcerpc_pipe_connect_b failed");
+
+ pwset.in.server_name = talloc_asprintf(
+ net_pipe, "\\\\%s", dcerpc_server_name(net_pipe));
+ pwset.in.computer_name =
+ cli_credentials_get_workstation(s->wks_creds1);
+ pwset.in.account_name = talloc_asprintf(
+ net_pipe, "%s$", pwset.in.computer_name);
+ pwset.in.secure_channel_type = SEC_CHAN_WKSTA;
+ pwset.in.credential = &credential;
+ pwset.in.new_password = &new_password;
+ pwset.out.return_authenticator = &return_authenticator;
+
+ E_md4hash(password, new_password.hash);
+
+ creds_state = cli_credentials_get_netlogon_creds(
+ s->wks_creds1);
+ netlogon_creds_des_encrypt(creds_state, &new_password);
+ netlogon_creds_client_authenticator(creds_state, &credential);
+
+ status = dcerpc_netr_ServerPasswordSet(net_pipe, torture, &pwset);
+ torture_assert_ntstatus_ok(torture, status,
+ "ServerPasswordSet failed");
+
+ if (!netlogon_creds_client_check(creds_state,
+ &pwset.out.return_authenticator->cred)) {
+ printf("Credential chaining failed\n");
+ }
+
+ cli_credentials_set_password(s->wks_creds1, password,
+ CRED_SPECIFIED);
+
+ talloc_free(net_pipe);
+
+ /* Just as a test, connect with the new creds */
+
+ talloc_free(s->wks_creds1->netlogon_creds);
+ s->wks_creds1->netlogon_creds = NULL;
+
+ status = dcerpc_pipe_connect_b(s, &net_pipe, s->b,
+ &ndr_table_netlogon,
+ s->wks_creds1,
+ torture->ev, torture->lp_ctx);
+
+ torture_assert_ntstatus_ok(torture, status,
+ "dcerpc_pipe_connect_b failed");
+
+ talloc_free(net_pipe);
+ }
+
+ torture_comment(torture, "Start looping LogonSamLogonEx on %d connections for %d secs\n",
+ s->nprocs, s->timelimit);
+ for (i=0; i < s->nprocs; i++) {
+ ret = torture_schannel_bench_start(&s->conns[i]);
+ torture_assert(torture, ret, "Failed to setup LogonSamLogonEx");
+ }
+
+ start = timeval_current();
+ end = timeval_add(&start, s->timelimit, 0);
+
+ while (NT_STATUS_IS_OK(s->error) && !timeval_expired(&end)) {
+ int ev_ret = event_loop_once(torture->ev);
+ torture_assert(torture, ev_ret == 0, "event_loop_once failed");
+ }
+ torture_assert_ntstatus_ok(torture, s->error, "Failed some request");
+ s->stopped = true;
+ talloc_free(s->conns);
+
+ for (i=0; i < s->nprocs; i++) {
+ s->total += s->conns[i].total;
+ }
+
+ torture_comment(torture,
+ "Total ops[%llu] (%u ops/s)\n",
+ (unsigned long long)s->total,
+ (unsigned)s->total/s->timelimit);
+
+ torture_leave_domain(torture, s->join_ctx1);
+ torture_leave_domain(torture, s->join_ctx2);
+ return true;
+}
git.samba.org / kai / samba.git / blobdiff