source4/torture/rpc/schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_netlogon.h"
  25 #include "librpc/gen_ndr/ndr_netlogon_c.h"
  26 #include "librpc/gen_ndr/ndr_lsa.h"
  27 #include "librpc/gen_ndr/ndr_lsa_c.h"
  28 #include "librpc/gen_ndr/ndr_samr.h"
  29 #include "librpc/gen_ndr/ndr_samr_c.h"
  30 #include "auth/credentials/credentials.h"
  31 #include "torture/rpc/rpc.h"
  32 #include "lib/cmdline/popt_common.h"
  33 #include "auth/gensec/schannel_proto.h"
  34 #include "libcli/auth/libcli_auth.h"
  35 #include "libcli/security/proto.h"
  36
  37 #define TEST_MACHINE_NAME "schannel"
  38
  39 /*
  40   try a netlogon SamLogon
  41 */
  42 BOOL test_netlogon_ex_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
  43                           struct cli_credentials *credentials,
  44                           struct creds_CredentialState *creds)
  45 {
  46         NTSTATUS status;
  47         struct netr_LogonSamLogonEx r;
  48         struct netr_NetworkInfo ninfo;
  49         DATA_BLOB names_blob, chal, lm_resp, nt_resp;
  50         int i;
  51         BOOL ret = True;
  52         int flags = CLI_CRED_NTLM_AUTH;
  53         if (lp_client_lanman_auth()) {
  54                 flags |= CLI_CRED_LANMAN_AUTH;
  55         }
  56
  57         if (lp_client_ntlmv2_auth()) {
  58                 flags |= CLI_CRED_NTLMv2_AUTH;
  59         }
  60
  61         cli_credentials_get_ntlm_username_domain(cmdline_credentials, mem_ctx,
  62                                                  &ninfo.identity_info.account_name.string,
  63                                                  &ninfo.identity_info.domain_name.string);
  64
  65         generate_random_buffer(ninfo.challenge,
  66                                sizeof(ninfo.challenge));
  67         chal = data_blob_const(ninfo.challenge,
  68                                sizeof(ninfo.challenge));
  69
  70         names_blob = NTLMv2_generate_names_blob(mem_ctx, cli_credentials_get_workstation(credentials),
  71                                                 cli_credentials_get_domain(credentials));
  72
  73         status = cli_credentials_get_ntlm_response(cmdline_credentials, mem_ctx,
  74                                                    &flags,
  75                                                    chal,
  76                                                    names_blob,
  77                                                    &lm_resp, &nt_resp,
  78                                                    NULL, NULL);
  79         if (!NT_STATUS_IS_OK(status)) {
  80                 printf("cli_credentials_get_ntlm_response failed: %s\n",
  81                        nt_errstr(status));
  82                 return False;
  83         }
  84
  85         ninfo.lm.data = lm_resp.data;
  86         ninfo.lm.length = lm_resp.length;
  87
  88         ninfo.nt.data = nt_resp.data;
  89         ninfo.nt.length = nt_resp.length;
  90
  91         ninfo.identity_info.parameter_control = 0;
  92         ninfo.identity_info.logon_id_low = 0;
  93         ninfo.identity_info.logon_id_high = 0;
  94         ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
  95
  96         r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
  97         r.in.computer_name = cli_credentials_get_workstation(credentials);
  98         r.in.logon_level = 2;
  99         r.in.logon.network = &ninfo;
 100         r.in.flags = 0;
 101
 102         printf("Testing LogonSamLogonEx with name %s\n", ninfo.identity_info.account_name.string);
 103
 104         for (i=2;i<3;i++) {
 105                 r.in.validation_level = i;
 106
 107                 status = dcerpc_netr_LogonSamLogonEx(p, mem_ctx, &r);
 108                 if (!NT_STATUS_IS_OK(status)) {
 109                         printf("LogonSamLogon failed: %s\n",
 110                                nt_errstr(status));
 111                         return False;
 112                 }
 113         }
 114
 115         return ret;
 116 }
 117
 118 /*
 119   do some samr ops using the schannel connection
 120  */
 121 static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 122 {
 123         NTSTATUS status;
 124         struct samr_GetDomPwInfo r;
 125         struct samr_Connect connect;
 126         struct samr_OpenDomain opendom;
 127         int i;
 128         struct lsa_String name;
 129         struct policy_handle handle;
 130         struct policy_handle domain_handle;
 131
 132         name.string = lp_workgroup();
 133         r.in.domain_name = &name;
 134
 135         connect.in.system_name = 0;
 136         connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 137         connect.out.connect_handle = &handle;
 138
 139         printf("Testing Connect and OpenDomain on BUILTIN\n");
 140
 141         status = dcerpc_samr_Connect(p, mem_ctx, &connect);
 142         if (!NT_STATUS_IS_OK(status)) {
 143                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 144                         printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
 145                                nt_errstr(status));
 146                 } else {
 147                         printf("Connect failed - %s\n", nt_errstr(status));
 148                         return False;
 149                 }
 150         } else {
 151                 opendom.in.connect_handle = &handle;
 152                 opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 153                 opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
 154                 opendom.out.domain_handle = &domain_handle;
 155
 156                 status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
 157                 if (!NT_STATUS_IS_OK(status)) {
 158                         printf("OpenDomain failed - %s\n", nt_errstr(status));
 159                         return False;
 160                 }
 161         }
 162
 163         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
 164
 165         /* do several ops to test credential chaining */
 166         for (i=0;i<5;i++) {
 167                 status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
 168                 if (!NT_STATUS_IS_OK(status)) {
 169                         if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 170                                 printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
 171                                 return False;
 172                         }
 173                 }
 174         }
 175
 176         return True;
 177 }
 178
 179
 180 /*
 181   do some lsa ops using the schannel connection
 182  */
 183 static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 184 {
 185         struct lsa_GetUserName r;
 186         NTSTATUS status;
 187         BOOL ret = True;
 188         struct lsa_StringPointer authority_name_p;
 189
 190         printf("\nTesting GetUserName\n");
 191
 192         r.in.system_name = "\\";
 193         r.in.account_name = NULL;
 194         r.in.authority_name = &authority_name_p;
 195         authority_name_p.string = NULL;
 196
 197         /* do several ops to test credential chaining and various operations */
 198         status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
 199
 200         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
 201                 printf("not considering %s to be an error\n", nt_errstr(status));
 202         } else if (!NT_STATUS_IS_OK(status)) {
 203                 printf("GetUserName failed - %s\n", nt_errstr(status));
 204                 return False;
 205         } else {
 206                 if (!r.out.account_name) {
 207                         return False;
 208                 }
 209
 210                 if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
 211                         printf("GetUserName returned wrong user: %s, expected %s\n",
 212                                r.out.account_name->string, "ANONYMOUS LOGON");
 213                         return False;
 214                 }
 215                 if (!r.out.authority_name || !r.out.authority_name->string) {
 216                         return False;
 217                 }
 218
 219                 if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
 220                         printf("GetUserName returned wrong user: %s, expected %s\n",
 221                                r.out.authority_name->string->string, "NT AUTHORITY");
 222                         return False;
 223                 }
 224         }
 225         if (!test_many_LookupSids(p, mem_ctx, NULL)) {
 226                 printf("LsaLookupSids3 failed!\n");
 227                 return False;
 228         }
 229
 230         return ret;
 231 }
 232
 233
 234 /*
 235   test a schannel connection with the given flags
 236  */
 237 static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 238                           uint16_t acct_flags, uint32_t dcerpc_flags,
 239                           int i)
 240 {
 241         BOOL ret = True;
 242
 243         struct test_join *join_ctx;
 244         NTSTATUS status;
 245         const char *binding = lp_parm_string(-1, "torture", "binding");
 246         struct dcerpc_binding *b;
 247         struct dcerpc_pipe *p = NULL;
 248         struct dcerpc_pipe *p_netlogon = NULL;
 249         struct dcerpc_pipe *p_netlogon2 = NULL;
 250         struct dcerpc_pipe *p_netlogon3 = NULL;
 251         struct dcerpc_pipe *p_samr2 = NULL;
 252         struct dcerpc_pipe *p_lsa = NULL;
 253         struct creds_CredentialState *creds;
 254         struct cli_credentials *credentials;
 255
 256         TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
 257
 258         join_ctx = torture_join_domain(talloc_asprintf(mem_ctx, "%s%d", TEST_MACHINE_NAME, i),
 259                                        acct_flags, &credentials);
 260         if (!join_ctx) {
 261                 printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
 262                 talloc_free(test_ctx);
 263                 return False;
 264         }
 265
 266         status = dcerpc_parse_binding(test_ctx, binding, &b);
 267         if (!NT_STATUS_IS_OK(status)) {
 268                 printf("Bad binding string %s\n", binding);
 269                 goto failed;
 270         }
 271
 272         b->flags &= ~DCERPC_AUTH_OPTIONS;
 273         b->flags |= dcerpc_flags;
 274
 275         status = dcerpc_pipe_connect_b(test_ctx, &p, b, &dcerpc_table_samr,
 276                                        credentials, NULL);
 277         if (!NT_STATUS_IS_OK(status)) {
 278                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 279                 goto failed;
 280         }
 281
 282         if (!test_samr_ops(p, test_ctx)) {
 283                 printf("Failed to process schannel secured SAMR ops\n");
 284                 ret = False;
 285         }
 286
 287         /* Also test that when we connect to the netlogon pipe, that
 288          * the credentials we setup on the first pipe are valid for
 289          * the second */
 290
 291         /* Swap the binding details from SAMR to NETLOGON */
 292         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_netlogon, NULL);
 293         if (!NT_STATUS_IS_OK(status)) {
 294                 goto failed;
 295         }
 296
 297         status = dcerpc_secondary_connection(p, &p_netlogon,
 298                                              b);
 299
 300         if (!NT_STATUS_IS_OK(status)) {
 301                 goto failed;
 302         }
 303
 304         status = dcerpc_bind_auth(p_netlogon, &dcerpc_table_netlogon,
 305                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 306                                   dcerpc_auth_level(p->conn),
 307                                   NULL);
 308
 309         if (!NT_STATUS_IS_OK(status)) {
 310                 goto failed;
 311         }
 312
 313         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, test_ctx, &creds);
 314         if (!NT_STATUS_IS_OK(status)) {
 315                 goto failed;
 316         }
 317
 318         /* do a couple of logins */
 319         if (!test_netlogon_ops(p_netlogon, test_ctx, credentials, creds)) {
 320                 printf("Failed to process schannel secured NETLOGON ops\n");
 321                 ret = False;
 322         }
 323
 324         if (!test_netlogon_ex_ops(p_netlogon, test_ctx, credentials, creds)) {
 325                 printf("Failed to process schannel secured NETLOGON EX ops\n");
 326                 ret = False;
 327         }
 328
 329         /* Swap the binding details from SAMR to LSARPC */
 330         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_lsarpc, NULL);
 331         if (!NT_STATUS_IS_OK(status)) {
 332                 goto failed;
 333         }
 334
 335         status = dcerpc_secondary_connection(p, &p_lsa,
 336                                              b);
 337
 338         if (!NT_STATUS_IS_OK(status)) {
 339                 goto failed;
 340         }
 341
 342         status = dcerpc_bind_auth(p_lsa, &dcerpc_table_lsarpc,
 343                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 344                                   dcerpc_auth_level(p->conn),
 345                                   NULL);
 346
 347         if (!NT_STATUS_IS_OK(status)) {
 348                 goto failed;
 349         }
 350
 351         if (!test_lsa_ops(p_lsa, test_ctx)) {
 352                 printf("Failed to process schannel secured LSA ops\n");
 353                 ret = False;
 354         }
 355
 356         /* Drop the socket, we want to start from scratch */
 357         talloc_free(p);
 358         p = NULL;
 359
 360         /* Now see what we are still allowed to do */
 361
 362         status = dcerpc_parse_binding(test_ctx, binding, &b);
 363         if (!NT_STATUS_IS_OK(status)) {
 364                 printf("Bad binding string %s\n", binding);
 365                 goto failed;
 366         }
 367
 368         b->flags &= ~DCERPC_AUTH_OPTIONS;
 369         b->flags |= dcerpc_flags;
 370
 371         status = dcerpc_pipe_connect_b(test_ctx, &p_samr2, b, &dcerpc_table_samr,
 372                                        credentials, NULL);
 373         if (!NT_STATUS_IS_OK(status)) {
 374                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 375                 goto failed;
 376         }
 377
 378         /* do a some SAMR operations.  We have *not* done a new serverauthenticate */
 379         if (!test_samr_ops(p_samr2, test_ctx)) {
 380                 printf("Failed to process schannel secured SAMR ops (on fresh connection)\n");
 381                 goto failed;
 382         }
 383
 384         /* Swap the binding details from SAMR to NETLOGON */
 385         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_netlogon, NULL);
 386         if (!NT_STATUS_IS_OK(status)) {
 387                 goto failed;
 388         }
 389
 390         status = dcerpc_secondary_connection(p_samr2, &p_netlogon2,
 391                                              b);
 392         if (!NT_STATUS_IS_OK(status)) {
 393                 goto failed;
 394         }
 395
 396         /* and now setup an SCHANNEL bind on netlogon */
 397         status = dcerpc_bind_auth(p_netlogon2, &dcerpc_table_netlogon,
 398                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 399                                   dcerpc_auth_level(p_samr2->conn),
 400                                   NULL);
 401
 402         if (!NT_STATUS_IS_OK(status)) {
 403                 goto failed;
 404         }
 405
 406         /* Try the schannel-only SamLogonEx operation */
 407         if (!test_netlogon_ex_ops(p_netlogon2, test_ctx, credentials, creds)) {
 408                 printf("Failed to process schannel secured NETLOGON EX ops (on fresh connection)\n");
 409                 ret = False;
 410         }
 411
 412         /* And the more traditional style, proving that the
 413          * credentials chaining state is fully present */
 414         if (!test_netlogon_ops(p_netlogon2, test_ctx, credentials, creds)) {
 415                 printf("Failed to process schannel secured NETLOGON ops (on fresh connection)\n");
 416                 ret = False;
 417         }
 418
 419         /* Drop the socket, we want to start from scratch (again) */
 420         talloc_free(p_samr2);
 421
 422         /* We don't want schannel for this test */
 423         b->flags &= ~DCERPC_AUTH_OPTIONS;
 424
 425         status = dcerpc_pipe_connect_b(test_ctx, &p_netlogon3, b, &dcerpc_table_netlogon,
 426                                        credentials, NULL);
 427         if (!NT_STATUS_IS_OK(status)) {
 428                 printf("Failed to connect without schannel: %s\n", nt_errstr(status));
 429                 goto failed;
 430         }
 431
 432         if (test_netlogon_ex_ops(p_netlogon3, test_ctx, credentials, creds)) {
 433                 printf("Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)\n");
 434                 ret = False;
 435         }
 436
 437         if (!test_netlogon_ops(p_netlogon3, test_ctx, credentials, creds)) {
 438                 printf("Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth\n");
 439                 ret = False;
 440         }
 441
 442         torture_leave_domain(join_ctx);
 443         talloc_free(test_ctx);
 444         return ret;
 445
 446 failed:
 447         torture_leave_domain(join_ctx);
 448         talloc_free(test_ctx);
 449         return False;
 450 }
 451
 452 /*
 453   a schannel test suite
 454  */
 455 BOOL torture_rpc_schannel(void)
 456 {
 457         TALLOC_CTX *mem_ctx;
 458         BOOL ret = True;
 459         struct {
 460                 uint16_t acct_flags;
 461                 uint32_t dcerpc_flags;
 462         } tests[] = {
 463                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN},
 464                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL},
 465                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
 466                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
 467                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN },
 468                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL },
 469                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
 470                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
 471         };
 472         int i;
 473
 474         mem_ctx = talloc_init("torture_rpc_schannel");
 475
 476         for (i=0;i<ARRAY_SIZE(tests);i++) {
 477                 if (!test_schannel(mem_ctx,
 478                                    tests[i].acct_flags, tests[i].dcerpc_flags,
 479                                    i)) {
 480                         printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
 481                                tests[i].acct_flags, tests[i].dcerpc_flags);
 482                         ret = False;
 483                         break;
 484                 }
 485         }
 486
 487         talloc_free(mem_ctx);
 488
 489         return ret;
 490 }