source4/torture/rpc/schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test suite for schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_netlogon.h"
  25 #include "librpc/gen_ndr/ndr_netlogon_c.h"
  26 #include "librpc/gen_ndr/ndr_lsa_c.h"
  27 #include "librpc/gen_ndr/ndr_samr_c.h"
  28 #include "auth/credentials/credentials.h"
  29 #include "torture/rpc/rpc.h"
  30 #include "lib/cmdline/popt_common.h"
  31 #include "auth/gensec/schannel_proto.h"
  32 #include "libcli/auth/libcli_auth.h"
  33 #include "libcli/security/proto.h"
  34
  35 #define TEST_MACHINE_NAME "schannel"
  36
  37 /*
  38   try a netlogon SamLogon
  39 */
  40 BOOL test_netlogon_ex_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
  41                           struct cli_credentials *credentials,
  42                           struct creds_CredentialState *creds)
  43 {
  44         NTSTATUS status;
  45         struct netr_LogonSamLogonEx r;
  46         struct netr_NetworkInfo ninfo;
  47         DATA_BLOB names_blob, chal, lm_resp, nt_resp;
  48         int i;
  49         BOOL ret = True;
  50         int flags = CLI_CRED_NTLM_AUTH;
  51         if (lp_client_lanman_auth()) {
  52                 flags |= CLI_CRED_LANMAN_AUTH;
  53         }
  54
  55         if (lp_client_ntlmv2_auth()) {
  56                 flags |= CLI_CRED_NTLMv2_AUTH;
  57         }
  58
  59         cli_credentials_get_ntlm_username_domain(cmdline_credentials, mem_ctx,
  60                                                  &ninfo.identity_info.account_name.string,
  61                                                  &ninfo.identity_info.domain_name.string);
  62
  63         generate_random_buffer(ninfo.challenge,
  64                                sizeof(ninfo.challenge));
  65         chal = data_blob_const(ninfo.challenge,
  66                                sizeof(ninfo.challenge));
  67
  68         names_blob = NTLMv2_generate_names_blob(mem_ctx, cli_credentials_get_workstation(credentials),
  69                                                 cli_credentials_get_domain(credentials));
  70
  71         status = cli_credentials_get_ntlm_response(cmdline_credentials, mem_ctx,
  72                                                    &flags,
  73                                                    chal,
  74                                                    names_blob,
  75                                                    &lm_resp, &nt_resp,
  76                                                    NULL, NULL);
  77         if (!NT_STATUS_IS_OK(status)) {
  78                 printf("cli_credentials_get_ntlm_response failed: %s\n",
  79                        nt_errstr(status));
  80                 return False;
  81         }
  82
  83         ninfo.lm.data = lm_resp.data;
  84         ninfo.lm.length = lm_resp.length;
  85
  86         ninfo.nt.data = nt_resp.data;
  87         ninfo.nt.length = nt_resp.length;
  88
  89         ninfo.identity_info.parameter_control = 0;
  90         ninfo.identity_info.logon_id_low = 0;
  91         ninfo.identity_info.logon_id_high = 0;
  92         ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
  93
  94         r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
  95         r.in.computer_name = cli_credentials_get_workstation(credentials);
  96         r.in.logon_level = 2;
  97         r.in.logon.network = &ninfo;
  98         r.in.flags = 0;
  99
 100         printf("Testing LogonSamLogonEx with name %s\n", ninfo.identity_info.account_name.string);
 101
 102         for (i=2;i<3;i++) {
 103                 r.in.validation_level = i;
 104
 105                 status = dcerpc_netr_LogonSamLogonEx(p, mem_ctx, &r);
 106                 if (!NT_STATUS_IS_OK(status)) {
 107                         printf("LogonSamLogon failed: %s\n",
 108                                nt_errstr(status));
 109                         return False;
 110                 }
 111         }
 112
 113         return ret;
 114 }
 115
 116 /*
 117   do some samr ops using the schannel connection
 118  */
 119 static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 120 {
 121         NTSTATUS status;
 122         struct samr_GetDomPwInfo r;
 123         struct samr_Connect connect;
 124         struct samr_OpenDomain opendom;
 125         int i;
 126         struct lsa_String name;
 127         struct policy_handle handle;
 128         struct policy_handle domain_handle;
 129
 130         name.string = lp_workgroup();
 131         r.in.domain_name = &name;
 132
 133         connect.in.system_name = 0;
 134         connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 135         connect.out.connect_handle = &handle;
 136
 137         printf("Testing Connect and OpenDomain on BUILTIN\n");
 138
 139         status = dcerpc_samr_Connect(p, mem_ctx, &connect);
 140         if (!NT_STATUS_IS_OK(status)) {
 141                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 142                         printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
 143                                nt_errstr(status));
 144                 } else {
 145                         printf("Connect failed - %s\n", nt_errstr(status));
 146                         return False;
 147                 }
 148         } else {
 149                 opendom.in.connect_handle = &handle;
 150                 opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 151                 opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
 152                 opendom.out.domain_handle = &domain_handle;
 153
 154                 status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
 155                 if (!NT_STATUS_IS_OK(status)) {
 156                         printf("OpenDomain failed - %s\n", nt_errstr(status));
 157                         return False;
 158                 }
 159         }
 160
 161         printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
 162
 163         /* do several ops to test credential chaining */
 164         for (i=0;i<5;i++) {
 165                 status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
 166                 if (!NT_STATUS_IS_OK(status)) {
 167                         if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 168                                 printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
 169                                 return False;
 170                         }
 171                 }
 172         }
 173
 174         return True;
 175 }
 176
 177
 178 /*
 179   do some lsa ops using the schannel connection
 180  */
 181 static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 182 {
 183         struct lsa_GetUserName r;
 184         NTSTATUS status;
 185         BOOL ret = True;
 186         struct lsa_StringPointer authority_name_p;
 187
 188         printf("\nTesting GetUserName\n");
 189
 190         r.in.system_name = "\\";
 191         r.in.account_name = NULL;
 192         r.in.authority_name = &authority_name_p;
 193         authority_name_p.string = NULL;
 194
 195         /* do several ops to test credential chaining and various operations */
 196         status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
 197
 198         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
 199                 printf("not considering %s to be an error\n", nt_errstr(status));
 200         } else if (!NT_STATUS_IS_OK(status)) {
 201                 printf("GetUserName failed - %s\n", nt_errstr(status));
 202                 return False;
 203         } else {
 204                 if (!r.out.account_name) {
 205                         return False;
 206                 }
 207
 208                 if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
 209                         printf("GetUserName returned wrong user: %s, expected %s\n",
 210                                r.out.account_name->string, "ANONYMOUS LOGON");
 211                         return False;
 212                 }
 213                 if (!r.out.authority_name || !r.out.authority_name->string) {
 214                         return False;
 215                 }
 216
 217                 if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
 218                         printf("GetUserName returned wrong user: %s, expected %s\n",
 219                                r.out.authority_name->string->string, "NT AUTHORITY");
 220                         return False;
 221                 }
 222         }
 223         if (!test_many_LookupSids(p, mem_ctx, NULL)) {
 224                 printf("LsaLookupSids3 failed!\n");
 225                 return False;
 226         }
 227
 228         return ret;
 229 }
 230
 231
 232 /*
 233   test a schannel connection with the given flags
 234  */
 235 static BOOL test_schannel(TALLOC_CTX *mem_ctx,
 236                           uint16_t acct_flags, uint32_t dcerpc_flags,
 237                           int i)
 238 {
 239         BOOL ret = True;
 240
 241         struct test_join *join_ctx;
 242         NTSTATUS status;
 243         const char *binding = lp_parm_string(-1, "torture", "binding");
 244         struct dcerpc_binding *b;
 245         struct dcerpc_pipe *p = NULL;
 246         struct dcerpc_pipe *p_netlogon = NULL;
 247         struct dcerpc_pipe *p_netlogon2 = NULL;
 248         struct dcerpc_pipe *p_netlogon3 = NULL;
 249         struct dcerpc_pipe *p_samr2 = NULL;
 250         struct dcerpc_pipe *p_lsa = NULL;
 251         struct creds_CredentialState *creds;
 252         struct cli_credentials *credentials;
 253
 254         TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
 255
 256         join_ctx = torture_join_domain(talloc_asprintf(mem_ctx, "%s%d", TEST_MACHINE_NAME, i),
 257                                        acct_flags, &credentials);
 258         if (!join_ctx) {
 259                 printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
 260                 talloc_free(test_ctx);
 261                 return False;
 262         }
 263
 264         status = dcerpc_parse_binding(test_ctx, binding, &b);
 265         if (!NT_STATUS_IS_OK(status)) {
 266                 printf("Bad binding string %s\n", binding);
 267                 goto failed;
 268         }
 269
 270         b->flags &= ~DCERPC_AUTH_OPTIONS;
 271         b->flags |= dcerpc_flags;
 272
 273         status = dcerpc_pipe_connect_b(test_ctx, &p, b, &dcerpc_table_samr,
 274                                        credentials, NULL);
 275         if (!NT_STATUS_IS_OK(status)) {
 276                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 277                 goto failed;
 278         }
 279
 280         if (!test_samr_ops(p, test_ctx)) {
 281                 printf("Failed to process schannel secured SAMR ops\n");
 282                 ret = False;
 283         }
 284
 285         /* Also test that when we connect to the netlogon pipe, that
 286          * the credentials we setup on the first pipe are valid for
 287          * the second */
 288
 289         /* Swap the binding details from SAMR to NETLOGON */
 290         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_netlogon, NULL);
 291         if (!NT_STATUS_IS_OK(status)) {
 292                 goto failed;
 293         }
 294
 295         status = dcerpc_secondary_connection(p, &p_netlogon,
 296                                              b);
 297
 298         if (!NT_STATUS_IS_OK(status)) {
 299                 goto failed;
 300         }
 301
 302         status = dcerpc_bind_auth(p_netlogon, &dcerpc_table_netlogon,
 303                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 304                                   dcerpc_auth_level(p->conn),
 305                                   NULL);
 306
 307         if (!NT_STATUS_IS_OK(status)) {
 308                 goto failed;
 309         }
 310
 311         status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, test_ctx, &creds);
 312         if (!NT_STATUS_IS_OK(status)) {
 313                 goto failed;
 314         }
 315
 316         /* do a couple of logins */
 317         if (!test_netlogon_ops(p_netlogon, test_ctx, credentials, creds)) {
 318                 printf("Failed to process schannel secured NETLOGON ops\n");
 319                 ret = False;
 320         }
 321
 322         if (!test_netlogon_ex_ops(p_netlogon, test_ctx, credentials, creds)) {
 323                 printf("Failed to process schannel secured NETLOGON EX ops\n");
 324                 ret = False;
 325         }
 326
 327         /* Swap the binding details from SAMR to LSARPC */
 328         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_lsarpc, NULL);
 329         if (!NT_STATUS_IS_OK(status)) {
 330                 goto failed;
 331         }
 332
 333         status = dcerpc_secondary_connection(p, &p_lsa,
 334                                              b);
 335
 336         if (!NT_STATUS_IS_OK(status)) {
 337                 goto failed;
 338         }
 339
 340         status = dcerpc_bind_auth(p_lsa, &dcerpc_table_lsarpc,
 341                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 342                                   dcerpc_auth_level(p->conn),
 343                                   NULL);
 344
 345         if (!NT_STATUS_IS_OK(status)) {
 346                 goto failed;
 347         }
 348
 349         if (!test_lsa_ops(p_lsa, test_ctx)) {
 350                 printf("Failed to process schannel secured LSA ops\n");
 351                 ret = False;
 352         }
 353
 354         /* Drop the socket, we want to start from scratch */
 355         talloc_free(p);
 356         p = NULL;
 357
 358         /* Now see what we are still allowed to do */
 359
 360         status = dcerpc_parse_binding(test_ctx, binding, &b);
 361         if (!NT_STATUS_IS_OK(status)) {
 362                 printf("Bad binding string %s\n", binding);
 363                 goto failed;
 364         }
 365
 366         b->flags &= ~DCERPC_AUTH_OPTIONS;
 367         b->flags |= dcerpc_flags;
 368
 369         status = dcerpc_pipe_connect_b(test_ctx, &p_samr2, b, &dcerpc_table_samr,
 370                                        credentials, NULL);
 371         if (!NT_STATUS_IS_OK(status)) {
 372                 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
 373                 goto failed;
 374         }
 375
 376         /* do a some SAMR operations.  We have *not* done a new serverauthenticate */
 377         if (!test_samr_ops(p_samr2, test_ctx)) {
 378                 printf("Failed to process schannel secured SAMR ops (on fresh connection)\n");
 379                 goto failed;
 380         }
 381
 382         /* Swap the binding details from SAMR to NETLOGON */
 383         status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_netlogon, NULL);
 384         if (!NT_STATUS_IS_OK(status)) {
 385                 goto failed;
 386         }
 387
 388         status = dcerpc_secondary_connection(p_samr2, &p_netlogon2,
 389                                              b);
 390         if (!NT_STATUS_IS_OK(status)) {
 391                 goto failed;
 392         }
 393
 394         /* and now setup an SCHANNEL bind on netlogon */
 395         status = dcerpc_bind_auth(p_netlogon2, &dcerpc_table_netlogon,
 396                                   credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 397                                   dcerpc_auth_level(p_samr2->conn),
 398                                   NULL);
 399
 400         if (!NT_STATUS_IS_OK(status)) {
 401                 goto failed;
 402         }
 403
 404         /* Try the schannel-only SamLogonEx operation */
 405         if (!test_netlogon_ex_ops(p_netlogon2, test_ctx, credentials, creds)) {
 406                 printf("Failed to process schannel secured NETLOGON EX ops (on fresh connection)\n");
 407                 ret = False;
 408         }
 409
 410         /* And the more traditional style, proving that the
 411          * credentials chaining state is fully present */
 412         if (!test_netlogon_ops(p_netlogon2, test_ctx, credentials, creds)) {
 413                 printf("Failed to process schannel secured NETLOGON ops (on fresh connection)\n");
 414                 ret = False;
 415         }
 416
 417         /* Drop the socket, we want to start from scratch (again) */
 418         talloc_free(p_samr2);
 419
 420         /* We don't want schannel for this test */
 421         b->flags &= ~DCERPC_AUTH_OPTIONS;
 422
 423         status = dcerpc_pipe_connect_b(test_ctx, &p_netlogon3, b, &dcerpc_table_netlogon,
 424                                        credentials, NULL);
 425         if (!NT_STATUS_IS_OK(status)) {
 426                 printf("Failed to connect without schannel: %s\n", nt_errstr(status));
 427                 goto failed;
 428         }
 429
 430         if (test_netlogon_ex_ops(p_netlogon3, test_ctx, credentials, creds)) {
 431                 printf("Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)\n");
 432                 ret = False;
 433         }
 434
 435         if (!test_netlogon_ops(p_netlogon3, test_ctx, credentials, creds)) {
 436                 printf("Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth\n");
 437                 ret = False;
 438         }
 439
 440         torture_leave_domain(join_ctx);
 441         talloc_free(test_ctx);
 442         return ret;
 443
 444 failed:
 445         torture_leave_domain(join_ctx);
 446         talloc_free(test_ctx);
 447         return False;
 448 }
 449
 450 /*
 451   a schannel test suite
 452  */
 453 BOOL torture_rpc_schannel(void)
 454 {
 455         TALLOC_CTX *mem_ctx;
 456         BOOL ret = True;
 457         struct {
 458                 uint16_t acct_flags;
 459                 uint32_t dcerpc_flags;
 460         } tests[] = {
 461                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN},
 462                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL},
 463                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
 464                 { ACB_WSTRUST,   DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
 465                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN },
 466                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL },
 467                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
 468                 { ACB_SVRTRUST,  DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
 469         };
 470         int i;
 471
 472         mem_ctx = talloc_init("torture_rpc_schannel");
 473
 474         for (i=0;i<ARRAY_SIZE(tests);i++) {
 475                 if (!test_schannel(mem_ctx,
 476                                    tests[i].acct_flags, tests[i].dcerpc_flags,
 477                                    i)) {
 478                         printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
 479                                tests[i].acct_flags, tests[i].dcerpc_flags);
 480                         ret = False;
 481                         break;
 482                 }
 483         }
 484
 485         talloc_free(mem_ctx);
 486
 487         return ret;
 488 }