2 Unix SMB/CIFS implementation.
4 test suite for schannel operations
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "librpc/gen_ndr/ndr_netlogon_c.h"
24 #include "librpc/gen_ndr/ndr_lsa_c.h"
25 #include "librpc/gen_ndr/ndr_samr_c.h"
26 #include "auth/credentials/credentials.h"
27 #include "torture/rpc/torture_rpc.h"
28 #include "lib/cmdline/popt_common.h"
29 #include "../libcli/auth/schannel.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "libcli/security/security.h"
32 #include "system/filesys.h"
33 #include "param/param.h"
34 #include "librpc/rpc/dcerpc_proto.h"
35 #include "libcli/composite/composite.h"
36 #include "lib/events/events.h"
38 #define TEST_MACHINE_NAME "schannel"
41 try a netlogon SamLogon
43 bool test_netlogon_ex_ops(struct dcerpc_pipe
*p
, struct torture_context
*tctx
,
44 struct cli_credentials
*credentials
,
45 struct netlogon_creds_CredentialState
*creds
)
48 struct netr_LogonSamLogonEx r
;
49 struct netr_NetworkInfo ninfo
;
50 union netr_LogonLevel logon
;
51 union netr_Validation validation
;
52 uint8_t authoritative
= 0;
54 DATA_BLOB names_blob
, chal
, lm_resp
, nt_resp
;
56 int flags
= CLI_CRED_NTLM_AUTH
;
57 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
59 struct netr_UserSessionKey key
;
60 struct netr_LMSessionKey LMSessKey
;
61 uint32_t validation_levels
[] = { 2, 3 };
62 struct netr_SamBaseInfo
*base
;
63 const char *crypto_alg
= "";
64 bool can_do_validation_6
= true;
66 if (lpcfg_client_lanman_auth(tctx
->lp_ctx
)) {
67 flags
|= CLI_CRED_LANMAN_AUTH
;
70 if (lpcfg_client_ntlmv2_auth(tctx
->lp_ctx
)) {
71 flags
|= CLI_CRED_NTLMv2_AUTH
;
74 cli_credentials_get_ntlm_username_domain(cmdline_credentials
, tctx
,
75 &ninfo
.identity_info
.account_name
.string
,
76 &ninfo
.identity_info
.domain_name
.string
);
78 generate_random_buffer(ninfo
.challenge
,
79 sizeof(ninfo
.challenge
));
80 chal
= data_blob_const(ninfo
.challenge
,
81 sizeof(ninfo
.challenge
));
83 names_blob
= NTLMv2_generate_names_blob(tctx
, cli_credentials_get_workstation(credentials
),
84 cli_credentials_get_domain(credentials
));
86 status
= cli_credentials_get_ntlm_response(cmdline_credentials
, tctx
,
92 torture_assert_ntstatus_ok(tctx
, status
,
93 "cli_credentials_get_ntlm_response failed");
95 ninfo
.lm
.data
= lm_resp
.data
;
96 ninfo
.lm
.length
= lm_resp
.length
;
98 ninfo
.nt
.data
= nt_resp
.data
;
99 ninfo
.nt
.length
= nt_resp
.length
;
101 ninfo
.identity_info
.parameter_control
= 0;
102 ninfo
.identity_info
.logon_id_low
= 0;
103 ninfo
.identity_info
.logon_id_high
= 0;
104 ninfo
.identity_info
.workstation
.string
= cli_credentials_get_workstation(credentials
);
106 logon
.network
= &ninfo
;
108 r
.in
.server_name
= talloc_asprintf(tctx
, "\\\\%s", dcerpc_server_name(p
));
109 r
.in
.computer_name
= cli_credentials_get_workstation(credentials
);
110 r
.in
.logon_level
= NetlogonNetworkInformation
;
112 r
.in
.flags
= &_flags
;
113 r
.out
.validation
= &validation
;
114 r
.out
.authoritative
= &authoritative
;
115 r
.out
.flags
= &_flags
;
119 - save usrsession and lmsession key
127 if (creds
->negotiate_flags
& NETLOGON_NEG_SUPPORTS_AES
) {
129 } else if (creds
->negotiate_flags
& NETLOGON_NEG_ARCFOUR
) {
130 crypto_alg
= "ARCFOUR";
134 r
.in
.validation_level
= 6;
136 torture_comment(tctx
,
137 "Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n",
138 ninfo
.identity_info
.account_name
.string
, crypto_alg
,
139 r
.in
.validation_level
);
141 torture_assert_ntstatus_ok(tctx
,
142 dcerpc_netr_LogonSamLogonEx_r(b
, tctx
, &r
),
143 "LogonSamLogonEx failed");
144 if (NT_STATUS_EQUAL(r
.out
.result
, NT_STATUS_INVALID_INFO_CLASS
)) {
145 can_do_validation_6
= false;
147 torture_assert_ntstatus_ok(tctx
, r
.out
.result
,
148 "LogonSamLogonEx failed");
150 key
= r
.out
.validation
->sam6
->base
.key
;
151 LMSessKey
= r
.out
.validation
->sam6
->base
.LMSessKey
;
153 DEBUG(1,("unencrypted session keys from validation_level 6:\n"));
154 dump_data(1, r
.out
.validation
->sam6
->base
.key
.key
, 16);
155 dump_data(1, r
.out
.validation
->sam6
->base
.LMSessKey
.key
, 8);
158 for (i
=0; i
< ARRAY_SIZE(validation_levels
); i
++) {
160 r
.in
.validation_level
= validation_levels
[i
];
162 torture_comment(tctx
,
163 "Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n",
164 ninfo
.identity_info
.account_name
.string
, crypto_alg
,
165 r
.in
.validation_level
);
167 torture_assert_ntstatus_ok(tctx
,
168 dcerpc_netr_LogonSamLogonEx_r(b
, tctx
, &r
),
169 "LogonSamLogonEx failed");
170 torture_assert_ntstatus_ok(tctx
, r
.out
.result
,
171 "LogonSamLogonEx failed");
174 /* when this test is called without creds no point in
175 * testing the session keys */
179 switch (validation_levels
[i
]) {
181 base
= &r
.out
.validation
->sam2
->base
;
184 base
= &r
.out
.validation
->sam3
->base
;
190 DEBUG(1,("encrypted keys validation_level %d:\n",
191 validation_levels
[i
]));
192 dump_data(1, base
->key
.key
, 16);
193 dump_data(1, base
->LMSessKey
.key
, 8);
195 if (creds
->negotiate_flags
& NETLOGON_NEG_SUPPORTS_AES
) {
196 netlogon_creds_aes_decrypt(creds
, base
->key
.key
, 16);
197 netlogon_creds_aes_decrypt(creds
, base
->LMSessKey
.key
, 8);
198 } else if (creds
->negotiate_flags
& NETLOGON_NEG_ARCFOUR
) {
199 netlogon_creds_arcfour_crypt(creds
, base
->key
.key
, 16);
200 netlogon_creds_arcfour_crypt(creds
, base
->LMSessKey
.key
, 8);
203 DEBUG(1,("decryped keys validation_level %d\n",
204 validation_levels
[i
]));
206 dump_data(1, base
->key
.key
, 16);
207 dump_data(1, base
->LMSessKey
.key
, 8);
209 if (!can_do_validation_6
) {
210 /* we cant compare against unencrypted keys */
214 torture_assert_mem_equal(tctx
,
218 "unexpected user session key\n");
219 torture_assert_mem_equal(tctx
,
223 "unexpected LM session key\n");
230 do some samr ops using the schannel connection
232 static bool test_samr_ops(struct torture_context
*tctx
,
233 struct dcerpc_binding_handle
*b
)
235 struct samr_GetDomPwInfo r
;
236 struct samr_PwInfo info
;
237 struct samr_Connect connect_r
;
238 struct samr_OpenDomain opendom
;
240 struct lsa_String name
;
241 struct policy_handle handle
;
242 struct policy_handle domain_handle
;
244 name
.string
= lpcfg_workgroup(tctx
->lp_ctx
);
245 r
.in
.domain_name
= &name
;
248 connect_r
.in
.system_name
= 0;
249 connect_r
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
250 connect_r
.out
.connect_handle
= &handle
;
252 torture_comment(tctx
, "Testing Connect and OpenDomain on BUILTIN\n");
254 torture_assert_ntstatus_ok(tctx
, dcerpc_samr_Connect_r(b
, tctx
, &connect_r
),
256 if (!NT_STATUS_IS_OK(connect_r
.out
.result
)) {
257 if (NT_STATUS_EQUAL(connect_r
.out
.result
, NT_STATUS_ACCESS_DENIED
)) {
258 torture_comment(tctx
, "Connect failed (expected, schannel mapped to anonymous): %s\n",
259 nt_errstr(connect_r
.out
.result
));
261 torture_comment(tctx
, "Connect failed - %s\n", nt_errstr(connect_r
.out
.result
));
265 opendom
.in
.connect_handle
= &handle
;
266 opendom
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
267 opendom
.in
.sid
= dom_sid_parse_talloc(tctx
, "S-1-5-32");
268 opendom
.out
.domain_handle
= &domain_handle
;
270 torture_assert_ntstatus_ok(tctx
, dcerpc_samr_OpenDomain_r(b
, tctx
, &opendom
),
271 "OpenDomain failed");
272 if (!NT_STATUS_IS_OK(opendom
.out
.result
)) {
273 torture_comment(tctx
, "OpenDomain failed - %s\n", nt_errstr(opendom
.out
.result
));
278 torture_comment(tctx
, "Testing GetDomPwInfo with name %s\n", r
.in
.domain_name
->string
);
280 /* do several ops to test credential chaining */
282 torture_assert_ntstatus_ok(tctx
, dcerpc_samr_GetDomPwInfo_r(b
, tctx
, &r
),
283 "GetDomPwInfo failed");
284 if (!NT_STATUS_IS_OK(r
.out
.result
)) {
285 if (!NT_STATUS_EQUAL(r
.out
.result
, NT_STATUS_ACCESS_DENIED
)) {
286 torture_comment(tctx
, "GetDomPwInfo op %d failed - %s\n", i
, nt_errstr(r
.out
.result
));
297 do some lsa ops using the schannel connection
299 static bool test_lsa_ops(struct torture_context
*tctx
, struct dcerpc_pipe
*p
)
301 struct lsa_GetUserName r
;
303 struct lsa_String
*account_name_p
= NULL
;
304 struct lsa_String
*authority_name_p
= NULL
;
305 struct dcerpc_binding_handle
*b
= p
->binding_handle
;
307 torture_comment(tctx
, "\nTesting GetUserName\n");
309 r
.in
.system_name
= "\\";
310 r
.in
.account_name
= &account_name_p
;
311 r
.in
.authority_name
= &authority_name_p
;
312 r
.out
.account_name
= &account_name_p
;
314 /* do several ops to test credential chaining and various operations */
315 torture_assert_ntstatus_ok(tctx
, dcerpc_lsa_GetUserName_r(b
, tctx
, &r
),
316 "lsa_GetUserName failed");
318 authority_name_p
= *r
.out
.authority_name
;
320 if (!NT_STATUS_IS_OK(r
.out
.result
)) {
321 torture_comment(tctx
, "GetUserName failed - %s\n", nt_errstr(r
.out
.result
));
324 if (!r
.out
.account_name
) {
328 if (strcmp(account_name_p
->string
, "ANONYMOUS LOGON") != 0) {
329 torture_comment(tctx
, "GetUserName returned wrong user: %s, expected %s\n",
330 account_name_p
->string
, "ANONYMOUS LOGON");
332 if (!torture_setting_bool(tctx
, "samba3", false)) {
336 if (!authority_name_p
|| !authority_name_p
->string
) {
340 if (strcmp(authority_name_p
->string
, "NT AUTHORITY") != 0) {
341 torture_comment(tctx
, "GetUserName returned wrong user: %s, expected %s\n",
342 authority_name_p
->string
, "NT AUTHORITY");
344 if (!torture_setting_bool(tctx
, "samba3", false)) {
355 test a schannel connection with the given flags
357 static bool test_schannel(struct torture_context
*tctx
,
358 uint16_t acct_flags
, uint32_t dcerpc_flags
,
361 struct test_join
*join_ctx
;
363 const char *binding
= torture_setting_string(tctx
, "binding", NULL
);
364 struct dcerpc_binding
*b
;
365 struct dcerpc_pipe
*p
= NULL
;
366 struct dcerpc_pipe
*p_netlogon
= NULL
;
367 struct dcerpc_pipe
*p_netlogon2
= NULL
;
368 struct dcerpc_pipe
*p_netlogon3
= NULL
;
369 struct dcerpc_pipe
*p_samr2
= NULL
;
370 struct dcerpc_pipe
*p_lsa
= NULL
;
371 struct netlogon_creds_CredentialState
*creds
;
372 struct cli_credentials
*credentials
;
373 enum dcerpc_transport_t transport
;
375 join_ctx
= torture_join_domain(tctx
,
376 talloc_asprintf(tctx
, "%s%d", TEST_MACHINE_NAME
, i
),
377 acct_flags
, &credentials
);
378 torture_assert(tctx
, join_ctx
!= NULL
, "Failed to join domain");
380 status
= dcerpc_parse_binding(tctx
, binding
, &b
);
381 torture_assert_ntstatus_ok(tctx
, status
, "Bad binding string");
383 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
384 b
->flags
|= dcerpc_flags
;
386 status
= dcerpc_pipe_connect_b(tctx
, &p
, b
, &ndr_table_samr
,
387 credentials
, tctx
->ev
, tctx
->lp_ctx
);
388 torture_assert_ntstatus_ok(tctx
, status
,
389 "Failed to connect to samr with schannel");
391 torture_assert(tctx
, test_samr_ops(tctx
, p
->binding_handle
),
392 "Failed to process schannel secured SAMR ops");
394 /* Also test that when we connect to the netlogon pipe, that
395 * the credentials we setup on the first pipe are valid for
398 /* Swap the binding details from SAMR to NETLOGON */
399 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_netlogon
, tctx
->ev
, tctx
->lp_ctx
);
400 torture_assert_ntstatus_ok(tctx
, status
, "epm map");
402 status
= dcerpc_secondary_connection(p
, &p_netlogon
,
404 torture_assert_ntstatus_ok(tctx
, status
, "secondary connection");
406 status
= dcerpc_bind_auth(p_netlogon
, &ndr_table_netlogon
,
407 credentials
, lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
),
408 DCERPC_AUTH_TYPE_SCHANNEL
,
409 dcerpc_auth_level(p
->conn
),
412 torture_assert_ntstatus_ok(tctx
, status
, "bind auth");
414 creds
= cli_credentials_get_netlogon_creds(credentials
);
415 torture_assert(tctx
, (creds
!= NULL
), "schannel creds");
417 /* checks the capabilities */
418 torture_assert(tctx
, test_netlogon_capabilities(p_netlogon
, tctx
, credentials
, creds
),
419 "Failed to process schannel secured capability ops (on fresh connection)");
421 /* do a couple of logins */
422 torture_assert(tctx
, test_netlogon_ops(p_netlogon
, tctx
, credentials
, creds
),
423 "Failed to process schannel secured NETLOGON ops");
425 torture_assert(tctx
, test_netlogon_ex_ops(p_netlogon
, tctx
, credentials
, creds
),
426 "Failed to process schannel secured NETLOGON EX ops");
428 /* we *MUST* use ncacn_np for openpolicy etc. */
429 transport
= dcerpc_binding_get_transport(b
);
430 status
= dcerpc_binding_set_transport(b
, NCACN_NP
);
431 torture_assert_ntstatus_ok(tctx
, status
, "set transport");
433 /* Swap the binding details from SAMR to LSARPC */
434 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_lsarpc
, tctx
->ev
, tctx
->lp_ctx
);
435 torture_assert_ntstatus_ok(tctx
, status
, "epm map");
437 torture_assert_ntstatus_ok(tctx
,
438 dcerpc_pipe_connect_b(tctx
, &p_lsa
, b
, &ndr_table_lsarpc
,
439 credentials
, tctx
->ev
, tctx
->lp_ctx
),
440 "failed to connect lsarpc with schannel");
442 torture_assert(tctx
, test_lsa_ops(tctx
, p_lsa
),
443 "Failed to process schannel secured LSA ops");
448 /* we *MUST* use ncacn_ip_tcp for lookupsids3/lookupnames4 */
449 status
= dcerpc_binding_set_transport(b
, NCACN_IP_TCP
);
450 torture_assert_ntstatus_ok(tctx
, status
, "set transport");
452 torture_assert_ntstatus_ok(tctx
,
453 dcerpc_epm_map_binding(tctx
, b
, &ndr_table_lsarpc
, tctx
->ev
, tctx
->lp_ctx
),
454 "failed to call epm map");
456 torture_assert_ntstatus_ok(tctx
,
457 dcerpc_pipe_connect_b(tctx
, &p_lsa
, b
, &ndr_table_lsarpc
,
458 credentials
, tctx
->ev
, tctx
->lp_ctx
),
459 "failed to connect lsarpc with schannel");
462 test_many_LookupSids(p_lsa
, tctx
, NULL
),
463 "LsaLookupSids3 failed!\n");
465 status
= dcerpc_binding_set_transport(b
, transport
);
466 torture_assert_ntstatus_ok(tctx
, status
, "set transport");
469 /* Drop the socket, we want to start from scratch */
473 /* Now see what we are still allowed to do */
475 status
= dcerpc_parse_binding(tctx
, binding
, &b
);
476 torture_assert_ntstatus_ok(tctx
, status
, "Bad binding string");
478 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
479 b
->flags
|= dcerpc_flags
;
481 status
= dcerpc_pipe_connect_b(tctx
, &p_samr2
, b
, &ndr_table_samr
,
482 credentials
, tctx
->ev
, tctx
->lp_ctx
);
483 torture_assert_ntstatus_ok(tctx
, status
,
484 "Failed to connect with schannel");
486 /* do a some SAMR operations. We have *not* done a new serverauthenticate */
487 torture_assert (tctx
, test_samr_ops(tctx
, p_samr2
->binding_handle
),
488 "Failed to process schannel secured SAMR ops (on fresh connection)");
490 /* Swap the binding details from SAMR to NETLOGON */
491 status
= dcerpc_epm_map_binding(tctx
, b
, &ndr_table_netlogon
, tctx
->ev
, tctx
->lp_ctx
);
492 torture_assert_ntstatus_ok(tctx
, status
, "epm");
494 status
= dcerpc_secondary_connection(p_samr2
, &p_netlogon2
,
496 torture_assert_ntstatus_ok(tctx
, status
, "secondary connection");
498 /* and now setup an SCHANNEL bind on netlogon */
499 status
= dcerpc_bind_auth(p_netlogon2
, &ndr_table_netlogon
,
500 credentials
, lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
),
501 DCERPC_AUTH_TYPE_SCHANNEL
,
502 dcerpc_auth_level(p_samr2
->conn
),
505 torture_assert_ntstatus_ok(tctx
, status
, "auth failed");
507 /* checks the capabilities */
508 torture_assert(tctx
, test_netlogon_capabilities(p_netlogon2
, tctx
, credentials
, creds
),
509 "Failed to process schannel secured capability ops (on fresh connection)");
511 /* Try the schannel-only SamLogonEx operation */
512 torture_assert(tctx
, test_netlogon_ex_ops(p_netlogon2
, tctx
, credentials
, creds
),
513 "Failed to process schannel secured NETLOGON EX ops (on fresh connection)");
516 /* And the more traditional style, proving that the
517 * credentials chaining state is fully present */
518 torture_assert(tctx
, test_netlogon_ops(p_netlogon2
, tctx
, credentials
, creds
),
519 "Failed to process schannel secured NETLOGON ops (on fresh connection)");
521 /* Drop the socket, we want to start from scratch (again) */
522 talloc_free(p_samr2
);
524 /* We don't want schannel for this test */
525 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
527 status
= dcerpc_pipe_connect_b(tctx
, &p_netlogon3
, b
, &ndr_table_netlogon
,
528 credentials
, tctx
->ev
, tctx
->lp_ctx
);
529 torture_assert_ntstatus_ok(tctx
, status
, "Failed to connect without schannel");
531 torture_assert(tctx
, !test_netlogon_ex_ops(p_netlogon3
, tctx
, credentials
, creds
),
532 "Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)");
534 /* Required because the previous call will mark the current context as having failed */
535 tctx
->last_result
= TORTURE_OK
;
536 tctx
->last_reason
= NULL
;
538 torture_assert(tctx
, test_netlogon_ops(p_netlogon3
, tctx
, credentials
, creds
),
539 "Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth");
541 torture_leave_domain(tctx
, join_ctx
);
548 a schannel test suite
550 bool torture_rpc_schannel(struct torture_context
*torture
)
555 uint32_t dcerpc_flags
;
557 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_AUTO
},
558 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_AUTO
},
559 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_128
},
560 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_128
},
561 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_AES
},
562 { ACB_WSTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_AES
},
563 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_AUTO
},
564 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_AUTO
},
565 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_128
},
566 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_128
},
567 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SIGN
| DCERPC_SCHANNEL_AES
},
568 { ACB_SVRTRUST
, DCERPC_SCHANNEL
| DCERPC_SEAL
| DCERPC_SCHANNEL_AES
}
572 for (i
=0;i
<ARRAY_SIZE(tests
);i
++) {
573 torture_comment(torture
, "Testing with acct_flags=0x%x dcerpc_flags=0x%x \n",
574 tests
[i
].acct_flags
, tests
[i
].dcerpc_flags
);
576 if (!test_schannel(torture
,
577 tests
[i
].acct_flags
, tests
[i
].dcerpc_flags
,
579 torture_comment(torture
, "Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
580 tests
[i
].acct_flags
, tests
[i
].dcerpc_flags
);
589 test two schannel connections
591 bool torture_rpc_schannel2(struct torture_context
*torture
)
593 struct test_join
*join_ctx
;
595 const char *binding
= torture_setting_string(torture
, "binding", NULL
);
596 struct dcerpc_binding
*b
;
597 struct dcerpc_pipe
*p1
= NULL
, *p2
= NULL
;
598 struct cli_credentials
*credentials1
, *credentials2
;
599 uint32_t dcerpc_flags
= DCERPC_SCHANNEL
| DCERPC_SIGN
;
601 join_ctx
= torture_join_domain(torture
, talloc_asprintf(torture
, "%s2", TEST_MACHINE_NAME
),
602 ACB_WSTRUST
, &credentials1
);
603 torture_assert(torture
, join_ctx
!= NULL
,
604 "Failed to join domain with acct_flags=ACB_WSTRUST");
606 credentials2
= cli_credentials_shallow_copy(torture
, credentials1
);
607 cli_credentials_set_netlogon_creds(credentials1
, NULL
);
608 cli_credentials_set_netlogon_creds(credentials2
, NULL
);
610 status
= dcerpc_parse_binding(torture
, binding
, &b
);
611 torture_assert_ntstatus_ok(torture
, status
, "Bad binding string");
613 b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
614 b
->flags
|= dcerpc_flags
;
616 torture_comment(torture
, "Opening first connection\n");
617 status
= dcerpc_pipe_connect_b(torture
, &p1
, b
, &ndr_table_netlogon
,
618 credentials1
, torture
->ev
, torture
->lp_ctx
);
619 torture_assert_ntstatus_ok(torture
, status
, "Failed to connect with schannel");
621 torture_comment(torture
, "Opening second connection\n");
622 status
= dcerpc_pipe_connect_b(torture
, &p2
, b
, &ndr_table_netlogon
,
623 credentials2
, torture
->ev
, torture
->lp_ctx
);
624 torture_assert_ntstatus_ok(torture
, status
, "Failed to connect with schannel");
626 cli_credentials_set_netlogon_creds(credentials1
, NULL
);
627 cli_credentials_set_netlogon_creds(credentials2
, NULL
);
629 torture_comment(torture
, "Testing logon on pipe1\n");
630 if (!test_netlogon_ex_ops(p1
, torture
, credentials1
, NULL
))
633 torture_comment(torture
, "Testing logon on pipe2\n");
634 if (!test_netlogon_ex_ops(p2
, torture
, credentials2
, NULL
))
637 torture_comment(torture
, "Again on pipe1\n");
638 if (!test_netlogon_ex_ops(p1
, torture
, credentials1
, NULL
))
641 torture_comment(torture
, "Again on pipe2\n");
642 if (!test_netlogon_ex_ops(p2
, torture
, credentials2
, NULL
))
645 torture_leave_domain(torture
, join_ctx
);
649 struct torture_schannel_bench
;
651 struct torture_schannel_bench_conn
{
652 struct torture_schannel_bench
*s
;
654 struct cli_credentials
*wks_creds
;
655 struct dcerpc_pipe
*pipe
;
656 struct netr_LogonSamLogonEx r
;
657 struct netr_NetworkInfo ninfo
;
663 struct torture_schannel_bench
{
664 struct torture_context
*tctx
;
669 struct torture_schannel_bench_conn
*conns
;
670 struct test_join
*join_ctx1
;
671 struct cli_credentials
*wks_creds1
;
672 struct test_join
*join_ctx2
;
673 struct cli_credentials
*wks_creds2
;
674 struct cli_credentials
*user1_creds
;
675 struct cli_credentials
*user2_creds
;
676 struct dcerpc_binding
*b
;
683 static void torture_schannel_bench_connected(struct composite_context
*c
)
685 struct torture_schannel_bench_conn
*conn
=
686 (struct torture_schannel_bench_conn
*)c
->async
.private_data
;
687 struct torture_schannel_bench
*s
= talloc_get_type(conn
->s
,
688 struct torture_schannel_bench
);
690 s
->error
= dcerpc_pipe_connect_b_recv(c
, s
->conns
, &conn
->pipe
);
691 torture_comment(s
->tctx
, "conn[%u]: %s\n", conn
->index
, nt_errstr(s
->error
));
692 if (NT_STATUS_IS_OK(s
->error
)) {
697 static void torture_schannel_bench_recv(struct tevent_req
*subreq
);
699 static bool torture_schannel_bench_start(struct torture_schannel_bench_conn
*conn
)
701 struct torture_schannel_bench
*s
= conn
->s
;
703 DATA_BLOB names_blob
, chal
, lm_resp
, nt_resp
;
704 int flags
= CLI_CRED_NTLM_AUTH
;
705 struct tevent_req
*subreq
;
706 struct cli_credentials
*user_creds
;
708 if (conn
->total
% 2) {
709 user_creds
= s
->user1_creds
;
711 user_creds
= s
->user2_creds
;
714 if (lpcfg_client_lanman_auth(s
->tctx
->lp_ctx
)) {
715 flags
|= CLI_CRED_LANMAN_AUTH
;
718 if (lpcfg_client_ntlmv2_auth(s
->tctx
->lp_ctx
)) {
719 flags
|= CLI_CRED_NTLMv2_AUTH
;
722 talloc_free(conn
->tmp
);
723 conn
->tmp
= talloc_new(s
);
724 ZERO_STRUCT(conn
->ninfo
);
725 ZERO_STRUCT(conn
->r
);
727 cli_credentials_get_ntlm_username_domain(user_creds
, conn
->tmp
,
728 &conn
->ninfo
.identity_info
.account_name
.string
,
729 &conn
->ninfo
.identity_info
.domain_name
.string
);
731 generate_random_buffer(conn
->ninfo
.challenge
,
732 sizeof(conn
->ninfo
.challenge
));
733 chal
= data_blob_const(conn
->ninfo
.challenge
,
734 sizeof(conn
->ninfo
.challenge
));
736 names_blob
= NTLMv2_generate_names_blob(conn
->tmp
,
737 cli_credentials_get_workstation(conn
->wks_creds
),
738 cli_credentials_get_domain(conn
->wks_creds
));
740 status
= cli_credentials_get_ntlm_response(user_creds
, conn
->tmp
,
746 torture_assert_ntstatus_ok(s
->tctx
, status
,
747 "cli_credentials_get_ntlm_response failed");
749 conn
->ninfo
.lm
.data
= lm_resp
.data
;
750 conn
->ninfo
.lm
.length
= lm_resp
.length
;
752 conn
->ninfo
.nt
.data
= nt_resp
.data
;
753 conn
->ninfo
.nt
.length
= nt_resp
.length
;
755 conn
->ninfo
.identity_info
.parameter_control
= 0;
756 conn
->ninfo
.identity_info
.logon_id_low
= 0;
757 conn
->ninfo
.identity_info
.logon_id_high
= 0;
758 conn
->ninfo
.identity_info
.workstation
.string
= cli_credentials_get_workstation(conn
->wks_creds
);
760 conn
->r
.in
.server_name
= talloc_asprintf(conn
->tmp
, "\\\\%s", dcerpc_server_name(conn
->pipe
));
761 conn
->r
.in
.computer_name
= cli_credentials_get_workstation(conn
->wks_creds
);
762 conn
->r
.in
.logon_level
= NetlogonNetworkInformation
;
763 conn
->r
.in
.logon
= talloc(conn
->tmp
, union netr_LogonLevel
);
764 conn
->r
.in
.logon
->network
= &conn
->ninfo
;
765 conn
->r
.in
.flags
= talloc(conn
->tmp
, uint32_t);
766 conn
->r
.in
.validation_level
= 2;
767 conn
->r
.out
.validation
= talloc(conn
->tmp
, union netr_Validation
);
768 conn
->r
.out
.authoritative
= talloc(conn
->tmp
, uint8_t);
769 conn
->r
.out
.flags
= conn
->r
.in
.flags
;
771 subreq
= dcerpc_netr_LogonSamLogonEx_r_send(s
, s
->tctx
->ev
,
772 conn
->pipe
->binding_handle
,
774 torture_assert(s
->tctx
, subreq
, "Failed to setup LogonSamLogonEx request");
776 tevent_req_set_callback(subreq
, torture_schannel_bench_recv
, conn
);
781 static void torture_schannel_bench_recv(struct tevent_req
*subreq
)
784 struct torture_schannel_bench_conn
*conn
=
785 (struct torture_schannel_bench_conn
*)tevent_req_callback_data_void(subreq
);
786 struct torture_schannel_bench
*s
= talloc_get_type(conn
->s
,
787 struct torture_schannel_bench
);
789 s
->error
= dcerpc_netr_LogonSamLogonEx_r_recv(subreq
, subreq
);
791 if (!NT_STATUS_IS_OK(s
->error
)) {
802 ret
= torture_schannel_bench_start(conn
);
804 s
->error
= NT_STATUS_INTERNAL_ERROR
;
809 test multiple schannel connection in parallel
811 bool torture_rpc_schannel_bench1(struct torture_context
*torture
)
815 const char *binding
= torture_setting_string(torture
, "binding", NULL
);
816 struct torture_schannel_bench
*s
;
817 struct timeval start
;
822 s
= talloc_zero(torture
, struct torture_schannel_bench
);
824 s
->progress
= torture_setting_bool(torture
, "progress", true);
825 s
->timelimit
= torture_setting_int(torture
, "timelimit", 10);
826 s
->nprocs
= torture_setting_int(torture
, "nprocs", 4);
827 s
->conns
= talloc_zero_array(s
, struct torture_schannel_bench_conn
, s
->nprocs
);
829 s
->user1_creds
= cli_credentials_shallow_copy(s
, cmdline_credentials
);
830 tmp
= torture_setting_string(s
->tctx
, "extra_user1", NULL
);
832 cli_credentials_parse_string(s
->user1_creds
, tmp
, CRED_SPECIFIED
);
834 s
->user2_creds
= cli_credentials_shallow_copy(s
, cmdline_credentials
);
835 tmp
= torture_setting_string(s
->tctx
, "extra_user2", NULL
);
837 cli_credentials_parse_string(s
->user1_creds
, tmp
, CRED_SPECIFIED
);
840 s
->join_ctx1
= torture_join_domain(s
->tctx
, talloc_asprintf(s
, "%sb", TEST_MACHINE_NAME
),
841 ACB_WSTRUST
, &s
->wks_creds1
);
842 torture_assert(torture
, s
->join_ctx1
!= NULL
,
843 "Failed to join domain with acct_flags=ACB_WSTRUST");
844 s
->join_ctx2
= torture_join_domain(s
->tctx
, talloc_asprintf(s
, "%sc", TEST_MACHINE_NAME
),
845 ACB_WSTRUST
, &s
->wks_creds2
);
846 torture_assert(torture
, s
->join_ctx2
!= NULL
,
847 "Failed to join domain with acct_flags=ACB_WSTRUST");
849 cli_credentials_set_kerberos_state(s
->wks_creds1
, CRED_DONT_USE_KERBEROS
);
850 cli_credentials_set_kerberos_state(s
->wks_creds2
, CRED_DONT_USE_KERBEROS
);
852 for (i
=0; i
< s
->nprocs
; i
++) {
853 struct cli_credentials
*wks
= s
->wks_creds1
;
855 if ((i
% 2) && (torture_setting_bool(torture
, "multijoin", false))) {
860 s
->conns
[i
].index
= i
;
861 s
->conns
[i
].wks_creds
= cli_credentials_shallow_copy(s
->conns
, wks
);
862 cli_credentials_set_netlogon_creds(s
->conns
[i
].wks_creds
, NULL
);
865 status
= dcerpc_parse_binding(s
, binding
, &s
->b
);
866 torture_assert_ntstatus_ok(torture
, status
, "Bad binding string");
867 s
->b
->flags
&= ~DCERPC_AUTH_OPTIONS
;
868 s
->b
->flags
|= DCERPC_SCHANNEL
| DCERPC_SIGN
;
870 torture_comment(torture
, "Opening %d connections in parallel\n", s
->nprocs
);
871 for (i
=0; i
< s
->nprocs
; i
++) {
873 s
->error
= dcerpc_pipe_connect_b(s
->conns
, &s
->conns
[i
].pipe
, s
->b
,
875 s
->conns
[i
].wks_creds
,
876 torture
->ev
, torture
->lp_ctx
);
877 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed to connect with schannel");
880 * This path doesn't work against windows,
881 * because of windows drops the connections
882 * which haven't reached a session setup yet
884 * The same as the reset on zero vc stuff.
886 struct composite_context
*c
;
887 c
= dcerpc_pipe_connect_b_send(s
->conns
, s
->b
,
889 s
->conns
[i
].wks_creds
,
892 torture_assert(torture
, c
!= NULL
, "Failed to setup connect");
893 c
->async
.fn
= torture_schannel_bench_connected
;
894 c
->async
.private_data
= &s
->conns
[i
];
897 while (NT_STATUS_IS_OK(s
->error
) && s
->nprocs
!= s
->nconns
) {
898 int ev_ret
= tevent_loop_once(torture
->ev
);
899 torture_assert(torture
, ev_ret
== 0, "tevent_loop_once failed");
902 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed establish a connect");
905 * Change the workstation password after establishing the netlogon
906 * schannel connections to prove that existing connections are not
907 * affected by a wks pwchange.
911 struct netr_ServerPasswordSet pwset
;
912 char *password
= generate_random_password(s
->join_ctx1
, 8, 255);
913 struct netlogon_creds_CredentialState
*creds_state
;
914 struct dcerpc_pipe
*net_pipe
;
915 struct netr_Authenticator credential
, return_authenticator
;
916 struct samr_Password new_password
;
918 status
= dcerpc_pipe_connect_b(s
, &net_pipe
, s
->b
,
921 torture
->ev
, torture
->lp_ctx
);
923 torture_assert_ntstatus_ok(torture
, status
,
924 "dcerpc_pipe_connect_b failed");
926 pwset
.in
.server_name
= talloc_asprintf(
927 net_pipe
, "\\\\%s", dcerpc_server_name(net_pipe
));
928 pwset
.in
.computer_name
=
929 cli_credentials_get_workstation(s
->wks_creds1
);
930 pwset
.in
.account_name
= talloc_asprintf(
931 net_pipe
, "%s$", pwset
.in
.computer_name
);
932 pwset
.in
.secure_channel_type
= SEC_CHAN_WKSTA
;
933 pwset
.in
.credential
= &credential
;
934 pwset
.in
.new_password
= &new_password
;
935 pwset
.out
.return_authenticator
= &return_authenticator
;
937 E_md4hash(password
, new_password
.hash
);
939 creds_state
= cli_credentials_get_netlogon_creds(
941 netlogon_creds_des_encrypt(creds_state
, &new_password
);
942 netlogon_creds_client_authenticator(creds_state
, &credential
);
944 torture_assert_ntstatus_ok(torture
, dcerpc_netr_ServerPasswordSet_r(net_pipe
->binding_handle
, torture
, &pwset
),
945 "ServerPasswordSet failed");
946 torture_assert_ntstatus_ok(torture
, pwset
.out
.result
,
947 "ServerPasswordSet failed");
949 if (!netlogon_creds_client_check(creds_state
,
950 &pwset
.out
.return_authenticator
->cred
)) {
951 torture_comment(torture
, "Credential chaining failed\n");
954 cli_credentials_set_password(s
->wks_creds1
, password
,
957 talloc_free(net_pipe
);
959 /* Just as a test, connect with the new creds */
961 cli_credentials_set_netlogon_creds(s
->wks_creds1
, NULL
);
963 status
= dcerpc_pipe_connect_b(s
, &net_pipe
, s
->b
,
966 torture
->ev
, torture
->lp_ctx
);
968 torture_assert_ntstatus_ok(torture
, status
,
969 "dcerpc_pipe_connect_b failed");
971 talloc_free(net_pipe
);
974 torture_comment(torture
, "Start looping LogonSamLogonEx on %d connections for %d secs\n",
975 s
->nprocs
, s
->timelimit
);
976 for (i
=0; i
< s
->nprocs
; i
++) {
977 ret
= torture_schannel_bench_start(&s
->conns
[i
]);
978 torture_assert(torture
, ret
, "Failed to setup LogonSamLogonEx");
981 start
= timeval_current();
982 end
= timeval_add(&start
, s
->timelimit
, 0);
984 while (NT_STATUS_IS_OK(s
->error
) && !timeval_expired(&end
)) {
985 int ev_ret
= tevent_loop_once(torture
->ev
);
986 torture_assert(torture
, ev_ret
== 0, "tevent_loop_once failed");
988 torture_assert_ntstatus_ok(torture
, s
->error
, "Failed some request");
990 talloc_free(s
->conns
);
992 for (i
=0; i
< s
->nprocs
; i
++) {
993 s
->total
+= s
->conns
[i
].total
;
996 torture_comment(torture
,
997 "Total ops[%llu] (%u ops/s)\n",
998 (unsigned long long)s
->total
,
999 (unsigned)s
->total
/s
->timelimit
);
1001 torture_leave_domain(torture
, s
->join_ctx1
);
1002 torture_leave_domain(torture
, s
->join_ctx2
);