search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r14470: Remove some unnecessary headers.
[Samba.git] / source / torture / rpc / schannel.c
blobcb3723f995eaeb3e6c4ae7202ed2075d1940d3cc
1 /*
2 Unix SMB/CIFS implementation.
3
4 test suite for schannel operations
5
6 Copyright (C) Andrew Tridgell 2004
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "librpc/gen_ndr/ndr_netlogon_c.h"
25 #include "librpc/gen_ndr/ndr_lsa_c.h"
26 #include "librpc/gen_ndr/ndr_samr_c.h"
27 #include "auth/credentials/credentials.h"
28 #include "torture/rpc/rpc.h"
29 #include "lib/cmdline/popt_common.h"
30 #include "auth/gensec/schannel_proto.h"
31 #include "libcli/auth/libcli_auth.h"
32 #include "libcli/security/proto.h"
33
34 #define TEST_MACHINE_NAME "schannel"
35
36 /*
37 try a netlogon SamLogon
38 */
39 BOOL test_netlogon_ex_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
40 struct cli_credentials *credentials,
41 struct creds_CredentialState *creds)
42 {
43 NTSTATUS status;
44 struct netr_LogonSamLogonEx r;
45 struct netr_NetworkInfo ninfo;
46 DATA_BLOB names_blob, chal, lm_resp, nt_resp;
47 int i;
48 BOOL ret = True;
49 int flags = CLI_CRED_NTLM_AUTH;
50 if (lp_client_lanman_auth()) {
51 flags |= CLI_CRED_LANMAN_AUTH;
52 }
53
54 if (lp_client_ntlmv2_auth()) {
55 flags |= CLI_CRED_NTLMv2_AUTH;
56 }
57
58 cli_credentials_get_ntlm_username_domain(cmdline_credentials, mem_ctx,
59 &ninfo.identity_info.account_name.string,
60 &ninfo.identity_info.domain_name.string);
61
62 generate_random_buffer(ninfo.challenge,
63 sizeof(ninfo.challenge));
64 chal = data_blob_const(ninfo.challenge,
65 sizeof(ninfo.challenge));
66
67 names_blob = NTLMv2_generate_names_blob(mem_ctx, cli_credentials_get_workstation(credentials),
68 cli_credentials_get_domain(credentials));
69
70 status = cli_credentials_get_ntlm_response(cmdline_credentials, mem_ctx,
71 &flags,
72 chal,
73 names_blob,
74 &lm_resp, &nt_resp,
75 NULL, NULL);
76 if (!NT_STATUS_IS_OK(status)) {
77 printf("cli_credentials_get_ntlm_response failed: %s\n",
78 nt_errstr(status));
79 return False;
80 }
81
82 ninfo.lm.data = lm_resp.data;
83 ninfo.lm.length = lm_resp.length;
84
85 ninfo.nt.data = nt_resp.data;
86 ninfo.nt.length = nt_resp.length;
87
88 ninfo.identity_info.parameter_control = 0;
89 ninfo.identity_info.logon_id_low = 0;
90 ninfo.identity_info.logon_id_high = 0;
91 ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
92
93 r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
94 r.in.computer_name = cli_credentials_get_workstation(credentials);
95 r.in.logon_level = 2;
96 r.in.logon.network = &ninfo;
97 r.in.flags = 0;
98
99 printf("Testing LogonSamLogonEx with name %s\n", ninfo.identity_info.account_name.string);
100
101 for (i=2;i<3;i++) {
102 r.in.validation_level = i;
103
104 status = dcerpc_netr_LogonSamLogonEx(p, mem_ctx, &r);
105 if (!NT_STATUS_IS_OK(status)) {
106 printf("LogonSamLogon failed: %s\n",
107 nt_errstr(status));
108 return False;
109 }
110 }
111
112 return ret;
113 }
114
115 /*
116 do some samr ops using the schannel connection
117 */
118 static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
119 {
120 NTSTATUS status;
121 struct samr_GetDomPwInfo r;
122 struct samr_Connect connect;
123 struct samr_OpenDomain opendom;
124 int i;
125 struct lsa_String name;
126 struct policy_handle handle;
127 struct policy_handle domain_handle;
128
129 name.string = lp_workgroup();
130 r.in.domain_name = &name;
131
132 connect.in.system_name = 0;
133 connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
134 connect.out.connect_handle = &handle;
135
136 printf("Testing Connect and OpenDomain on BUILTIN\n");
137
138 status = dcerpc_samr_Connect(p, mem_ctx, &connect);
139 if (!NT_STATUS_IS_OK(status)) {
140 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
141 printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
142 nt_errstr(status));
143 } else {
144 printf("Connect failed - %s\n", nt_errstr(status));
145 return False;
146 }
147 } else {
148 opendom.in.connect_handle = &handle;
149 opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
150 opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
151 opendom.out.domain_handle = &domain_handle;
152
153 status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
154 if (!NT_STATUS_IS_OK(status)) {
155 printf("OpenDomain failed - %s\n", nt_errstr(status));
156 return False;
157 }
158 }
159
160 printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
161
162 /* do several ops to test credential chaining */
163 for (i=0;i<5;i++) {
164 status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
165 if (!NT_STATUS_IS_OK(status)) {
166 if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
167 printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
168 return False;
169 }
170 }
171 }
172
173 return True;
174 }
175
176
177 /*
178 do some lsa ops using the schannel connection
179 */
180 static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
181 {
182 struct lsa_GetUserName r;
183 NTSTATUS status;
184 BOOL ret = True;
185 struct lsa_StringPointer authority_name_p;
186
187 printf("\nTesting GetUserName\n");
188
189 r.in.system_name = "\\";
190 r.in.account_name = NULL;
191 r.in.authority_name = &authority_name_p;
192 authority_name_p.string = NULL;
193
194 /* do several ops to test credential chaining and various operations */
195 status = dcerpc_lsa_GetUserName(p, mem_ctx, &r);
196
197 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
198 printf("not considering %s to be an error\n", nt_errstr(status));
199 } else if (!NT_STATUS_IS_OK(status)) {
200 printf("GetUserName failed - %s\n", nt_errstr(status));
201 return False;
202 } else {
203 if (!r.out.account_name) {
204 return False;
205 }
206
207 if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
208 printf("GetUserName returned wrong user: %s, expected %s\n",
209 r.out.account_name->string, "ANONYMOUS LOGON");
210 return False;
211 }
212 if (!r.out.authority_name || !r.out.authority_name->string) {
213 return False;
214 }
215
216 if (strcmp(r.out.authority_name->string->string, "NT AUTHORITY") != 0) {
217 printf("GetUserName returned wrong user: %s, expected %s\n",
218 r.out.authority_name->string->string, "NT AUTHORITY");
219 return False;
220 }
221 }
222 if (!test_many_LookupSids(p, mem_ctx, NULL)) {
223 printf("LsaLookupSids3 failed!\n");
224 return False;
225 }
226
227 return ret;
228 }
229
230
231 /*
232 test a schannel connection with the given flags
233 */
234 static BOOL test_schannel(TALLOC_CTX *mem_ctx,
235 uint16_t acct_flags, uint32_t dcerpc_flags,
236 int i)
237 {
238 BOOL ret = True;
239
240 struct test_join *join_ctx;
241 NTSTATUS status;
242 const char *binding = lp_parm_string(-1, "torture", "binding");
243 struct dcerpc_binding *b;
244 struct dcerpc_pipe *p = NULL;
245 struct dcerpc_pipe *p_netlogon = NULL;
246 struct dcerpc_pipe *p_netlogon2 = NULL;
247 struct dcerpc_pipe *p_netlogon3 = NULL;
248 struct dcerpc_pipe *p_samr2 = NULL;
249 struct dcerpc_pipe *p_lsa = NULL;
250 struct creds_CredentialState *creds;
251 struct cli_credentials *credentials;
252
253 TALLOC_CTX *test_ctx = talloc_named(mem_ctx, 0, "test_schannel context");
254
255 join_ctx = torture_join_domain(talloc_asprintf(mem_ctx, "%s%d", TEST_MACHINE_NAME, i),
256 acct_flags, &credentials);
257 if (!join_ctx) {
258 printf("Failed to join domain with acct_flags=0x%x\n", acct_flags);
259 talloc_free(test_ctx);
260 return False;
261 }
262
263 status = dcerpc_parse_binding(test_ctx, binding, &b);
264 if (!NT_STATUS_IS_OK(status)) {
265 printf("Bad binding string %s\n", binding);
266 goto failed;
267 }
268
269 b->flags &= ~DCERPC_AUTH_OPTIONS;
270 b->flags |= dcerpc_flags;
271
272 status = dcerpc_pipe_connect_b(test_ctx, &p, b, &dcerpc_table_samr,
273 credentials, NULL);
274 if (!NT_STATUS_IS_OK(status)) {
275 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
276 goto failed;
277 }
278
279 if (!test_samr_ops(p, test_ctx)) {
280 printf("Failed to process schannel secured SAMR ops\n");
281 ret = False;
282 }
283
284 /* Also test that when we connect to the netlogon pipe, that
285 * the credentials we setup on the first pipe are valid for
286 * the second */
287
288 /* Swap the binding details from SAMR to NETLOGON */
289 status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_netlogon, NULL);
290 if (!NT_STATUS_IS_OK(status)) {
291 goto failed;
292 }
293
294 status = dcerpc_secondary_connection(p, &p_netlogon,
295 b);
296
297 if (!NT_STATUS_IS_OK(status)) {
298 goto failed;
299 }
300
301 status = dcerpc_bind_auth(p_netlogon, &dcerpc_table_netlogon,
302 credentials, DCERPC_AUTH_TYPE_SCHANNEL,
303 dcerpc_auth_level(p->conn),
304 NULL);
305
306 if (!NT_STATUS_IS_OK(status)) {
307 goto failed;
308 }
309
310 status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, test_ctx, &creds);
311 if (!NT_STATUS_IS_OK(status)) {
312 goto failed;
313 }
314
315 /* do a couple of logins */
316 if (!test_netlogon_ops(p_netlogon, test_ctx, credentials, creds)) {
317 printf("Failed to process schannel secured NETLOGON ops\n");
318 ret = False;
319 }
320
321 if (!test_netlogon_ex_ops(p_netlogon, test_ctx, credentials, creds)) {
322 printf("Failed to process schannel secured NETLOGON EX ops\n");
323 ret = False;
324 }
325
326 /* Swap the binding details from SAMR to LSARPC */
327 status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_lsarpc, NULL);
328 if (!NT_STATUS_IS_OK(status)) {
329 goto failed;
330 }
331
332 status = dcerpc_secondary_connection(p, &p_lsa,
333 b);
334
335 if (!NT_STATUS_IS_OK(status)) {
336 goto failed;
337 }
338
339 status = dcerpc_bind_auth(p_lsa, &dcerpc_table_lsarpc,
340 credentials, DCERPC_AUTH_TYPE_SCHANNEL,
341 dcerpc_auth_level(p->conn),
342 NULL);
343
344 if (!NT_STATUS_IS_OK(status)) {
345 goto failed;
346 }
347
348 if (!test_lsa_ops(p_lsa, test_ctx)) {
349 printf("Failed to process schannel secured LSA ops\n");
350 ret = False;
351 }
352
353 /* Drop the socket, we want to start from scratch */
354 talloc_free(p);
355 p = NULL;
356
357 /* Now see what we are still allowed to do */
358
359 status = dcerpc_parse_binding(test_ctx, binding, &b);
360 if (!NT_STATUS_IS_OK(status)) {
361 printf("Bad binding string %s\n", binding);
362 goto failed;
363 }
364
365 b->flags &= ~DCERPC_AUTH_OPTIONS;
366 b->flags |= dcerpc_flags;
367
368 status = dcerpc_pipe_connect_b(test_ctx, &p_samr2, b, &dcerpc_table_samr,
369 credentials, NULL);
370 if (!NT_STATUS_IS_OK(status)) {
371 printf("Failed to connect with schannel: %s\n", nt_errstr(status));
372 goto failed;
373 }
374
375 /* do a some SAMR operations. We have *not* done a new serverauthenticate */
376 if (!test_samr_ops(p_samr2, test_ctx)) {
377 printf("Failed to process schannel secured SAMR ops (on fresh connection)\n");
378 goto failed;
379 }
380
381 /* Swap the binding details from SAMR to NETLOGON */
382 status = dcerpc_epm_map_binding(test_ctx, b, &dcerpc_table_netlogon, NULL);
383 if (!NT_STATUS_IS_OK(status)) {
384 goto failed;
385 }
386
387 status = dcerpc_secondary_connection(p_samr2, &p_netlogon2,
388 b);
389 if (!NT_STATUS_IS_OK(status)) {
390 goto failed;
391 }
392
393 /* and now setup an SCHANNEL bind on netlogon */
394 status = dcerpc_bind_auth(p_netlogon2, &dcerpc_table_netlogon,
395 credentials, DCERPC_AUTH_TYPE_SCHANNEL,
396 dcerpc_auth_level(p_samr2->conn),
397 NULL);
398
399 if (!NT_STATUS_IS_OK(status)) {
400 goto failed;
401 }
402
403 /* Try the schannel-only SamLogonEx operation */
404 if (!test_netlogon_ex_ops(p_netlogon2, test_ctx, credentials, creds)) {
405 printf("Failed to process schannel secured NETLOGON EX ops (on fresh connection)\n");
406 ret = False;
407 }
408
409 /* And the more traditional style, proving that the
410 * credentials chaining state is fully present */
411 if (!test_netlogon_ops(p_netlogon2, test_ctx, credentials, creds)) {
412 printf("Failed to process schannel secured NETLOGON ops (on fresh connection)\n");
413 ret = False;
414 }
415
416 /* Drop the socket, we want to start from scratch (again) */
417 talloc_free(p_samr2);
418
419 /* We don't want schannel for this test */
420 b->flags &= ~DCERPC_AUTH_OPTIONS;
421
422 status = dcerpc_pipe_connect_b(test_ctx, &p_netlogon3, b, &dcerpc_table_netlogon,
423 credentials, NULL);
424 if (!NT_STATUS_IS_OK(status)) {
425 printf("Failed to connect without schannel: %s\n", nt_errstr(status));
426 goto failed;
427 }
428
429 if (test_netlogon_ex_ops(p_netlogon3, test_ctx, credentials, creds)) {
430 printf("Processed NOT schannel secured NETLOGON EX ops without SCHANNEL (unsafe)\n");
431 ret = False;
432 }
433
434 if (!test_netlogon_ops(p_netlogon3, test_ctx, credentials, creds)) {
435 printf("Failed to processed NOT schannel secured NETLOGON ops without new ServerAuth\n");
436 ret = False;
437 }
438
439 torture_leave_domain(join_ctx);
440 talloc_free(test_ctx);
441 return ret;
442
443 failed:
444 torture_leave_domain(join_ctx);
445 talloc_free(test_ctx);
446 return False;
447 }
448
449 /*
450 a schannel test suite
451 */
452 BOOL torture_rpc_schannel(void)
453 {
454 TALLOC_CTX *mem_ctx;
455 BOOL ret = True;
456 struct {
457 uint16_t acct_flags;
458 uint32_t dcerpc_flags;
459 } tests[] = {
460 { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SIGN},
461 { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SEAL},
462 { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128},
463 { ACB_WSTRUST, DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 },
464 { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SIGN },
465 { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SEAL },
466 { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128 },
467 { ACB_SVRTRUST, DCERPC_SCHANNEL | DCERPC_SEAL | DCERPC_SCHANNEL_128 }
468 };
469 int i;
470
471 mem_ctx = talloc_init("torture_rpc_schannel");
472
473 for (i=0;i<ARRAY_SIZE(tests);i++) {
474 if (!test_schannel(mem_ctx,
475 tests[i].acct_flags, tests[i].dcerpc_flags,
476 i)) {
477 printf("Failed with acct_flags=0x%x dcerpc_flags=0x%x \n",
478 tests[i].acct_flags, tests[i].dcerpc_flags);
479 ret = False;
480 break;
481 }
482 }
483
484 talloc_free(mem_ctx);
485
486 return ret;
487 }
Samba GIT mirror