diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2004-11-11 04:32:01 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:05:43 -0500 |
| commit | a8db4dcf03bccb2e1b954d097e758d6c7780db9e (patch) | |
| tree | 6f91b3623b76da1da8194efd04fcce048fcfaf33 /source4/torture/rpc/netlogon.c | |
| parent | 5afda90c95e2e120f1121afb6b9fe7f5222ffa1e (diff) | |
| download | samba-a8db4dcf03bccb2e1b954d097e758d6c7780db9e.tar.gz samba-a8db4dcf03bccb2e1b954d097e758d6c7780db9e.tar.bz2 samba-a8db4dcf03bccb2e1b954d097e758d6c7780db9e.zip | |
r3677: Seperate the SamLogon tests from the main RPC-NETLOGON test into a
RPC-SAMLOGON of their own.
I have expanded the tests to validate the use of various flags, which
change some of the crypto behaviour.
Andrew Bartlett
(This used to be commit 3a140a3691ce49ebf4d1efcb99cfffd26c68a28f)
Diffstat (limited to 'source4/torture/rpc/netlogon.c')
| -rw-r--r-- | source4/torture/rpc/netlogon.c | 1048 |
1 files changed, 37 insertions, 1011 deletions
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 0551151db8..fe64727d79 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -25,8 +25,6 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_netlogon.h" #include "auth/auth.h" -#include "lib/crypto/crypto.h" - static const char *machine_password; @@ -74,20 +72,21 @@ static BOOL test_LogonUasLogoff(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) } -static BOOL test_SetupCredentials(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds) +BOOL test_SetupCredentials(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + const char *machine_name, + const char *plain_pass, + struct creds_CredentialState *creds) { NTSTATUS status; struct netr_ServerReqChallenge r; struct netr_ServerAuthenticate a; struct netr_Credential credentials1, credentials2, credentials3; - const char *plain_pass; struct samr_Password mach_password; printf("Testing ServerReqChallenge\n"); r.in.server_name = NULL; - r.in.computer_name = TEST_MACHINE_NAME; + r.in.computer_name = machine_name; r.in.credentials = &credentials1; r.out.credentials = &credentials2; @@ -99,23 +98,17 @@ static BOOL test_SetupCredentials(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return False; } - plain_pass = machine_password; - if (!plain_pass) { - printf("Unable to fetch machine password!\n"); - return False; - } - E_md4hash(plain_pass, mach_password.hash); a.in.server_name = NULL; - a.in.account_name = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME); + a.in.account_name = talloc_asprintf(mem_ctx, "%s$", machine_name); a.in.secure_channel_type = SEC_CHAN_BDC; - a.in.computer_name = TEST_MACHINE_NAME; + a.in.computer_name = machine_name; a.in.credentials = &credentials3; a.out.credentials = &credentials3; creds_client_init(creds, &credentials1, &credentials2, &mach_password, &credentials3, - NETLOGON_NEG_AUTH2_FLAGS); + 0); printf("Testing ServerAuthenticate\n"); @@ -133,21 +126,22 @@ static BOOL test_SetupCredentials(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return True; } -static BOOL test_SetupCredentials2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - uint32_t negotiate_flags, - struct creds_CredentialState *creds) +BOOL test_SetupCredentials2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + uint32_t negotiate_flags, + const char *machine_name, + const char *plain_pass, + struct creds_CredentialState *creds) { NTSTATUS status; struct netr_ServerReqChallenge r; struct netr_ServerAuthenticate2 a; struct netr_Credential credentials1, credentials2, credentials3; - const char *plain_pass; struct samr_Password mach_password; printf("Testing ServerReqChallenge\n"); r.in.server_name = NULL; - r.in.computer_name = TEST_MACHINE_NAME; + r.in.computer_name = machine_name; r.in.credentials = &credentials1; r.out.credentials = &credentials2; @@ -159,18 +153,12 @@ static BOOL test_SetupCredentials2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return False; } - plain_pass = machine_password; - if (!plain_pass) { - printf("Unable to fetch machine password!\n"); - return False; - } - E_md4hash(plain_pass, mach_password.hash); a.in.server_name = NULL; - a.in.account_name = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME); + a.in.account_name = talloc_asprintf(mem_ctx, "%s$", machine_name); a.in.secure_channel_type = SEC_CHAN_BDC; - a.in.computer_name = TEST_MACHINE_NAME; + a.in.computer_name = machine_name; a.in.negotiate_flags = &negotiate_flags; a.out.negotiate_flags = &negotiate_flags; a.in.credentials = &credentials3; @@ -198,22 +186,23 @@ static BOOL test_SetupCredentials2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, } -static BOOL test_SetupCredentials3(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - uint32_t negotiate_flags, - struct creds_CredentialState *creds) +BOOL test_SetupCredentials3(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + uint32_t negotiate_flags, + const char *machine_name, + const char *plain_pass, + struct creds_CredentialState *creds) { NTSTATUS status; struct netr_ServerReqChallenge r; struct netr_ServerAuthenticate3 a; struct netr_Credential credentials1, credentials2, credentials3; - const char *plain_pass; struct samr_Password mach_password; uint32 rid; printf("Testing ServerReqChallenge\n"); r.in.server_name = NULL; - r.in.computer_name = TEST_MACHINE_NAME; + r.in.computer_name = machine_name; r.in.credentials = &credentials1; r.out.credentials = &credentials2; @@ -225,18 +214,12 @@ static BOOL test_SetupCredentials3(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return False; } - plain_pass = machine_password; - if (!plain_pass) { - printf("Unable to fetch machine password!\n"); - return False; - } - E_md4hash(plain_pass, mach_password.hash); a.in.server_name = NULL; - a.in.account_name = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME); + a.in.account_name = talloc_asprintf(mem_ctx, "%s$", machine_name); a.in.secure_channel_type = SEC_CHAN_BDC; - a.in.computer_name = TEST_MACHINE_NAME; + a.in.computer_name = machine_name; a.in.negotiate_flags = &negotiate_flags; a.in.credentials = &credentials3; a.out.credentials = &credentials3; @@ -264,961 +247,6 @@ static BOOL test_SetupCredentials3(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return True; } -enum ntlm_break { - BREAK_BOTH, - BREAK_NONE, - BREAK_LM, - BREAK_NT, - NO_LM, - NO_NT -}; - -struct samlogon_state { - TALLOC_CTX *mem_ctx; - const char *account_name; - const char *account_domain; - const char *password; - struct dcerpc_pipe *p; - int function_level; - struct netr_LogonSamLogon r; - struct netr_LogonSamLogonWithFlags r_flags; - struct netr_Authenticator auth, auth2; - struct creds_CredentialState creds; - - DATA_BLOB chall; -}; - -/* - Authenticate a user with a challenge/response, checking session key - and valid authentication types -*/ -static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, - enum ntlm_break break_which, - DATA_BLOB *chall, - DATA_BLOB *lm_response, - DATA_BLOB *nt_response, - uint8_t lm_key[8], - uint8_t user_session_key[16], - char **error_string) -{ - NTSTATUS status; - struct netr_LogonSamLogon *r = &samlogon_state->r; - struct netr_LogonSamLogonWithFlags *r_flags = &samlogon_state->r_flags; - struct netr_NetworkInfo ninfo; - - struct netr_SamBaseInfo *base; - - uint16 validation_level; - - samlogon_state->r.in.logon.network = &ninfo; - samlogon_state->r_flags.in.logon.network = &ninfo; - - ninfo.identity_info.domain_name.string = samlogon_state->account_domain; - ninfo.identity_info.parameter_control = 0; - ninfo.identity_info.logon_id_low = 0; - ninfo.identity_info.logon_id_high = 0; - ninfo.identity_info.account_name.string = samlogon_state->account_name; - ninfo.identity_info.workstation.string = TEST_MACHINE_NAME; - - memcpy(ninfo.challenge, chall->data, 8); - - switch (break_which) { - case BREAK_NONE: - break; - case BREAK_LM: - if (lm_response && lm_response->data) { - lm_response->data[0]++; - } - break; - case BREAK_NT: - if (nt_response && nt_response->data) { - nt_response->data[0]++; - } - break; - case BREAK_BOTH: - if (lm_response && lm_response->data) { - lm_response->data[0]++; - } - if (nt_response && nt_response->data) { - nt_response->data[0]++; - } - break; - case NO_LM: - data_blob_free(lm_response); - break; - case NO_NT: - data_blob_free(nt_response); - break; - } - - if (nt_response) { - ninfo.nt.data = nt_response->data; - ninfo.nt.length = nt_response->length; - } else { - ninfo.nt.data = NULL; - ninfo.nt.length = 0; - } - - if (lm_response) { - ninfo.lm.data = lm_response->data; - ninfo.lm.length = lm_response->length; - } else { - ninfo.lm.data = NULL; - ninfo.lm.length = 0; - } - - ZERO_STRUCT(samlogon_state->auth2); - creds_client_authenticator(&samlogon_state->creds, &samlogon_state->auth); - - switch (samlogon_state->function_level) { - case DCERPC_NETR_LOGONSAMLOGON: - r->out.return_authenticator = NULL; - status = dcerpc_netr_LogonSamLogon(samlogon_state->p, samlogon_state->mem_ctx, r); - if (!r->out.return_authenticator || - !creds_client_check(&samlogon_state->creds, &r->out.return_authenticator->cred)) { - printf("Credential chaining failed\n"); - } - if (!NT_STATUS_IS_OK(status)) { - if (error_string) { - *error_string = strdup(nt_errstr(status)); - } - } - - validation_level = r->in.validation_level; - switch (validation_level) { - case 2: - base = &r->out.validation.sam2->base; - break; - case 3: - base = &r->out.validation.sam3->base; - break; - case 6: - base = &r->out.validation.sam6->base; - break; - } - break; - case DCERPC_NETR_LOGONSAMLOGONWITHFLAGS: - r_flags->out.return_authenticator = NULL; - status = dcerpc_netr_LogonSamLogonWithFlags(samlogon_state->p, samlogon_state->mem_ctx, r_flags); - if (!r_flags->out.return_authenticator || - !creds_client_check(&samlogon_state->creds, &r_flags->out.return_authenticator->cred)) { - printf("Credential chaining failed\n"); - } - if (!NT_STATUS_IS_OK(status)) { - if (error_string) { - *error_string = strdup(nt_errstr(status)); - } - } - - validation_level = r_flags->in.validation_level; - switch (validation_level) { - case 2: - base = &r_flags->out.validation.sam2->base; - break; - case 3: - base = &r_flags->out.validation.sam3->base; - break; - case 6: - base = &r_flags->out.validation.sam6->base; - break; - } - break; - } - - - if (!NT_STATUS_IS_OK(status)) { - /* we cannot check the session key, if the logon failed... */ - return status; - } - - - /* find and decyrpt the session keys, return in parameters above */ - if (validation_level != 6) { - static const char zeros[16]; - - if (memcmp(base->key.key, zeros, - sizeof(base->key.key)) != 0) { - creds_arcfour_crypt(&samlogon_state->creds, - base->key.key, - sizeof(base->key.key)); - } - - if (user_session_key) { - memcpy(user_session_key, base->key.key, 16); - } - - if (memcmp(base->LMSessKey.key, zeros, - sizeof(base->LMSessKey.key)) != 0) { - creds_arcfour_crypt(&samlogon_state->creds, - base->LMSessKey.key, - sizeof(base->LMSessKey.key)); - } - - if (lm_key) { - memcpy(lm_key, base->LMSessKey.key, 8); - } - } else { - /* they aren't encrypted! */ - if (user_session_key) { - memcpy(user_session_key, base->key.key, 16); - } - if (lm_key) { - memcpy(lm_key, base->LMSessKey.key, 8); - } - } - - return status; -} - - -/* - * Test the normal 'LM and NTLM' combination - */ - -static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm_break break_which, char **error_string) -{ - BOOL pass = True; - BOOL lm_good; - NTSTATUS nt_status; - DATA_BLOB lm_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); - DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); - DATA_BLOB session_key = data_blob_talloc(samlogon_state->mem_ctx, NULL, 16); - - uint8_t lm_key[8]; - uint8_t user_session_key[16]; - uint8_t lm_hash[16]; - uint8_t nt_hash[16]; - - ZERO_STRUCT(lm_key); - ZERO_STRUCT(user_session_key); - - lm_good = SMBencrypt(samlogon_state->password, samlogon_state->chall.data, lm_response.data); - if (!lm_good) { - ZERO_STRUCT(lm_hash); - } else { - E_deshash(samlogon_state->password, lm_hash); - } - - SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, nt_response.data); - - E_md4hash(samlogon_state->password, nt_hash); - SMBsesskeygen_ntv1(nt_hash, session_key.data); - - nt_status = check_samlogon(samlogon_state, - break_which, - &samlogon_state->chall, - &lm_response, - &nt_response, - lm_key, - user_session_key, - error_string); - - data_blob_free(&lm_response); - - if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) { - /* for 'long' passwords, the LM password is invalid */ - if (break_which == NO_NT && !lm_good) { - return True; - } - return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH)); - } - - if (!NT_STATUS_IS_OK(nt_status)) { - return False; - } - - if (break_which == NO_NT && !lm_good) { - printf("LM password is 'long' (> 14 chars and therefore invalid) but login did not fail!"); - return False; - } - - if (memcmp(lm_hash, lm_key, - sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations!\n"); - printf("lm_key:\n"); - dump_data(1, (const char *)lm_key, 8); - printf("expected:\n"); - dump_data(1, (const char *)lm_hash, 8); - pass = False; - } - - switch (break_which) { - case NO_NT: - { - char lm_key_expected[16]; - memcpy(lm_key_expected, lm_hash, 8); - memset(lm_key_expected+8, '\0', 8); - if (memcmp(lm_key_expected, user_session_key, - 16) != 0) { - printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); - printf("user_session_key:\n"); - dump_data(1, (const char *)user_session_key, sizeof(user_session_key)); - printf("expected:\n"); - dump_data(1, (const char *)lm_key_expected, sizeof(lm_key_expected)); - pass = False; - } - break; - } - default: - if (memcmp(session_key.data, user_session_key, - sizeof(user_session_key)) != 0) { - printf("NT Session Key does not match expectations!\n"); - printf("user_session_key:\n"); - dump_data(1, (const char *)user_session_key, 16); - printf("expected:\n"); - dump_data(1, (const char *)session_key.data, session_key.length); - pass = False; - } - } - return pass; -} - -/* - * Test LM authentication, no NT response supplied - */ - -static BOOL test_lm(struct samlogon_state *samlogon_state, char **error_string) -{ - - return test_lm_ntlm_broken(samlogon_state, NO_NT, error_string); -} - -/* - * Test the NTLM response only, no LM. - */ - -static BOOL test_ntlm(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lm_ntlm_broken(samlogon_state, NO_LM, error_string); -} - -/* - * Test the NTLM response only, but in the LM field. - */ - -static BOOL test_ntlm_in_lm(struct samlogon_state *samlogon_state, char **error_string) -{ - BOOL pass = True; - NTSTATUS nt_status; - DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); - - uint8_t lm_key[8]; - uint8_t lm_hash[16]; - uint8_t user_session_key[16]; - - ZERO_STRUCT(user_session_key); - - SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, nt_response.data); - - E_deshash(samlogon_state->password, lm_hash); - - nt_status = check_samlogon(samlogon_state, - BREAK_NONE, - &samlogon_state->chall, - &nt_response, - NULL, - lm_key, - user_session_key, - error_string); - - if (!NT_STATUS_IS_OK(nt_status)) { - return False; - } - - if (memcmp(lm_hash, lm_key, - sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations!\n"); - printf("lm_key:\n"); - dump_data(1, (const char *)lm_key, 8); - printf("expected:\n"); - dump_data(1, (const char *)lm_hash, 8); - pass = False; - } - if (memcmp(lm_hash, user_session_key, 8) != 0) { - char lm_key_expected[16]; - memcpy(lm_key_expected, lm_hash, 8); - memset(lm_key_expected+8, '\0', 8); - if (memcmp(lm_key_expected, user_session_key, - 16) != 0) { - printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); - printf("user_session_key:\n"); - dump_data(1, (const char *)user_session_key, sizeof(user_session_key)); - printf("expected:\n"); - dump_data(1, (const char *)lm_key_expected, sizeof(lm_key_expected)); - pass = False; - } - } - return pass; -} - -/* - * Test the NTLM response only, but in the both the NT and LM fields. - */ - -static BOOL test_ntlm_in_both(struct samlogon_state *samlogon_state, char **error_string) -{ - BOOL pass = True; - BOOL lm_good; - NTSTATUS nt_status; - DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); - DATA_BLOB session_key = data_blob_talloc(samlogon_state->mem_ctx, NULL, 16); - - char lm_key[8]; - char lm_hash[16]; - char user_session_key[16]; - char nt_hash[16]; - - ZERO_STRUCT(lm_key); - ZERO_STRUCT(user_session_key); - - SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, - nt_response.data); - E_md4hash(samlogon_state->password, (uint8_t *)nt_hash); - SMBsesskeygen_ntv1((const uint8_t *)nt_hash, - session_key.data); - - lm_good = E_deshash(samlogon_state->password, (uint8_t *)lm_hash); - if (!lm_good) { - ZERO_STRUCT(lm_hash); - } - - nt_status = check_samlogon(samlogon_state, - BREAK_NONE, - &samlogon_state->chall, - NULL, - &nt_response, - lm_key, - user_session_key, - error_string); - - if (!NT_STATUS_IS_OK(nt_status)) { - return False; - } - - if (memcmp(lm_hash, lm_key, - sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations!\n"); - printf("lm_key:\n"); - dump_data(1, lm_key, 8); - printf("expected:\n"); - dump_data(1, lm_hash, 8); - pass = False; - } - if (memcmp(session_key.data, user_session_key, - sizeof(user_session_key)) != 0) { - printf("NT Session Key does not match expectations!\n"); - printf("user_session_key:\n"); - dump_data(1, user_session_key, 16); - printf("expected:\n"); - dump_data(1, (const char *)session_key.data, session_key.length); - pass = False; - } - - - return pass; -} - -/* - * Test the NTLMv2 and LMv2 responses - */ - -static BOOL test_lmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, enum ntlm_break break_which, char **error_string) -{ - BOOL pass = True; - NTSTATUS nt_status; - DATA_BLOB ntlmv2_response = data_blob(NULL, 0); - DATA_BLOB lmv2_response = data_blob(NULL, 0); - DATA_BLOB lmv2_session_key = data_blob(NULL, 0); - DATA_BLOB ntlmv2_session_key = data_blob(NULL, 0); - DATA_BLOB names_blob = NTLMv2_generate_names_blob(samlogon_state->mem_ctx, lp_netbios_name(), lp_workgroup()); - - uint8_t lm_session_key[8]; - uint8_t user_session_key[16]; - - ZERO_STRUCT(lm_session_key); - ZERO_STRUCT(user_session_key); - - /* TODO - test with various domain cases, and without domain */ - if (!SMBNTLMv2encrypt(samlogon_state->account_name, samlogon_state->account_domain, - samlogon_state->password, &samlogon_state->chall, - &names_blob, - &lmv2_response, &ntlmv2_response, - &lmv2_session_key, &ntlmv2_session_key)) { - data_blob_free(&names_blob); - return False; - } - data_blob_free(&names_blob); - - nt_status = check_samlogon(samlogon_state, - break_which, - &samlogon_state->chall, - &lmv2_response, - &ntlmv2_response, - lm_session_key, - user_session_key, - error_string); - - data_blob_free(&lmv2_response); - data_blob_free(&ntlmv2_response); - - - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { - return break_which == BREAK_BOTH; - } - - switch (break_which) { - case NO_NT: - if (memcmp(lmv2_session_key.data, user_session_key, - sizeof(user_session_key)) != 0) { - printf("USER (LMv2) Session Key does not match expectations!\n"); - printf("user_session_key:\n"); - dump_data(1, (const char *)user_session_key, 16); - printf("expected:\n"); - dump_data(1, (const char *)lmv2_session_key.data, ntlmv2_session_key.length); - pass = False; - } - if (memcmp(lmv2_session_key.data, lm_session_key, - sizeof(lm_session_key)) != 0) { - printf("LM (LMv2) Session Key does not match expectations!\n"); - printf("lm_session_key:\n"); - dump_data(1, (const char *)lm_session_key, 8); - printf("expected:\n"); - dump_data(1, (const char *)lmv2_session_key.data, 8); - pass = False; - } - break; - default: - if (memcmp(ntlmv2_session_key.data, user_session_key, - sizeof(user_session_key)) != 0) { - printf("USER (NTLMv2) Session Key does not match expectations!\n"); - printf("user_session_key:\n"); - dump_data(1, (const char *)user_session_key, 16); - printf("expected:\n"); - dump_data(1, (const char *)ntlmv2_session_key.data, ntlmv2_session_key.length); - pass = False; - } - if (memcmp(ntlmv2_session_key.data, lm_session_key, - sizeof(lm_session_key)) != 0) { - printf("LM (NTLMv2) Session Key does not match expectations!\n"); - printf("lm_session_key:\n"); - dump_data(1, (const char *)lm_session_key, 8); - printf("expected:\n"); - dump_data(1, (const char *)ntlmv2_session_key.data, 8); - pass = False; - } - } - - return pass; -} - -/* - * Test the NTLMv2 and LMv2 responses - */ - -static BOOL test_lmv2_ntlmv2(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_NONE, error_string); -} - -/* - * Test the LMv2 response only - */ - -static BOOL test_lmv2(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lmv2_ntlmv2_broken(samlogon_state, NO_NT, error_string); -} - -/* - * Test the NTLMv2 response only - */ - -static BOOL test_ntlmv2(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lmv2_ntlmv2_broken(samlogon_state, NO_LM, error_string); -} - -static BOOL test_lm_ntlm(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lm_ntlm_broken(samlogon_state, BREAK_NONE, error_string); -} - -static BOOL test_ntlm_lm_broken(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lm_ntlm_broken(samlogon_state, BREAK_LM, error_string); -} - -static BOOL test_ntlm_ntlm_broken(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lm_ntlm_broken(samlogon_state, BREAK_NT, error_string); -} - -static BOOL test_lm_ntlm_both_broken(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lm_ntlm_broken(samlogon_state, BREAK_BOTH, error_string); -} -static BOOL test_ntlmv2_lmv2_broken(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_LM, error_string); -} - -static BOOL test_ntlmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_NT, error_string); -} - -static BOOL test_ntlmv2_both_broken(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_BOTH, error_string); -} - -/* - * Test the NTLM2 response (extra challenge in LM feild) - * - * This test is the same as the 'break LM' test, but checks that the - * server implements NTLM2 session security in the right place - * (NETLOGON is the wrong place). - */ - -static BOOL test_ntlm2(struct samlogon_state *samlogon_state, char **error_string) -{ - BOOL pass = True; - NTSTATUS nt_status; - DATA_BLOB lm_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); - DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); - - uint8_t lm_key[8]; - uint8_t nt_hash[16]; - uint8_t lm_hash[16]; - uint8_t nt_key[16]; - uint8_t user_session_key[16]; - uint8_t expected_user_session_key[16]; - uint8_t session_nonce_hash[16]; - uint8_t client_chall[8]; - - struct MD5Context md5_session_nonce_ctx; - HMACMD5Context hmac_ctx; - - ZERO_STRUCT(user_session_key); - ZERO_STRUCT(lm_key); - generate_random_buffer(client_chall, 8); - - MD5Init(&md5_session_nonce_ctx); - MD5Update(&md5_session_nonce_ctx, samlogon_state->chall.data, 8); - MD5Update(&md5_session_nonce_ctx, client_chall, 8); - MD5Final(session_nonce_hash, &md5_session_nonce_ctx); - - E_md4hash(samlogon_state->password, (uint8_t *)nt_hash); - E_deshash(samlogon_state->password, (uint8_t *)lm_hash); - SMBsesskeygen_ntv1((const uint8_t *)nt_hash, - nt_key); - - SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, nt_response.data); - - memcpy(lm_response.data, session_nonce_hash, 8); - memset(lm_response.data + 8, 0, 16); - - hmac_md5_init_rfc2104(nt_key, 16, &hmac_ctx); - hmac_md5_update(samlogon_state->chall.data, 8, &hmac_ctx); - hmac_md5_update(client_chall, 8, &hmac_ctx); - hmac_md5_final(expected_user_session_key, &hmac_ctx); - - nt_status = check_samlogon(samlogon_state, - BREAK_NONE, - &samlogon_state->chall, - &lm_response, - &nt_response, - lm_key, - user_session_key, - error_string); - - if (!NT_STATUS_IS_OK(nt_status)) { - return False; - } - - if (memcmp(lm_hash, lm_key, - sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations!\n"); - printf("lm_key:\n"); - dump_data(1, (const char *)lm_key, 8); - printf("expected:\n"); - dump_data(1, (const char *)lm_hash, 8); - pass = False; - } - if (memcmp(nt_key, user_session_key, 16) != 0) { - printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); - printf("user_session_key:\n"); - dump_data(1, (const char *)user_session_key, sizeof(user_session_key)); - printf("expected:\n"); - dump_data(1, (const char *)nt_key, sizeof(nt_key)); - pass = False; - } - return pass; -} - -static BOOL test_plaintext(struct samlogon_state *samlogon_state, enum ntlm_break break_which, char **error_string) -{ - NTSTATUS nt_status; - DATA_BLOB nt_response = data_blob(NULL, 0); - DATA_BLOB lm_response = data_blob(NULL, 0); - char *password; - char *dospw; - void *unicodepw; - - uint8_t user_session_key[16]; - uint8_t lm_key[16]; - static const uint8_t zeros[8]; - DATA_BLOB chall = data_blob_talloc(samlogon_state->mem_ctx, zeros, sizeof(zeros)); - - ZERO_STRUCT(user_session_key); - - if ((push_ucs2_talloc(samlogon_state->mem_ctx, &unicodepw, - samlogon_state->password)) == -1) { - DEBUG(0, ("push_ucs2_allocate failed!\n")); - exit(1); - } - - nt_response = data_blob_talloc(samlogon_state->mem_ctx, unicodepw, strlen_m(samlogon_state->password)*2); - - password = strupper_talloc(samlogon_state->mem_ctx, samlogon_state->password); - - if ((convert_string_talloc(samlogon_state->mem_ctx, CH_UNIX, - CH_DOS, password, - strlen(password)+1, - (void**)&dospw)) == -1) { - DEBUG(0, ("convert_string_talloc failed!\n")); - exit(1); - } - - lm_response = data_blob_talloc(samlogon_state->mem_ctx, dospw, strlen(dospw)); - - nt_status = check_samlogon(samlogon_state, - break_which, - &chall, - &lm_response, - &nt_response, - lm_key, - user_session_key, - error_string); - - if (!NT_STATUS_IS_OK(nt_status)) { - return break_which == BREAK_NT; - } - - return True; -} - -static BOOL test_plaintext_none_broken(struct samlogon_state *samlogon_state, - char **error_string) { - return test_plaintext(samlogon_state, BREAK_NONE, error_string); -} - -static BOOL test_plaintext_lm_broken(struct samlogon_state *samlogon_state, - char **error_string) { - return test_plaintext(samlogon_state, BREAK_LM, error_string); -} - -static BOOL test_plaintext_nt_broken(struct samlogon_state *samlogon_state, - char **error_string) { - return test_plaintext(samlogon_state, BREAK_NT, error_string); -} - -static BOOL test_plaintext_nt_only(struct samlogon_state *samlogon_state, - char **error_string) { - return test_plaintext(samlogon_state, NO_LM, error_string); -} - -static BOOL test_plaintext_lm_only(struct samlogon_state *samlogon_state, - char **error_string) { - return test_plaintext(samlogon_state, NO_NT, error_string); -} - -/* - Tests: - - - LM only - - NT and LM - - NT - - NT in LM field - - NT in both fields - - NTLMv2 - - NTLMv2 and LMv2 - - LMv2 - - plaintext tests (in challenge-response fields) - - check we get the correct session key in each case - check what values we get for the LM session key - -*/ - -static const struct ntlm_tests { - BOOL (*fn)(struct samlogon_state *, char **); - const char *name; - BOOL expect_fail; -} test_table[] = { - {test_lm, "LM", False}, - {test_lm_ntlm, "LM and NTLM", False}, - {test_lm_ntlm_both_broken, "LM and NTLM, both broken", False}, - {test_ntlm, "NTLM", False}, - {test_ntlm_in_lm, "NTLM in LM", False}, - {test_ntlm_in_both, "NTLM in both", False}, - {test_ntlmv2, "NTLMv2", False}, - {test_lmv2_ntlmv2, "NTLMv2 and LMv2", False}, - {test_lmv2, "LMv2", False}, - {test_ntlmv2_lmv2_broken, "NTLMv2 and LMv2, LMv2 broken", False}, - {test_ntlmv2_ntlmv2_broken, "NTLMv2 and LMv2, NTLMv2 broken", False}, - {test_ntlmv2_both_broken, "NTLMv2 and LMv2, both broken", False}, - {test_ntlm_lm_broken, "NTLM and LM, LM broken", False}, - {test_ntlm_ntlm_broken, "NTLM and LM, NTLM broken", False}, - {test_ntlm2, "NTLM2 (NTLMv2 session security)", False}, - {test_plaintext_none_broken, "Plaintext", True}, - {test_plaintext_lm_broken, "Plaintext LM broken", True}, - {test_plaintext_nt_broken, "Plaintext NT broken", True}, - {test_plaintext_nt_only, "Plaintext NT only", True}, - {test_plaintext_lm_only, "Plaintext LM only", True}, - {NULL, NULL} -}; - -/* - try a netlogon SamLogon -*/ -static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) -{ - int i, v, l, f; - BOOL ret = True; - int validation_levels[] = {2,3,6}; - int logon_levels[] = { 2, 6 }; - int function_levels[] = { - DCERPC_NETR_LOGONSAMLOGON, - DCERPC_NETR_LOGONSAMLOGONWITHFLAGS }; - struct samlogon_state samlogon_state; - - printf("testing netr_LogonSamLogon and netr_LogonSamLogonWithFlags\n"); - - samlogon_state.mem_ctx = mem_ctx; - samlogon_state.account_name = lp_parm_string(-1, "torture", "username"); - samlogon_state.account_domain = lp_parm_string(-1, "torture", "userdomain"); - samlogon_state.password = lp_parm_string(-1, "torture", "password"); - samlogon_state.p = p; - - samlogon_state.chall = data_blob_talloc(mem_ctx, NULL, 8); - - generate_random_buffer(samlogon_state.chall.data, 8); - - if (!test_SetupCredentials2(p, mem_ctx, NETLOGON_NEG_AUTH2_FLAGS, &samlogon_state.creds)) { - return False; - } - - if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_FLAGS, &samlogon_state.creds)) { - return False; - } - - if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, &samlogon_state.creds)) { - return False; - } - - samlogon_state.r_flags.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); - samlogon_state.r_flags.in.workstation = TEST_MACHINE_NAME; - samlogon_state.r_flags.in.credential = &samlogon_state.auth; - samlogon_state.r_flags.in.return_authenticator = &samlogon_state.auth2; - samlogon_state.r_flags.in.flags = 0; - - samlogon_state.r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); - samlogon_state.r.in.workstation = TEST_MACHINE_NAME; - samlogon_state.r.in.credential = &samlogon_state.auth; - samlogon_state.r.in.return_authenticator = &samlogon_state.auth2; - - for (i=0; test_table[i].fn; i++) { - for (v=0;v<ARRAY_SIZE(validation_levels);v++) { - for (l=0;l<ARRAY_SIZE(logon_levels);l++) { - for (f=0;f<ARRAY_SIZE(function_levels);f++) { - char *error_string = NULL; - samlogon_state.function_level = function_levels[f]; - samlogon_state.r.in.validation_level = validation_levels[v]; - samlogon_state.r.in.logon_level = logon_levels[l]; - samlogon_state.r_flags.in.validation_level = validation_levels[v]; - samlogon_state.r_flags.in.logon_level = logon_levels[l]; - if (!test_table[i].fn(&samlogon_state, &error_string)) { - printf("Testing '%s' at validation level %d, logon level %d, function %d: \n", - test_table[i].name, validation_levels[v], - logon_levels[l], function_levels[f]); - - if (test_table[i].expect_fail) { - printf(" failed (expected, test incomplete): %s\n", error_string); - } else { - printf(" failed: %s\n", error_string); - ret = False; - } - SAFE_FREE(error_string); - } - } - } - } - } - - return ret; -} - -/* - test an ADS style interactive domain login -*/ -static BOOL test_InteractiveLogin(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds) -{ - NTSTATUS status; - struct netr_LogonSamLogonWithFlags r; - struct netr_Authenticator a, ra; - struct netr_PasswordInfo pinfo; - const char *plain_pass; - - ZERO_STRUCT(r); - ZERO_STRUCT(ra); - - creds_client_authenticator(creds, &a); - - r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); - r.in.workstation = TEST_MACHINE_NAME; - r.in.credential = &a; - r.in.return_authenticator = &ra; - r.in.logon_level = 5; - r.in.logon.password = &pinfo; - r.in.validation_level = 6; - r.in.flags = 0; - - pinfo.identity_info.domain_name.string = lp_parm_string(-1, "torture", "userdomain"); - pinfo.identity_info.parameter_control = 0; - pinfo.identity_info.logon_id_low = 0; - pinfo.identity_info.logon_id_high = 0; - pinfo.identity_info.account_name.string = lp_parm_string(-1, "torture", "username"); - pinfo.identity_info.workstation.string = TEST_MACHINE_NAME; - - plain_pass = lp_parm_string(-1, "torture", "password"); - - E_deshash(plain_pass, pinfo.lmpassword.hash); - E_md4hash(plain_pass, pinfo.ntpassword.hash); - - creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16); - creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16); - - printf("Testing netr_LogonSamLogonWithFlags\n"); - - status = dcerpc_netr_LogonSamLogonWithFlags(p, mem_ctx, &r); - if (!NT_STATUS_IS_OK(status)) { - printf("netr_LogonSamLogonWithFlags - %s\n", nt_errstr(status)); - exit(1); - return False; - } - - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { - printf("Credential chaining failed\n"); - return False; - } - - return True; -} - - - /* try a change password for our machine account */ @@ -1229,7 +257,8 @@ static BOOL test_SetPassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) const char *password; struct creds_CredentialState creds; - if (!test_SetupCredentials(p, mem_ctx, &creds)) { + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, + machine_password, &creds)) { return False; } @@ -1279,7 +308,7 @@ static BOOL test_SetPassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) machine_password = password; - if (!test_SetupCredentials(p, mem_ctx, &creds)) { + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) { printf("ServerPasswordSet failed to actually change the password\n"); return False; } @@ -1303,7 +332,7 @@ static BOOL test_DatabaseSync(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) int i; BOOL ret = True; - if (!test_SetupCredentials(p, mem_ctx, &creds)) { + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1364,7 +393,7 @@ static BOOL test_DatabaseDeltas(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) int i; BOOL ret = True; - if (!test_SetupCredentials(p, mem_ctx, &creds)) { + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1418,7 +447,7 @@ static BOOL test_AccountDeltas(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) struct creds_CredentialState creds; BOOL ret = True; - if (!test_SetupCredentials(p, mem_ctx, &creds)) { + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1453,7 +482,7 @@ static BOOL test_AccountSync(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) struct creds_CredentialState creds; BOOL ret = True; - if (!test_SetupCredentials(p, mem_ctx, &creds)) { + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1649,7 +678,8 @@ static BOOL test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) int i; BOOL ret = True; - if (!test_SetupCredentials2(p, mem_ctx, NETLOGON_NEG_AUTH2_FLAGS, &creds)) { + if (!test_SetupCredentials2(p, mem_ctx, NETLOGON_NEG_AUTH2_FLAGS, + TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1800,7 +830,8 @@ static BOOL test_GetDomainInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) struct netr_Authenticator a; struct creds_CredentialState creds; - if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, &creds)) { + if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1842,8 +873,6 @@ static BOOL test_GetDomainInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) return False; } - test_InteractiveLogin(p, mem_ctx, &creds); - return True; } @@ -1869,7 +898,8 @@ static BOOL test_GetDomainInfo_async(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) int i; int async_counter = 0; - if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, &creds)) { + if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1970,10 +1000,6 @@ BOOL torture_rpc_netlogon(void) ret = False; } - if (!test_SamLogon(p, mem_ctx)) { - ret = False; - } - if (!test_GetDomainInfo(p, mem_ctx)) { ret = False; } |