diff options
-rw-r--r-- | source4/include/structs.h | 7 | ||||
-rw-r--r-- | source4/libcli/auth/credentials.c | 21 | ||||
-rw-r--r-- | source4/torture/config.mk | 1 | ||||
-rw-r--r-- | source4/torture/rpc/netlogon.c | 1048 | ||||
-rw-r--r-- | source4/torture/rpc/samlogon.c | 1085 | ||||
-rw-r--r-- | source4/torture/rpc/schannel.c | 18 | ||||
-rw-r--r-- | source4/torture/rpc/testjoin.c | 27 | ||||
-rw-r--r-- | source4/torture/torture.c | 1 |
8 files changed, 1182 insertions, 1026 deletions
diff --git a/source4/include/structs.h b/source4/include/structs.h index 00dfbf6c79..424b7a0e7a 100644 --- a/source4/include/structs.h +++ b/source4/include/structs.h @@ -46,7 +46,6 @@ struct samr_CryptPassword; struct samr_CryptPasswordEx; struct samr_LogonHours; -struct netr_SamInfo3; struct netr_Authenticator; union netr_Validation; @@ -111,3 +110,9 @@ struct net_context; struct file_info; struct xattr_DosEAs; + +struct test_join; + +struct test_join_ads_dc; + +struct netr_LMSessionKey; diff --git a/source4/libcli/auth/credentials.c b/source4/libcli/auth/credentials.c index a09d767e89..ec41ebf4bd 100644 --- a/source4/libcli/auth/credentials.c +++ b/source4/libcli/auth/credentials.c @@ -25,6 +25,7 @@ #include "system/time.h" #include "auth/auth.h" #include "lib/crypto/crypto.h" +#include "librpc/gen_ndr/ndr_netlogon.h" /* initialise the credentials state for old-style 64 bit session keys @@ -129,6 +130,26 @@ static void creds_step(struct creds_CredentialState *creds) /* + DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key +*/ +void creds_des_encrypt_LMKey(struct creds_CredentialState *creds, struct netr_LMSessionKey *key) +{ + struct netr_LMSessionKey tmp; + des_crypt56(tmp.key, key->key, creds->session_key, 1); + *key = tmp; +} + +/* + DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key +*/ +void creds_des_decrypt_LMKey(struct creds_CredentialState *creds, struct netr_LMSessionKey *key) +{ + struct netr_LMSessionKey tmp; + des_crypt56(tmp.key, key->key, creds->session_key, 0); + *key = tmp; +} + +/* DES encrypt a 16 byte password buffer using the session key */ void creds_des_encrypt(struct creds_CredentialState *creds, struct samr_Password *pass) diff --git a/source4/torture/config.mk b/source4/torture/config.mk index 70a3e540f7..cef76baac4 100644 --- a/source4/torture/config.mk +++ b/source4/torture/config.mk @@ -89,6 +89,7 @@ ADD_OBJ_FILES = \ torture/rpc/xplogin.o \ torture/rpc/schannel.o \ torture/rpc/netlogon.o \ + torture/rpc/samlogon.o \ torture/rpc/bind.o REQUIRED_SUBSYSTEMS = \ LIBSMB diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 0551151db8..fe64727d79 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -25,8 +25,6 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_netlogon.h" #include "auth/auth.h" -#include "lib/crypto/crypto.h" - static const char *machine_password; @@ -74,20 +72,21 @@ static BOOL test_LogonUasLogoff(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) } -static BOOL test_SetupCredentials(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds) +BOOL test_SetupCredentials(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + const char *machine_name, + const char *plain_pass, + struct creds_CredentialState *creds) { NTSTATUS status; struct netr_ServerReqChallenge r; struct netr_ServerAuthenticate a; struct netr_Credential credentials1, credentials2, credentials3; - const char *plain_pass; struct samr_Password mach_password; printf("Testing ServerReqChallenge\n"); r.in.server_name = NULL; - r.in.computer_name = TEST_MACHINE_NAME; + r.in.computer_name = machine_name; r.in.credentials = &credentials1; r.out.credentials = &credentials2; @@ -99,23 +98,17 @@ static BOOL test_SetupCredentials(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return False; } - plain_pass = machine_password; - if (!plain_pass) { - printf("Unable to fetch machine password!\n"); - return False; - } - E_md4hash(plain_pass, mach_password.hash); a.in.server_name = NULL; - a.in.account_name = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME); + a.in.account_name = talloc_asprintf(mem_ctx, "%s$", machine_name); a.in.secure_channel_type = SEC_CHAN_BDC; - a.in.computer_name = TEST_MACHINE_NAME; + a.in.computer_name = machine_name; a.in.credentials = &credentials3; a.out.credentials = &credentials3; creds_client_init(creds, &credentials1, &credentials2, &mach_password, &credentials3, - NETLOGON_NEG_AUTH2_FLAGS); + 0); printf("Testing ServerAuthenticate\n"); @@ -133,21 +126,22 @@ static BOOL test_SetupCredentials(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return True; } -static BOOL test_SetupCredentials2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - uint32_t negotiate_flags, - struct creds_CredentialState *creds) +BOOL test_SetupCredentials2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + uint32_t negotiate_flags, + const char *machine_name, + const char *plain_pass, + struct creds_CredentialState *creds) { NTSTATUS status; struct netr_ServerReqChallenge r; struct netr_ServerAuthenticate2 a; struct netr_Credential credentials1, credentials2, credentials3; - const char *plain_pass; struct samr_Password mach_password; printf("Testing ServerReqChallenge\n"); r.in.server_name = NULL; - r.in.computer_name = TEST_MACHINE_NAME; + r.in.computer_name = machine_name; r.in.credentials = &credentials1; r.out.credentials = &credentials2; @@ -159,18 +153,12 @@ static BOOL test_SetupCredentials2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return False; } - plain_pass = machine_password; - if (!plain_pass) { - printf("Unable to fetch machine password!\n"); - return False; - } - E_md4hash(plain_pass, mach_password.hash); a.in.server_name = NULL; - a.in.account_name = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME); + a.in.account_name = talloc_asprintf(mem_ctx, "%s$", machine_name); a.in.secure_channel_type = SEC_CHAN_BDC; - a.in.computer_name = TEST_MACHINE_NAME; + a.in.computer_name = machine_name; a.in.negotiate_flags = &negotiate_flags; a.out.negotiate_flags = &negotiate_flags; a.in.credentials = &credentials3; @@ -198,22 +186,23 @@ static BOOL test_SetupCredentials2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, } -static BOOL test_SetupCredentials3(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - uint32_t negotiate_flags, - struct creds_CredentialState *creds) +BOOL test_SetupCredentials3(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + uint32_t negotiate_flags, + const char *machine_name, + const char *plain_pass, + struct creds_CredentialState *creds) { NTSTATUS status; struct netr_ServerReqChallenge r; struct netr_ServerAuthenticate3 a; struct netr_Credential credentials1, credentials2, credentials3; - const char *plain_pass; struct samr_Password mach_password; uint32 rid; printf("Testing ServerReqChallenge\n"); r.in.server_name = NULL; - r.in.computer_name = TEST_MACHINE_NAME; + r.in.computer_name = machine_name; r.in.credentials = &credentials1; r.out.credentials = &credentials2; @@ -225,18 +214,12 @@ static BOOL test_SetupCredentials3(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return False; } - plain_pass = machine_password; - if (!plain_pass) { - printf("Unable to fetch machine password!\n"); - return False; - } - E_md4hash(plain_pass, mach_password.hash); a.in.server_name = NULL; - a.in.account_name = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME); + a.in.account_name = talloc_asprintf(mem_ctx, "%s$", machine_name); a.in.secure_channel_type = SEC_CHAN_BDC; - a.in.computer_name = TEST_MACHINE_NAME; + a.in.computer_name = machine_name; a.in.negotiate_flags = &negotiate_flags; a.in.credentials = &credentials3; a.out.credentials = &credentials3; @@ -264,961 +247,6 @@ static BOOL test_SetupCredentials3(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, return True; } -enum ntlm_break { - BREAK_BOTH, - BREAK_NONE, - BREAK_LM, - BREAK_NT, - NO_LM, - NO_NT -}; - -struct samlogon_state { - TALLOC_CTX *mem_ctx; - const char *account_name; - const char *account_domain; - const char *password; - struct dcerpc_pipe *p; - int function_level; - struct netr_LogonSamLogon r; - struct netr_LogonSamLogonWithFlags r_flags; - struct netr_Authenticator auth, auth2; - struct creds_CredentialState creds; - - DATA_BLOB chall; -}; - -/* - Authenticate a user with a challenge/response, checking session key - and valid authentication types -*/ -static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, - enum ntlm_break break_which, - DATA_BLOB *chall, - DATA_BLOB *lm_response, - DATA_BLOB *nt_response, - uint8_t lm_key[8], - uint8_t user_session_key[16], - char **error_string) -{ - NTSTATUS status; - struct netr_LogonSamLogon *r = &samlogon_state->r; - struct netr_LogonSamLogonWithFlags *r_flags = &samlogon_state->r_flags; - struct netr_NetworkInfo ninfo; - - struct netr_SamBaseInfo *base; - - uint16 validation_level; - - samlogon_state->r.in.logon.network = &ninfo; - samlogon_state->r_flags.in.logon.network = &ninfo; - - ninfo.identity_info.domain_name.string = samlogon_state->account_domain; - ninfo.identity_info.parameter_control = 0; - ninfo.identity_info.logon_id_low = 0; - ninfo.identity_info.logon_id_high = 0; - ninfo.identity_info.account_name.string = samlogon_state->account_name; - ninfo.identity_info.workstation.string = TEST_MACHINE_NAME; - - memcpy(ninfo.challenge, chall->data, 8); - - switch (break_which) { - case BREAK_NONE: - break; - case BREAK_LM: - if (lm_response && lm_response->data) { - lm_response->data[0]++; - } - break; - case BREAK_NT: - if (nt_response && nt_response->data) { - nt_response->data[0]++; - } - break; - case BREAK_BOTH: - if (lm_response && lm_response->data) { - lm_response->data[0]++; - } - if (nt_response && nt_response->data) { - nt_response->data[0]++; - } - break; - case NO_LM: - data_blob_free(lm_response); - break; - case NO_NT: - data_blob_free(nt_response); - break; - } - - if (nt_response) { - ninfo.nt.data = nt_response->data; - ninfo.nt.length = nt_response->length; - } else { - ninfo.nt.data = NULL; - ninfo.nt.length = 0; - } - - if (lm_response) { - ninfo.lm.data = lm_response->data; - ninfo.lm.length = lm_response->length; - } else { - ninfo.lm.data = NULL; - ninfo.lm.length = 0; - } - - ZERO_STRUCT(samlogon_state->auth2); - creds_client_authenticator(&samlogon_state->creds, &samlogon_state->auth); - - switch (samlogon_state->function_level) { - case DCERPC_NETR_LOGONSAMLOGON: - r->out.return_authenticator = NULL; - status = dcerpc_netr_LogonSamLogon(samlogon_state->p, samlogon_state->mem_ctx, r); - if (!r->out.return_authenticator || - !creds_client_check(&samlogon_state->creds, &r->out.return_authenticator->cred)) { - printf("Credential chaining failed\n"); - } - if (!NT_STATUS_IS_OK(status)) { - if (error_string) { - *error_string = strdup(nt_errstr(status)); - } - } - - validation_level = r->in.validation_level; - switch (validation_level) { - case 2: - base = &r->out.validation.sam2->base; - break; - case 3: - base = &r->out.validation.sam3->base; - break; - case 6: - base = &r->out.validation.sam6->base; - break; - } - break; - case DCERPC_NETR_LOGONSAMLOGONWITHFLAGS: - r_flags->out.return_authenticator = NULL; - status = dcerpc_netr_LogonSamLogonWithFlags(samlogon_state->p, samlogon_state->mem_ctx, r_flags); - if (!r_flags->out.return_authenticator || - !creds_client_check(&samlogon_state->creds, &r_flags->out.return_authenticator->cred)) { - printf("Credential chaining failed\n"); - } - if (!NT_STATUS_IS_OK(status)) { - if (error_string) { - *error_string = strdup(nt_errstr(status)); - } - } - - validation_level = r_flags->in.validation_level; - switch (validation_level) { - case 2: - base = &r_flags->out.validation.sam2->base; - break; - case 3: - base = &r_flags->out.validation.sam3->base; - break; - case 6: - base = &r_flags->out.validation.sam6->base; - break; - } - break; - } - - - if (!NT_STATUS_IS_OK(status)) { - /* we cannot check the session key, if the logon failed... */ - return status; - } - - - /* find and decyrpt the session keys, return in parameters above */ - if (validation_level != 6) { - static const char zeros[16]; - - if (memcmp(base->key.key, zeros, - sizeof(base->key.key)) != 0) { - creds_arcfour_crypt(&samlogon_state->creds, - base->key.key, - sizeof(base->key.key)); - } - - if (user_session_key) { - memcpy(user_session_key, base->key.key, 16); - } - - if (memcmp(base->LMSessKey.key, zeros, - sizeof(base->LMSessKey.key)) != 0) { - creds_arcfour_crypt(&samlogon_state->creds, - base->LMSessKey.key, - sizeof(base->LMSessKey.key)); - } - - if (lm_key) { - memcpy(lm_key, base->LMSessKey.key, 8); - } - } else { - /* they aren't encrypted! */ - if (user_session_key) { - memcpy(user_session_key, base->key.key, 16); - } - if (lm_key) { - memcpy(lm_key, base->LMSessKey.key, 8); - } - } - - return status; -} - - -/* - * Test the normal 'LM and NTLM' combination - */ - -static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm_break break_which, char **error_string) -{ - BOOL pass = True; - BOOL lm_good; - NTSTATUS nt_status; - DATA_BLOB lm_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); - DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); - DATA_BLOB session_key = data_blob_talloc(samlogon_state->mem_ctx, NULL, 16); - - uint8_t lm_key[8]; - uint8_t user_session_key[16]; - uint8_t lm_hash[16]; - uint8_t nt_hash[16]; - - ZERO_STRUCT(lm_key); - ZERO_STRUCT(user_session_key); - - lm_good = SMBencrypt(samlogon_state->password, samlogon_state->chall.data, lm_response.data); - if (!lm_good) { - ZERO_STRUCT(lm_hash); - } else { - E_deshash(samlogon_state->password, lm_hash); - } - - SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, nt_response.data); - - E_md4hash(samlogon_state->password, nt_hash); - SMBsesskeygen_ntv1(nt_hash, session_key.data); - - nt_status = check_samlogon(samlogon_state, - break_which, - &samlogon_state->chall, - &lm_response, - &nt_response, - lm_key, - user_session_key, - error_string); - - data_blob_free(&lm_response); - - if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) { - /* for 'long' passwords, the LM password is invalid */ - if (break_which == NO_NT && !lm_good) { - return True; - } - return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH)); - } - - if (!NT_STATUS_IS_OK(nt_status)) { - return False; - } - - if (break_which == NO_NT && !lm_good) { - printf("LM password is 'long' (> 14 chars and therefore invalid) but login did not fail!"); - return False; - } - - if (memcmp(lm_hash, lm_key, - sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations!\n"); - printf("lm_key:\n"); - dump_data(1, (const char *)lm_key, 8); - printf("expected:\n"); - dump_data(1, (const char *)lm_hash, 8); - pass = False; - } - - switch (break_which) { - case NO_NT: - { - char lm_key_expected[16]; - memcpy(lm_key_expected, lm_hash, 8); - memset(lm_key_expected+8, '\0', 8); - if (memcmp(lm_key_expected, user_session_key, - 16) != 0) { - printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); - printf("user_session_key:\n"); - dump_data(1, (const char *)user_session_key, sizeof(user_session_key)); - printf("expected:\n"); - dump_data(1, (const char *)lm_key_expected, sizeof(lm_key_expected)); - pass = False; - } - break; - } - default: - if (memcmp(session_key.data, user_session_key, - sizeof(user_session_key)) != 0) { - printf("NT Session Key does not match expectations!\n"); - printf("user_session_key:\n"); - dump_data(1, (const char *)user_session_key, 16); - printf("expected:\n"); - dump_data(1, (const char *)session_key.data, session_key.length); - pass = False; - } - } - return pass; -} - -/* - * Test LM authentication, no NT response supplied - */ - -static BOOL test_lm(struct samlogon_state *samlogon_state, char **error_string) -{ - - return test_lm_ntlm_broken(samlogon_state, NO_NT, error_string); -} - -/* - * Test the NTLM response only, no LM. - */ - -static BOOL test_ntlm(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lm_ntlm_broken(samlogon_state, NO_LM, error_string); -} - -/* - * Test the NTLM response only, but in the LM field. - */ - -static BOOL test_ntlm_in_lm(struct samlogon_state *samlogon_state, char **error_string) -{ - BOOL pass = True; - NTSTATUS nt_status; - DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); - - uint8_t lm_key[8]; - uint8_t lm_hash[16]; - uint8_t user_session_key[16]; - - ZERO_STRUCT(user_session_key); - - SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, nt_response.data); - - E_deshash(samlogon_state->password, lm_hash); - - nt_status = check_samlogon(samlogon_state, - BREAK_NONE, - &samlogon_state->chall, - &nt_response, - NULL, - lm_key, - user_session_key, - error_string); - - if (!NT_STATUS_IS_OK(nt_status)) { - return False; - } - - if (memcmp(lm_hash, lm_key, - sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations!\n"); - printf("lm_key:\n"); - dump_data(1, (const char *)lm_key, 8); - printf("expected:\n"); - dump_data(1, (const char *)lm_hash, 8); - pass = False; - } - if (memcmp(lm_hash, user_session_key, 8) != 0) { - char lm_key_expected[16]; - memcpy(lm_key_expected, lm_hash, 8); - memset(lm_key_expected+8, '\0', 8); - if (memcmp(lm_key_expected, user_session_key, - 16) != 0) { - printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); - printf("user_session_key:\n"); - dump_data(1, (const char *)user_session_key, sizeof(user_session_key)); - printf("expected:\n"); - dump_data(1, (const char *)lm_key_expected, sizeof(lm_key_expected)); - pass = False; - } - } - return pass; -} - -/* - * Test the NTLM response only, but in the both the NT and LM fields. - */ - -static BOOL test_ntlm_in_both(struct samlogon_state *samlogon_state, char **error_string) -{ - BOOL pass = True; - BOOL lm_good; - NTSTATUS nt_status; - DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); - DATA_BLOB session_key = data_blob_talloc(samlogon_state->mem_ctx, NULL, 16); - - char lm_key[8]; - char lm_hash[16]; - char user_session_key[16]; - char nt_hash[16]; - - ZERO_STRUCT(lm_key); - ZERO_STRUCT(user_session_key); - - SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, - nt_response.data); - E_md4hash(samlogon_state->password, (uint8_t *)nt_hash); - SMBsesskeygen_ntv1((const uint8_t *)nt_hash, - session_key.data); - - lm_good = E_deshash(samlogon_state->password, (uint8_t *)lm_hash); - if (!lm_good) { - ZERO_STRUCT(lm_hash); - } - - nt_status = check_samlogon(samlogon_state, - BREAK_NONE, - &samlogon_state->chall, - NULL, - &nt_response, - lm_key, - user_session_key, - error_string); - - if (!NT_STATUS_IS_OK(nt_status)) { - return False; - } - - if (memcmp(lm_hash, lm_key, - sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations!\n"); - printf("lm_key:\n"); - dump_data(1, lm_key, 8); - printf("expected:\n"); - dump_data(1, lm_hash, 8); - pass = False; - } - if (memcmp(session_key.data, user_session_key, - sizeof(user_session_key)) != 0) { - printf("NT Session Key does not match expectations!\n"); - printf("user_session_key:\n"); - dump_data(1, user_session_key, 16); - printf("expected:\n"); - dump_data(1, (const char *)session_key.data, session_key.length); - pass = False; - } - - - return pass; -} - -/* - * Test the NTLMv2 and LMv2 responses - */ - -static BOOL test_lmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, enum ntlm_break break_which, char **error_string) -{ - BOOL pass = True; - NTSTATUS nt_status; - DATA_BLOB ntlmv2_response = data_blob(NULL, 0); - DATA_BLOB lmv2_response = data_blob(NULL, 0); - DATA_BLOB lmv2_session_key = data_blob(NULL, 0); - DATA_BLOB ntlmv2_session_key = data_blob(NULL, 0); - DATA_BLOB names_blob = NTLMv2_generate_names_blob(samlogon_state->mem_ctx, lp_netbios_name(), lp_workgroup()); - - uint8_t lm_session_key[8]; - uint8_t user_session_key[16]; - - ZERO_STRUCT(lm_session_key); - ZERO_STRUCT(user_session_key); - - /* TODO - test with various domain cases, and without domain */ - if (!SMBNTLMv2encrypt(samlogon_state->account_name, samlogon_state->account_domain, - samlogon_state->password, &samlogon_state->chall, - &names_blob, - &lmv2_response, &ntlmv2_response, - &lmv2_session_key, &ntlmv2_session_key)) { - data_blob_free(&names_blob); - return False; - } - data_blob_free(&names_blob); - - nt_status = check_samlogon(samlogon_state, - break_which, - &samlogon_state->chall, - &lmv2_response, - &ntlmv2_response, - lm_session_key, - user_session_key, - error_string); - - data_blob_free(&lmv2_response); - data_blob_free(&ntlmv2_response); - - - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { - return break_which == BREAK_BOTH; - } - - switch (break_which) { - case NO_NT: - if (memcmp(lmv2_session_key.data, user_session_key, - sizeof(user_session_key)) != 0) { - printf("USER (LMv2) Session Key does not match expectations!\n"); - printf("user_session_key:\n"); - dump_data(1, (const char *)user_session_key, 16); - printf("expected:\n"); - dump_data(1, (const char *)lmv2_session_key.data, ntlmv2_session_key.length); - pass = False; - } - if (memcmp(lmv2_session_key.data, lm_session_key, - sizeof(lm_session_key)) != 0) { - printf("LM (LMv2) Session Key does not match expectations!\n"); - printf("lm_session_key:\n"); - dump_data(1, (const char *)lm_session_key, 8); - printf("expected:\n"); - dump_data(1, (const char *)lmv2_session_key.data, 8); - pass = False; - } - break; - default: - if (memcmp(ntlmv2_session_key.data, user_session_key, - sizeof(user_session_key)) != 0) { - printf("USER (NTLMv2) Session Key does not match expectations!\n"); - printf("user_session_key:\n"); - dump_data(1, (const char *)user_session_key, 16); - printf("expected:\n"); - dump_data(1, (const char *)ntlmv2_session_key.data, ntlmv2_session_key.length); - pass = False; - } - if (memcmp(ntlmv2_session_key.data, lm_session_key, - sizeof(lm_session_key)) != 0) { - printf("LM (NTLMv2) Session Key does not match expectations!\n"); - printf("lm_session_key:\n"); - dump_data(1, (const char *)lm_session_key, 8); - printf("expected:\n"); - dump_data(1, (const char *)ntlmv2_session_key.data, 8); - pass = False; - } - } - - return pass; -} - -/* - * Test the NTLMv2 and LMv2 responses - */ - -static BOOL test_lmv2_ntlmv2(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_NONE, error_string); -} - -/* - * Test the LMv2 response only - */ - -static BOOL test_lmv2(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lmv2_ntlmv2_broken(samlogon_state, NO_NT, error_string); -} - -/* - * Test the NTLMv2 response only - */ - -static BOOL test_ntlmv2(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lmv2_ntlmv2_broken(samlogon_state, NO_LM, error_string); -} - -static BOOL test_lm_ntlm(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lm_ntlm_broken(samlogon_state, BREAK_NONE, error_string); -} - -static BOOL test_ntlm_lm_broken(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lm_ntlm_broken(samlogon_state, BREAK_LM, error_string); -} - -static BOOL test_ntlm_ntlm_broken(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lm_ntlm_broken(samlogon_state, BREAK_NT, error_string); -} - -static BOOL test_lm_ntlm_both_broken(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lm_ntlm_broken(samlogon_state, BREAK_BOTH, error_string); -} -static BOOL test_ntlmv2_lmv2_broken(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_LM, error_string); -} - -static BOOL test_ntlmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_NT, error_string); -} - -static BOOL test_ntlmv2_both_broken(struct samlogon_state *samlogon_state, char **error_string) -{ - return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_BOTH, error_string); -} - -/* - * Test the NTLM2 response (extra challenge in LM feild) - * - * This test is the same as the 'break LM' test, but checks that the - * server implements NTLM2 session security in the right place - * (NETLOGON is the wrong place). - */ - -static BOOL test_ntlm2(struct samlogon_state *samlogon_state, char **error_string) -{ - BOOL pass = True; - NTSTATUS nt_status; - DATA_BLOB lm_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); - DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); - - uint8_t lm_key[8]; - uint8_t nt_hash[16]; - uint8_t lm_hash[16]; - uint8_t nt_key[16]; - uint8_t user_session_key[16]; - uint8_t expected_user_session_key[16]; - uint8_t session_nonce_hash[16]; - uint8_t client_chall[8]; - - struct MD5Context md5_session_nonce_ctx; - HMACMD5Context hmac_ctx; - - ZERO_STRUCT(user_session_key); - ZERO_STRUCT(lm_key); - generate_random_buffer(client_chall, 8); - - MD5Init(&md5_session_nonce_ctx); - MD5Update(&md5_session_nonce_ctx, samlogon_state->chall.data, 8); - MD5Update(&md5_session_nonce_ctx, client_chall, 8); - MD5Final(session_nonce_hash, &md5_session_nonce_ctx); - - E_md4hash(samlogon_state->password, (uint8_t *)nt_hash); - E_deshash(samlogon_state->password, (uint8_t *)lm_hash); - SMBsesskeygen_ntv1((const uint8_t *)nt_hash, - nt_key); - - SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, nt_response.data); - - memcpy(lm_response.data, session_nonce_hash, 8); - memset(lm_response.data + 8, 0, 16); - - hmac_md5_init_rfc2104(nt_key, 16, &hmac_ctx); - hmac_md5_update(samlogon_state->chall.data, 8, &hmac_ctx); - hmac_md5_update(client_chall, 8, &hmac_ctx); - hmac_md5_final(expected_user_session_key, &hmac_ctx); - - nt_status = check_samlogon(samlogon_state, - BREAK_NONE, - &samlogon_state->chall, - &lm_response, - &nt_response, - lm_key, - user_session_key, - error_string); - - if (!NT_STATUS_IS_OK(nt_status)) { - return False; - } - - if (memcmp(lm_hash, lm_key, - sizeof(lm_key)) != 0) { - printf("LM Key does not match expectations!\n"); - printf("lm_key:\n"); - dump_data(1, (const char *)lm_key, 8); - printf("expected:\n"); - dump_data(1, (const char *)lm_hash, 8); - pass = False; - } - if (memcmp(nt_key, user_session_key, 16) != 0) { - printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); - printf("user_session_key:\n"); - dump_data(1, (const char *)user_session_key, sizeof(user_session_key)); - printf("expected:\n"); - dump_data(1, (const char *)nt_key, sizeof(nt_key)); - pass = False; - } - return pass; -} - -static BOOL test_plaintext(struct samlogon_state *samlogon_state, enum ntlm_break break_which, char **error_string) -{ - NTSTATUS nt_status; - DATA_BLOB nt_response = data_blob(NULL, 0); - DATA_BLOB lm_response = data_blob(NULL, 0); - char *password; - char *dospw; - void *unicodepw; - - uint8_t user_session_key[16]; - uint8_t lm_key[16]; - static const uint8_t zeros[8]; - DATA_BLOB chall = data_blob_talloc(samlogon_state->mem_ctx, zeros, sizeof(zeros)); - - ZERO_STRUCT(user_session_key); - - if ((push_ucs2_talloc(samlogon_state->mem_ctx, &unicodepw, - samlogon_state->password)) == -1) { - DEBUG(0, ("push_ucs2_allocate failed!\n")); - exit(1); - } - - nt_response = data_blob_talloc(samlogon_state->mem_ctx, unicodepw, strlen_m(samlogon_state->password)*2); - - password = strupper_talloc(samlogon_state->mem_ctx, samlogon_state->password); - - if ((convert_string_talloc(samlogon_state->mem_ctx, CH_UNIX, - CH_DOS, password, - strlen(password)+1, - (void**)&dospw)) == -1) { - DEBUG(0, ("convert_string_talloc failed!\n")); - exit(1); - } - - lm_response = data_blob_talloc(samlogon_state->mem_ctx, dospw, strlen(dospw)); - - nt_status = check_samlogon(samlogon_state, - break_which, - &chall, - &lm_response, - &nt_response, - lm_key, - user_session_key, - error_string); - - if (!NT_STATUS_IS_OK(nt_status)) { - return break_which == BREAK_NT; - } - - return True; -} - -static BOOL test_plaintext_none_broken(struct samlogon_state *samlogon_state, - char **error_string) { - return test_plaintext(samlogon_state, BREAK_NONE, error_string); -} - -static BOOL test_plaintext_lm_broken(struct samlogon_state *samlogon_state, - char **error_string) { - return test_plaintext(samlogon_state, BREAK_LM, error_string); -} - -static BOOL test_plaintext_nt_broken(struct samlogon_state *samlogon_state, - char **error_string) { - return test_plaintext(samlogon_state, BREAK_NT, error_string); -} - -static BOOL test_plaintext_nt_only(struct samlogon_state *samlogon_state, - char **error_string) { - return test_plaintext(samlogon_state, NO_LM, error_string); -} - -static BOOL test_plaintext_lm_only(struct samlogon_state *samlogon_state, - char **error_string) { - return test_plaintext(samlogon_state, NO_NT, error_string); -} - -/* - Tests: - - - LM only - - NT and LM - - NT - - NT in LM field - - NT in both fields - - NTLMv2 - - NTLMv2 and LMv2 - - LMv2 - - plaintext tests (in challenge-response fields) - - check we get the correct session key in each case - check what values we get for the LM session key - -*/ - -static const struct ntlm_tests { - BOOL (*fn)(struct samlogon_state *, char **); - const char *name; - BOOL expect_fail; -} test_table[] = { - {test_lm, "LM", False}, - {test_lm_ntlm, "LM and NTLM", False}, - {test_lm_ntlm_both_broken, "LM and NTLM, both broken", False}, - {test_ntlm, "NTLM", False}, - {test_ntlm_in_lm, "NTLM in LM", False}, - {test_ntlm_in_both, "NTLM in both", False}, - {test_ntlmv2, "NTLMv2", False}, - {test_lmv2_ntlmv2, "NTLMv2 and LMv2", False}, - {test_lmv2, "LMv2", False}, - {test_ntlmv2_lmv2_broken, "NTLMv2 and LMv2, LMv2 broken", False}, - {test_ntlmv2_ntlmv2_broken, "NTLMv2 and LMv2, NTLMv2 broken", False}, - {test_ntlmv2_both_broken, "NTLMv2 and LMv2, both broken", False}, - {test_ntlm_lm_broken, "NTLM and LM, LM broken", False}, - {test_ntlm_ntlm_broken, "NTLM and LM, NTLM broken", False}, - {test_ntlm2, "NTLM2 (NTLMv2 session security)", False}, - {test_plaintext_none_broken, "Plaintext", True}, - {test_plaintext_lm_broken, "Plaintext LM broken", True}, - {test_plaintext_nt_broken, "Plaintext NT broken", True}, - {test_plaintext_nt_only, "Plaintext NT only", True}, - {test_plaintext_lm_only, "Plaintext LM only", True}, - {NULL, NULL} -}; - -/* - try a netlogon SamLogon -*/ -static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) -{ - int i, v, l, f; - BOOL ret = True; - int validation_levels[] = {2,3,6}; - int logon_levels[] = { 2, 6 }; - int function_levels[] = { - DCERPC_NETR_LOGONSAMLOGON, - DCERPC_NETR_LOGONSAMLOGONWITHFLAGS }; - struct samlogon_state samlogon_state; - - printf("testing netr_LogonSamLogon and netr_LogonSamLogonWithFlags\n"); - - samlogon_state.mem_ctx = mem_ctx; - samlogon_state.account_name = lp_parm_string(-1, "torture", "username"); - samlogon_state.account_domain = lp_parm_string(-1, "torture", "userdomain"); - samlogon_state.password = lp_parm_string(-1, "torture", "password"); - samlogon_state.p = p; - - samlogon_state.chall = data_blob_talloc(mem_ctx, NULL, 8); - - generate_random_buffer(samlogon_state.chall.data, 8); - - if (!test_SetupCredentials2(p, mem_ctx, NETLOGON_NEG_AUTH2_FLAGS, &samlogon_state.creds)) { - return False; - } - - if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_FLAGS, &samlogon_state.creds)) { - return False; - } - - if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, &samlogon_state.creds)) { - return False; - } - - samlogon_state.r_flags.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); - samlogon_state.r_flags.in.workstation = TEST_MACHINE_NAME; - samlogon_state.r_flags.in.credential = &samlogon_state.auth; - samlogon_state.r_flags.in.return_authenticator = &samlogon_state.auth2; - samlogon_state.r_flags.in.flags = 0; - - samlogon_state.r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); - samlogon_state.r.in.workstation = TEST_MACHINE_NAME; - samlogon_state.r.in.credential = &samlogon_state.auth; - samlogon_state.r.in.return_authenticator = &samlogon_state.auth2; - - for (i=0; test_table[i].fn; i++) { - for (v=0;v<ARRAY_SIZE(validation_levels);v++) { - for (l=0;l<ARRAY_SIZE(logon_levels);l++) { - for (f=0;f<ARRAY_SIZE(function_levels);f++) { - char *error_string = NULL; - samlogon_state.function_level = function_levels[f]; - samlogon_state.r.in.validation_level = validation_levels[v]; - samlogon_state.r.in.logon_level = logon_levels[l]; - samlogon_state.r_flags.in.validation_level = validation_levels[v]; - samlogon_state.r_flags.in.logon_level = logon_levels[l]; - if (!test_table[i].fn(&samlogon_state, &error_string)) { - printf("Testing '%s' at validation level %d, logon level %d, function %d: \n", - test_table[i].name, validation_levels[v], - logon_levels[l], function_levels[f]); - - if (test_table[i].expect_fail) { - printf(" failed (expected, test incomplete): %s\n", error_string); - } else { - printf(" failed: %s\n", error_string); - ret = False; - } - SAFE_FREE(error_string); - } - } - } - } - } - - return ret; -} - -/* - test an ADS style interactive domain login -*/ -static BOOL test_InteractiveLogin(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds) -{ - NTSTATUS status; - struct netr_LogonSamLogonWithFlags r; - struct netr_Authenticator a, ra; - struct netr_PasswordInfo pinfo; - const char *plain_pass; - - ZERO_STRUCT(r); - ZERO_STRUCT(ra); - - creds_client_authenticator(creds, &a); - - r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); - r.in.workstation = TEST_MACHINE_NAME; - r.in.credential = &a; - r.in.return_authenticator = &ra; - r.in.logon_level = 5; - r.in.logon.password = &pinfo; - r.in.validation_level = 6; - r.in.flags = 0; - - pinfo.identity_info.domain_name.string = lp_parm_string(-1, "torture", "userdomain"); - pinfo.identity_info.parameter_control = 0; - pinfo.identity_info.logon_id_low = 0; - pinfo.identity_info.logon_id_high = 0; - pinfo.identity_info.account_name.string = lp_parm_string(-1, "torture", "username"); - pinfo.identity_info.workstation.string = TEST_MACHINE_NAME; - - plain_pass = lp_parm_string(-1, "torture", "password"); - - E_deshash(plain_pass, pinfo.lmpassword.hash); - E_md4hash(plain_pass, pinfo.ntpassword.hash); - - creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16); - creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16); - - printf("Testing netr_LogonSamLogonWithFlags\n"); - - status = dcerpc_netr_LogonSamLogonWithFlags(p, mem_ctx, &r); - if (!NT_STATUS_IS_OK(status)) { - printf("netr_LogonSamLogonWithFlags - %s\n", nt_errstr(status)); - exit(1); - return False; - } - - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { - printf("Credential chaining failed\n"); - return False; - } - - return True; -} - - - /* try a change password for our machine account */ @@ -1229,7 +257,8 @@ static BOOL test_SetPassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) const char *password; struct creds_CredentialState creds; - if (!test_SetupCredentials(p, mem_ctx, &creds)) { + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, + machine_password, &creds)) { return False; } @@ -1279,7 +308,7 @@ static BOOL test_SetPassword(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) machine_password = password; - if (!test_SetupCredentials(p, mem_ctx, &creds)) { + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) { printf("ServerPasswordSet failed to actually change the password\n"); return False; } @@ -1303,7 +332,7 @@ static BOOL test_DatabaseSync(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) int i; BOOL ret = True; - if (!test_SetupCredentials(p, mem_ctx, &creds)) { + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1364,7 +393,7 @@ static BOOL test_DatabaseDeltas(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) int i; BOOL ret = True; - if (!test_SetupCredentials(p, mem_ctx, &creds)) { + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1418,7 +447,7 @@ static BOOL test_AccountDeltas(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) struct creds_CredentialState creds; BOOL ret = True; - if (!test_SetupCredentials(p, mem_ctx, &creds)) { + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1453,7 +482,7 @@ static BOOL test_AccountSync(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) struct creds_CredentialState creds; BOOL ret = True; - if (!test_SetupCredentials(p, mem_ctx, &creds)) { + if (!test_SetupCredentials(p, mem_ctx, TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1649,7 +678,8 @@ static BOOL test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) int i; BOOL ret = True; - if (!test_SetupCredentials2(p, mem_ctx, NETLOGON_NEG_AUTH2_FLAGS, &creds)) { + if (!test_SetupCredentials2(p, mem_ctx, NETLOGON_NEG_AUTH2_FLAGS, + TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1800,7 +830,8 @@ static BOOL test_GetDomainInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) struct netr_Authenticator a; struct creds_CredentialState creds; - if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, &creds)) { + if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1842,8 +873,6 @@ static BOOL test_GetDomainInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) return False; } - test_InteractiveLogin(p, mem_ctx, &creds); - return True; } @@ -1869,7 +898,8 @@ static BOOL test_GetDomainInfo_async(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) int i; int async_counter = 0; - if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, &creds)) { + if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + TEST_MACHINE_NAME, machine_password, &creds)) { return False; } @@ -1970,10 +1000,6 @@ BOOL torture_rpc_netlogon(void) ret = False; } - if (!test_SamLogon(p, mem_ctx)) { - ret = False; - } - if (!test_GetDomainInfo(p, mem_ctx)) { ret = False; } diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c new file mode 100644 index 0000000000..470d1d9b60 --- /dev/null +++ b/source4/torture/rpc/samlogon.c @@ -0,0 +1,1085 @@ +/* + Unix SMB/CIFS implementation. + + test suite for netlogon SamLogon operations + + Copyright (C) Andrew Tridgell 2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004 + Copyright (C) Tim Potter 2003 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_netlogon.h" +#include "auth/auth.h" +#include "lib/crypto/crypto.h" + +#define TEST_MACHINE_NAME "samlogontest" + +enum ntlm_break { + BREAK_BOTH, + BREAK_NONE, + BREAK_LM, + BREAK_NT, + NO_LM, + NO_NT +}; + +struct samlogon_state { + TALLOC_CTX *mem_ctx; + const char *account_name; + const char *account_domain; + const char *password; + struct dcerpc_pipe *p; + int function_level; + struct netr_LogonSamLogon r; + struct netr_LogonSamLogonWithFlags r_flags; + struct netr_Authenticator auth, auth2; + struct creds_CredentialState *creds; + + DATA_BLOB chall; +}; + +/* + Authenticate a user with a challenge/response, checking session key + and valid authentication types +*/ +static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, + enum ntlm_break break_which, + DATA_BLOB *chall, + DATA_BLOB *lm_response, + DATA_BLOB *nt_response, + uint8_t lm_key[8], + uint8_t user_session_key[16], + char **error_string) +{ + NTSTATUS status; + struct netr_LogonSamLogon *r = &samlogon_state->r; + struct netr_LogonSamLogonWithFlags *r_flags = &samlogon_state->r_flags; + struct netr_NetworkInfo ninfo; + + struct netr_SamBaseInfo *base; + + uint16 validation_level; + + samlogon_state->r.in.logon.network = &ninfo; + samlogon_state->r_flags.in.logon.network = &ninfo; + + ninfo.identity_info.domain_name.string = samlogon_state->account_domain; + ninfo.identity_info.parameter_control = 0; + ninfo.identity_info.logon_id_low = 0; + ninfo.identity_info.logon_id_high = 0; + ninfo.identity_info.account_name.string = samlogon_state->account_name; + ninfo.identity_info.workstation.string = TEST_MACHINE_NAME; + + memcpy(ninfo.challenge, chall->data, 8); + + switch (break_which) { + case BREAK_NONE: + break; + case BREAK_LM: + if (lm_response && lm_response->data) { + lm_response->data[0]++; + } + break; + case BREAK_NT: + if (nt_response && nt_response->data) { + nt_response->data[0]++; + } + break; + case BREAK_BOTH: + if (lm_response && lm_response->data) { + lm_response->data[0]++; + } + if (nt_response && nt_response->data) { + nt_response->data[0]++; + } + break; + case NO_LM: + data_blob_free(lm_response); + break; + case NO_NT: + data_blob_free(nt_response); + break; + } + + if (nt_response) { + ninfo.nt.data = nt_response->data; + ninfo.nt.length = nt_response->length; + } else { + ninfo.nt.data = NULL; + ninfo.nt.length = 0; + } + + if (lm_response) { + ninfo.lm.data = lm_response->data; + ninfo.lm.length = lm_response->length; + } else { + ninfo.lm.data = NULL; + ninfo.lm.length = 0; + } + + ZERO_STRUCT(samlogon_state->auth2); + creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth); + + switch (samlogon_state->function_level) { + case DCERPC_NETR_LOGONSAMLOGON: + r->out.return_authenticator = NULL; + status = dcerpc_netr_LogonSamLogon(samlogon_state->p, samlogon_state->mem_ctx, r); + if (!r->out.return_authenticator || + !creds_client_check(samlogon_state->creds, &r->out.return_authenticator->cred)) { + printf("Credential chaining failed\n"); + } + if (!NT_STATUS_IS_OK(status)) { + if (error_string) { + *error_string = strdup(nt_errstr(status)); + } + } + + validation_level = r->in.validation_level; + switch (validation_level) { + case 2: + base = &r->out.validation.sam2->base; + break; + case 3: + base = &r->out.validation.sam3->base; + break; + case 6: + base = &r->out.validation.sam6->base; + break; + } + break; + case DCERPC_NETR_LOGONSAMLOGONWITHFLAGS: + r_flags->out.return_authenticator = NULL; + status = dcerpc_netr_LogonSamLogonWithFlags(samlogon_state->p, samlogon_state->mem_ctx, r_flags); + if (!r_flags->out.return_authenticator || + !creds_client_check(samlogon_state->creds, &r_flags->out.return_authenticator->cred)) { + printf("Credential chaining failed\n"); + } + if (!NT_STATUS_IS_OK(status)) { + if (error_string) { + *error_string = strdup(nt_errstr(status)); + } + } + + validation_level = r_flags->in.validation_level; + switch (validation_level) { + case 2: + base = &r_flags->out.validation.sam2->base; + break; + case 3: + base = &r_flags->out.validation.sam3->base; + break; + case 6: + base = &r_flags->out.validation.sam6->base; + break; + } + break; + } + + + if (!NT_STATUS_IS_OK(status)) { + /* we cannot check the session key, if the logon failed... */ + return status; + } + + + /* find and decyrpt the session keys, return in parameters above */ + if (validation_level == 6) { + /* they aren't encrypted! */ + if (user_session_key) { + memcpy(user_session_key, base->key.key, 16); + } + if (lm_key) { + memcpy(lm_key, base->LMSessKey.key, 8); + } + } else if (samlogon_state->creds->negotiate_flags) { + static const char zeros[16]; + + if (memcmp(base->key.key, zeros, + sizeof(base->key.key)) != 0) { + creds_arcfour_crypt(samlogon_state->creds, + base->key.key, + sizeof(base->key.key)); + } + + if (user_session_key) { + memcpy(user_session_key, base->key.key, 16); + } + + if (memcmp(base->LMSessKey.key, zeros, + sizeof(base->LMSessKey.key)) != 0) { + creds_arcfour_crypt(samlogon_state->creds, + base->LMSessKey.key, + sizeof(base->LMSessKey.key)); + } + + if (lm_key) { + memcpy(lm_key, base->LMSessKey.key, 8); + } + } else { + static const char zeros[16]; + + if (user_session_key) { + memcpy(user_session_key, base->key.key, 16); + } + + if (memcmp(base->LMSessKey.key, zeros, + sizeof(base->LMSessKey.key)) != 0) { + creds_des_decrypt_LMKey(samlogon_state->creds, + &base->LMSessKey); + } + + if (lm_key) { + memcpy(lm_key, base->LMSessKey.key, 8); + } + } + + return status; +} + + +/* + * Test the normal 'LM and NTLM' combination + */ + +static BOOL test_lm_ntlm_broken(struct samlogon_state *samlogon_state, enum ntlm_break break_which, char **error_string) +{ + BOOL pass = True; + BOOL lm_good; + NTSTATUS nt_status; + DATA_BLOB lm_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); + DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); + DATA_BLOB session_key = data_blob_talloc(samlogon_state->mem_ctx, NULL, 16); + + uint8_t lm_key[8]; + uint8_t user_session_key[16]; + uint8_t lm_hash[16]; + uint8_t nt_hash[16]; + + ZERO_STRUCT(lm_key); + ZERO_STRUCT(user_session_key); + + lm_good = SMBencrypt(samlogon_state->password, samlogon_state->chall.data, lm_response.data); + if (!lm_good) { + ZERO_STRUCT(lm_hash); + } else { + E_deshash(samlogon_state->password, lm_hash); + } + + SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, nt_response.data); + + E_md4hash(samlogon_state->password, nt_hash); + SMBsesskeygen_ntv1(nt_hash, session_key.data); + + nt_status = check_samlogon(samlogon_state, + break_which, + &samlogon_state->chall, + &lm_response, + &nt_response, + lm_key, + user_session_key, + error_string); + + data_blob_free(&lm_response); + + if (NT_STATUS_EQUAL(NT_STATUS_WRONG_PASSWORD, nt_status)) { + /* for 'long' passwords, the LM password is invalid */ + if (break_which == NO_NT && !lm_good) { + return True; + } + return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH)); + } + + if (!NT_STATUS_IS_OK(nt_status)) { + return False; + } + + if (break_which == NO_NT && !lm_good) { + printf("LM password is 'long' (> 14 chars and therefore invalid) but login did not fail!"); + return False; + } + + if (memcmp(lm_hash, lm_key, + sizeof(lm_key)) != 0) { + printf("LM Key does not match expectations!\n"); + printf("lm_key:\n"); + dump_data(1, (const char *)lm_key, 8); + printf("expected:\n"); + dump_data(1, (const char *)lm_hash, 8); + pass = False; + } + + switch (break_which) { + case NO_NT: + { + char lm_key_expected[16]; + memcpy(lm_key_expected, lm_hash, 8); + memset(lm_key_expected+8, '\0', 8); + if (memcmp(lm_key_expected, user_session_key, + 16) != 0) { + printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); + printf("user_session_key:\n"); + dump_data(1, (const char *)user_session_key, sizeof(user_session_key)); + printf("expected:\n"); + dump_data(1, (const char *)lm_key_expected, sizeof(lm_key_expected)); + pass = False; + } + break; + } + default: + if (memcmp(session_key.data, user_session_key, + sizeof(user_session_key)) != 0) { + printf("NT Session Key does not match expectations!\n"); + printf("user_session_key:\n"); + dump_data(1, (const char *)user_session_key, 16); + printf("expected:\n"); + dump_data(1, (const char *)session_key.data, session_key.length); + pass = False; + } + } + return pass; +} + +/* + * Test LM authentication, no NT response supplied + */ + +static BOOL test_lm(struct samlogon_state *samlogon_state, char **error_string) +{ + + return test_lm_ntlm_broken(samlogon_state, NO_NT, error_string); +} + +/* + * Test the NTLM response only, no LM. + */ + +static BOOL test_ntlm(struct samlogon_state *samlogon_state, char **error_string) +{ + return test_lm_ntlm_broken(samlogon_state, NO_LM, error_string); +} + +/* + * Test the NTLM response only, but in the LM field. + */ + +static BOOL test_ntlm_in_lm(struct samlogon_state *samlogon_state, char **error_string) +{ + BOOL pass = True; + NTSTATUS nt_status; + DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); + + uint8_t lm_key[8]; + uint8_t lm_hash[16]; + uint8_t user_session_key[16]; + + ZERO_STRUCT(user_session_key); + + SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, nt_response.data); + + E_deshash(samlogon_state->password, lm_hash); + + nt_status = check_samlogon(samlogon_state, + BREAK_NONE, + &samlogon_state->chall, + &nt_response, + NULL, + lm_key, + user_session_key, + error_string); + + if (!NT_STATUS_IS_OK(nt_status)) { + return False; + } + + if (memcmp(lm_hash, lm_key, + sizeof(lm_key)) != 0) { + printf("LM Key does not match expectations!\n"); + printf("lm_key:\n"); + dump_data(1, (const char *)lm_key, 8); + printf("expected:\n"); + dump_data(1, (const char *)lm_hash, 8); + pass = False; + } + if (memcmp(lm_hash, user_session_key, 8) != 0) { + char lm_key_expected[16]; + memcpy(lm_key_expected, lm_hash, 8); + memset(lm_key_expected+8, '\0', 8); + if (memcmp(lm_key_expected, user_session_key, + 16) != 0) { + printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); + printf("user_session_key:\n"); + dump_data(1, (const char *)user_session_key, sizeof(user_session_key)); + printf("expected:\n"); + dump_data(1, (const char *)lm_key_expected, sizeof(lm_key_expected)); + pass = False; + } + } + return pass; +} + +/* + * Test the NTLM response only, but in the both the NT and LM fields. + */ + +static BOOL test_ntlm_in_both(struct samlogon_state *samlogon_state, char **error_string) +{ + BOOL pass = True; + BOOL lm_good; + NTSTATUS nt_status; + DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); + DATA_BLOB session_key = data_blob_talloc(samlogon_state->mem_ctx, NULL, 16); + + char lm_key[8]; + char lm_hash[16]; + char user_session_key[16]; + char nt_hash[16]; + + ZERO_STRUCT(lm_key); + ZERO_STRUCT(user_session_key); + + SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, + nt_response.data); + E_md4hash(samlogon_state->password, (uint8_t *)nt_hash); + SMBsesskeygen_ntv1((const uint8_t *)nt_hash, + session_key.data); + + lm_good = E_deshash(samlogon_state->password, (uint8_t *)lm_hash); + if (!lm_good) { + ZERO_STRUCT(lm_hash); + } + + nt_status = check_samlogon(samlogon_state, + BREAK_NONE, + &samlogon_state->chall, + NULL, + &nt_response, + lm_key, + user_session_key, + error_string); + + if (!NT_STATUS_IS_OK(nt_status)) { + return False; + } + + if (memcmp(lm_hash, lm_key, + sizeof(lm_key)) != 0) { + printf("LM Key does not match expectations!\n"); + printf("lm_key:\n"); + dump_data(1, lm_key, 8); + printf("expected:\n"); + dump_data(1, lm_hash, 8); + pass = False; + } + if (memcmp(session_key.data, user_session_key, + sizeof(user_session_key)) != 0) { + printf("NT Session Key does not match expectations!\n"); + printf("user_session_key:\n"); + dump_data(1, user_session_key, 16); + printf("expected:\n"); + dump_data(1, (const char *)session_key.data, session_key.length); + pass = False; + } + + + return pass; +} + +/* + * Test the NTLMv2 and LMv2 responses + */ + +static BOOL test_lmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, enum ntlm_break break_which, char **error_string) +{ + BOOL pass = True; + NTSTATUS nt_status; + DATA_BLOB ntlmv2_response = data_blob(NULL, 0); + DATA_BLOB lmv2_response = data_blob(NULL, 0); + DATA_BLOB lmv2_session_key = data_blob(NULL, 0); + DATA_BLOB ntlmv2_session_key = data_blob(NULL, 0); + DATA_BLOB names_blob = NTLMv2_generate_names_blob(samlogon_state->mem_ctx, lp_netbios_name(), lp_workgroup()); + + uint8_t lm_session_key[8]; + uint8_t user_session_key[16]; + + ZERO_STRUCT(lm_session_key); + ZERO_STRUCT(user_session_key); + + /* TODO - test with various domain cases, and without domain */ + if (!SMBNTLMv2encrypt(samlogon_state->account_name, samlogon_state->account_domain, + samlogon_state->password, &samlogon_state->chall, + &names_blob, + &lmv2_response, &ntlmv2_response, + &lmv2_session_key, &ntlmv2_session_key)) { + data_blob_free(&names_blob); + return False; + } + data_blob_free(&names_blob); + + nt_status = check_samlogon(samlogon_state, + break_which, + &samlogon_state->chall, + &lmv2_response, + &ntlmv2_response, + lm_session_key, + user_session_key, + error_string); + + data_blob_free(&lmv2_response); + data_blob_free(&ntlmv2_response); + + + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { + return break_which == BREAK_BOTH; + } + + switch (break_which) { + case NO_NT: + if (memcmp(lmv2_session_key.data, user_session_key, + sizeof(user_session_key)) != 0) { + printf("USER (LMv2) Session Key does not match expectations!\n"); + printf("user_session_key:\n"); + dump_data(1, (const char *)user_session_key, 16); + printf("expected:\n"); + dump_data(1, (const char *)lmv2_session_key.data, ntlmv2_session_key.length); + pass = False; + } + if (memcmp(lmv2_session_key.data, lm_session_key, + sizeof(lm_session_key)) != 0) { + printf("LM (LMv2) Session Key does not match expectations!\n"); + printf("lm_session_key:\n"); + dump_data(1, (const char *)lm_session_key, 8); + printf("expected:\n"); + dump_data(1, (const char *)lmv2_session_key.data, 8); + pass = False; + } + break; + default: + if (memcmp(ntlmv2_session_key.data, user_session_key, + sizeof(user_session_key)) != 0) { + printf("USER (NTLMv2) Session Key does not match expectations!\n"); + printf("user_session_key:\n"); + dump_data(1, (const char *)user_session_key, 16); + printf("expected:\n"); + dump_data(1, (const char *)ntlmv2_session_key.data, ntlmv2_session_key.length); + pass = False; + } + if (memcmp(ntlmv2_session_key.data, lm_session_key, + sizeof(lm_session_key)) != 0) { + printf("LM (NTLMv2) Session Key does not match expectations!\n"); + printf("lm_session_key:\n"); + dump_data(1, (const char *)lm_session_key, 8); + printf("expected:\n"); + dump_data(1, (const char *)ntlmv2_session_key.data, 8); + pass = False; + } + } + + return pass; +} + +/* + * Test the NTLMv2 and LMv2 responses + */ + +static BOOL test_lmv2_ntlmv2(struct samlogon_state *samlogon_state, char **error_string) +{ + return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_NONE, error_string); +} + +/* + * Test the LMv2 response only + */ + +static BOOL test_lmv2(struct samlogon_state *samlogon_state, char **error_string) +{ + return test_lmv2_ntlmv2_broken(samlogon_state, NO_NT, error_string); +} + +/* + * Test the NTLMv2 response only + */ + +static BOOL test_ntlmv2(struct samlogon_state *samlogon_state, char **error_string) +{ + return test_lmv2_ntlmv2_broken(samlogon_state, NO_LM, error_string); +} + +static BOOL test_lm_ntlm(struct samlogon_state *samlogon_state, char **error_string) +{ + return test_lm_ntlm_broken(samlogon_state, BREAK_NONE, error_string); +} + +static BOOL test_ntlm_lm_broken(struct samlogon_state *samlogon_state, char **error_string) +{ + return test_lm_ntlm_broken(samlogon_state, BREAK_LM, error_string); +} + +static BOOL test_ntlm_ntlm_broken(struct samlogon_state *samlogon_state, char **error_string) +{ + return test_lm_ntlm_broken(samlogon_state, BREAK_NT, error_string); +} + +static BOOL test_lm_ntlm_both_broken(struct samlogon_state *samlogon_state, char **error_string) +{ + return test_lm_ntlm_broken(samlogon_state, BREAK_BOTH, error_string); +} +static BOOL test_ntlmv2_lmv2_broken(struct samlogon_state *samlogon_state, char **error_string) +{ + return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_LM, error_string); +} + +static BOOL test_ntlmv2_ntlmv2_broken(struct samlogon_state *samlogon_state, char **error_string) +{ + return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_NT, error_string); +} + +static BOOL test_ntlmv2_both_broken(struct samlogon_state *samlogon_state, char **error_string) +{ + return test_lmv2_ntlmv2_broken(samlogon_state, BREAK_BOTH, error_string); +} + +/* + * Test the NTLM2 response (extra challenge in LM feild) + * + * This test is the same as the 'break LM' test, but checks that the + * server implements NTLM2 session security in the right place + * (NETLOGON is the wrong place). + */ + +static BOOL test_ntlm2(struct samlogon_state *samlogon_state, char **error_string) +{ + BOOL pass = True; + NTSTATUS nt_status; + DATA_BLOB lm_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); + DATA_BLOB nt_response = data_blob_talloc(samlogon_state->mem_ctx, NULL, 24); + + uint8_t lm_key[8]; + uint8_t nt_hash[16]; + uint8_t lm_hash[16]; + uint8_t nt_key[16]; + uint8_t user_session_key[16]; + uint8_t expected_user_session_key[16]; + uint8_t session_nonce_hash[16]; + uint8_t client_chall[8]; + + struct MD5Context md5_session_nonce_ctx; + HMACMD5Context hmac_ctx; + + ZERO_STRUCT(user_session_key); + ZERO_STRUCT(lm_key); + generate_random_buffer(client_chall, 8); + + MD5Init(&md5_session_nonce_ctx); + MD5Update(&md5_session_nonce_ctx, samlogon_state->chall.data, 8); + MD5Update(&md5_session_nonce_ctx, client_chall, 8); + MD5Final(session_nonce_hash, &md5_session_nonce_ctx); + + E_md4hash(samlogon_state->password, (uint8_t *)nt_hash); + E_deshash(samlogon_state->password, (uint8_t *)lm_hash); + SMBsesskeygen_ntv1((const uint8_t *)nt_hash, + nt_key); + + SMBNTencrypt(samlogon_state->password, samlogon_state->chall.data, nt_response.data); + + memcpy(lm_response.data, session_nonce_hash, 8); + memset(lm_response.data + 8, 0, 16); + + hmac_md5_init_rfc2104(nt_key, 16, &hmac_ctx); + hmac_md5_update(samlogon_state->chall.data, 8, &hmac_ctx); + hmac_md5_update(client_chall, 8, &hmac_ctx); + hmac_md5_final(expected_user_session_key, &hmac_ctx); + + nt_status = check_samlogon(samlogon_state, + BREAK_NONE, + &samlogon_state->chall, + &lm_response, + &nt_response, + lm_key, + user_session_key, + error_string); + + if (!NT_STATUS_IS_OK(nt_status)) { + return False; + } + + if (memcmp(lm_hash, lm_key, + sizeof(lm_key)) != 0) { + printf("LM Key does not match expectations!\n"); + printf("lm_key:\n"); + dump_data(1, (const char *)lm_key, 8); + printf("expected:\n"); + dump_data(1, (const char *)lm_hash, 8); + pass = False; + } + if (memcmp(nt_key, user_session_key, 16) != 0) { + printf("NT Session Key does not match expectations (should be first-8 LM hash)!\n"); + printf("user_session_key:\n"); + dump_data(1, (const char *)user_session_key, sizeof(user_session_key)); + printf("expected:\n"); + dump_data(1, (const char *)nt_key, sizeof(nt_key)); + pass = False; + } + return pass; +} + +static BOOL test_plaintext(struct samlogon_state *samlogon_state, enum ntlm_break break_which, char **error_string) +{ + NTSTATUS nt_status; + DATA_BLOB nt_response = data_blob(NULL, 0); + DATA_BLOB lm_response = data_blob(NULL, 0); + char *password; + char *dospw; + void *unicodepw; + + uint8_t user_session_key[16]; + uint8_t lm_key[16]; + static const uint8_t zeros[8]; + DATA_BLOB chall = data_blob_talloc(samlogon_state->mem_ctx, zeros, sizeof(zeros)); + + ZERO_STRUCT(user_session_key); + + if ((push_ucs2_talloc(samlogon_state->mem_ctx, &unicodepw, + samlogon_state->password)) == -1) { + DEBUG(0, ("push_ucs2_allocate failed!\n")); + exit(1); + } + + nt_response = data_blob_talloc(samlogon_state->mem_ctx, unicodepw, strlen_m(samlogon_state->password)*2); + + password = strupper_talloc(samlogon_state->mem_ctx, samlogon_state->password); + + if ((convert_string_talloc(samlogon_state->mem_ctx, CH_UNIX, + CH_DOS, password, + strlen(password)+1, + (void**)&dospw)) == -1) { + DEBUG(0, ("convert_string_talloc failed!\n")); + exit(1); + } + + lm_response = data_blob_talloc(samlogon_state->mem_ctx, dospw, strlen(dospw)); + + nt_status = check_samlogon(samlogon_state, + break_which, + &chall, + &lm_response, + &nt_response, + lm_key, + user_session_key, + error_string); + + if (!NT_STATUS_IS_OK(nt_status)) { + return break_which == BREAK_NT; + } + + return True; +} + +static BOOL test_plaintext_none_broken(struct samlogon_state *samlogon_state, + char **error_string) { + return test_plaintext(samlogon_state, BREAK_NONE, error_string); +} + +static BOOL test_plaintext_lm_broken(struct samlogon_state *samlogon_state, + char **error_string) { + return test_plaintext(samlogon_state, BREAK_LM, error_string); +} + +static BOOL test_plaintext_nt_broken(struct samlogon_state *samlogon_state, + char **error_string) { + return test_plaintext(samlogon_state, BREAK_NT, error_string); +} + +static BOOL test_plaintext_nt_only(struct samlogon_state *samlogon_state, + char **error_string) { + return test_plaintext(samlogon_state, NO_LM, error_string); +} + +static BOOL test_plaintext_lm_only(struct samlogon_state *samlogon_state, + char **error_string) { + return test_plaintext(samlogon_state, NO_NT, error_string); +} + +/* + Tests: + + - LM only + - NT and LM + - NT + - NT in LM field + - NT in both fields + - NTLMv2 + - NTLMv2 and LMv2 + - LMv2 + - plaintext tests (in challenge-response fields) + + check we get the correct session key in each case + check what values we get for the LM session key + +*/ + +static const struct ntlm_tests { + BOOL (*fn)(struct samlogon_state *, char **); + const char *name; + BOOL expect_fail; +} test_table[] = { + {test_lm, "LM", False}, + {test_lm_ntlm, "LM and NTLM", False}, + {test_lm_ntlm_both_broken, "LM and NTLM, both broken", False}, + {test_ntlm, "NTLM", False}, + {test_ntlm_in_lm, "NTLM in LM", False}, + {test_ntlm_in_both, "NTLM in both", False}, + {test_ntlmv2, "NTLMv2", False}, + {test_lmv2_ntlmv2, "NTLMv2 and LMv2", False}, + {test_lmv2, "LMv2", False}, + {test_ntlmv2_lmv2_broken, "NTLMv2 and LMv2, LMv2 broken", False}, + {test_ntlmv2_ntlmv2_broken, "NTLMv2 and LMv2, NTLMv2 broken", False}, + {test_ntlmv2_both_broken, "NTLMv2 and LMv2, both broken", False}, + {test_ntlm_lm_broken, "NTLM and LM, LM broken", False}, + {test_ntlm_ntlm_broken, "NTLM and LM, NTLM broken", False}, + {test_ntlm2, "NTLM2 (NTLMv2 session security)", False}, + {test_plaintext_none_broken, "Plaintext", True}, + {test_plaintext_lm_broken, "Plaintext LM broken", True}, + {test_plaintext_nt_broken, "Plaintext NT broken", True}, + {test_plaintext_nt_only, "Plaintext NT only", True}, + {test_plaintext_lm_only, "Plaintext LM only", True}, + {NULL, NULL} +}; + +/* + try a netlogon SamLogon +*/ +static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + struct creds_CredentialState *creds) +{ + int i, v, l, f; + BOOL ret = True; + int validation_levels[] = {2,3,6}; + int logon_levels[] = { 2, 6 }; + int function_levels[] = { + DCERPC_NETR_LOGONSAMLOGON, + DCERPC_NETR_LOGONSAMLOGONWITHFLAGS }; + struct samlogon_state samlogon_state; + + printf("testing netr_LogonSamLogon and netr_LogonSamLogonWithFlags\n"); + + samlogon_state.mem_ctx = mem_ctx; + samlogon_state.account_name = lp_parm_string(-1, "torture", "username"); + samlogon_state.account_domain = lp_parm_string(-1, "torture", "userdomain"); + samlogon_state.password = lp_parm_string(-1, "torture", "password"); + samlogon_state.p = p; + samlogon_state.creds = creds; + + samlogon_state.chall = data_blob_talloc(mem_ctx, NULL, 8); + + generate_random_buffer(samlogon_state.chall.data, 8); + samlogon_state.r_flags.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); + samlogon_state.r_flags.in.workstation = TEST_MACHINE_NAME; + samlogon_state.r_flags.in.credential = &samlogon_state.auth; + samlogon_state.r_flags.in.return_authenticator = &samlogon_state.auth2; + samlogon_state.r_flags.in.flags = 0; + + samlogon_state.r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); + samlogon_state.r.in.workstation = TEST_MACHINE_NAME; + samlogon_state.r.in.credential = &samlogon_state.auth; + samlogon_state.r.in.return_authenticator = &samlogon_state.auth2; + + for (i=0; test_table[i].fn; i++) { + for (v=0;v<ARRAY_SIZE(validation_levels);v++) { + for (l=0;l<ARRAY_SIZE(logon_levels);l++) { + for (f=0;f<ARRAY_SIZE(function_levels);f++) { + char *error_string = NULL; + samlogon_state.function_level = function_levels[f]; + samlogon_state.r.in.validation_level = validation_levels[v]; + samlogon_state.r.in.logon_level = logon_levels[l]; + samlogon_state.r_flags.in.validation_level = validation_levels[v]; + samlogon_state.r_flags.in.logon_level = logon_levels[l]; + if (!test_table[i].fn(&samlogon_state, &error_string)) { + printf("Testing '%s' at validation level %d, logon level %d, function %d: \n", + test_table[i].name, validation_levels[v], + logon_levels[l], function_levels[f]); + + if (test_table[i].expect_fail) { + printf(" failed (expected, test incomplete): %s\n", error_string); + } else { + printf(" failed: %s\n", error_string); + ret = False; + } + SAFE_FREE(error_string); + } + } + } + } + } + + return ret; +} + +/* + test an ADS style interactive domain logon +*/ +static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + struct creds_CredentialState *creds) +{ + NTSTATUS status; + struct netr_LogonSamLogonWithFlags r; + struct netr_Authenticator a, ra; + struct netr_PasswordInfo pinfo; + const char *plain_pass; + + ZERO_STRUCT(a); + ZERO_STRUCT(r); + ZERO_STRUCT(ra); + + creds_client_authenticator(creds, &a); + + r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p)); + r.in.workstation = TEST_MACHINE_NAME; + r.in.credential = &a; + r.in.return_authenticator = &ra; + r.in.logon_level = 5; + r.in.logon.password = &pinfo; + r.in.validation_level = 6; + r.in.flags = 0; + + pinfo.identity_info.domain_name.string = lp_parm_string(-1, "torture", "userdomain"); + pinfo.identity_info.parameter_control = 0; + pinfo.identity_info.logon_id_low = 0; + pinfo.identity_info.logon_id_high = 0; + pinfo.identity_info.account_name.string = lp_parm_string(-1, "torture", "username"); + pinfo.identity_info.workstation.string = TEST_MACHINE_NAME; + + plain_pass = lp_parm_string(-1, "torture", "password"); + + E_deshash(plain_pass, pinfo.lmpassword.hash); + E_md4hash(plain_pass, pinfo.ntpassword.hash); + + if (creds->negotiate_flags) { + creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16); + creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16); + } else { + creds_des_encrypt(creds, &pinfo.lmpassword); + creds_des_encrypt(creds, &pinfo.ntpassword); + } + + printf("Testing netr_LogonSamLogonWithFlags\n"); + + status = dcerpc_netr_LogonSamLogonWithFlags(p, mem_ctx, &r); + if (!NT_STATUS_IS_OK(status)) { + printf("netr_LogonSamLogonWithFlags - %s\n", nt_errstr(status)); + return False; + } + + if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + printf("Credential chaining failed\n"); + return False; + } + + return True; +} + + + +BOOL torture_rpc_samlogon(void) +{ + NTSTATUS status; + struct dcerpc_pipe *p; + TALLOC_CTX *mem_ctx; + BOOL ret = True; + void *join_ctx; + const char *machine_pass; + + struct creds_CredentialState creds; + + mem_ctx = talloc_init("torture_rpc_netlogon"); + + join_ctx = torture_join_domain(TEST_MACHINE_NAME, lp_workgroup(), ACB_SVRTRUST, + &machine_pass); + if (!join_ctx) { + printf("Failed to join as BDC\n"); + return False; + } + + status = torture_rpc_connection(&p, + DCERPC_NETLOGON_NAME, + DCERPC_NETLOGON_UUID, + DCERPC_NETLOGON_VERSION); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + + + if (!test_SetupCredentials(p, mem_ctx, + TEST_MACHINE_NAME, machine_pass, &creds)) { + ret = False; + } + + if (!test_InteractiveLogon(p, mem_ctx, &creds)) { + ret = False; + } + + if (!test_SamLogon(p, mem_ctx, &creds)) { + ret = False; + } + + if (!test_SetupCredentials2(p, mem_ctx, NETLOGON_NEG_AUTH2_FLAGS, + TEST_MACHINE_NAME, machine_pass, &creds)) { + return False; + } + + if (!test_SamLogon(p, mem_ctx, &creds)) { + ret = False; + } + + if (!test_InteractiveLogon(p, mem_ctx, &creds)) { + ret = False; + } + + if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_FLAGS, + TEST_MACHINE_NAME, machine_pass, &creds)) { + return False; + } + + if (!test_SamLogon(p, mem_ctx, &creds)) { + ret = False; + } + + if (!test_InteractiveLogon(p, mem_ctx, &creds)) { + ret = False; + } + + if (!test_SetupCredentials3(p, mem_ctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, + TEST_MACHINE_NAME, machine_pass, &creds)) { + return False; + } + + if (!test_SamLogon(p, mem_ctx, &creds)) { + ret = False; + } + + if (!test_InteractiveLogon(p, mem_ctx, &creds)) { + ret = False; + } + + talloc_destroy(mem_ctx); + + torture_rpc_close(p); + + torture_leave_domain(join_ctx); + + return ret; +} diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index 3355786d35..6941a203b1 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -22,6 +22,7 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_samr.h" +#include "librpc/gen_ndr/ndr_netlogon.h" #define TEST_MACHINE_NAME "schanneltest" @@ -98,6 +99,23 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx, goto failed; } + status = dcerpc_pipe_connect_b(&p, &b, + DCERPC_NETLOGON_UUID, + DCERPC_NETLOGON_VERSION, + lp_workgroup(), + TEST_MACHINE_NAME, + machine_password); + if (!NT_STATUS_IS_OK(status)) { + printf("Failed to connect with schannel\n"); + goto failed; + } + +#if 0 + if (!test_netlogon_ops(p, mem_ctx)) { + printf("Failed to process schannel secured ops\n"); + goto failed; + } +#endif torture_leave_domain(join_ctx); dcerpc_pipe_close(p); diff --git a/source4/torture/rpc/testjoin.c b/source4/torture/rpc/testjoin.c index e592af3c5e..55f508941d 100644 --- a/source4/torture/rpc/testjoin.c +++ b/source4/torture/rpc/testjoin.c @@ -85,10 +85,10 @@ static NTSTATUS DeleteUser_byname(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, an opaque pointer is returned. Pass it to torture_leave_domain() when finished */ -void *torture_join_domain(const char *machine_name, - const char *domain, - uint16 acct_flags, - const char **machine_password) +struct test_join *torture_join_domain(const char *machine_name, + const char *domain, + uint16 acct_flags, + const char **machine_password) { NTSTATUS status; struct samr_Connect c; @@ -209,7 +209,7 @@ again: if (!NT_STATUS_IS_OK(status)) { printf("SetUserInfo level %u - no session key - %s\n", s.in.level, nt_errstr(status)); - torture_leave_domain(&join); + torture_leave_domain(join); goto failed; } @@ -235,8 +235,9 @@ again: goto failed; } - *machine_password = join->machine_password; - + if (machine_password) { + *machine_password = join->machine_password; + } return join; failed: @@ -248,9 +249,8 @@ failed: /* leave the domain, deleting the machine acct */ -void torture_leave_domain(void *join_ctx) +void torture_leave_domain(struct test_join *join) { - struct test_join *join = join_ctx; struct samr_DeleteUser d; NTSTATUS status; @@ -276,9 +276,9 @@ struct test_join_ads_dc { struct test_join *join; }; -void *torture_join_domain_ads_dc(const char *machine_name, - const char *domain, - const char **machine_password) +struct test_join_ads_dc *torture_join_domain_ads_dc(const char *machine_name, + const char *domain, + const char **machine_password) { struct test_join_ads_dc *join; @@ -354,9 +354,8 @@ void *torture_join_domain_ads_dc(const char *machine_name, return join; } -void torture_leave_domain_ads_dc(void *join_ctx) +void torture_leave_domain_ads_dc(struct test_join_ads_dc *join) { - struct test_join_ads_dc *join = join_ctx; if (join->join) { torture_leave_domain(join->join); diff --git a/source4/torture/torture.c b/source4/torture/torture.c index 878325d448..975b83e6ad 100644 --- a/source4/torture/torture.c +++ b/source4/torture/torture.c @@ -2438,6 +2438,7 @@ static struct { {"RPC-SPOOLSS", torture_rpc_spoolss, 0}, {"RPC-SAMR", torture_rpc_samr, 0}, {"RPC-NETLOGON", torture_rpc_netlogon, 0}, + {"RPC-SAMLOGON", torture_rpc_samlogon, 0}, {"RPC-SCHANNEL", torture_rpc_schannel, 0}, {"RPC-WKSSVC", torture_rpc_wkssvc, 0}, {"RPC-SRVSVC", torture_rpc_srvsvc, 0}, |