path: root/source4/torture/rpc/remote_pac.c

/*
   Unix SMB/CIFS implementation.

   test suite for netlogon PAC operations

   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2012

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "auth/auth.h"
#include "auth/auth_sam_reply.h"
#include "auth/gensec/gensec.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_krb5.h"
#include "lib/cmdline/cmdline.h"
#include "torture/rpc/torture_rpc.h"
#include "libcli/auth/libcli_auth.h"
#include "libcli/security/security.h"
#include "librpc/gen_ndr/ndr_netlogon_c.h"
#include "librpc/gen_ndr/ndr_krb5pac.h"
#include "librpc/gen_ndr/ndr_samr_c.h"
#include "param/param.h"
#include <ldb.h>
#include "ldb_wrap.h"
#include "dsdb/samdb/samdb.h"

#define TEST_MACHINE_NAME_BDC "torturepacbdc"
#define TEST_MACHINE_NAME_WKSTA "torturepacwksta"
#define TEST_MACHINE_NAME_S4U2SELF_BDC "tests4u2selfbdc"
#define TEST_MACHINE_NAME_S4U2SELF_WKSTA "tests4u2selfwk"
#define TEST_MACHINE_NAME_S4U2PROXY_WKSTA "tests4u2proxywk"

struct pac_data {
	DATA_BLOB pac_blob;
	struct PAC_SIGNATURE_DATA *pac_srv_sig;
	struct PAC_SIGNATURE_DATA *pac_kdc_sig;
};

/* A helper function which avoids touching the local databases to
 * generate the session info, as we just want to verify the PAC
 * details, not the full local token */
static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
					       TALLOC_CTX *mem_ctx,
					       struct smb_krb5_context *smb_krb5_context,
					       DATA_BLOB *pac_blob,
					       const char *principal_name,
					       const struct tsocket_address *remote_address,
					       uint32_t session_info_flags,
					       struct auth_session_info **session_info)
{
	NTSTATUS nt_status;
	struct auth_user_info_dc *user_info_dc;
	TALLOC_CTX *tmp_ctx;
	struct pac_data *pac_data;

	if (pac_blob == NULL) {
		DBG_ERR("pac_blob missing\n");
		return NT_STATUS_NO_IMPERSONATION_TOKEN;
	}

	tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);

	auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data);

	pac_data->pac_blob = data_blob_dup_talloc(pac_data, *pac_blob);
	if (pac_data->pac_blob.length != pac_blob->length) {
		talloc_free(tmp_ctx);
		return NT_STATUS_NO_MEMORY;
	}

	pac_data->pac_srv_sig = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
	if (!pac_data->pac_srv_sig) {
		talloc_free(tmp_ctx);
		return NT_STATUS_NO_MEMORY;
	}
	pac_data->pac_kdc_sig = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
	if (!pac_data->pac_kdc_sig) {
		talloc_free(tmp_ctx);
		return NT_STATUS_NO_MEMORY;
	}

	nt_status = kerberos_pac_blob_to_user_info_dc(tmp_ctx,
						      *pac_blob,
						      smb_krb5_context->krb5_context,
						      &user_info_dc,
						      pac_data->pac_srv_sig,
						      pac_data->pac_kdc_sig);
	if (!NT_STATUS_IS_OK(nt_status)) {
		talloc_free(tmp_ctx);
		return nt_status;
	}

	talloc_steal(pac_data, pac_data->pac_srv_sig);
	talloc_steal(pac_data, pac_data->pac_kdc_sig);

	if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
		session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
	}

	session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
	nt_status = auth_generate_session_info(mem_ctx,
					       NULL,
					       NULL,
					       user_info_dc, session_info_flags,
					       session_info);
	if (!NT_STATUS_IS_OK(nt_status)) {
		talloc_free(tmp_ctx);
		return nt_status;
	}

	talloc_free(tmp_ctx);
	return nt_status;
}

/* Check to see if we can pass the PAC across to the NETLOGON server for validation */

static const struct PAC_BUFFER *get_pac_buffer(const struct PAC_DATA *pac_data,
					       enum PAC_TYPE type)
{
	const struct PAC_BUFFER *pac_buf = NULL;
	uint32_t i;

	for (i = 0; i < pac_data->num_buffers; ++i) {
		pac_buf = &pac_data->buffers[i];

		if (pac_buf->type == type) {
			break;
		}
	}

	return pac_buf;
}

/* Also happens to be a really good one-step verification of our Kerberos stack */

static bool netlogon_validate_pac(struct torture_context *tctx,
				  struct dcerpc_pipe *p1,
				  struct cli_credentials *server_creds,
				  enum netr_SchannelType secure_channel_type,
				  const char *test_machine_name,
				  uint32_t negotiate_flags,
				  struct pac_data *pac_data,
				  struct auth_session_info *session_info);

static bool test_PACVerify(struct torture_context *tctx,
			   struct dcerpc_pipe *p,
			   struct cli_credentials *credentials,
			   enum netr_SchannelType secure_channel_type,
			   const char *test_machine_name,
			   uint32_t negotiate_flags)
{
	NTSTATUS status;
	bool ok;
	const char *pkinit_ccache = torture_setting_string(tctx, "pkinit_ccache", NULL);
	bool pkinit_in_use = pkinit_ccache != NULL;
	bool expect_pac_upn_dns_info = torture_setting_bool(tctx, "expect_pac_upn_dns_info", true);
	size_t num_pac_buffers;
	struct gensec_security *gensec_client_context;
	struct gensec_security *gensec_server_context;
	struct cli_credentials *client_creds;
	struct cli_credentials *server_creds;

	DATA_BLOB client_to_server, server_to_client;
	struct PAC_DATA pac_data_struct;
	enum ndr_err_code ndr_err;

	struct auth4_context *auth_context;
	struct auth_session_info *session_info;
	struct pac_data *pac_data;
	const struct PAC_BUFFER *pac_buf = NULL;

	TALLOC_CTX *tmp_ctx = talloc_new(tctx);
	torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");

	torture_comment(tctx,
		"Testing PAC Verify (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x\n",
		secure_channel_type, test_machine_name, negotiate_flags);

	if (pkinit_in_use) {
		struct cli_credentials *tmp_creds = NULL;
		const char *error_string = NULL;
		int rc;

		torture_comment(tctx,
				"Using pkinit_ccache=%s\n",
				pkinit_ccache);

		tmp_creds = cli_credentials_init(tctx);
		torture_assert(tctx, tmp_creds, "Failed to create credentials");

		rc = cli_credentials_set_ccache(tmp_creds,
						tctx->lp_ctx,
						pkinit_ccache,
						CRED_SPECIFIED,
						&error_string);
		torture_assert_int_equal(tctx,
					 rc,
					 0,
					 "cli_credentials_set_ccache failed");
		cli_credentials_set_kerberos_state(tmp_creds,
						   CRED_USE_KERBEROS_REQUIRED,
						   CRED_SPECIFIED);

		/*
		 * Copy the credentials in order to use a different MEMORY krb5
		 * ccache for each client/server setup. The MEMORY cache
		 * identifier is a pointer to the creds container. If we copy
		 * it the pointer changes and we will get a new clean memory
		 * cache.
		 */
		client_creds =
			cli_credentials_shallow_copy(tmp_ctx, tmp_creds);
		torture_assert(tctx,
			       client_creds,
			       "Failed to copy of credentials");
	} else {
		/*
		 * Copy the credentials in order to us