search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lib:crypto: Add tests for GKDI key derivation
[Samba.git] / lib / crypto / test_gkdi_key_derivation.c
blob22f33561a575b6922e83522d446d0a5dc284d35b
1 /*
2 * Unix SMB/CIFS implementation.
3 *
4 * Copyright (C) Catalyst.Net Ltd 2023
5 *
6 * This program is free software: you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see <https://www.gnu.org/licenses/>.
18 */
19
20 #include <stdarg.h>
21 #include <stddef.h>
22 #include <stdint.h>
23 #include <setjmp.h>
24 #include <cmocka.h>
25
26 #include "replace.h"
27 #include <talloc.h>
28 #include "libcli/util/ntstatus.h"
29 #include "lib/crypto/gkdi.h"
30
31 static const uint8_t gmsa_security_descriptor[] = {
32 /* O:SYD:(A;;FRFW;;;S-1-5-9) */
33 0x01, 0x00, 0x04, 0x80, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
34 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x02, 0x00, 0x1c, 0x00,
35 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x9f, 0x01, 0x12, 0x00,
36 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00,
37 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00};
38
39 #define GKID(l0_idx_, l1_idx_, l2_idx_) \
40 ((struct Gkid){.l0_idx = l0_idx_, .l1_idx = l1_idx_, .l2_idx = l2_idx_})
41
42 #define GUID_LITERAL( \
43 time_low_, time_mid_, time_hi_and_version_, clock_seq_, node_) \
44 ((struct GUID){.time_low = (0x##time_low_), \
45 .time_mid = (0x##time_mid_), \
46 .time_hi_and_version = (0x##time_hi_and_version_), \
47 .clock_seq = {(uint32_t)(0x##clock_seq_) >> 8, \
48 (uint8_t)(0x##clock_seq_)}, \
49 .node = {(uint64_t)(0x##node_) >> 40, \
50 (uint8_t)((uint64_t)(0x##node_) >> 32), \
51 (uint8_t)((uint64_t)(0x##node_) >> 24), \
52 (uint8_t)((uint64_t)(0x##node_) >> 16), \
53 (uint8_t)((uint64_t)(0x##node_) >> 8), \
54 (uint8_t)(0x##node_)}})
55
56 struct test_vector {
57 const char *name; /* The name of the test scenario. */
58 struct Gkid gkid; /* The GKID of the key to derive. */
59 struct ProvRootKey root_key;
60 NTSTATUS expected_status;
61 uint8_t expected_key[GKDI_KEY_LEN]; /* The expected derived key. */
62 };
63
64 #define DATA_BLOB_CONST(data_, length_) \
65 ((DATA_BLOB){.data = (discard_const_p(uint8_t, data_)), \
66 .length = (length_)})
67
68 #define ARRAY(...) ((const uint8_t[]){__VA_ARGS__})
69 #define ROOT_KEY_DATA(...) \
70 DATA_BLOB_CONST(ARRAY(__VA_ARGS__), sizeof(ARRAY(__VA_ARGS__)))
71 #define EXPECTED_KEY(...) {__VA_ARGS__}
72 #define ROOT_KEY_VERSION(version) (version)
73
74 #define ARBITRARY_ROOT_KEY_DATA \
75 ROOT_KEY_DATA(72, 159, 53, 49, 197, 55, 119, 77, 67, 45, 107, \
76 151, 227, 188, 31, 67, 210, 232, 198, 220, 23, 235, \
77 14, 79, 217, 160, 135, 13, 47, 30, 191, 146, 226, \
78 73, 102, 104, 168, 181, 189, 17, 174, 162, 211, 45, \
79 10, 171, 113, 111, 72, 254, 86, 159, 92, 155, 80, \
80 255, 63, 155, 245, 222, 174, 165, 114, 251)
81
82 #define ARBITRARY_GUID GUID_LITERAL(4cdf4285, c46a, 62a3, 2f7d, 95f97342685b)
83
84 #define SUCCESS_VECTOR( \
85 name_, root_key_id, algorithm, gkid_, root_key_data, expected_key_) \
86 { \
87 .name = (name_), .gkid = (gkid_), \
88 .root_key = {.version = root_key_version_1, \
89 .id = (root_key_id), \
90 .data = (root_key_data), \
91 .kdf_algorithm = \
92 {.id = KDF_ALGORITHM_SP800_108_CTR_HMAC, \
93 .param.sp800_108 = (algorithm)}}, \
94 .expected_status = NT_STATUS_OK, \
95 .expected_key = expected_key_, \
96 }
97
98 #define FAILURE_VECTOR_VERSION(name_, \
99 root_key_id, \
100 algorithm, \
101 gkid_, \
102 root_key_version, \
103 root_key_data, \
104 expected_status_) \
105 { \
106 .name = (name_), .gkid = (gkid_), \
107 .root_key = {.version = (root_key_version), \
108 .id = (root_key_id), \
109 .data = (root_key_data), \
110 .kdf_algorithm = \
111 {.id = KDF_ALGORITHM_SP800_108_CTR_HMAC, \
112 .param.sp800_108 = (algorithm)}}, \
113 .expected_status = (expected_status_), .expected_key = {}, \
114 }
115
116 #define FAILURE_VECTOR( \
117 name_, root_key_id, algorithm, gkid_, root_key_data, expected_status_) \
118 FAILURE_VECTOR_VERSION(name_, \
119 root_key_id, \
120 algorithm, \
121 gkid_, \
122 root_key_version_1, \
123 root_key_data, \
124 expected_status_)
125
126 /* Test vectors derived from samba.tests.krb5.gkdi_tests Python tests. */
127 static const struct test_vector gkdi_vectors[] = {
128 SUCCESS_VECTOR(
129 "samba.tests.krb5.gkdi_tests.GkdiSelfTests.test_current_l0_idx_"
130 "l1_seed_key",
131 GUID_LITERAL(89f70521, 9d66, 441f, c314, 1b462f9b1052),
132 KDF_PARAM_SHA512,
133 GKID(255, 24, -1),
134 ROOT_KEY_DATA(166, 239, 135, 219, 187, 248, 107, 107, 190, 85,
135 117, 11, 148, 31, 19, 202, 153, 239, 229, 24,
136 94, 46, 43, 222, 213, 184, 56, 216, 160, 231,
137 118, 71, 5, 55, 230, 140, 174, 69, 167, 160,
138 244, 177, 214, 201, 191, 84, 148, 195, 248, 121,
139 225, 114, 227, 38, 85, 124, 219, 182, 165, 110,
140 135, 153, 167, 34),
141 EXPECTED_KEY(189, 83, 138, 7, 52, 144, 243, 207, 148, 81,
142 201, 51, 2, 93, 233, 178, 44, 151, 234, 221,
143 175, 250, 148, 179, 121, 226, 185, 25, 164, 190,
144 209, 71, 91, 198, 127, 106, 145, 117, 177, 57,
145 198, 146, 4, 197, 125, 67, 0, 160, 20, 31,
146 254, 52, 209, 44, 237, 132, 97, 69, 147, 177,
147 170, 19, 175, 28)),
148 SUCCESS_VECTOR(
149 "samba.tests.krb5.gkdi_tests.GkdiSelfTests.test_current_l0_idx_"
150 "l2_seed_key",
151 GUID_LITERAL(1a3d6c30, aa81, cb7f, d3fe, 80775d135dfe),
152 KDF_PARAM_SHA512,
153 GKID(321, 0, 12),
154 ROOT_KEY_DATA(223, 217, 91, 227, 21, 58, 8, 5, 198, 86,
155 148, 231, 210, 132, 170, 206, 90, 176, 170, 73,
156 51, 80, 2, 94, 184, 219, 198, 223, 11, 78,
157 146, 86, 251, 76, 191, 190, 98, 55, 206, 55,
158 50, 105, 78, 38, 8, 118, 0, 118, 182, 112,
159 130, 211, 154, 189, 60, 15, 237, 186, 27, 136,
160 115, 100, 80, 100),
161 EXPECTED_KEY(187, 189, 147, 118, 205, 22, 194, 71, 237, 64,
162 245, 145, 45, 25, 8, 33, 140, 8, 240, 145,
163 91, 174, 2, 254, 2, 203, 251, 55, 83, 189,
164 228, 6, 249, 197, 83, 172, 217, 81, 67, 207,
165 99, 144, 106, 4, 64, 227, 207, 35, 125, 35,
166 53, 174, 78, 75, 156, 210, 217, 70, 167, 19,
167 81, 235, 203, 123)),
168 SUCCESS_VECTOR(
169 "samba.tests.krb5.gkdi_tests.GkdiSelfTests.test_current_l0_idx_"
170 "both_seed_keys (next older L1)",
171 GUID_LITERAL(09de0b38, c743, 7abf, 44ea, 7a3c3e404314),
172 KDF_PARAM_SHA512,
173 GKID(123, 20, -1),
174 ROOT_KEY_DATA(213, 145, 45, 14, 179, 189, 96, 225, 55, 27,
175 30, 82, 93, 216, 59, 231, 252, 91, 175, 119,
176 1, 139, 13, 186, 107, 217, 72, 183, 169, 142,
177 190, 90, 243, 118, 116, 51, 37, 6, 164, 108,
178 82, 193, 8, 166, 47, 42, 62, 137, 37, 26,
179 209, 189, 230, 213, 57, 0, 70, 121, 192, 101,
180 136, 83, 187, 104),
181 EXPECTED_KEY(177, 247, 197, 137, 110, 125, 199, 145, 217, 192,
182 170, 248, 202, 125, 186, 184, 193, 114, 164, 248,
183 184, 115, 219, 72, 138, 60, 76, 189, 15, 85,
184 155, 17, 82, 255, 186, 57, 212, 175, 242, 217,
185 232, 170, 218, 144, 178, 122, 60, 148, 165, 175,
186 153, 111, 75, 143, 88, 74, 79, 55, 204, 171,
187 77, 80, 93, 61)),
188 SUCCESS_VECTOR(
189 "samba.tests.krb5.gkdi_tests.GkdiSelfTests.test_current_l0_idx_"
190 "both_seed_keys (L2)",
191 GUID_LITERAL(09de0b38, c743, 7abf, 44ea, 7a3c3e404314),
192 KDF_PARAM_SHA512,
193 GKID(123, 21, 0),
194 ROOT_KEY_DATA(213, 145, 45, 14, 179, 189, 96, 225, 55, 27,
195 30, 82, 93, 216, 59, 231, 252, 91, 175, 119,
196 1, 139, 13, 186, 107, 217, 72, 183, 169, 142,
197 190, 90, 243, 118, 116, 51, 37, 6, 164, 108,
198 82, 193, 8, 166, 47, 42, 62, 137, 37, 26,
199 209, 189, 230, 213, 57, 0, 70, 121, 192, 101,
200 136, 83, 187, 104),
201 EXPECTED_KEY(19, 60, 155, 189, 32, 217, 34, 122, 235, 56,
202 223, 205, 59, 230, 188, 191, 197, 152, 59, 163,
203 114, 2, 8, 143, 245, 200, 167, 5, 17, 33,
204 69, 6, 166, 156, 25, 90, 136, 7, 205, 132,
205 75, 203, 149, 94, 149, 105, 200, 228, 209, 151,
206 117, 159, 40, 87, 124, 193, 38, 209, 95, 22,
207 167, 218, 78, 224)),
208 SUCCESS_VECTOR(
209 "samba.tests.krb5.gkdi_tests.GkdiSelfTests.test_previous_l0_"
210 "idx",
211 GUID_LITERAL(27136e8f, e093, 6fe3, e57f, 1d915b102e1c),
212 KDF_PARAM_SHA512,
213 GKID(100, 31, -1),
214 ROOT_KEY_DATA(180, 17, 24, 198, 10, 25, 202, 250, 94, 207,
215 133, 141, 26, 42, 34, 22, 82, 123, 45, 174,
216 223, 56, 110, 157, 89, 158, 66, 164, 106, 221,
217 108, 125, 201, 56, 104, 97, 151, 97, 200, 128,
218 255, 54, 116, 167, 124, 110, 95, 191, 52, 52,
219 209, 48, 169, 114, 123, 178, 205, 42, 37, 87,
220 189, 207, 199, 82),
221 EXPECTED_KEY(147, 92, 189, 192, 97, 152, 235, 40, 250, 68,
222 184, 216, 39, 143, 81, 7, 44, 70, 19, 153,
223 146, 54, 88, 80, 65, 237, 232, 231, 45, 2,
224 254, 149, 227, 69, 79, 4, 99, 130, 203, 192,
225 167, 0, 119, 155, 121, 71, 77, 215, 224, 128,
226 80, 157, 118, 48, 45, 41, 55, 64, 126, 150,
227 227, 211, 208, 34)),
228 SUCCESS_VECTOR(
229 "samba.tests.krb5.gkdi_tests.GkdiSelfTests.test_sha1 (next "
230 "older L1)",
231 GUID_LITERAL(970abad6, fe55, 073a, caf1, b801d3f26bd3),
232 KDF_PARAM_SHA1,
233 GKID(1, 1, -1),
234 ROOT_KEY_DATA(59, 237, 3, 191, 15, 183, 212, 1, 49, 73,
235 21, 79, 36, 202, 45, 89, 185, 141, 182, 213,
236 136, 203, 31, 84, 236, 160, 131, 133, 94, 37,
237 235, 40, 211, 86, 42, 1, 173, 199, 140, 75,
238 112, 224, 183, 42, 89, 81, 88, 99, 231, 115,
239 43, 133, 63, 186, 2, 221, 118, 70, 230, 49,
240 8, 68, 18, 17),
241 EXPECTED_KEY(87, 108, 182, 143, 46, 82, 235, 115, 159, 129,
242 123, 72, 140, 53, 144, 216, 111, 28, 44, 54,
243 95, 63, 201, 32, 29, 156, 127, 238, 116, 148,
244 133, 61, 88, 116, 110, 225, 62, 72, 241, 138,
245 166, 250, 105, 247, 21, 125, 227, 208, 125, 227,
246 78, 19, 131, 103, 146, 183, 192, 136, 255, 182,
247 145, 74, 137, 194)),
248 SUCCESS_VECTOR(
249 "samba.tests.krb5.gkdi_tests.GkdiSelfTests.test_sha1 (L2)",
250 GUID_LITERAL(970abad6, fe55, 073a, caf1, b801d3f26bd3),
251 KDF_PARAM_SHA1,
252 GKID(1, 2, 3),
253 ROOT_KEY_DATA(59, 237, 3, 191, 15, 183, 212, 1, 49, 73,
254 21, 79, 36, 202, 45, 89, 185, 141, 182, 213,
255 136, 203, 31, 84, 236, 160, 131, 133, 94, 37,
256 235, 40, 211, 86, 42, 1, 173, 199, 140, 75,
257 112, 224, 183, 42, 89, 81, 88, 99, 231, 115,
258 43, 133, 63, 186, 2, 221, 118, 70, 230, 49,
259 8, 68, 18, 17),
260 EXPECTED_KEY(63, 251, 130, 90, 218, 241, 22, 182, 83, 50,
261 7, 213, 104, 163, 14, 211, 211, 242, 28, 104,
262 132, 9, 65, 201, 69, 102, 132, 249, 175, 161,
263 27, 5, 110, 12, 89, 57, 27, 77, 136, 196,
264 149, 217, 132, 195, 214, 128, 2, 156, 197, 197,
265 148, 99, 15, 52, 23, 145, 25, 193, 197, 172,
266 170, 229, 233, 14)),
267 SUCCESS_VECTOR(
268 "samba.tests.krb5.gkdi_tests.GkdiSelfTests.test_sha256 (next "
269 "older L1)",
270 GUID_LITERAL(45e26207, ed33, dcd5, 925a, 518a0deef69e),
271 KDF_PARAM_SHA256,
272 GKID(222, 21, -1),
273 ROOT_KEY_DATA(40, 181, 182, 80, 61, 60, 29, 36, 129, 77,
274 231, 129, 187, 123, 252, 227, 239, 105, 238, 209,
275 206, 72, 9, 55, 43, 238, 44, 80, 98, 112,
276 197, 240, 181, 198, 223, 89, 116, 114, 98, 63,
277 37, 108, 134, 218, 160, 153, 30, 138, 17, 161,
278 112, 95, 33, 178, 207, 220, 11, 185, 219, 75,
279 162, 50, 70, 162),
280 EXPECTED_KEY(87, 172, 237, 110, 117, 248, 63, 58, 244, 248,
281 121, 179, 139, 96, 240, 144, 180, 46, 75, 250,
282 2, 47, 174, 62, 111, 217, 66, 128, 180, 105,
283 176, 236, 21, 216, 184, 83, 168, 112, 181, 251,
284 223, 40, 112, 140, 206, 25, 39, 59, 116, 165,
285 115, 172, 190, 13, 237, 168, 239, 81, 93, 180,
286 105, 30, 45, 203)),
287 SUCCESS_VECTOR(
288 "samba.tests.krb5.gkdi_tests.GkdiSelfTests.test_sha256 (L2)",
289 GUID_LITERAL(45e26207, ed33, dcd5, 925a, 518a0deef69e),
290 KDF_PARAM_SHA256,
291 GKID(222, 22, 22),
292 ROOT_KEY_DATA(40, 181, 182, 80, 61, 60, 29, 36, 129, 77,
293 231, 129, 187, 123, 252, 227, 239, 105, 238, 209,
294 206, 72, 9, 55, 43, 238, 44, 80, 98, 112,
295 197, 240, 181, 198, 223, 89, 116, 114, 98, 63,
296 37, 108, 134, 218, 160, 153, 30, 138, 17, 161,
297 112, 95, 33, 178, 207, 220, 11, 185, 219, 75,
298 162, 50, 70, 162),
299 EXPECTED_KEY(117, 42, 8, 121, 174, 36, 36, 192, 80, 76,
300 116, 147, 89, 159, 19, 229, 136, 225, 187, 220,
301 37, 47, 131, 50, 90, 213, 177, 251, 145, 194,
302 76, 137, 1, 212, 64, 243, 255, 159, 251, 165,
303 159, 205, 101, 187, 151, 87, 50, 217, 243, 131,
304 221, 80, 184, 152, 23, 75, 185, 57, 62, 56,
305 61, 37, 213, 64)),
306 SUCCESS_VECTOR(
307 "samba.tests.krb5.gkdi_tests.GkdiSelfTests.test_sha384 (next "
308 "older L1)",
309 GUID_LITERAL(66e6d9f7, 4924, f3fc, fe34, 605634d42ebd),
310 KDF_PARAM_SHA384,
311 GKID(287, 27, -1),
312 ROOT_KEY_DATA(35, 229, 186, 134, 203, 216, 143, 123, 67, 46,
313 230, 109, 187, 3, 191, 78, 235, 244, 1, 203,
314 252, 61, 247, 53, 212, 215, 40, 181, 3, 200,
315 127, 132, 50, 7, 198, 246, 21, 63, 25, 13,
316 254, 133, 168, 108, 184, 216, 183, 77, 241, 59,
317 37, 48, 89, 129, 190, 141, 126, 41, 201, 110,
318 229, 76, 150, 48),
319 EXPECTED_KEY(250, 186, 221, 122, 154, 99, 223, 87, 214, 131,
320 45, 247, 167, 53, 174, 187, 110, 24, 24, 136,
321 178, 234, 243, 1, 162, 228, 255, 154, 112, 36,
322 109, 56, 171, 29, 36, 22, 50, 91, 243, 235,
323 114, 106, 2, 103, 186, 180, 189, 149, 12, 114,
324 145, 240, 94, 165, 241, 113, 151, 236, 229, 105,
325 146, 175, 62, 184)),
326 SUCCESS_VECTOR(
327 "samba.tests.krb5.gkdi_tests.GkdiSelfTests.test_sha384 (L2)",
328 GUID_LITERAL(66e6d9f7, 4924, f3fc, fe34, 605634d42ebd),
329 KDF_PARAM_SHA384,
330 GKID(287, 28, 27),
331 ROOT_KEY_DATA(35, 229, 186, 134, 203, 216, 143, 123, 67, 46,
332 230, 109, 187, 3, 191, 78, 235, 244, 1, 203,
333 252, 61, 247, 53, 212, 215, 40, 181, 3, 200,
334 127, 132, 50, 7, 198, 246, 21, 63, 25, 13,
335 254, 133, 168, 108, 184, 216, 183, 77, 241, 59,
336 37, 48, 89, 129, 190, 141, 126, 41, 201, 110,
337 229, 76, 150, 48),
338 EXPECTED_KEY(236, 28, 101, 99, 75, 86, 148, 129, 142, 29,
339 52, 29, 169, 153, 109, 184, 242, 161, 239, 106,
340 44, 119, 106, 113, 38, 167, 235, 209, 139, 55,
341 160, 115, 175, 218, 196, 76, 65, 177, 103, 177,
342 78, 75, 135, 45, 72, 91, 187, 109, 123, 112,
343 150, 66, 21, 208, 232, 74, 47, 241, 66, 169,
344 217, 67, 242, 5)),
345 SUCCESS_VECTOR(
346 "samba.tests.krb5.gkdi_tests.GkdiSelfTests.test_derive_key_"
347 "exact",
348 GUID_LITERAL(d95fb06f, 5a9c, 1829, e20d, 27f3f2ecfbeb),
349 KDF_PARAM_SHA512,
350 GKID(333, 22, 11),
351 ROOT_KEY_DATA(72, 159, 53, 49, 197, 55, 119, 77, 67, 45,
352 107, 151, 227, 188, 31, 67, 210, 232, 198, 220,
353 23, 235, 14, 79, 217, 160, 135, 13, 47, 30,
354 191, 146, 226, 73, 102, 104, 168, 181, 189, 17,
355 174, 162, 211, 45, 10, 171, 113, 111, 72, 254,
356 86, 159, 92, 155, 80, 255, 63, 155, 245, 222,
357 174, 165, 114, 251),
358 EXPECTED_KEY(214, 171, 59, 20, 244, 244, 200, 144, 138, 163,
359 70, 64, 17, 179, 159, 16, 168, 191, 173, 185,
360 151, 74, 249, 15, 125, 154, 159, 237, 226, 253,
361 198, 229, 246, 138, 98, 142, 192, 15, 153, 148,
362 163, 171, 216, 165, 42, 233, 226, 219, 79, 104,
363 232, 54, 72, 49, 30, 157, 119, 101, 242, 83,
364 85, 21, 181, 226)),
365 FAILURE_VECTOR_VERSION("unsupported root key version (0)",
366 ARBITRARY_GUID,
367 KDF_PARAM_SHA512,
368 GKID(0, 0, 0),
369 ROOT_KEY_VERSION(0),
370 ARBITRARY_ROOT_KEY_DATA,
371 NT_STATUS_NOT_SUPPORTED),
372 FAILURE_VECTOR_VERSION("unsupported root key version (2)",
373 ARBITRARY_GUID,
374 KDF_PARAM_SHA512,
375 GKID(0, 0, 0),
376 ROOT_KEY_VERSION(2),
377 ARBITRARY_ROOT_KEY_DATA,
378 NT_STATUS_NOT_SUPPORTED),
379 FAILURE_VECTOR("unsupported algorithm (−1)",
380 ARBITRARY_GUID,
381 -1 /* an unsupported algorithm */,
382 GKID(0, 0, 0),
383 ARBITRARY_ROOT_KEY_DATA,
384 NT_STATUS_NOT_SUPPORTED),
385 FAILURE_VECTOR("wrong length (32 bytes short) for root key data",
386 ARBITRARY_GUID,
387 KDF_PARAM_SHA512,
388 GKID(0, 0, 0),
389 ROOT_KEY_DATA(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10,
390 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21,
391 22, 23, 24, 25, 26, 27, 28, 29, 30, 31),
392 NT_STATUS_NOT_SUPPORTED),
393 FAILURE_VECTOR("default GKID (−1, −1, −1)",
394 ARBITRARY_GUID,
395 KDF_PARAM_SHA512,
396 GKID(-1, -1, -1),
397 ARBITRARY_ROOT_KEY_DATA,
398 NT_STATUS_INVALID_PARAMETER),
399 FAILURE_VECTOR("invalid GKID (−2, −1, −1)",
400 ARBITRARY_GUID,
401 KDF_PARAM_SHA512,
402 GKID(-2, -1, -1),
403 ARBITRARY_ROOT_KEY_DATA,
404 NT_STATUS_INVALID_PARAMETER),
405 FAILURE_VECTOR("invalid GKID (−1, 0, 0)",
406 ARBITRARY_GUID,
407 KDF_PARAM_SHA512,
408 GKID(-1, 0, 0),
409 ARBITRARY_ROOT_KEY_DATA,
410 NT_STATUS_INVALID_PARAMETER),
411 FAILURE_VECTOR("invalid GKID (0, −1, 0)",
412 ARBITRARY_GUID,
413 KDF_PARAM_SHA512,
414 GKID(0, -1, 0),
415 ARBITRARY_ROOT_KEY_DATA,
416 NT_STATUS_INVALID_PARAMETER),
417 FAILURE_VECTOR("invalid GKID (0, −2, −1)",
418 ARBITRARY_GUID,
419 KDF_PARAM_SHA512,
420 GKID(0, -2, -1),
421 ARBITRARY_ROOT_KEY_DATA,
422 NT_STATUS_INVALID_PARAMETER),
423 FAILURE_VECTOR("invalid GKID (0, 0, −2)",
424 ARBITRARY_GUID,
425 KDF_PARAM_SHA512,
426 GKID(0, 0, -2),
427 ARBITRARY_ROOT_KEY_DATA,
428 NT_STATUS_INVALID_PARAMETER),
429 FAILURE_VECTOR("invalid GKID (123, 0, 32)",
430 ARBITRARY_GUID,
431 KDF_PARAM_SHA512,
432 GKID(123, 0, 32),
433 ARBITRARY_ROOT_KEY_DATA,
434 NT_STATUS_INVALID_PARAMETER),
435 FAILURE_VECTOR("invalid GKID (456, 32, 0)",
436 ARBITRARY_GUID,
437 KDF_PARAM_SHA512,
438 GKID(456, 32, 0),
439 ARBITRARY_ROOT_KEY_DATA,
440 NT_STATUS_INVALID_PARAMETER),
441 FAILURE_VECTOR("try to derive L0 seed key (333, −1, −1)",
442 ARBITRARY_GUID,
443 KDF_PARAM_SHA512,
444 GKID(333, -1, -1),
445 ARBITRARY_ROOT_KEY_DATA,
446 NT_STATUS_INVALID_PARAMETER),
447 };
448
449 static void test_gkdi_key_derivation(void **state)
450 {
451 TALLOC_CTX *mem_ctx = NULL;
452 size_t n;
453
454 mem_ctx = talloc_new(NULL);
455 assert_non_null(mem_ctx);
456
457 for (n = 0; n < ARRAY_SIZE(gkdi_vectors); ++n) {
458 const struct test_vector *test_vector = &gkdi_vectors[n];
459 uint8_t out[GKDI_KEY_LEN] = {};
460 NTSTATUS status;
461
462 print_message("Running: %s\n", test_vector->name);
463
464 status = compute_seed_key(
465 mem_ctx,
466 DATA_BLOB_CONST(gmsa_security_descriptor,
467 sizeof gmsa_security_descriptor),
468 &test_vector->root_key,
469 test_vector->gkid,
470 out);
471 assert_int_equal(NT_STATUS_V(test_vector->expected_status),
472 NT_STATUS_V(status));
473 assert_memory_equal(test_vector->expected_key,
474 out,
475 GKDI_KEY_LEN);
476 }
477
478 talloc_free(mem_ctx);
479 }
480
481 int main(int argc, char *argv[])
482 {
483 static const struct CMUnitTest tests[] = {
484 cmocka_unit_test(test_gkdi_key_derivation),
485 };
486
487 if (argc == 2) {
488 cmocka_set_test_filter(argv[1]);
489 }
490 cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
491 return cmocka_run_group_tests(tests, NULL, NULL);
492 }
Samba GIT mirror