2 Unix SMB/CIFS implementation.
4 Test NTP authentication support
6 Copyright (C) Andrew Bartlet <abartlet@samba.org> 2008
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "torture/smbtorture.h"
25 #include "lib/stream/packet.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "libcli/util/tstream.h"
28 #include "torture/rpc/torture_rpc.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_ntp_signd.h"
33 #include "param/param.h"
34 #include "system/network.h"
36 #define TEST_MACHINE_NAME "ntpsigndtest"
38 struct signd_client_state
{
39 struct tsocket_address
*local_address
;
40 struct tsocket_address
*remote_address
;
42 struct tstream_context
*tstream
;
43 struct tevent_queue
*send_queue
;
45 uint8_t request_hdr
[4];
46 struct iovec request_iov
[2];
54 * A torture test to show that the unix domain socket protocol is
55 * operating correctly, and the signatures are as expected
57 static bool test_ntp_signd(struct torture_context
*tctx
,
58 struct dcerpc_pipe
*p
,
59 struct cli_credentials
*credentials
)
61 struct netlogon_creds_CredentialState
*creds
;
62 TALLOC_CTX
*mem_ctx
= talloc_new(tctx
);
64 struct netr_ServerReqChallenge r
;
65 struct netr_ServerAuthenticate3 a
;
66 struct netr_Credential credentials1
, credentials2
, credentials3
;
68 const char *machine_name
;
69 const struct samr_Password
*pwhash
= cli_credentials_get_nt_hash(credentials
, mem_ctx
);
70 uint32_t negotiate_flags
= NETLOGON_NEG_AUTH2_ADS_FLAGS
;
72 struct sign_request sign_req
;
73 struct signed_reply signed_reply
;
74 DATA_BLOB sign_req_blob
;
76 struct signd_client_state
*signd_client
;
77 struct tevent_req
*req
;
83 enum ndr_err_code ndr_err
;
87 machine_name
= cli_credentials_get_workstation(credentials
);
89 torture_comment(tctx
, "Testing ServerReqChallenge\n");
91 r
.in
.server_name
= NULL
;
92 r
.in
.computer_name
= machine_name
;
93 r
.in
.credentials
= &credentials1
;
94 r
.out
.return_credentials
= &credentials2
;
96 generate_random_buffer(credentials1
.data
, sizeof(credentials1
.data
));
98 torture_assert_ntstatus_ok(tctx
,
99 dcerpc_netr_ServerReqChallenge_r(p
->binding_handle
, tctx
, &r
),
100 "ServerReqChallenge failed");
101 torture_assert_ntstatus_ok(tctx
, r
.out
.result
,
102 "ServerReqChallenge failed");
104 a
.in
.server_name
= NULL
;
105 a
.in
.account_name
= talloc_asprintf(tctx
, "%s$", machine_name
);
106 a
.in
.secure_channel_type
= SEC_CHAN_WKSTA
;
107 a
.in
.computer_name
= machine_name
;
108 a
.in
.negotiate_flags
= &negotiate_flags
;
109 a
.in
.credentials
= &credentials3
;
110 a
.out
.return_credentials
= &credentials3
;
111 a
.out
.negotiate_flags
= &negotiate_flags
;
114 creds
= netlogon_creds_client_init(tctx
, a
.in
.account_name
,
116 a
.in
.secure_channel_type
,
117 &credentials1
, &credentials2
,
118 pwhash
, &credentials3
,
121 torture_assert(tctx
, creds
!= NULL
, "memory allocation");
123 torture_comment(tctx
, "Testing ServerAuthenticate3\n");
125 torture_assert_ntstatus_ok(tctx
,
126 dcerpc_netr_ServerAuthenticate3_r(p
->binding_handle
, tctx
, &a
),
127 "ServerAuthenticate3 failed");
128 torture_assert_ntstatus_ok(tctx
, a
.out
.result
,
129 "ServerAuthenticate3 failed");
131 netlogon_creds_client_check(creds
, &credentials3
),
132 "Credential chaining failed");
134 sign_req
.op
= SIGN_TO_CLIENT
;
135 sign_req
.packet_id
= 1;
136 sign_req
.key_id
= rid
;
137 sign_req
.packet_to_sign
= data_blob_string_const("I am a tea pot");
139 ndr_err
= ndr_push_struct_blob(&sign_req_blob
,
142 (ndr_push_flags_fn_t
)ndr_push_sign_request
);
144 NDR_ERR_CODE_IS_SUCCESS(ndr_err
),
145 "Failed to push sign_req");
147 signd_client
= talloc(mem_ctx
, struct signd_client_state
);
149 /* Create socket addresses */
150 torture_comment(tctx
, "Creating the socket addresses\n");
151 rc
= tsocket_address_unix_from_path(signd_client
, "",
152 &signd_client
->local_address
);
153 torture_assert(tctx
, rc
== 0,
154 "Failed to create local address from unix path.");
156 unix_address
= talloc_asprintf(signd_client
,
158 lpcfg_ntp_signd_socket_directory(tctx
->lp_ctx
));
159 rc
= tsocket_address_unix_from_path(mem_ctx
,
161 &signd_client
->remote_address
);
162 torture_assert(tctx
, rc
== 0,
163 "Failed to create remote address from unix path.");
165 /* Connect to the unix socket */
166 torture_comment(tctx
, "Connecting to the unix socket\n");
167 req
= tstream_unix_connect_send(signd_client
,
169 signd_client
->local_address
,
170 signd_client
->remote_address
);
171 torture_assert(tctx
, req
!= NULL
,
172 "Failed to create a tstream unix connect request.");
174 ok
= tevent_req_poll(req
, tctx
->ev
);
175 torture_assert(tctx
, ok
== true,
176 "Failed to poll for tstream_unix_connect_send.");
178 rc
= tstream_unix_connect_recv(req
,
181 &signd_client
->tstream
);
183 torture_assert(tctx
, rc
== 0, "Failed to connect to signd!");
185 /* Allocate the send queue */
186 signd_client
->send_queue
= tevent_queue_create(signd_client
,
187 "signd_client_queue");
188 torture_assert(tctx
, signd_client
->send_queue
!= NULL
,
189 "Failed to create send queue!");
192 * Create the request buffer.
193 * First add the length of the request buffer
195 RSIVAL(signd_client
->request_hdr
, 0, sign_req_blob
.length
);
196 signd_client
->request_iov
[0].iov_base
= (char *) signd_client
->request_hdr
;
197 signd_client
->request_iov
[0].iov_len
= 4;
199 signd_client
->request_iov
[1].iov_base
= (char *) sign_req_blob
.data
;
200 signd_client
->request_iov
[1].iov_len
= sign_req_blob
.length
;
202 /* Fire the request buffer */
203 torture_comment(tctx
, "Sending the request\n");
204 req
= tstream_writev_queue_send(signd_client
,
206 signd_client
->tstream
,
207 signd_client
->send_queue
,
208 signd_client
->request_iov
, 2);
209 torture_assert(tctx
, req
!= NULL
,
210 "Failed to send the signd request.");
212 ok
= tevent_req_poll(req
, tctx
->ev
);
213 torture_assert(tctx
, ok
== true,
214 "Failed to poll for tstream_writev_queue_send.");
216 rc
= tstream_writev_queue_recv(req
, &sys_errno
);
218 torture_assert(tctx
, rc
> 0, "Failed to send data");
220 /* Wait for a reply */
221 torture_comment(tctx
, "Waiting for the reply\n");
222 req
= tstream_read_pdu_blob_send(signd_client
,
224 signd_client
->tstream
,
225 4, /*initial_read_size */
226 packet_full_request_u32
,
228 torture_assert(tctx
, req
!= NULL
,
229 "Failed to setup a read for pdu_blob.");
231 ok
= tevent_req_poll(req
, tctx
->ev
);
232 torture_assert(tctx
, ok
== true,
233 "Failed to poll for tstream_read_pdu_blob_send.");
235 signd_client
->status
= tstream_read_pdu_blob_recv(req
,
237 &signd_client
->reply
);
238 torture_assert_ntstatus_ok(tctx
, signd_client
->status
,
239 "Error reading signd_client reply packet");
241 /* Skip length header */
242 signd_client
->reply
.data
+= 4;
243 signd_client
->reply
.length
-= 4;
245 /* Check if the reply buffer is valid */
246 torture_comment(tctx
, "Validating the reply buffer\n");
247 ndr_err
= ndr_pull_struct_blob_all(&signd_client
->reply
,
250 (ndr_pull_flags_fn_t
)ndr_pull_signed_reply
);
251 torture_assert(tctx
, NDR_ERR_CODE_IS_SUCCESS(ndr_err
),
252 ndr_map_error2string(ndr_err
));
254 torture_assert_u64_equal(tctx
, signed_reply
.version
,
255 NTP_SIGND_PROTOCOL_VERSION_0
,
257 torture_assert_u64_equal(tctx
, signed_reply
.packet_id
,
258 sign_req
.packet_id
, "Invalid Packet ID");
259 torture_assert_u64_equal(tctx
, signed_reply
.op
,
261 "Should have replied with signing success");
262 torture_assert_u64_equal(tctx
, signed_reply
.signed_packet
.length
,
263 sign_req
.packet_to_sign
.length
+ 20,
264 "Invalid reply length from signd");
265 torture_assert_u64_equal(tctx
, rid
,
266 IVAL(signed_reply
.signed_packet
.data
,
267 sign_req
.packet_to_sign
.length
),
268 "Incorrect RID in reply");
270 /* Check computed signature */
272 MD5Update(&ctx
, pwhash
->hash
, sizeof(pwhash
->hash
));
273 MD5Update(&ctx
, sign_req
.packet_to_sign
.data
,
274 sign_req
.packet_to_sign
.length
);
277 torture_assert_mem_equal(tctx
,
278 &signed_reply
.signed_packet
.data
[sign_req
.packet_to_sign
.length
+ 4],
279 sig
, 16, "Signature on reply was incorrect!");
281 talloc_free(mem_ctx
);
286 NTSTATUS
torture_ntp_init(void)
288 struct torture_suite
*suite
= torture_suite_create(talloc_autofree_context(), "ntp");
289 struct torture_rpc_tcase
*tcase
;
291 tcase
= torture_suite_add_machine_workstation_rpc_iface_tcase(suite
,
292 "signd", &ndr_table_netlogon
, TEST_MACHINE_NAME
);
294 torture_rpc_tcase_add_test_creds(tcase
, "ntp_signd", test_ntp_signd
);
296 suite
->description
= talloc_strdup(suite
, "NTP tests");
298 torture_register_suite(suite
);