search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
docs: mention --update and --encrypt in smbget manpage.
[Samba.git] / source4 / torture / ntp / ntp_signd.c
blob5f097fedd01e3444681ef9ac517c5f3d3e35ec34
1 /*
2 Unix SMB/CIFS implementation.
3
4 Test NTP authentication support
5
6 Copyright (C) Andrew Bartlet <abartlet@samba.org> 2008
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "torture/smbtorture.h"
24 #include <tevent.h>
25 #include "lib/stream/packet.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "libcli/util/tstream.h"
28 #include "torture/rpc/torture_rpc.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_ntp_signd.h"
33 #include "param/param.h"
34 #include "system/network.h"
35
36 #define TEST_MACHINE_NAME "ntpsigndtest"
37
38 struct signd_client_state {
39 struct tsocket_address *local_address;
40 struct tsocket_address *remote_address;
41
42 struct tstream_context *tstream;
43 struct tevent_queue *send_queue;
44
45 uint8_t request_hdr[4];
46 struct iovec request_iov[2];
47
48 DATA_BLOB reply;
49
50 NTSTATUS status;
51 };
52
53 /*
54 * A torture test to show that the unix domain socket protocol is
55 * operating correctly, and the signatures are as expected
56 */
57 static bool test_ntp_signd(struct torture_context *tctx,
58 struct dcerpc_pipe *p,
59 struct cli_credentials *credentials)
60 {
61 struct netlogon_creds_CredentialState *creds;
62 TALLOC_CTX *mem_ctx = talloc_new(tctx);
63
64 struct netr_ServerReqChallenge r;
65 struct netr_ServerAuthenticate3 a;
66 struct netr_Credential credentials1, credentials2, credentials3;
67 uint32_t rid;
68 const char *machine_name;
69 const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx);
70 uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
71
72 struct sign_request sign_req;
73 struct signed_reply signed_reply;
74 DATA_BLOB sign_req_blob;
75
76 struct signd_client_state *signd_client;
77 struct tevent_req *req;
78 char *unix_address;
79 int sys_errno;
80
81 MD5_CTX ctx;
82 uint8_t sig[16];
83 enum ndr_err_code ndr_err;
84 bool ok;
85 int rc;
86
87 machine_name = cli_credentials_get_workstation(credentials);
88
89 torture_comment(tctx, "Testing ServerReqChallenge\n");
90
91 r.in.server_name = NULL;
92 r.in.computer_name = machine_name;
93 r.in.credentials = &credentials1;
94 r.out.return_credentials = &credentials2;
95
96 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
97
98 torture_assert_ntstatus_ok(tctx,
99 dcerpc_netr_ServerReqChallenge_r(p->binding_handle, tctx, &r),
100 "ServerReqChallenge failed");
101 torture_assert_ntstatus_ok(tctx, r.out.result,
102 "ServerReqChallenge failed");
103
104 a.in.server_name = NULL;
105 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
106 a.in.secure_channel_type = SEC_CHAN_WKSTA;
107 a.in.computer_name = machine_name;
108 a.in.negotiate_flags = &negotiate_flags;
109 a.in.credentials = &credentials3;
110 a.out.return_credentials = &credentials3;
111 a.out.negotiate_flags = &negotiate_flags;
112 a.out.rid = &rid;
113
114 creds = netlogon_creds_client_init(tctx, a.in.account_name,
115 a.in.computer_name,
116 a.in.secure_channel_type,
117 &credentials1, &credentials2,
118 pwhash, &credentials3,
119 negotiate_flags);
120
121 torture_assert(tctx, creds != NULL, "memory allocation");
122
123 torture_comment(tctx, "Testing ServerAuthenticate3\n");
124
125 torture_assert_ntstatus_ok(tctx,
126 dcerpc_netr_ServerAuthenticate3_r(p->binding_handle, tctx, &a),
127 "ServerAuthenticate3 failed");
128 torture_assert_ntstatus_ok(tctx, a.out.result,
129 "ServerAuthenticate3 failed");
130 torture_assert(tctx,
131 netlogon_creds_client_check(creds, &credentials3),
132 "Credential chaining failed");
133
134 sign_req.op = SIGN_TO_CLIENT;
135 sign_req.packet_id = 1;
136 sign_req.key_id = rid;
137 sign_req.packet_to_sign = data_blob_string_const("I am a tea pot");
138
139 ndr_err = ndr_push_struct_blob(&sign_req_blob,
140 mem_ctx,
141 &sign_req,
142 (ndr_push_flags_fn_t)ndr_push_sign_request);
143 torture_assert(tctx,
144 NDR_ERR_CODE_IS_SUCCESS(ndr_err),
145 "Failed to push sign_req");
146
147 signd_client = talloc(mem_ctx, struct signd_client_state);
148
149 /* Create socket addresses */
150 torture_comment(tctx, "Creating the socket addresses\n");
151 rc = tsocket_address_unix_from_path(signd_client, "",
152 &signd_client->local_address);
153 torture_assert(tctx, rc == 0,
154 "Failed to create local address from unix path.");
155
156 unix_address = talloc_asprintf(signd_client,
157 "%s/socket",
158 lpcfg_ntp_signd_socket_directory(tctx->lp_ctx));
159 rc = tsocket_address_unix_from_path(mem_ctx,
160 unix_address,
161 &signd_client->remote_address);
162 torture_assert(tctx, rc == 0,
163 "Failed to create remote address from unix path.");
164
165 /* Connect to the unix socket */
166 torture_comment(tctx, "Connecting to the unix socket\n");
167 req = tstream_unix_connect_send(signd_client,
168 tctx->ev,
169 signd_client->local_address,
170 signd_client->remote_address);
171 torture_assert(tctx, req != NULL,
172 "Failed to create a tstream unix connect request.");
173
174 ok = tevent_req_poll(req, tctx->ev);
175 torture_assert(tctx, ok == true,
176 "Failed to poll for tstream_unix_connect_send.");
177
178 rc = tstream_unix_connect_recv(req,
179 &sys_errno,
180 signd_client,
181 &signd_client->tstream);
182 TALLOC_FREE(req);
183 torture_assert(tctx, rc == 0, "Failed to connect to signd!");
184
185 /* Allocate the send queue */
186 signd_client->send_queue = tevent_queue_create(signd_client,
187 "signd_client_queue");
188 torture_assert(tctx, signd_client->send_queue != NULL,
189 "Failed to create send queue!");
190
191 /*
192 * Create the request buffer.
193 * First add the length of the request buffer
194 */
195 RSIVAL(signd_client->request_hdr, 0, sign_req_blob.length);
196 signd_client->request_iov[0].iov_base = (char *) signd_client->request_hdr;
197 signd_client->request_iov[0].iov_len = 4;
198
199 signd_client->request_iov[1].iov_base = (char *) sign_req_blob.data;
200 signd_client->request_iov[1].iov_len = sign_req_blob.length;
201
202 /* Fire the request buffer */
203 torture_comment(tctx, "Sending the request\n");
204 req = tstream_writev_queue_send(signd_client,
205 tctx->ev,
206 signd_client->tstream,
207 signd_client->send_queue,
208 signd_client->request_iov, 2);
209 torture_assert(tctx, req != NULL,
210 "Failed to send the signd request.");
211
212 ok = tevent_req_poll(req, tctx->ev);
213 torture_assert(tctx, ok == true,
214 "Failed to poll for tstream_writev_queue_send.");
215
216 rc = tstream_writev_queue_recv(req, &sys_errno);
217 TALLOC_FREE(req);
218 torture_assert(tctx, rc > 0, "Failed to send data");
219
220 /* Wait for a reply */
221 torture_comment(tctx, "Waiting for the reply\n");
222 req = tstream_read_pdu_blob_send(signd_client,
223 tctx->ev,
224 signd_client->tstream,
225 4, /*initial_read_size */
226 packet_full_request_u32,
227 NULL);
228 torture_assert(tctx, req != NULL,
229 "Failed to setup a read for pdu_blob.");
230
231 ok = tevent_req_poll(req, tctx->ev);
232 torture_assert(tctx, ok == true,
233 "Failed to poll for tstream_read_pdu_blob_send.");
234
235 signd_client->status = tstream_read_pdu_blob_recv(req,
236 signd_client,
237 &signd_client->reply);
238 torture_assert_ntstatus_ok(tctx, signd_client->status,
239 "Error reading signd_client reply packet");
240
241 /* Skip length header */
242 signd_client->reply.data += 4;
243 signd_client->reply.length -= 4;
244
245 /* Check if the reply buffer is valid */
246 torture_comment(tctx, "Validating the reply buffer\n");
247 ndr_err = ndr_pull_struct_blob_all(&signd_client->reply,
248 mem_ctx,
249 &signed_reply,
250 (ndr_pull_flags_fn_t)ndr_pull_signed_reply);
251 torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err),
252 ndr_map_error2string(ndr_err));
253
254 torture_assert_u64_equal(tctx, signed_reply.version,
255 NTP_SIGND_PROTOCOL_VERSION_0,
256 "Invalid Version");
257 torture_assert_u64_equal(tctx, signed_reply.packet_id,
258 sign_req.packet_id, "Invalid Packet ID");
259 torture_assert_u64_equal(tctx, signed_reply.op,
260 SIGNING_SUCCESS,
261 "Should have replied with signing success");
262 torture_assert_u64_equal(tctx, signed_reply.signed_packet.length,
263 sign_req.packet_to_sign.length + 20,
264 "Invalid reply length from signd");
265 torture_assert_u64_equal(tctx, rid,
266 IVAL(signed_reply.signed_packet.data,
267 sign_req.packet_to_sign.length),
268 "Incorrect RID in reply");
269
270 /* Check computed signature */
271 MD5Init(&ctx);
272 MD5Update(&ctx, pwhash->hash, sizeof(pwhash->hash));
273 MD5Update(&ctx, sign_req.packet_to_sign.data,
274 sign_req.packet_to_sign.length);
275 MD5Final(sig, &ctx);
276
277 torture_assert_mem_equal(tctx,
278 &signed_reply.signed_packet.data[sign_req.packet_to_sign.length + 4],
279 sig, 16, "Signature on reply was incorrect!");
280
281 talloc_free(mem_ctx);
282
283 return true;
284 }
285
286 NTSTATUS torture_ntp_init(void)
287 {
288 struct torture_suite *suite = torture_suite_create(talloc_autofree_context(), "ntp");
289 struct torture_rpc_tcase *tcase;
290
291 tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite,
292 "signd", &ndr_table_netlogon, TEST_MACHINE_NAME);
293
294 torture_rpc_tcase_add_test_creds(tcase, "ntp_signd", test_ntp_signd);
295
296 suite->description = talloc_strdup(suite, "NTP tests");
297
298 torture_register_suite(suite);
299
300 return NT_STATUS_OK;
301 }
302
Samba GIT mirror