search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-torture: Migrate ntp_signd test to tsocket.
[Samba/nascimento.git] / source4 / torture / ntp / ntp_signd.c
blob763563263be817978f0ab5ea0bec6f701202741a
1 /*
2 Unix SMB/CIFS implementation.
3
4 Test NTP authentication support
5
6 Copyright (C) Andrew Bartlet <abartlet@samba.org> 2008
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "torture/smbtorture.h"
24 #include <tevent.h>
25 #include "lib/stream/packet.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "libcli/util/tstream.h"
28 #include "torture/rpc/rpc.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_ntp_signd.h"
33 #include "param/param.h"
34 #include "system/network.h"
35
36 #define TEST_MACHINE_NAME "ntpsigndtest"
37
38 struct signd_client_state {
39 struct tsocket_address *local_address;
40 struct tsocket_address *remote_address;
41
42 struct tstream_context *tstream;
43 struct tevent_queue *send_queue;
44
45 uint8_t request_hdr[4];
46 struct iovec request_iov[2];
47
48 DATA_BLOB reply;
49
50 NTSTATUS status;
51 };
52
53 /*
54 * A torture test to show that the unix domain socket protocol is
55 * operating correctly, and the signatures are as expected
56 */
57 static bool test_ntp_signd(struct torture_context *tctx,
58 struct dcerpc_pipe *p,
59 struct cli_credentials *credentials)
60 {
61 struct netlogon_creds_CredentialState *creds;
62 TALLOC_CTX *mem_ctx = talloc_new(tctx);
63
64 struct netr_ServerReqChallenge r;
65 struct netr_ServerAuthenticate3 a;
66 struct netr_Credential credentials1, credentials2, credentials3;
67 uint32_t rid;
68 const char *machine_name;
69 const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx);
70 uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
71
72 struct sign_request sign_req;
73 struct signed_reply signed_reply;
74 DATA_BLOB sign_req_blob;
75
76 struct signd_client_state *signd_client;
77 struct tevent_req *req;
78 char *unix_address;
79 int sys_errno;
80
81 NTSTATUS status;
82
83 struct MD5Context ctx;
84 uint8_t sig[16];
85 enum ndr_err_code ndr_err;
86 bool ok;
87 int rc;
88
89 machine_name = cli_credentials_get_workstation(credentials);
90
91 torture_comment(tctx, "Testing ServerReqChallenge\n");
92
93 r.in.server_name = NULL;
94 r.in.computer_name = machine_name;
95 r.in.credentials = &credentials1;
96 r.out.return_credentials = &credentials2;
97
98 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
99
100 status = dcerpc_netr_ServerReqChallenge(p, tctx, &r);
101 torture_assert_ntstatus_ok(tctx, status, "ServerReqChallenge");
102
103 a.in.server_name = NULL;
104 a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
105 a.in.secure_channel_type = SEC_CHAN_WKSTA;
106 a.in.computer_name = machine_name;
107 a.in.negotiate_flags = &negotiate_flags;
108 a.in.credentials = &credentials3;
109 a.out.return_credentials = &credentials3;
110 a.out.negotiate_flags = &negotiate_flags;
111 a.out.rid = &rid;
112
113 creds = netlogon_creds_client_init(tctx, a.in.account_name,
114 a.in.computer_name,
115 &credentials1, &credentials2,
116 pwhash, &credentials3,
117 negotiate_flags);
118
119 torture_assert(tctx, creds != NULL, "memory allocation");
120
121 torture_comment(tctx, "Testing ServerAuthenticate3\n");
122
123 status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a);
124 torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3");
125 torture_assert(tctx,
126 netlogon_creds_client_check(creds, &credentials3),
127 "Credential chaining failed");
128
129 sign_req.op = SIGN_TO_CLIENT;
130 sign_req.packet_id = 1;
131 sign_req.key_id = rid;
132 sign_req.packet_to_sign = data_blob_string_const("I am a tea pot");
133
134 ndr_err = ndr_push_struct_blob(&sign_req_blob,
135 mem_ctx,
136 NULL,
137 &sign_req,
138 (ndr_push_flags_fn_t)ndr_push_sign_request);
139 torture_assert(tctx,
140 NDR_ERR_CODE_IS_SUCCESS(ndr_err),
141 "Failed to push sign_req");
142
143 signd_client = talloc(mem_ctx, struct signd_client_state);
144
145 /* Create socket addresses */
146 torture_comment(tctx, "Creating the socket addresses\n");
147 rc = tsocket_address_unix_from_path(signd_client, "",
148 &signd_client->local_address);
149 torture_assert(tctx, rc == 0,
150 "Failed to create local address from unix path.");
151
152 unix_address = talloc_asprintf(signd_client,
153 "%s/socket",
154 lp_ntp_signd_socket_directory(tctx->lp_ctx));
155 rc = tsocket_address_unix_from_path(mem_ctx,
156 unix_address,
157 &signd_client->remote_address);
158 torture_assert(tctx, rc == 0,
159 "Failed to create remote address from unix path.");
160
161 /* Connect to the unix socket */
162 torture_comment(tctx, "Connecting to the unix socket\n");
163 req = tstream_unix_connect_send(signd_client,
164 tctx->ev,
165 signd_client->local_address,
166 signd_client->remote_address);
167 torture_assert(tctx, req != NULL,
168 "Failed to create a tstream unix connect request.");
169
170 ok = tevent_req_poll(req, tctx->ev);
171 torture_assert(tctx, ok == true,
172 "Failed to poll for tstream_unix_connect_send.");
173
174 rc = tstream_unix_connect_recv(req,
175 &sys_errno,
176 signd_client,
177 &signd_client->tstream);
178 TALLOC_FREE(req);
179 torture_assert(tctx, rc == 0, "Failed to connect to signd!");
180
181 /* Allocate the send queue */
182 signd_client->send_queue = tevent_queue_create(signd_client,
183 "signd_client_queue");
184 torture_assert(tctx, signd_client->send_queue != NULL,
185 "Failed to create send queue!");
186
187 /*
188 * Create the request buffer.
189 * First add the length of the request buffer
190 */
191 RSIVAL(signd_client->request_hdr, 0, sign_req_blob.length);
192 signd_client->request_iov[0].iov_base = signd_client->request_hdr;
193 signd_client->request_iov[0].iov_len = 4;
194
195 signd_client->request_iov[1].iov_base = sign_req_blob.data;
196 signd_client->request_iov[1].iov_len = sign_req_blob.length;
197
198 /* Fire the request buffer */
199 torture_comment(tctx, "Sending the request\n");
200 req = tstream_writev_queue_send(signd_client,
201 tctx->ev,
202 signd_client->tstream,
203 signd_client->send_queue,
204 signd_client->request_iov, 2);
205 torture_assert(tctx, req != NULL,
206 "Failed to send the signd request.");
207
208 ok = tevent_req_poll(req, tctx->ev);
209 torture_assert(tctx, ok == true,
210 "Failed to poll for tstream_writev_queue_send.");
211
212 rc = tstream_writev_queue_recv(req, &sys_errno);
213 TALLOC_FREE(req);
214 torture_assert(tctx, rc > 0, "Failed to send data");
215
216 /* Wait for a reply */
217 torture_comment(tctx, "Waiting for the reply\n");
218 req = tstream_read_pdu_blob_send(signd_client,
219 tctx->ev,
220 signd_client->tstream,
221 4, /*initial_read_size */
222 packet_full_request_u32,
223 NULL);
224 torture_assert(tctx, req != NULL,
225 "Failed to setup a read for pdu_blob.");
226
227 ok = tevent_req_poll(req, tctx->ev);
228 torture_assert(tctx, ok == true,
229 "Failed to poll for tstream_read_pdu_blob_send.");
230
231 signd_client->status = tstream_read_pdu_blob_recv(req,
232 signd_client,
233 &signd_client->reply);
234 torture_assert_ntstatus_ok(tctx, signd_client->status,
235 "Error reading signd_client reply packet");
236
237 /* Skip length header */
238 signd_client->reply.data += 4;
239 signd_client->reply.length -= 4;
240
241 /* Check if the reply buffer is valid */
242 torture_comment(tctx, "Validating the reply buffer\n");
243 ndr_err = ndr_pull_struct_blob_all(&signd_client->reply,
244 mem_ctx,
245 lp_iconv_convenience(tctx->lp_ctx),
246 &signed_reply,
247 (ndr_pull_flags_fn_t)ndr_pull_signed_reply);
248 torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err),
249 ndr_map_error2string(ndr_err));
250
251 torture_assert_u64_equal(tctx, signed_reply.version,
252 NTP_SIGND_PROTOCOL_VERSION_0,
253 "Invalid Version");
254 torture_assert_u64_equal(tctx, signed_reply.packet_id,
255 sign_req.packet_id, "Invalid Packet ID");
256 torture_assert_u64_equal(tctx, signed_reply.op,
257 SIGNING_SUCCESS,
258 "Should have replied with signing success");
259 torture_assert_u64_equal(tctx, signed_reply.signed_packet.length,
260 sign_req.packet_to_sign.length + 20,
261 "Invalid reply length from signd");
262 torture_assert_u64_equal(tctx, rid,
263 IVAL(signed_reply.signed_packet.data,
264 sign_req.packet_to_sign.length),
265 "Incorrect RID in reply");
266
267 /* Check computed signature */
268 MD5Init(&ctx);
269 MD5Update(&ctx, pwhash->hash, sizeof(pwhash->hash));
270 MD5Update(&ctx, sign_req.packet_to_sign.data,
271 sign_req.packet_to_sign.length);
272 MD5Final(sig, &ctx);
273
274 torture_assert_mem_equal(tctx,
275 &signed_reply.signed_packet.data[sign_req.packet_to_sign.length + 4],
276 sig, 16, "Signature on reply was incorrect!");
277
278 talloc_free(mem_ctx);
279
280 return true;
281 }
282
283 NTSTATUS torture_ntp_init(void)
284 {
285 struct torture_suite *suite = torture_suite_create(talloc_autofree_context(), "NTP");
286 struct torture_rpc_tcase *tcase;
287
288 tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "SIGND",
289 &ndr_table_netlogon, TEST_MACHINE_NAME);
290
291 torture_rpc_tcase_add_test_creds(tcase, "ntp_signd", test_ntp_signd);
292
293 suite->description = talloc_strdup(suite, "NTP tests");
294
295 torture_register_suite(suite);
296
297 return NT_STATUS_OK;
298 }
299