2 Unix SMB/CIFS implementation.
4 Test NTP authentication support
6 Copyright (C) Andrew Bartlet <abartlet@samba.org> 2008
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "torture/smbtorture.h"
25 #include "lib/stream/packet.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "libcli/util/tstream.h"
28 #include "torture/rpc/rpc.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_ntp_signd.h"
33 #include "param/param.h"
34 #include "system/network.h"
36 #define TEST_MACHINE_NAME "ntpsigndtest"
38 struct signd_client_state
{
39 struct tsocket_address
*local_address
;
40 struct tsocket_address
*remote_address
;
42 struct tstream_context
*tstream
;
43 struct tevent_queue
*send_queue
;
45 uint8_t request_hdr
[4];
46 struct iovec request_iov
[2];
54 * A torture test to show that the unix domain socket protocol is
55 * operating correctly, and the signatures are as expected
57 static bool test_ntp_signd(struct torture_context
*tctx
,
58 struct dcerpc_pipe
*p
,
59 struct cli_credentials
*credentials
)
61 struct netlogon_creds_CredentialState
*creds
;
62 TALLOC_CTX
*mem_ctx
= talloc_new(tctx
);
64 struct netr_ServerReqChallenge r
;
65 struct netr_ServerAuthenticate3 a
;
66 struct netr_Credential credentials1
, credentials2
, credentials3
;
68 const char *machine_name
;
69 const struct samr_Password
*pwhash
= cli_credentials_get_nt_hash(credentials
, mem_ctx
);
70 uint32_t negotiate_flags
= NETLOGON_NEG_AUTH2_ADS_FLAGS
;
72 struct sign_request sign_req
;
73 struct signed_reply signed_reply
;
74 DATA_BLOB sign_req_blob
;
76 struct signd_client_state
*signd_client
;
77 struct tevent_req
*req
;
83 struct MD5Context ctx
;
85 enum ndr_err_code ndr_err
;
89 machine_name
= cli_credentials_get_workstation(credentials
);
91 torture_comment(tctx
, "Testing ServerReqChallenge\n");
93 r
.in
.server_name
= NULL
;
94 r
.in
.computer_name
= machine_name
;
95 r
.in
.credentials
= &credentials1
;
96 r
.out
.return_credentials
= &credentials2
;
98 generate_random_buffer(credentials1
.data
, sizeof(credentials1
.data
));
100 status
= dcerpc_netr_ServerReqChallenge_r(p
->binding_handle
, tctx
, &r
);
101 torture_assert_ntstatus_ok(tctx
, status
, "ServerReqChallenge");
103 a
.in
.server_name
= NULL
;
104 a
.in
.account_name
= talloc_asprintf(tctx
, "%s$", machine_name
);
105 a
.in
.secure_channel_type
= SEC_CHAN_WKSTA
;
106 a
.in
.computer_name
= machine_name
;
107 a
.in
.negotiate_flags
= &negotiate_flags
;
108 a
.in
.credentials
= &credentials3
;
109 a
.out
.return_credentials
= &credentials3
;
110 a
.out
.negotiate_flags
= &negotiate_flags
;
113 creds
= netlogon_creds_client_init(tctx
, a
.in
.account_name
,
115 &credentials1
, &credentials2
,
116 pwhash
, &credentials3
,
119 torture_assert(tctx
, creds
!= NULL
, "memory allocation");
121 torture_comment(tctx
, "Testing ServerAuthenticate3\n");
123 status
= dcerpc_netr_ServerAuthenticate3_r(p
->binding_handle
, tctx
, &a
);
124 torture_assert_ntstatus_ok(tctx
, status
, "ServerAuthenticate3");
126 netlogon_creds_client_check(creds
, &credentials3
),
127 "Credential chaining failed");
129 sign_req
.op
= SIGN_TO_CLIENT
;
130 sign_req
.packet_id
= 1;
131 sign_req
.key_id
= rid
;
132 sign_req
.packet_to_sign
= data_blob_string_const("I am a tea pot");
134 ndr_err
= ndr_push_struct_blob(&sign_req_blob
,
138 (ndr_push_flags_fn_t
)ndr_push_sign_request
);
140 NDR_ERR_CODE_IS_SUCCESS(ndr_err
),
141 "Failed to push sign_req");
143 signd_client
= talloc(mem_ctx
, struct signd_client_state
);
145 /* Create socket addresses */
146 torture_comment(tctx
, "Creating the socket addresses\n");
147 rc
= tsocket_address_unix_from_path(signd_client
, "",
148 &signd_client
->local_address
);
149 torture_assert(tctx
, rc
== 0,
150 "Failed to create local address from unix path.");
152 unix_address
= talloc_asprintf(signd_client
,
154 lp_ntp_signd_socket_directory(tctx
->lp_ctx
));
155 rc
= tsocket_address_unix_from_path(mem_ctx
,
157 &signd_client
->remote_address
);
158 torture_assert(tctx
, rc
== 0,
159 "Failed to create remote address from unix path.");
161 /* Connect to the unix socket */
162 torture_comment(tctx
, "Connecting to the unix socket\n");
163 req
= tstream_unix_connect_send(signd_client
,
165 signd_client
->local_address
,
166 signd_client
->remote_address
);
167 torture_assert(tctx
, req
!= NULL
,
168 "Failed to create a tstream unix connect request.");
170 ok
= tevent_req_poll(req
, tctx
->ev
);
171 torture_assert(tctx
, ok
== true,
172 "Failed to poll for tstream_unix_connect_send.");
174 rc
= tstream_unix_connect_recv(req
,
177 &signd_client
->tstream
);
179 torture_assert(tctx
, rc
== 0, "Failed to connect to signd!");
181 /* Allocate the send queue */
182 signd_client
->send_queue
= tevent_queue_create(signd_client
,
183 "signd_client_queue");
184 torture_assert(tctx
, signd_client
->send_queue
!= NULL
,
185 "Failed to create send queue!");
188 * Create the request buffer.
189 * First add the length of the request buffer
191 RSIVAL(signd_client
->request_hdr
, 0, sign_req_blob
.length
);
192 signd_client
->request_iov
[0].iov_base
= signd_client
->request_hdr
;
193 signd_client
->request_iov
[0].iov_len
= 4;
195 signd_client
->request_iov
[1].iov_base
= sign_req_blob
.data
;
196 signd_client
->request_iov
[1].iov_len
= sign_req_blob
.length
;
198 /* Fire the request buffer */
199 torture_comment(tctx
, "Sending the request\n");
200 req
= tstream_writev_queue_send(signd_client
,
202 signd_client
->tstream
,
203 signd_client
->send_queue
,
204 signd_client
->request_iov
, 2);
205 torture_assert(tctx
, req
!= NULL
,
206 "Failed to send the signd request.");
208 ok
= tevent_req_poll(req
, tctx
->ev
);
209 torture_assert(tctx
, ok
== true,
210 "Failed to poll for tstream_writev_queue_send.");
212 rc
= tstream_writev_queue_recv(req
, &sys_errno
);
214 torture_assert(tctx
, rc
> 0, "Failed to send data");
216 /* Wait for a reply */
217 torture_comment(tctx
, "Waiting for the reply\n");
218 req
= tstream_read_pdu_blob_send(signd_client
,
220 signd_client
->tstream
,
221 4, /*initial_read_size */
222 packet_full_request_u32
,
224 torture_assert(tctx
, req
!= NULL
,
225 "Failed to setup a read for pdu_blob.");
227 ok
= tevent_req_poll(req
, tctx
->ev
);
228 torture_assert(tctx
, ok
== true,
229 "Failed to poll for tstream_read_pdu_blob_send.");
231 signd_client
->status
= tstream_read_pdu_blob_recv(req
,
233 &signd_client
->reply
);
234 torture_assert_ntstatus_ok(tctx
, signd_client
->status
,
235 "Error reading signd_client reply packet");
237 /* Skip length header */
238 signd_client
->reply
.data
+= 4;
239 signd_client
->reply
.length
-= 4;
241 /* Check if the reply buffer is valid */
242 torture_comment(tctx
, "Validating the reply buffer\n");
243 ndr_err
= ndr_pull_struct_blob_all(&signd_client
->reply
,
245 lp_iconv_convenience(tctx
->lp_ctx
),
247 (ndr_pull_flags_fn_t
)ndr_pull_signed_reply
);
248 torture_assert(tctx
, NDR_ERR_CODE_IS_SUCCESS(ndr_err
),
249 ndr_map_error2string(ndr_err
));
251 torture_assert_u64_equal(tctx
, signed_reply
.version
,
252 NTP_SIGND_PROTOCOL_VERSION_0
,
254 torture_assert_u64_equal(tctx
, signed_reply
.packet_id
,
255 sign_req
.packet_id
, "Invalid Packet ID");
256 torture_assert_u64_equal(tctx
, signed_reply
.op
,
258 "Should have replied with signing success");
259 torture_assert_u64_equal(tctx
, signed_reply
.signed_packet
.length
,
260 sign_req
.packet_to_sign
.length
+ 20,
261 "Invalid reply length from signd");
262 torture_assert_u64_equal(tctx
, rid
,
263 IVAL(signed_reply
.signed_packet
.data
,
264 sign_req
.packet_to_sign
.length
),
265 "Incorrect RID in reply");
267 /* Check computed signature */
269 MD5Update(&ctx
, pwhash
->hash
, sizeof(pwhash
->hash
));
270 MD5Update(&ctx
, sign_req
.packet_to_sign
.data
,
271 sign_req
.packet_to_sign
.length
);
274 torture_assert_mem_equal(tctx
,
275 &signed_reply
.signed_packet
.data
[sign_req
.packet_to_sign
.length
+ 4],
276 sig
, 16, "Signature on reply was incorrect!");
278 talloc_free(mem_ctx
);
283 NTSTATUS
torture_ntp_init(void)
285 struct torture_suite
*suite
= torture_suite_create(talloc_autofree_context(), "NTP");
286 struct torture_rpc_tcase
*tcase
;
288 tcase
= torture_suite_add_machine_workstation_rpc_iface_tcase(suite
, "SIGND",
289 &ndr_table_netlogon
, TEST_MACHINE_NAME
);
291 torture_rpc_tcase_add_test_creds(tcase
, "ntp_signd", test_ntp_signd
);
293 suite
->description
= talloc_strdup(suite
, "NTP tests");
295 torture_register_suite(suite
);