1963e5732461d44fef3dbba8000623c8d95bc2c6
[gd/samba-autobuild/.git] / source4 / torture / ntp / ntp_signd.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Test NTP authentication support
5
6    Copyright (C) Andrew Bartlet <abartlet@samba.org> 2008
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "torture/smbtorture.h"
24 #include <tevent.h>
25 #include "lib/stream/packet.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "libcli/util/tstream.h"
28 #include "torture/rpc/torture_rpc.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/ndr_ntp_signd.h"
33 #include "param/param.h"
34 #include "system/network.h"
35 #include "torture/ntp/proto.h"
36
37 #define TEST_MACHINE_NAME "ntpsigndtest"
38
39 struct signd_client_state {
40         struct tsocket_address *local_address;
41         struct tsocket_address *remote_address;
42
43         struct tstream_context *tstream;
44         struct tevent_queue *send_queue;
45
46         uint8_t request_hdr[4];
47         struct iovec request_iov[2];
48
49         DATA_BLOB reply;
50
51         NTSTATUS status;
52 };
53
54 /*
55  * A torture test to show that the unix domain socket protocol is
56  * operating correctly, and the signatures are as expected
57  */
58 static bool test_ntp_signd(struct torture_context *tctx,
59                            struct dcerpc_pipe *p,
60                            struct cli_credentials *credentials)
61 {
62         struct netlogon_creds_CredentialState *creds;
63         TALLOC_CTX *mem_ctx = talloc_new(tctx);
64
65         struct netr_ServerReqChallenge r;
66         struct netr_ServerAuthenticate3 a;
67         struct netr_Credential credentials1, credentials2, credentials3;
68         uint32_t rid;
69         const char *machine_name;
70         const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx);
71         uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
72
73         struct sign_request sign_req;
74         struct signed_reply signed_reply;
75         DATA_BLOB sign_req_blob;
76
77         struct signd_client_state *signd_client;
78         struct tevent_req *req;
79         char *unix_address;
80         int sys_errno;
81
82         MD5_CTX ctx;
83         uint8_t sig[16];
84         enum ndr_err_code ndr_err;
85         bool ok;
86         int rc;
87
88         machine_name = cli_credentials_get_workstation(credentials);
89
90         torture_comment(tctx, "Testing ServerReqChallenge\n");
91
92         r.in.server_name = NULL;
93         r.in.computer_name = machine_name;
94         r.in.credentials = &credentials1;
95         r.out.return_credentials = &credentials2;
96
97         generate_random_buffer(credentials1.data, sizeof(credentials1.data));
98
99         torture_assert_ntstatus_ok(tctx,
100                 dcerpc_netr_ServerReqChallenge_r(p->binding_handle, tctx, &r),
101                 "ServerReqChallenge failed");
102         torture_assert_ntstatus_ok(tctx, r.out.result,
103                 "ServerReqChallenge failed");
104
105         a.in.server_name = NULL;
106         a.in.account_name = talloc_asprintf(tctx, "%s$", machine_name);
107         a.in.secure_channel_type = SEC_CHAN_WKSTA;
108         a.in.computer_name = machine_name;
109         a.in.negotiate_flags = &negotiate_flags;
110         a.in.credentials = &credentials3;
111         a.out.return_credentials = &credentials3;
112         a.out.negotiate_flags = &negotiate_flags;
113         a.out.rid = &rid;
114
115         creds = netlogon_creds_client_init(tctx, a.in.account_name,
116                                            a.in.computer_name,
117                                            a.in.secure_channel_type,
118                                            &credentials1, &credentials2, 
119                                            pwhash, &credentials3,
120                                            negotiate_flags);
121         
122         torture_assert(tctx, creds != NULL, "memory allocation");
123
124         torture_comment(tctx, "Testing ServerAuthenticate3\n");
125
126         torture_assert_ntstatus_ok(tctx,
127                 dcerpc_netr_ServerAuthenticate3_r(p->binding_handle, tctx, &a),
128                 "ServerAuthenticate3 failed");
129         torture_assert_ntstatus_ok(tctx, a.out.result,
130                 "ServerAuthenticate3 failed");
131         torture_assert(tctx,
132                        netlogon_creds_client_check(creds, &credentials3),
133                        "Credential chaining failed");
134
135         sign_req.op = SIGN_TO_CLIENT;
136         sign_req.packet_id = 1;
137         sign_req.key_id = rid;
138         sign_req.packet_to_sign = data_blob_string_const("I am a tea pot");
139         
140         ndr_err = ndr_push_struct_blob(&sign_req_blob,
141                                        mem_ctx,
142                                        &sign_req,
143                                        (ndr_push_flags_fn_t)ndr_push_sign_request);
144         torture_assert(tctx,
145                        NDR_ERR_CODE_IS_SUCCESS(ndr_err),
146                        "Failed to push sign_req");
147
148         signd_client = talloc(mem_ctx, struct signd_client_state);
149
150         /* Create socket addresses */
151         torture_comment(tctx, "Creating the socket addresses\n");
152         rc = tsocket_address_unix_from_path(signd_client, "",
153                                        &signd_client->local_address);
154         torture_assert(tctx, rc == 0,
155                        "Failed to create local address from unix path.");
156
157         unix_address = talloc_asprintf(signd_client,
158                                         "%s/socket",
159                                         lpcfg_ntp_signd_socket_directory(tctx->lp_ctx));
160         rc = tsocket_address_unix_from_path(mem_ctx,
161                                             unix_address,
162                                             &signd_client->remote_address);
163         torture_assert(tctx, rc == 0,
164                        "Failed to create remote address from unix path.");
165
166         /* Connect to the unix socket */
167         torture_comment(tctx, "Connecting to the unix socket\n");
168         req = tstream_unix_connect_send(signd_client,
169                                         tctx->ev,
170                                         signd_client->local_address,
171                                         signd_client->remote_address);
172         torture_assert(tctx, req != NULL,
173                        "Failed to create a tstream unix connect request.");
174
175         ok = tevent_req_poll(req, tctx->ev);
176         torture_assert(tctx, ok == true,
177                        "Failed to poll for tstream_unix_connect_send.");
178
179         rc = tstream_unix_connect_recv(req,
180                                        &sys_errno,
181                                        signd_client,
182                                        &signd_client->tstream);
183         TALLOC_FREE(req);
184         torture_assert(tctx, rc == 0, "Failed to connect to signd!");
185
186         /* Allocate the send queue */
187         signd_client->send_queue = tevent_queue_create(signd_client,
188                                                        "signd_client_queue");
189         torture_assert(tctx, signd_client->send_queue != NULL,
190                        "Failed to create send queue!");
191
192         /*
193          * Create the request buffer.
194          * First add the length of the request buffer
195          */
196         RSIVAL(signd_client->request_hdr, 0, sign_req_blob.length);
197         signd_client->request_iov[0].iov_base = (char *) signd_client->request_hdr;
198         signd_client->request_iov[0].iov_len = 4;
199
200         signd_client->request_iov[1].iov_base = (char *) sign_req_blob.data;
201         signd_client->request_iov[1].iov_len = sign_req_blob.length;
202
203         /* Fire the request buffer */
204         torture_comment(tctx, "Sending the request\n");
205         req = tstream_writev_queue_send(signd_client,
206                                         tctx->ev,
207                                         signd_client->tstream,
208                                         signd_client->send_queue,
209                                         signd_client->request_iov, 2);
210         torture_assert(tctx, req != NULL,
211                        "Failed to send the signd request.");
212
213         ok = tevent_req_poll(req, tctx->ev);
214         torture_assert(tctx, ok == true,
215                        "Failed to poll for tstream_writev_queue_send.");
216
217         rc = tstream_writev_queue_recv(req, &sys_errno);
218         TALLOC_FREE(req);
219         torture_assert(tctx, rc > 0, "Failed to send data");
220
221         /* Wait for a reply */
222         torture_comment(tctx, "Waiting for the reply\n");
223         req = tstream_read_pdu_blob_send(signd_client,
224                                          tctx->ev,
225                                          signd_client->tstream,
226                                          4, /*initial_read_size */
227                                          packet_full_request_u32,
228                                          NULL);
229         torture_assert(tctx, req != NULL,
230                        "Failed to setup a read for pdu_blob.");
231
232         ok = tevent_req_poll(req, tctx->ev);
233         torture_assert(tctx, ok == true,
234                        "Failed to poll for tstream_read_pdu_blob_send.");
235
236         signd_client->status = tstream_read_pdu_blob_recv(req,
237                                                           signd_client,
238                                                           &signd_client->reply);
239         torture_assert_ntstatus_ok(tctx, signd_client->status,
240                                    "Error reading signd_client reply packet");
241
242         /* Skip length header */
243         signd_client->reply.data += 4;
244         signd_client->reply.length -= 4;
245
246         /* Check if the reply buffer is valid */
247         torture_comment(tctx, "Validating the reply buffer\n");
248         ndr_err = ndr_pull_struct_blob_all(&signd_client->reply,
249                                            mem_ctx,
250                                            &signed_reply,
251                                            (ndr_pull_flags_fn_t)ndr_pull_signed_reply);
252         torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err),
253                         ndr_map_error2string(ndr_err));
254
255         torture_assert_u64_equal(tctx, signed_reply.version,
256                                  NTP_SIGND_PROTOCOL_VERSION_0,
257                                  "Invalid Version");
258         torture_assert_u64_equal(tctx, signed_reply.packet_id,
259                                  sign_req.packet_id, "Invalid Packet ID");
260         torture_assert_u64_equal(tctx, signed_reply.op,
261                                  SIGNING_SUCCESS,
262                                  "Should have replied with signing success");
263         torture_assert_u64_equal(tctx, signed_reply.signed_packet.length,
264                                  sign_req.packet_to_sign.length + 20,
265                                  "Invalid reply length from signd");
266         torture_assert_u64_equal(tctx, rid,
267                                  IVAL(signed_reply.signed_packet.data,
268                                  sign_req.packet_to_sign.length),
269                                  "Incorrect RID in reply");
270
271         /* Check computed signature */
272         MD5Init(&ctx);
273         MD5Update(&ctx, pwhash->hash, sizeof(pwhash->hash));
274         MD5Update(&ctx, sign_req.packet_to_sign.data,
275                   sign_req.packet_to_sign.length);
276         MD5Final(sig, &ctx);
277
278         torture_assert_mem_equal(tctx,
279                                  &signed_reply.signed_packet.data[sign_req.packet_to_sign.length + 4],
280                                  sig, 16, "Signature on reply was incorrect!");
281
282         talloc_free(mem_ctx);
283
284         return true;
285 }
286
287 NTSTATUS torture_ntp_init(TALLOC_CTX *ctx)
288 {
289         struct torture_suite *suite = torture_suite_create(talloc_autofree_context(), "ntp");
290         struct torture_rpc_tcase *tcase;
291
292         tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite,
293                                   "signd", &ndr_table_netlogon, TEST_MACHINE_NAME);
294
295         torture_rpc_tcase_add_test_creds(tcase, "ntp_signd", test_ntp_signd);
296
297         suite->description = talloc_strdup(suite, "NTP tests");
298
299         torture_register_suite(suite);
300
301         return NT_STATUS_OK;
302 }
303