/*
* Copyright (C) 2017 Michael Brown <mbrown@fensystems.co.uk>.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of the
* License, or any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*
* You can also choose to distribute this program under the terms of
* the Unmodified Binary Distribution Licence (as given in the file
* COPYING.UBDL), provided that you have satisfied its requirements.
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
/** @file
*
* NTLM authentication self-tests
*
* The test vectors are taken from the MS-NLMP specification document.
*
*/
/* Forcibly enable assertions */
#undef NDEBUG
#include <stdlib.h>
#include <string.h>
#include <byteswap.h>
#include <ipxe/ntlm.h>
#include <ipxe/test.h>
/** A key generation test */
struct ntlm_key_test {
/** Domain name (or NULL) */
const char *domain;
/** User name (or NULL) */
const char *username;
/** Password (or NULL) */
const char *password;
/** Expected key */
struct ntlm_key expected;
};
/** An authentication test */
struct ntlm_authenticate_test {
/** Domain name (or NULL) */
const char *domain;
/** User name (or NULL) */
const char *username;
/** Password (or NULL) */
const char *password;
/** Workstation (or NULL) */
const char *workstation;
/** Nonce */
struct ntlm_nonce nonce;
/** Challenge message */
struct ntlm_challenge *challenge;
/** Length of Challenge message */
size_t challenge_len;
/** Expected Authenticate message */
struct ntlm_authenticate *expected;
/** Expected length of Authenticate message */
size_t expected_len;
};
/** Define inline message data */
#define DATA(...) { __VA_ARGS__ }
/** Define a key generation digest test */
#define KEY_TEST( name, DOMAIN, USERNAME, PASSWORD, EXPECTED ) \
static struct ntlm_key_test name = { \
.domain = DOMAIN, \
.username = USERNAME, \
.password = PASSWORD, \
.expected = { \
.raw = EXPECTED, \
}, \
};
/** Define an authentication test */
#define AUTHENTICATE_TEST( name, DOMAIN, USERNAME, PASSWORD, \
WORKSTATION, NONCE, CHALLENGE, EXPECTED ) \
static const uint8_t name ## _challenge[] = CHALLENGE; \
static const uint8_t name ## _expected[] = EXPECTED; \
static struct ntlm_authenticate_test name = { \
.domain = DOMAIN, \
.username = USERNAME, \
.password = PASSWORD, \
.workstation = WORKSTATION, \
.nonce = { \
.raw = NONCE, \
}, \
.challenge = ( ( void * ) name ## _challenge ), \
.challenge_len = sizeof ( name ## _challenge ), \
.expected = ( ( void * ) name ## _expected ), \
.expected_len = sizeof ( name ## _expected ), \
};
/** NTOWFv2() test from MS-NLMP specification */
KEY_TEST ( msnlmp_ntowfv2, "Domain", "User", "Password",
DATA ( 0x0c, 0x86, 0x8a, 0x40, 0x3b, 0xfd, 0x7a, 0x93, 0xa3, 0x00,
0x1e, 0xf2, 0x2e, 0xf0, 0x2e, 0x3f ) );
/** Authentication test from MS-NLMP specification */
AUTHENTICATE_TEST ( msnlmp_authenticate,
"Domain", "User", "Password", "COMPUTER",
DATA ( 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa ),
DATA ( 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x02, 0x00,
0x00, 0x00, 0x0c, 0x00, 0x0c, 0x00, 0x38, 0x00, 0x00, 0x00,
0x33, 0x82, 0x8a, 0xe2, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab,
0xcd, 0xef, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x24, 0x00, 0x24, 0x00, 0x44, 0x00, 0x00, 0x00, 0x06, 0x00,
0x70, 0x17, 0x00, 0x00, 0x00, 0x0f, 0x53, 0x00, 0x65, 0x00,
0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x02, 0x00,
0x0c, 0x00, 0x44, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x61, 0x00,
0x69, 0x00, 0x6e, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x53, 0x00,
0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00,
0x00, 0x00, 0x00, 0x00 ),
DATA ( 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00,
0x00, 0x00, 0x18, 0x00, 0x18, 0x00, 0x6c, 0x00, 0x00, 0x00,
0x54, 0x00, 0x54, 0x00, 0x84, 0x00, 0x00, 0x00, 0x0c, 0x00,
0x0c, 0x00, 0x48, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00,
0x54, 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x5c, 0x00,
0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0xd8, 0x00, 0x00, 0x00,
0x35, 0x82, 0x88, 0xe2, 0x05, 0x01, 0x28, 0x0a, 0x00, 0x00,
0x00, 0x0f, 0x44, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x61, 0x00,
0x69, 0x00, 0x6e, 0x00, 0x55, 0x00, 0x73, 0x00, 0x65, 0x00,
0x72, 0x00, 0x43, 0x00, 0x4f, 0x00, 0x4d, 0x00, 0x50, 0x00,
0x55, 0x00, 0x54, 0x00, 0x45, 0x00, 0x52, 0x00, 0x86, 0xc3,
0x50, 0x97, 0xac, 0x9c, 0xec, 0x10, 0x25, 0x54, 0x76, 0x4a,
0x57, 0xcc, 0xcc, 0x19, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
0xaa, 0xaa, 0x68, 0xcd, 0x0a, 0xb8, 0x51, 0xe5, 0x1c, 0x96,
0xaa, 0xbc, 0x92, 0x7b, 0xeb, 0xef, 0x6a, 0x1c, 0x01, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x0c, 0x00,
0x44, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x69, 0x00,
0x6e, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x53, 0x00, 0x65, 0x00,
0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xda, 0xd2, 0x54,
0x4f, 0xc9, 0x79, 0x90, 0x94, 0xce, 0x1c, 0xe9, 0x0b, 0xc9,
0xd0, 0x3e ) );
/**
* Report key generation test result
*
* @v test Key generation test
* @v file Test code file
* @v line Test code line
*/
static void ntlm_key_okx ( struct ntlm_key_test *test,
const char *file, unsigned int line ) {
struct ntlm_key key;
ntlm_key ( test->domain, test->username, test->password, &key );
okx ( memcmp ( &key, &test->expected, sizeof ( key ) ) == 0,
file, line );
}
#define ntlm_key_ok( test ) \
ntlm_key_okx ( test, __FILE__, __LINE__ )
/**
* Report NTLM variable-length data test result
*
* @v msg Message header
* @v msg_len Length of message
* @v data Variable-length data descriptor
* @v expected Expected message header
* @v expected_data Expected variable-length data descriptor
* @v field Field name
* @v file Test code file
* @v line Test code line
*/
static void ntlm_data_okx ( struct ntlm_header *msg, size_t msg_len,
struct ntlm_data *data,
struct ntlm_header *expected,
struct ntlm_data *expected_data,
const char *field, const char *file,
unsigned int line ) {
size_t offset;
size_t len;
void *raw;
void *expected_raw;
/* Verify data lies within message */
okx ( data->len == data->max_len, file, line );
offset = le32_to_cpu ( data->offset );
len = le16_to_cpu ( data->len );
okx ( offset <= msg_len, file, line );
okx ( len <= ( msg_len - offset ), file, line );
/* Verify content matches expected content */
raw = ( ( ( void * ) msg ) + offset );
expected_raw = ( ( ( void * ) expected ) +
le32_to_cpu ( expected_data->offset ) );
DBGC ( msg, "NTLM %s expected:\n", field );
DBGC_HDA ( msg, 0, expected_raw, le16_to_cpu ( expected_data->len ) );
DBGC ( msg, "NTLM %s actual:\n", field );
DBGC_HDA ( msg, 0, raw, len );
okx ( data->len == expected_data->len, file, line );
okx ( memcmp ( raw, expected_raw, len ) == 0, file, line );
}
#define ntlm_data_ok( msg, msg_len, data, expected, expected_data ) \
ntlm_data_okx ( msg, msg_len, data, expected, expected_data, \
__FILE__, __LINE__ )
/**
* Report NTLM authentication test result
*
* @v test Authentication test
* @v file Test code file
* @v line Test code line
*/
static void ntlm_authenticate_okx ( struct ntlm_authenticate_test *test,
const char *file, unsigned int line ) {
struct ntlm_authenticate *expected = test->expected;
struct ntlm_challenge_info info;
struct ntlm_authenticate *auth;
struct ntlm_key key;
struct ntlm_lm_response lm;
struct ntlm_nt_response nt;
size_t len;
/* Parse Challenge message */
okx ( ntlm_challenge ( test->challenge, test->challenge_len,
&info ) == 0, file, line );
/* Generate key */
ntlm_key ( test->domain, test->username, test->password, &key );
/* Generate responses */
ntlm_response ( &info, &key, &test->nonce, &lm, &nt );
/* Allocate buffer for Authenticate message */
len = ntlm_authenticate_len ( &info, test->domain, test->username,
test->workstation );
okx ( len >= sizeof ( *auth ), file, line );
auth = malloc ( len );
okx ( auth != NULL, file, line );
/* Construct Authenticate message */
okx ( ntlm_authenticate ( &info, test->domain, test->username,
test->workstation, &lm, &nt, auth ) == len,
file, line );
/* Verify header */
okx ( memcmp ( &auth->header, &expected->header,
sizeof ( auth->header ) ) == 0, file, line );
/* Verify LAN Manager response */
ntlm_data_okx ( &auth->header, len, &auth->lm, &expected->header,
&expected->lm, "LM", file, line );
/* Verify NT response */
ntlm_data_okx ( &auth->header, len, &auth->nt, &expected->header,
&expected->nt, "NT", file, line );
/* Verify domain name */
ntlm_data_okx ( &auth->header, len, &auth->domain, &expected->header,
&expected->domain, "domain", file, line );
/* Verify user name */
ntlm_data_okx ( &auth->header, len, &auth->user, &expected->header,
&expected->user, "user", file, line );
/* Verify workstation name */
ntlm_data_okx ( &auth->header, len, &auth->workstation,
&expected->header, &expected->workstation,
"workstation",file, line );
/* Verify session key */
if ( auth->flags & NTLM_NEGOTIATE_KEY_EXCH ) {
ntlm_data_okx ( &auth->header, len, &auth->session,
&expected->header, &expected->session,
"session", file, line );
}
/* Free Authenticate message */
free ( auth );
}
#define ntlm_authenticate_ok( test ) \
ntlm_authenticate_okx ( test, __FILE__, __LINE__ )
/**
* Perform NTLM self-test
*
*/
static void ntlm_test_exec ( void ) {
/* Verify key generation */
ntlm_key_ok ( &msnlmp_ntowfv2 );
/* Verify authentication response */
ntlm_authenticate_ok ( &msnlmp_authenticate );
}
/** NTLM self-test */
struct self_test ntlm_test __self_test = {
.name = "ntlm",
.exec = ntlm_test_exec,
};
