summaryrefslogblamecommitdiffstats
path: root/src/tests/ntlm_test.c
blob: 65a8b8c676969445940ca09cbcc0416ca0ab3298 (plain) (tree)























































































































































































































































































































                                                                              
/*
 * Copyright (C) 2017 Michael Brown <mbrown@fensystems.co.uk>.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 *
 * You can also choose to distribute this program under the terms of
 * the Unmodified Binary Distribution Licence (as given in the file
 * COPYING.UBDL), provided that you have satisfied its requirements.
 */

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

/** @file
 *
 * NTLM authentication self-tests
 *
 * The test vectors are taken from the MS-NLMP specification document.
 *
 */

/* Forcibly enable assertions */
#undef NDEBUG

#include <stdlib.h>
#include <string.h>
#include <byteswap.h>
#include <ipxe/ntlm.h>
#include <ipxe/test.h>

/** A key generation test */
struct ntlm_key_test {
	/** Domain name (or NULL) */
	const char *domain;
	/** User name (or NULL) */
	const char *username;
	/** Password (or NULL) */
	const char *password;
	/** Expected key */
	struct ntlm_key expected;
};

/** An authentication test */
struct ntlm_authenticate_test {
	/** Domain name (or NULL) */
	const char *domain;
	/** User name (or NULL) */
	const char *username;
	/** Password (or NULL) */
	const char *password;
	/** Workstation (or NULL) */
	const char *workstation;
	/** Nonce */
	struct ntlm_nonce nonce;
	/** Challenge message */
	struct ntlm_challenge *challenge;
	/** Length of Challenge message */
	size_t challenge_len;
	/** Expected Authenticate message */
	struct ntlm_authenticate *expected;
	/** Expected length of Authenticate message */
	size_t expected_len;
};

/** Define inline message data */
#define DATA(...) { __VA_ARGS__ }

/** Define a key generation digest test */
#define KEY_TEST( name, DOMAIN, USERNAME, PASSWORD, EXPECTED )		\
	static struct ntlm_key_test name = {				\
		.domain = DOMAIN,					\
		.username = USERNAME,					\
		.password = PASSWORD,					\
		.expected = {						\
			.raw = EXPECTED,				\
		},							\
	};

/** Define an authentication test */
#define AUTHENTICATE_TEST( name, DOMAIN, USERNAME, PASSWORD,		\
			   WORKSTATION, NONCE, CHALLENGE, EXPECTED )	\
	static const uint8_t name ## _challenge[] = CHALLENGE;		\
	static const uint8_t name ## _expected[] = EXPECTED;		\
	static struct ntlm_authenticate_test name = {			\
		.domain = DOMAIN,					\
		.username = USERNAME,					\
		.password = PASSWORD,					\
		.workstation = WORKSTATION,				\
		.nonce = {						\
			.raw = NONCE,					\
		},							\
		.challenge = ( ( void * ) name ## _challenge ),		\
		.challenge_len = sizeof ( name ## _challenge ),		\
		.expected = ( ( void * ) name ## _expected ),		\
		.expected_len = sizeof ( name ## _expected ),		\
	};

/** NTOWFv2() test from MS-NLMP specification */
KEY_TEST ( msnlmp_ntowfv2, "Domain", "User", "Password",
	DATA ( 0x0c, 0x86, 0x8a, 0x40, 0x3b, 0xfd, 0x7a, 0x93, 0xa3, 0x00,
	       0x1e, 0xf2, 0x2e, 0xf0, 0x2e, 0x3f ) );

/** Authentication test from MS-NLMP specification */
AUTHENTICATE_TEST ( msnlmp_authenticate,
	"Domain", "User", "Password", "COMPUTER",
	DATA ( 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa ),
	DATA ( 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x02, 0x00,
	       0x00, 0x00, 0x0c, 0x00, 0x0c, 0x00, 0x38, 0x00, 0x00, 0x00,
	       0x33, 0x82, 0x8a, 0xe2, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab,
	       0xcd, 0xef, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	       0x24, 0x00, 0x24, 0x00, 0x44, 0x00, 0x00, 0x00, 0x06, 0x00,
	       0x70, 0x17, 0x00, 0x00, 0x00, 0x0f, 0x53, 0x00, 0x65, 0x00,
	       0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x02, 0x00,
	       0x0c, 0x00, 0x44, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x61, 0x00,
	       0x69, 0x00, 0x6e, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x53, 0x00,
	       0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00,
	       0x00, 0x00, 0x00, 0x00 ),
	DATA ( 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00,
	       0x00, 0x00, 0x18, 0x00, 0x18, 0x00, 0x6c, 0x00, 0x00, 0x00,
	       0x54, 0x00, 0x54, 0x00, 0x84, 0x00, 0x00, 0x00, 0x0c, 0x00,
	       0x0c, 0x00, 0x48, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00,
	       0x54, 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x5c, 0x00,
	       0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0xd8, 0x00, 0x00, 0x00,
	       0x35, 0x82, 0x88, 0xe2, 0x05, 0x01, 0x28, 0x0a, 0x00, 0x00,
	       0x00, 0x0f, 0x44, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x61, 0x00,
	       0x69, 0x00, 0x6e, 0x00, 0x55, 0x00, 0x73, 0x00, 0x65, 0x00,
	       0x72, 0x00, 0x43, 0x00, 0x4f, 0x00, 0x4d, 0x00, 0x50, 0x00,
	       0x55, 0x00, 0x54, 0x00, 0x45, 0x00, 0x52, 0x00, 0x86, 0xc3,
	       0x50, 0x97, 0xac, 0x9c, 0xec, 0x10, 0x25, 0x54, 0x76, 0x4a,
	       0x57, 0xcc, 0xcc, 0x19, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
	       0xaa, 0xaa, 0x68, 0xcd, 0x0a, 0xb8, 0x51, 0xe5, 0x1c, 0x96,
	       0xaa, 0xbc, 0x92, 0x7b, 0xeb, 0xef, 0x6a, 0x1c, 0x01, 0x01,
	       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	       0x00, 0x00, 0x00, 0x00, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
	       0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x0c, 0x00,
	       0x44, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x69, 0x00,
	       0x6e, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x53, 0x00, 0x65, 0x00,
	       0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x00, 0x00,
	       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xda, 0xd2, 0x54,
	       0x4f, 0xc9, 0x79, 0x90, 0x94, 0xce, 0x1c, 0xe9, 0x0b, 0xc9,
	       0xd0, 0x3e ) );

/**
 * Report key generation test result
 *
 * @v test		Key generation test
 * @v file		Test code file
 * @v line		Test code line
 */
static void ntlm_key_okx ( struct ntlm_key_test *test,
			   const char *file, unsigned int line ) {
	struct ntlm_key key;

	ntlm_key ( test->domain, test->username, test->password, &key );
	okx ( memcmp ( &key, &test->expected, sizeof ( key ) ) == 0,
	      file, line );
}
#define ntlm_key_ok( test )						\
	ntlm_key_okx ( test, __FILE__, __LINE__ )

/**
 * Report NTLM variable-length data test result
 *
 * @v msg		Message header
 * @v msg_len		Length of message
 * @v data		Variable-length data descriptor
 * @v expected		Expected message header
 * @v expected_data	Expected variable-length data descriptor
 * @v field		Field name
 * @v file		Test code file
 * @v line		Test code line
 */
static void ntlm_data_okx ( struct ntlm_header *msg, size_t msg_len,
			    struct ntlm_data *data,
			    struct ntlm_header *expected,
			    struct ntlm_data *expected_data,
			    const char *field, const char *file,
			    unsigned int line ) {
	size_t offset;
	size_t len;
	void *raw;
	void *expected_raw;

	/* Verify data lies within message */
	okx ( data->len == data->max_len, file, line );
	offset = le32_to_cpu ( data->offset );
	len = le16_to_cpu ( data->len );
	okx ( offset <= msg_len, file, line );
	okx ( len <= ( msg_len - offset ), file, line );

	/* Verify content matches expected content */
	raw = ( ( ( void * ) msg ) + offset );
	expected_raw = ( ( ( void * ) expected ) +
			 le32_to_cpu ( expected_data->offset ) );
	DBGC ( msg, "NTLM %s expected:\n", field );
	DBGC_HDA ( msg, 0, expected_raw, le16_to_cpu ( expected_data->len ) );
	DBGC ( msg, "NTLM %s actual:\n", field );
	DBGC_HDA ( msg, 0, raw, len );
	okx ( data->len == expected_data->len, file, line );
	okx ( memcmp ( raw, expected_raw, len ) == 0, file, line );
}
#define ntlm_data_ok( msg, msg_len, data, expected, expected_data )	\
	ntlm_data_okx ( msg, msg_len, data, expected, expected_data,	\
			__FILE__, __LINE__ )

/**
 * Report NTLM authentication test result
 *
 * @v test		Authentication test
 * @v file		Test code file
 * @v line		Test code line
 */
static void ntlm_authenticate_okx ( struct ntlm_authenticate_test *test,
				    const char *file, unsigned int line ) {
	struct ntlm_authenticate *expected = test->expected;
	struct ntlm_challenge_info info;
	struct ntlm_authenticate *auth;
	struct ntlm_key key;
	struct ntlm_lm_response lm;
	struct ntlm_nt_response nt;
	size_t len;

	/* Parse Challenge message */
	okx ( ntlm_challenge ( test->challenge, test->challenge_len,
			       &info ) == 0, file, line );

	/* Generate key */
	ntlm_key ( test->domain, test->username, test->password, &key );

	/* Generate responses */
	ntlm_response ( &info, &key, &test->nonce, &lm, &nt );

	/* Allocate buffer for Authenticate message */
	len = ntlm_authenticate_len ( &info, test->domain, test->username,
				      test->workstation );
	okx ( len >= sizeof ( *auth ), file, line );
	auth = malloc ( len );
	okx ( auth != NULL, file, line );

	/* Construct Authenticate message */
	okx ( ntlm_authenticate ( &info, test->domain, test->username,
				  test->workstation, &lm, &nt, auth ) == len,
	      file, line );

	/* Verify header */
	okx ( memcmp ( &auth->header, &expected->header,
		       sizeof ( auth->header ) ) == 0, file, line );

	/* Verify LAN Manager response */
	ntlm_data_okx ( &auth->header, len, &auth->lm, &expected->header,
			&expected->lm, "LM", file, line );

	/* Verify NT response */
	ntlm_data_okx ( &auth->header, len, &auth->nt, &expected->header,
			&expected->nt, "NT", file, line );

	/* Verify domain name */
	ntlm_data_okx ( &auth->header, len, &auth->domain, &expected->header,
			&expected->domain, "domain", file, line );

	/* Verify user name */
	ntlm_data_okx ( &auth->header, len, &auth->user, &expected->header,
			&expected->user, "user", file, line );

	/* Verify workstation name */
	ntlm_data_okx ( &auth->header, len, &auth->workstation,
			&expected->header, &expected->workstation,
			"workstation",file, line );

	/* Verify session key */
	if ( auth->flags & NTLM_NEGOTIATE_KEY_EXCH ) {
		ntlm_data_okx ( &auth->header, len, &auth->session,
				&expected->header, &expected->session,
				"session", file, line );
	}

	/* Free Authenticate message */
	free ( auth );
}
#define ntlm_authenticate_ok( test )					\
	ntlm_authenticate_okx ( test, __FILE__, __LINE__ )

/**
 * Perform NTLM self-test
 *
 */
static void ntlm_test_exec ( void ) {

	/* Verify key generation */
	ntlm_key_ok ( &msnlmp_ntowfv2 );

	/* Verify authentication response */
	ntlm_authenticate_ok ( &msnlmp_authenticate );
}

/** NTLM self-test */
struct self_test ntlm_test __self_test = {
	.name = "ntlm",
	.exec = ntlm_test_exec,
};