/* * Copyright (C) 2017 Michael Brown . * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; either version 2 of the * License, or any later version. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301, USA. * * You can also choose to distribute this program under the terms of * the Unmodified Binary Distribution Licence (as given in the file * COPYING.UBDL), provided that you have satisfied its requirements. */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); /** @file * * NTLM authentication self-tests * * The test vectors are taken from the MS-NLMP specification document. * */ /* Forcibly enable assertions */ #undef NDEBUG #include #include #include #include #include /** A key generation test */ struct ntlm_key_test { /** Domain name (or NULL) */ const char *domain; /** User name (or NULL) */ const char *username; /** Password (or NULL) */ const char *password; /** Expected key */ struct ntlm_key expected; }; /** An authentication test */ struct ntlm_authenticate_test { /** Domain name (or NULL) */ const char *domain; /** User name (or NULL) */ const char *username; /** Password (or NULL) */ const char *password; /** Workstation (or NULL) */ const char *workstation; /** Nonce */ struct ntlm_nonce nonce; /** Challenge message */ struct ntlm_challenge *challenge; /** Length of Challenge message */ size_t challenge_len; /** Expected Authenticate message */ struct ntlm_authenticate *expected; /** Expected length of Authenticate message */ size_t expected_len; }; /** Define inline message data */ #define DATA(...) { __VA_ARGS__ } /** Define a key generation digest test */ #define KEY_TEST( name, DOMAIN, USERNAME, PASSWORD, EXPECTED ) \ static struct ntlm_key_test name = { \ .domain = DOMAIN, \ .username = USERNAME, \ .password = PASSWORD, \ .expected = { \ .raw = EXPECTED, \ }, \ }; /** Define an authentication test */ #define AUTHENTICATE_TEST( name, DOMAIN, USERNAME, PASSWORD, \ WORKSTATION, NONCE, CHALLENGE, EXPECTED ) \ static const uint8_t name ## _challenge[] = CHALLENGE; \ static const uint8_t name ## _expected[] = EXPECTED; \ static struct ntlm_authenticate_test name = { \ .domain = DOMAIN, \ .username = USERNAME, \ .password = PASSWORD, \ .workstation = WORKSTATION, \ .nonce = { \ .raw = NONCE, \ }, \ .challenge = ( ( void * ) name ## _challenge ), \ .challenge_len = sizeof ( name ## _challenge ), \ .expected = ( ( void * ) name ## _expected ), \ .expected_len = sizeof ( name ## _expected ), \ }; /** NTOWFv2() test from MS-NLMP specification */ KEY_TEST ( msnlmp_ntowfv2, "Domain", "User", "Password", DATA ( 0x0c, 0x86, 0x8a, 0x40, 0x3b, 0xfd, 0x7a, 0x93, 0xa3, 0x00, 0x1e, 0xf2, 0x2e, 0xf0, 0x2e, 0x3f ) ); /** Authentication test from MS-NLMP specification */ AUTHENTICATE_TEST ( msnlmp_authenticate, "Domain", "User", "Password", "COMPUTER", DATA ( 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa ), DATA ( 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x0c, 0x00, 0x38, 0x00, 0x00, 0x00, 0x33, 0x82, 0x8a, 0xe2, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x24, 0x00, 0x44, 0x00, 0x00, 0x00, 0x06, 0x00, 0x70, 0x17, 0x00, 0x00, 0x00, 0x0f, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x02, 0x00, 0x0c, 0x00, 0x44, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00 ), DATA ( 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00, 0x18, 0x00, 0x18, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x54, 0x00, 0x54, 0x00, 0x84, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x54, 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x5c, 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0xd8, 0x00, 0x00, 0x00, 0x35, 0x82, 0x88, 0xe2, 0x05, 0x01, 0x28, 0x0a, 0x00, 0x00, 0x00, 0x0f, 0x44, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x55, 0x00, 0x73, 0x00, 0x65, 0x00, 0x72, 0x00, 0x43, 0x00, 0x4f, 0x00, 0x4d, 0x00, 0x50, 0x00, 0x55, 0x00, 0x54, 0x00, 0x45, 0x00, 0x52, 0x00, 0x86, 0xc3, 0x50, 0x97, 0xac, 0x9c, 0xec, 0x10, 0x25, 0x54, 0x76, 0x4a, 0x57, 0xcc, 0xcc, 0x19, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0x68, 0xcd, 0x0a, 0xb8, 0x51, 0xe5, 0x1c, 0x96, 0xaa, 0xbc, 0x92, 0x7b, 0xeb, 0xef, 0x6a, 0x1c, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x0c, 0x00, 0x44, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xda, 0xd2, 0x54, 0x4f, 0xc9, 0x79, 0x90, 0x94, 0xce, 0x1c, 0xe9, 0x0b, 0xc9, 0xd0, 0x3e ) ); /** * Report key generation test result * * @v test Key generation test * @v file Test code file * @v line Test code line */ static void ntlm_key_okx ( struct ntlm_key_test *test, const char *file, unsigned int line ) { struct ntlm_key key; ntlm_key ( test->domain, test->username, test->password, &key ); okx ( memcmp ( &key, &test->expected, sizeof ( key ) ) == 0, file, line ); } #define ntlm_key_ok( test ) \ ntlm_key_okx ( test, __FILE__, __LINE__ ) /** * Report NTLM variable-length data test result * * @v msg Message header * @v msg_len Length of message * @v data Variable-length data descriptor * @v expected Expected message header * @v expected_data Expected variable-length data descriptor * @v field Field name * @v file Test code file * @v line Test code line */ static void ntlm_data_okx ( struct ntlm_header *msg, size_t msg_len, struct ntlm_data *data, struct ntlm_header *expected, struct ntlm_data *expected_data, const char *field, const char *file, unsigned int line ) { size_t offset; size_t len; void *raw; void *expected_raw; /* Verify data lies within message */ okx ( data->len == data->max_len, file, line ); offset = le32_to_cpu ( data->offset ); len = le16_to_cpu ( data->len ); okx ( offset <= msg_len, file, line ); okx ( len <= ( msg_len - offset ), file, line ); /* Verify content matches expected content */ raw = ( ( ( void * ) msg ) + offset ); expected_raw = ( ( ( void * ) expected ) + le32_to_cpu ( expected_data->offset ) ); DBGC ( msg, "NTLM %s expected:\n", field ); DBGC_HDA ( msg, 0, expected_raw, le16_to_cpu ( expected_data->len ) ); DBGC ( msg, "NTLM %s actual:\n", field ); DBGC_HDA ( msg, 0, raw, len ); okx ( data->len == expected_data->len, file, line ); okx ( memcmp ( raw, expected_raw, len ) == 0, file, line ); } #define ntlm_data_ok( msg, msg_len, data, expected, expected_data ) \ ntlm_data_okx ( msg, msg_len, data, expected, expected_data, \ __FILE__, __LINE__ ) /** * Report NTLM authentication test result * * @v test Authentication test * @v file Test code file * @v line Test code line */ static void ntlm_authenticate_okx ( struct ntlm_authenticate_test *test, const char *file, unsigned int line ) { struct ntlm_authenticate *expected = test->expected; struct ntlm_challenge_info info; struct ntlm_authenticate *auth; struct ntlm_key key; struct ntlm_lm_response lm; struct ntlm_nt_response nt; size_t len; /* Parse Challenge message */ okx ( ntlm_challenge ( test->challenge, test->challenge_len, &info ) == 0, file, line ); /* Generate key */ ntlm_key ( test->domain, test->username, test->password, &key ); /* Generate responses */ ntlm_response ( &info, &key, &test->nonce, &lm, &nt ); /* Allocate buffer for Authenticate message */ len = ntlm_authenticate_len ( &info, test->domain, test->username, test->workstation ); okx ( len >= sizeof ( *auth ), file, line ); auth = malloc ( len ); okx ( auth != NULL, file, line ); /* Construct Authenticate message */ okx ( ntlm_authenticate ( &info, test->domain, test->username, test->workstation, &lm, &nt, auth ) == len, file, line ); /* Verify header */ okx ( memcmp ( &auth->header, &expected->header, sizeof ( auth->header ) ) == 0, file, line ); /* Verify LAN Manager response */ ntlm_data_okx ( &auth->header, len, &auth->lm, &expected->header, &expected->lm, "LM", file, line ); /* Verify NT response */ ntlm_data_okx ( &auth->header, len, &auth->nt, &expected->header, &expected->nt, "NT", file, line ); /* Verify domain name */ ntlm_data_okx ( &auth->header, len, &auth->domain, &expected->header, &expected->domain, "domain", file, line ); /* Verify user name */ ntlm_data_okx ( &auth->header, len, &auth->user, &expected->header, &expected->user, "user", file, line ); /* Verify workstation name */ ntlm_data_okx ( &auth->header, len, &auth->workstation, &expected->header, &expected->workstation, "workstation",file, line ); /* Verify session key */ if ( auth->flags & NTLM_NEGOTIATE_KEY_EXCH ) { ntlm_data_okx ( &auth->header, len, &auth->session, &expected->header, &expected->session, "session", file, line ); } /* Free Authenticate message */ free ( auth ); } #define ntlm_authenticate_ok( test ) \ ntlm_authenticate_okx ( test, __FILE__, __LINE__ ) /** * Perform NTLM self-test * */ static void ntlm_test_exec ( void ) { /* Verify key generation */ ntlm_key_ok ( &msnlmp_ntowfv2 ); /* Verify authentication response */ ntlm_authenticate_ok ( &msnlmp_authenticate ); } /** NTLM self-test */ struct self_test ntlm_test __self_test = { .name = "ntlm", .exec = ntlm_test_exec, };