2 Unit tests for the encrypted secrets code in encrypted_secrets.c
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 int ldb_encrypted_secrets_module_init(const char *version);
27 #define TEST_ENCRYPTED_SECRETS
28 #include "../encrypted_secrets.c"
32 struct tevent_context *ev;
33 struct ldb_context *ldb;
34 struct ldb_module *module;
37 const char *lockfile; /* lockfile is separate */
43 /* -------------------------------------------------------------------------- */
45 * Replace the dsdb helper routines used by the operational_init function
48 int dsdb_module_search_dn(
49 struct ldb_module *module,
51 struct ldb_result **_res,
52 struct ldb_dn *basedn,
53 const char * const *attrs,
55 struct ldb_request *parent)
57 struct ldb_context *ldb = ldb_module_get_ctx(module);
58 struct ldb_message *msg = ldb_msg_new(ldb);
59 struct ldb_result *res = talloc_zero(mem_ctx, struct ldb_result);
61 msg->dn = ldb_dn_new(msg, ldb, "@SAMBA_DSDB");
64 SAMBA_REQUIRED_FEATURES_ATTR,
65 SAMBA_ENCRYPTED_SECRETS_FEATURE);
67 res->msgs = talloc_array(mem_ctx, struct ldb_message*, 1);
73 int dsdb_module_reference_dn(
74 struct ldb_module *module,
77 const char *attribute,
79 struct ldb_request *parent)
83 /* -------------------------------------------------------------------------- */
85 static void unlink_old_db(struct ldbtest_ctx *test_ctx)
90 ret = unlink(test_ctx->lockfile);
91 if (ret == -1 && errno != ENOENT) {
96 ret = unlink(test_ctx->dbfile);
97 if (ret == -1 && errno != ENOENT) {
102 ret = unlink(test_ctx->keyfile);
103 if (ret == -1 && errno != ENOENT) {
108 static void write_key(void **state, DATA_BLOB key) {
110 struct ldbtest_ctx *test_ctx = talloc_get_type_abort(*state,
115 fp = fopen(test_ctx->keyfile, "wb");
118 written = fwrite(key.data, 1, key.length, fp);
119 assert_int_equal(written, key.length);
123 static const struct ldb_module_ops eol_ops = {
133 static int setup(void **state)
135 struct ldbtest_ctx *test_ctx = NULL;
136 struct ldb_module *eol = NULL;
139 test_ctx = talloc_zero(NULL, struct ldbtest_ctx);
140 assert_non_null(test_ctx);
142 test_ctx->ev = tevent_context_init(test_ctx);
143 assert_non_null(test_ctx->ev);
145 test_ctx->ldb = ldb_init(test_ctx, test_ctx->ev);
146 assert_non_null(test_ctx->ldb);
150 test_ctx->module = ldb_module_new(
154 &ldb_encrypted_secrets_module_ops);
155 assert_non_null(test_ctx->module);
156 eol = ldb_module_new(test_ctx, test_ctx->ldb, "eol", &eol_ops);
157 assert_non_null(eol);
158 ldb_module_set_next(test_ctx->module, eol);
160 test_ctx->dbfile = talloc_strdup(test_ctx, "apitest.ldb");
161 assert_non_null(test_ctx->dbfile);
163 test_ctx->lockfile = talloc_asprintf(test_ctx, "%s-lock",
165 assert_non_null(test_ctx->lockfile);
167 test_ctx->keyfile = talloc_strdup(test_ctx, SECRETS_KEY_FILE);
168 assert_non_null(test_ctx->keyfile);
170 test_ctx->dbpath = talloc_asprintf(test_ctx,
171 TEST_BE"://%s", test_ctx->dbfile);
172 assert_non_null(test_ctx->dbpath);
174 unlink_old_db(test_ctx);
176 rc = ldb_connect(test_ctx->ldb, test_ctx->dbpath, 0, NULL);
177 assert_int_equal(rc, 0);
182 static int setup_with_key(void **state)
184 struct ldbtest_ctx *test_ctx = NULL;
185 DATA_BLOB key = data_blob_null;
186 uint8_t key_data[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
187 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
192 key.length = sizeof(key_data);
194 write_key(state, key);
196 test_ctx = talloc_get_type_abort(*state, struct ldbtest_ctx);
198 struct ldb_message *msg = ldb_msg_new(test_ctx->ldb);
199 msg->dn = ldb_dn_new(msg, test_ctx->ldb, "@SAMBA_DSDB");
202 SAMBA_REQUIRED_FEATURES_ATTR,
203 SAMBA_ENCRYPTED_SECRETS_FEATURE);
204 ldb_add(test_ctx->ldb, msg);
207 rc = es_init(test_ctx->module);
208 assert_int_equal(rc, LDB_SUCCESS);
213 static int teardown(void **state)
215 struct ldbtest_ctx *test_ctx = talloc_get_type_abort(*state,
218 unlink_old_db(test_ctx);
219 talloc_free(test_ctx);
223 * No key file present.
225 * The key should be empty and encrypt_secrets should be false.
227 static void test_no_key_file(void **state)
229 struct ldbtest_ctx *test_ctx =
230 talloc_get_type_abort(*state, struct ldbtest_ctx);
231 struct es_data *data = NULL;
235 rc = es_init(test_ctx->module);
236 assert_int_equal(rc, LDB_SUCCESS);
238 data = talloc_get_type(ldb_module_get_private(test_ctx->module),
241 assert_false(data->encrypt_secrets);
242 assert_int_equal(0, data->keys[0].length);
249 * The key should be loaded and encrypt secrets should be true;
251 static void test_key_file(void **state)
253 struct ldbtest_ctx *test_ctx =
254 talloc_get_type_abort(*state, struct ldbtest_ctx);
255 struct es_data *data = NULL;
257 DATA_BLOB key = data_blob_null;
258 uint8_t key_data[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
259 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
262 key.length = sizeof(key_data);
264 write_key(state, key);
267 rc = es_init(test_ctx->module);
268 assert_int_equal(rc, LDB_SUCCESS);
270 data = talloc_get_type(ldb_module_get_private(test_ctx->module),
273 assert_true(data->encrypt_secrets);
274 assert_int_equal(16, data->keys[0].length);
275 assert_int_equal(0, data_blob_cmp(&key, &data->keys[0]));
280 * Key file present, short key.
282 * The key should be not be loaded and an error returned.
284 static void test_key_file_short_key(void **state)
286 struct ldbtest_ctx *test_ctx =
287 talloc_get_type_abort(*state, struct ldbtest_ctx);
289 DATA_BLOB key = data_blob_null;
290 uint8_t key_data[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
291 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e};
294 key.length = sizeof(key_data);
296 write_key(state, key);
299 rc = es_init(test_ctx->module);
300 assert_int_equal(rc, LDB_ERR_OPERATIONS_ERROR);
304 * Key file present, long key.
306 * Only the first 16 bytes of the key should be loaded.
308 static void test_key_file_long_key(void **state)
310 struct ldbtest_ctx *test_ctx =
311 talloc_get_type_abort(*state, struct ldbtest_ctx);
312 struct es_data *data = NULL;
314 DATA_BLOB key = data_blob_null;
315 uint8_t key_data[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
316 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0xf,
320 key.length = sizeof(key_data);
322 write_key(state, key);
324 rc = es_init(test_ctx->module);
325 assert_int_equal(rc, LDB_SUCCESS);
327 data = talloc_get_type(ldb_module_get_private(test_ctx->module),
330 assert_true(data->encrypt_secrets);
331 assert_int_equal(16, data->keys[0].length);
334 * Should have only read the first 16 bytes of the written key
337 assert_int_equal(0, data_blob_cmp(&key, &data->keys[0]));
340 #ifdef HAVE_GNUTLS_AEAD
342 * Test gnutls_encryption and decryption.
344 static void test_gnutls_value_encryption(void **state)
346 struct ldbtest_ctx *test_ctx =
347 talloc_get_type_abort(*state, struct ldbtest_ctx);
348 struct ldb_val plain_text = data_blob_null;
349 struct ldb_val cipher_text = data_blob_null;
350 struct EncryptedSecret es;
352 struct es_data *data = talloc_get_type(
353 ldb_module_get_private(test_ctx->module),
355 int err = LDB_SUCCESS;
358 plain_text = data_blob_string_const("A text value");
359 cipher_text = gnutls_encrypt_aead(
365 assert_int_equal(LDB_SUCCESS, err);
367 rc = ndr_pull_struct_blob(
371 (ndr_pull_flags_fn_t) ndr_pull_EncryptedSecret);
372 assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
373 assert_true(check_header(&es));
376 struct PlaintextSecret *decrypted =
377 talloc_zero(test_ctx, struct PlaintextSecret);
385 assert_int_equal(LDB_SUCCESS, err);
388 decrypted->cleartext.length);
391 &decrypted->cleartext,
396 struct PlaintextSecret *decrypted =
397 talloc_zero(test_ctx, struct PlaintextSecret);
405 assert_int_equal(LDB_SUCCESS, err);
408 decrypted->cleartext.length);
411 &decrypted->cleartext,
415 #endif /* HAVE_GNUTLS_AEAD */
417 #ifdef HAVE_GNUTLS_AEAD
418 static void test_gnutls_altered_header(void **state)
420 struct ldbtest_ctx *test_ctx =
421 talloc_get_type_abort(*state, struct ldbtest_ctx);
422 struct ldb_val plain_text = data_blob_null;
423 struct ldb_val cipher_text = data_blob_null;
424 struct EncryptedSecret es;
426 struct es_data *data = talloc_get_type(
427 ldb_module_get_private(test_ctx->module),
429 int err = LDB_SUCCESS;
432 plain_text = data_blob_string_const("A text value");
433 cipher_text = gnutls_encrypt_aead(
439 assert_int_equal(LDB_SUCCESS, err);
441 rc = ndr_pull_struct_blob(
445 (ndr_pull_flags_fn_t) ndr_pull_EncryptedSecret);
446 assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
447 assert_true(check_header(&es));
450 struct PlaintextSecret *decrypted =
451 talloc_zero(test_ctx, struct PlaintextSecret);
459 assert_int_equal(LDB_SUCCESS, err);
462 decrypted->cleartext.length);
465 &decrypted->cleartext,
468 es.header.flags = es.header.flags ^ 0xffffffff;
470 struct PlaintextSecret *decrypted =
471 talloc_zero(test_ctx, struct PlaintextSecret);
479 assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err);
482 #endif /* HAVE_GNUTLS_AEAD */
484 #ifdef HAVE_GNUTLS_AEAD
485 static void test_gnutls_altered_data(void **state)
487 struct ldbtest_ctx *test_ctx =
488 talloc_get_type_abort(*state, struct ldbtest_ctx);
489 struct ldb_val plain_text = data_blob_null;
490 struct ldb_val cipher_text = data_blob_null;
491 struct EncryptedSecret es;
493 struct es_data *data = talloc_get_type(
494 ldb_module_get_private(test_ctx->module),
496 int err = LDB_SUCCESS;
499 plain_text = data_blob_string_const("A text value");
500 cipher_text = gnutls_encrypt_aead(
506 assert_int_equal(LDB_SUCCESS, err);
508 rc = ndr_pull_struct_blob(
512 (ndr_pull_flags_fn_t) ndr_pull_EncryptedSecret);
513 assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
514 assert_true(check_header(&es));
517 struct PlaintextSecret *decrypted =
518 talloc_zero(test_ctx, struct PlaintextSecret);
526 assert_int_equal(LDB_SUCCESS, err);
529 decrypted->cleartext.length);
532 &decrypted->cleartext,
535 es.encrypted.data[0] = es.encrypted.data[0] ^ 0xff;
537 struct PlaintextSecret *decrypted =
538 talloc_zero(test_ctx, struct PlaintextSecret);
546 assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err);
549 #endif /* HAVE_GNUTLS_AEAD */
551 #ifdef HAVE_GNUTLS_AEAD
552 static void test_gnutls_altered_iv(void **state)
554 struct ldbtest_ctx *test_ctx =
555 talloc_get_type_abort(*state, struct ldbtest_ctx);
556 struct ldb_val plain_text = data_blob_null;
557 struct ldb_val cipher_text = data_blob_null;
558 struct EncryptedSecret es;
560 struct es_data *data = talloc_get_type(
561 ldb_module_get_private(test_ctx->module),
563 int err = LDB_SUCCESS;
566 plain_text = data_blob_string_const("A text value");
567 cipher_text = gnutls_encrypt_aead(
573 assert_int_equal(LDB_SUCCESS, err);
575 rc = ndr_pull_struct_blob(
579 (ndr_pull_flags_fn_t) ndr_pull_EncryptedSecret);
580 assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
581 assert_true(check_header(&es));
584 struct PlaintextSecret *decrypted =
585 talloc_zero(test_ctx, struct PlaintextSecret);
593 assert_int_equal(LDB_SUCCESS, err);
596 decrypted->cleartext.length);
599 &decrypted->cleartext,
602 es.iv.data[0] = es.iv.data[0] ^ 0xff;
604 struct PlaintextSecret *decrypted =
605 talloc_zero(test_ctx, struct PlaintextSecret);
613 assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err);
616 #endif /* HAVE_GNUTLS_AEAD */
618 * Test samba encryption and decryption and decryption.
620 static void test_samba_value_encryption(void **state)
622 struct ldbtest_ctx *test_ctx =
623 talloc_get_type_abort(*state, struct ldbtest_ctx);
624 struct ldb_val plain_text = data_blob_null;
625 struct ldb_val cipher_text = data_blob_null;
626 struct EncryptedSecret es;
628 struct es_data *data = talloc_get_type(
629 ldb_module_get_private(test_ctx->module),
631 int err = LDB_SUCCESS;
634 plain_text = data_blob_string_const("A text value");
635 cipher_text = samba_encrypt_aead(
641 assert_int_equal(LDB_SUCCESS, err);
643 rc = ndr_pull_struct_blob(
647 (ndr_pull_flags_fn_t) ndr_pull_EncryptedSecret);
648 assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
649 assert_true(check_header(&es));
651 #ifdef HAVE_GNUTLS_AEAD
653 struct PlaintextSecret *decrypted =
654 talloc_zero(test_ctx, struct PlaintextSecret);
662 assert_int_equal(LDB_SUCCESS, err);
665 decrypted->cleartext.length);
668 &decrypted->cleartext,
671 #endif /* HAVE_GNUTLS_AEAD */
675 struct PlaintextSecret *decrypted =
676 talloc_zero(test_ctx, struct PlaintextSecret);
684 assert_int_equal(LDB_SUCCESS, err);
687 decrypted->cleartext.length);
690 &decrypted->cleartext,
696 static void test_samba_altered_header(void **state)
698 struct ldbtest_ctx *test_ctx =
699 talloc_get_type_abort(*state, struct ldbtest_ctx);
700 struct ldb_val plain_text = data_blob_null;
701 struct ldb_val cipher_text = data_blob_null;
702 struct EncryptedSecret es;
704 struct es_data *data = talloc_get_type(
705 ldb_module_get_private(test_ctx->module),
707 int err = LDB_SUCCESS;
710 plain_text = data_blob_string_const("A text value");
711 cipher_text = samba_encrypt_aead(
717 assert_int_equal(LDB_SUCCESS, err);
719 rc = ndr_pull_struct_blob(
723 (ndr_pull_flags_fn_t) ndr_pull_EncryptedSecret);
724 assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
725 assert_true(check_header(&es));
728 struct PlaintextSecret *decrypted =
729 talloc_zero(test_ctx, struct PlaintextSecret);
737 assert_int_equal(LDB_SUCCESS, err);
740 decrypted->cleartext.length);
743 &decrypted->cleartext,
746 es.header.flags = es.header.flags ^ 0xffffffff;
748 struct PlaintextSecret *decrypted =
749 talloc_zero(test_ctx, struct PlaintextSecret);
757 assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err);
761 static void test_samba_altered_data(void **state)
763 struct ldbtest_ctx *test_ctx =
764 talloc_get_type_abort(*state, struct ldbtest_ctx);
765 struct ldb_val plain_text = data_blob_null;
766 struct ldb_val cipher_text = data_blob_null;
767 struct EncryptedSecret es;
769 struct es_data *data = talloc_get_type(
770 ldb_module_get_private(test_ctx->module),
772 int err = LDB_SUCCESS;
775 plain_text = data_blob_string_const("A text value");
776 cipher_text = samba_encrypt_aead(
782 assert_int_equal(LDB_SUCCESS, err);
784 rc = ndr_pull_struct_blob(
788 (ndr_pull_flags_fn_t) ndr_pull_EncryptedSecret);
789 assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
790 assert_true(check_header(&es));
793 struct PlaintextSecret *decrypted =
794 talloc_zero(test_ctx, struct PlaintextSecret);
802 assert_int_equal(LDB_SUCCESS, err);
805 decrypted->cleartext.length);
808 &decrypted->cleartext,
811 es.encrypted.data[0] = es.encrypted.data[0] ^ 0xff;
813 struct PlaintextSecret *decrypted =
814 talloc_zero(test_ctx, struct PlaintextSecret);
822 assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err);
826 static void test_samba_altered_iv(void **state)
828 struct ldbtest_ctx *test_ctx =
829 talloc_get_type_abort(*state, struct ldbtest_ctx);
830 struct ldb_val plain_text = data_blob_null;
831 struct ldb_val cipher_text = data_blob_null;
832 struct EncryptedSecret es;
834 struct es_data *data = talloc_get_type(
835 ldb_module_get_private(test_ctx->module),
837 int err = LDB_SUCCESS;
840 plain_text = data_blob_string_const("A text value");
841 cipher_text = samba_encrypt_aead(
847 assert_int_equal(LDB_SUCCESS, err);
849 rc = ndr_pull_struct_blob(
853 (ndr_pull_flags_fn_t) ndr_pull_EncryptedSecret);
854 assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
855 assert_true(check_header(&es));
858 struct PlaintextSecret *decrypted =
859 talloc_zero(test_ctx, struct PlaintextSecret);
867 assert_int_equal(LDB_SUCCESS, err);
870 decrypted->cleartext.length);
873 &decrypted->cleartext,
876 es.iv.data[0] = es.iv.data[0] ^ 0xff;
878 struct PlaintextSecret *decrypted =
879 talloc_zero(test_ctx, struct PlaintextSecret);
887 assert_int_equal(LDB_ERR_OPERATIONS_ERROR, err);
892 * Test message encryption.
893 * Test the secret attributes of a message are encrypted and decrypted.
894 * Test that the non secret attributes are not encrypted.
897 static void test_message_encryption_decryption(void **state)
899 struct ldbtest_ctx *test_ctx =
900 talloc_get_type_abort(*state, struct ldbtest_ctx);
901 struct ldb_context *ldb = test_ctx->ldb;
902 const char * const secrets[] = {DSDB_SECRET_ATTRIBUTES};
903 const size_t num_secrets
904 = (sizeof(secrets)/sizeof(secrets[0]));
905 struct ldb_message *msg = ldb_msg_new(ldb);
906 const struct ldb_message *encrypted_msg = NULL;
907 struct es_data *data = talloc_get_type(
908 ldb_module_get_private(test_ctx->module),
910 struct ldb_message_element *el = NULL;
911 int ret = LDB_SUCCESS;
914 msg->dn = ldb_dn_new(msg, ldb, "dc=test");
915 ldb_msg_add_string(msg, "cmocka_test_name01", "value01");
916 for (i=0; i < num_secrets; i++) {
922 ldb_msg_add_string(msg, "cmocka_test_name02", "value02");
924 encrypted_msg = encrypt_secret_attributes(
930 assert_int_equal(LDB_SUCCESS, ret);
933 * Check that all the secret attributes have been encrypted
936 for (i=0; i < num_secrets; i++) {
937 el = ldb_msg_find_element(encrypted_msg, secrets[i]);
939 for (j = 0; j < el->num_values; j++) {
940 int rc = LDB_SUCCESS;
941 struct ldb_val dc = decrypt_value(
947 assert_int_equal(LDB_SUCCESS, rc);
952 TALLOC_FREE(dc.data);
957 * Check that the normal attributes have not been encrypted
959 el = ldb_msg_find_element(encrypted_msg, "cmocka_test_name01");
964 el->values[0].length);
966 el = ldb_msg_find_element(encrypted_msg, "cmocka_test_name02");
971 el->values[0].length);
974 * Now decrypt the message
976 ret = decrypt_secret_attributes(test_ctx->ldb,
977 discard_const(encrypted_msg),
979 assert_int_equal(LDB_SUCCESS, ret);
982 * Check that all the secret attributes have been decrypted
984 for (i=0; i < num_secrets; i++) {
985 el = ldb_msg_find_element(encrypted_msg, secrets[i]);
987 for (j = 0; j < el->num_values; j++) {
991 el->values[j].length);
996 * Check that the normal attributes are intact
998 el = ldb_msg_find_element(msg, "cmocka_test_name01");
1000 assert_memory_equal(
1003 el->values[0].length);
1005 el = ldb_msg_find_element(msg, "cmocka_test_name02");
1006 assert_non_null(el);
1007 assert_memory_equal(
1010 el->values[0].length);
1014 static void test_check_header(void **state)
1016 struct ldbtest_ctx *test_ctx =
1017 talloc_get_type_abort(*state, struct ldbtest_ctx);
1019 struct ldb_val enc = data_blob_null;
1020 struct EncryptedSecret *es = NULL;
1024 * Valid EncryptedSecret
1026 es = makeEncryptedSecret(test_ctx->ldb, test_ctx);
1027 rc = ndr_push_struct_blob(
1031 (ndr_push_flags_fn_t) ndr_push_EncryptedSecret);
1032 assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
1033 assert_true(check_header(es));
1034 TALLOC_FREE(enc.data);
1038 * invalid magic value
1040 es = makeEncryptedSecret(test_ctx->ldb, test_ctx);
1041 es->header.magic = 0xca5cadee;
1042 rc = ndr_push_struct_blob(
1046 (ndr_push_flags_fn_t) ndr_push_EncryptedSecret);
1047 assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
1048 assert_false(check_header(es));
1049 TALLOC_FREE(enc.data);
1055 es = makeEncryptedSecret(test_ctx->ldb, test_ctx);
1056 es->header.version = SECRET_ATTRIBUTE_VERSION + 1;
1057 rc = ndr_push_struct_blob(
1061 (ndr_push_flags_fn_t) ndr_push_EncryptedSecret);
1062 assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
1063 assert_false(check_header(es));
1064 TALLOC_FREE(enc.data);
1070 es = makeEncryptedSecret(test_ctx->ldb, test_ctx);
1071 es->header.algorithm = SECRET_ENCRYPTION_ALGORITHM + 1;
1072 rc = ndr_push_struct_blob(
1076 (ndr_push_flags_fn_t) ndr_push_EncryptedSecret);
1077 assert_true(NDR_ERR_CODE_IS_SUCCESS(rc));
1078 assert_false(check_header(es));
1079 TALLOC_FREE(enc.data);
1084 * Attempt to decrypt a message containing an unencrypted secret attribute
1087 static void test_unencrypted_secret(void **state)
1089 struct ldbtest_ctx *test_ctx =
1090 talloc_get_type_abort(*state, struct ldbtest_ctx);
1091 struct ldb_context *ldb = test_ctx->ldb;
1092 struct ldb_message *msg = ldb_msg_new(ldb);
1093 struct es_data *data = talloc_get_type(
1094 ldb_module_get_private(test_ctx->module),
1096 int ret = LDB_SUCCESS;
1098 msg->dn = ldb_dn_new(msg, ldb, "dc=test");
1099 ldb_msg_add_string(msg, "unicodePwd", "value01");
1101 ret = decrypt_secret_attributes(test_ctx->ldb, msg, data);
1102 assert_int_equal(LDB_ERR_OPERATIONS_ERROR, ret);
1107 const struct CMUnitTest tests[] = {
1108 cmocka_unit_test_setup_teardown(
1112 cmocka_unit_test_setup_teardown(
1116 cmocka_unit_test_setup_teardown(
1117 test_key_file_short_key,
1120 cmocka_unit_test_setup_teardown(
1121 test_key_file_long_key,
1124 cmocka_unit_test_setup_teardown(
1128 #ifdef HAVE_GNUTLS_AEAD
1129 cmocka_unit_test_setup_teardown(
1130 test_gnutls_value_encryption,
1133 cmocka_unit_test_setup_teardown(
1134 test_gnutls_altered_header,
1137 cmocka_unit_test_setup_teardown(
1138 test_gnutls_altered_data,
1141 cmocka_unit_test_setup_teardown(
1142 test_gnutls_altered_iv,
1145 #endif /* HAVE_GNUTLS_AEAD */
1146 cmocka_unit_test_setup_teardown(
1147 test_samba_value_encryption,
1150 cmocka_unit_test_setup_teardown(
1151 test_samba_altered_header,
1154 cmocka_unit_test_setup_teardown(
1155 test_samba_altered_data,
1158 cmocka_unit_test_setup_teardown(
1159 test_samba_altered_iv,
1162 cmocka_unit_test_setup_teardown(
1163 test_message_encryption_decryption,
1166 cmocka_unit_test_setup_teardown(
1167 test_unencrypted_secret,
1172 cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
1173 return cmocka_run_group_tests(tests, NULL, NULL);