summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-08-06 23:25:00 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:31:27 -0500
commit200a67f812d3fc7b22d5f8e9234f67e357c5f5e3 (patch)
tree854d001d635af7fc7c93013a82ba46cd24b82802
parentc46b658eecdb33c11b00c3059210fb0846373c9b (diff)
downloadsamba-200a67f812d3fc7b22d5f8e9234f67e357c5f5e3.tar.gz
samba-200a67f812d3fc7b22d5f8e9234f67e357c5f5e3.tar.bz2
samba-200a67f812d3fc7b22d5f8e9234f67e357c5f5e3.zip
r9167: Further PAC parionia: ensure the checksum fails if we modify it.
Andrew Bartlett (This used to be commit ea4cc6bcbed4f26855d2f67d914c73453c524406)
-rw-r--r--source4/torture/auth/pac.c51
1 files changed, 45 insertions, 6 deletions
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index 43a9fd44b5..c6bec47238 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -308,7 +308,7 @@ static BOOL torture_pac_saved_check(void)
return False;
}
- tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac));
+ tmp_blob = data_blob(saved_pac, sizeof(saved_pac));
/*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/
@@ -371,6 +371,11 @@ static BOOL torture_pac_saved_check(void)
if (!dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"),
server_info_out->account_sid)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+
printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
dom_sid_string(mem_ctx, server_info_out->account_sid));
@@ -385,12 +390,12 @@ static BOOL torture_pac_saved_check(void)
&server_keyblock,
&validate_blob);
- krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
- &krbtgt_keyblock);
- krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
- &server_keyblock);
-
if (ret != 0) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+
DEBUG(0, ("PAC push failed\n"));
talloc_free(mem_ctx);
return False;
@@ -403,6 +408,11 @@ static BOOL torture_pac_saved_check(void)
* pointer, padding etc algorithms as win2k3.
*/
if (tmp_blob.length != validate_blob.length) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+
DEBUG(0, ("PAC push failed: orignial buffer length[%u] != created buffer length[%u]\n",
(unsigned)tmp_blob.length, (unsigned)validate_blob.length));
talloc_free(mem_ctx);
@@ -410,12 +420,41 @@ static BOOL torture_pac_saved_check(void)
}
if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+
DEBUG(0, ("PAC push failed: length[%u] matches, but data does not\n",
(unsigned)tmp_blob.length));
talloc_free(mem_ctx);
return False;
}
+ /* Finally... Bugger up the signature, and check we fail the checksum */
+
+ tmp_blob.data[tmp_blob.length - 2] = 0xff;
+ nt_status = kerberos_decode_pac(mem_ctx, &pac_data,
+ tmp_blob,
+ smb_krb5_context,
+ &krbtgt_keyblock,
+ &server_keyblock);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAC decoding DID NOT fail on broken checksum\n"));
+
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ talloc_free(mem_ctx);
+ return False;
+ }
+
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+
talloc_free(mem_ctx);
return True;
}