summaryrefslogtreecommitdiff
path: root/source4/torture/auth
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-08-06 23:07:21 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:31:26 -0500
commitc46b658eecdb33c11b00c3059210fb0846373c9b (patch)
tree571c797b4976b0e55c699e569d44e02f5a09f518 /source4/torture/auth
parent910c1d55c24f52cb38b4b54db641a5d67764ea58 (diff)
downloadsamba-c46b658eecdb33c11b00c3059210fb0846373c9b.tar.gz
samba-c46b658eecdb33c11b00c3059210fb0846373c9b.tar.bz2
samba-c46b658eecdb33c11b00c3059210fb0846373c9b.zip
r9166: This checks more of auth subsystem in the PAC test.
Andrew Bartlett (This used to be commit 1fa87223eb66825ef2dd93966652fa84de6b0b2f)
Diffstat (limited to 'source4/torture/auth')
-rw-r--r--source4/torture/auth/pac.c134
1 files changed, 117 insertions, 17 deletions
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index 74a31af890..43a9fd44b5 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -34,6 +34,8 @@ static BOOL torture_pac_self_check(void)
TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC self check");
DATA_BLOB tmp_blob;
struct PAC_DATA *pac_data;
+ struct PAC_LOGON_INFO *logon_info;
+ union netr_Validation validation;
/* Generate a nice, arbitary keyblock */
uint8_t server_bytes[16];
@@ -46,6 +48,7 @@ static BOOL torture_pac_self_check(void)
struct smb_krb5_context *smb_krb5_context;
struct auth_serversupplied_info *server_info;
+ struct auth_serversupplied_info *server_info_out;
ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context);
@@ -62,10 +65,10 @@ static BOOL torture_pac_self_check(void)
server_bytes, sizeof(server_bytes),
&server_keyblock);
if (ret) {
- DEBUG(1, ("Server Keyblock encoding failed: %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx)));
-
+ printf("Server Keyblock encoding failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx));
+
talloc_free(mem_ctx);
return False;
}
@@ -75,10 +78,10 @@ static BOOL torture_pac_self_check(void)
krbtgt_bytes, sizeof(krbtgt_bytes),
&krbtgt_keyblock);
if (ret) {
- DEBUG(1, ("KRBTGT Keyblock encoding failed: %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx)));
-
+ printf("KRBTGT Keyblock encoding failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx));
+
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
talloc_free(mem_ctx);
@@ -105,9 +108,9 @@ static BOOL torture_pac_self_check(void)
&tmp_blob);
if (ret) {
- DEBUG(1, ("PAC encoding failed: %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx)));
+ printf("PAC encoding failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx));
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
@@ -126,18 +129,64 @@ static BOOL torture_pac_self_check(void)
&krbtgt_keyblock,
&server_keyblock);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ DEBUG(1, ("PAC decoding failed: %s\n",
+ nt_errstr(nt_status)));
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
+ /* Now check that we can read it back */
+ nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
+ tmp_blob,
+ smb_krb5_context,
+ &krbtgt_keyblock,
+ &server_keyblock);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ printf("PAC decoding (for logon info) failed: %s\n",
+ nt_errstr(nt_status));
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
- if (ret) {
- DEBUG(1, ("PAC decoding failed: %s\n",
- nt_errstr(nt_status)));
+ validation.sam3 = &logon_info->info3;
+ nt_status = make_server_info_netlogon_validation(mem_ctx,
+ "",
+ 3, &validation,
+ &server_info_out);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ printf("PAC decoding (make server info) failed: %s\n",
+ nt_errstr(nt_status));
+
talloc_free(mem_ctx);
return False;
}
-
+
+ if (!dom_sid_equal(server_info->account_sid,
+ server_info_out->account_sid)) {
+ printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
+ dom_sid_string(mem_ctx, server_info->account_sid),
+ dom_sid_string(mem_ctx, server_info_out->account_sid));
+ talloc_free(mem_ctx);
+ return False;
+ }
+
talloc_free(mem_ctx);
return True;
}
@@ -196,6 +245,11 @@ static BOOL torture_pac_saved_check(void)
TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check");
DATA_BLOB tmp_blob, validate_blob;
struct PAC_DATA *pac_data;
+ struct PAC_LOGON_INFO *logon_info;
+ union netr_Validation validation;
+
+ struct auth_serversupplied_info *server_info_out;
+
krb5_keyblock server_keyblock;
krb5_keyblock krbtgt_keyblock;
uint8_t server_bytes[16];
@@ -255,9 +309,9 @@ static BOOL torture_pac_saved_check(void)
}
tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac));
-
+
/*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/
-
+
dump_data(10,tmp_blob.data,tmp_blob.length);
/* Decode and verify the signaure on the PAC */
@@ -278,6 +332,52 @@ static BOOL torture_pac_saved_check(void)
return False;
}
+ /* Parse the PAC again, for the logon info this time */
+ nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
+ tmp_blob,
+ smb_krb5_context,
+ &krbtgt_keyblock,
+ &server_keyblock);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ printf("PAC decoding (for logon info) failed: %s\n",
+ nt_errstr(nt_status));
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
+ validation.sam3 = &logon_info->info3;
+ nt_status = make_server_info_netlogon_validation(mem_ctx,
+ "",
+ 3, &validation,
+ &server_info_out);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+
+ printf("PAC decoding (make server info) failed: %s\n",
+ nt_errstr(nt_status));
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
+ if (!dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"),
+ server_info_out->account_sid)) {
+ printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
+ "S-1-5-21-3048156945-3961193616-3706469200-1005",
+ dom_sid_string(mem_ctx, server_info_out->account_sid));
+ talloc_free(mem_ctx);
+ return False;
+ }
+
ret = kerberos_encode_pac(mem_ctx,
pac_data,
smb_krb5_context->krb5_context,