summaryrefslogtreecommitdiff
path: root/source4/torture
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-10-24 07:11:40 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:11 -0500
commita0647a89a82e892292c421f5c968de2f28d42366 (patch)
tree0a8bcddc8318b50900c4f84719762f609bb38268 /source4/torture
parentca40d0a6fea0dbf2a9962ed125f420bea3ca0269 (diff)
downloadsamba-a0647a89a82e892292c421f5c968de2f28d42366.tar.gz
samba-a0647a89a82e892292c421f5c968de2f28d42366.tar.bz2
samba-a0647a89a82e892292c421f5c968de2f28d42366.zip
r11272: In trying to track down why Win2k3 is again rejecting our PAC, ensure
we can round-trip all the way back to a server_info structure, not just a filled in PAC_DATA. (I was worried about generated fields being incorrect, or some other logical flaw). Andrew Bartlett (This used to be commit 11b1d78cc550c60201d12f8778ca8533712a5b1e)
Diffstat (limited to 'source4/torture')
-rw-r--r--source4/torture/auth/pac.c81
1 files changed, 80 insertions, 1 deletions
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index 6f50ae776b..df9e45614e 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -272,7 +272,7 @@ static BOOL torture_pac_saved_check(void)
NTSTATUS nt_status;
TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check");
DATA_BLOB tmp_blob, validate_blob;
- struct PAC_DATA *pac_data;
+ struct PAC_DATA *pac_data, pac_data2;
struct PAC_LOGON_INFO *logon_info;
union netr_Validation validation;
const char *pac_file, *pac_kdc_key, *pac_member_key;
@@ -526,6 +526,85 @@ static BOOL torture_pac_saved_check(void)
return False;
}
+ ret = kerberos_create_pac(mem_ctx,
+ server_info_out,
+ smb_krb5_context->krb5_context,
+ &krbtgt_keyblock,
+ &server_keyblock,
+ client_principal, authtime,
+ &validate_blob);
+
+ if (ret != 0) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
+
+ DEBUG(0, ("(saved test) regnerated PAC create failed\n"));
+ talloc_free(mem_ctx);
+ return False;
+ }
+
+ dump_data(10,validate_blob.data,validate_blob.length);
+
+ /* compare both the length and the data bytes after a
+ * pull/push cycle. This ensures we use the exact same
+ * pointer, padding etc algorithms as win2k3.
+ */
+ if (tmp_blob.length != validate_blob.length) {
+ nt_status = ndr_pull_struct_blob(&validate_blob, mem_ctx, &pac_data2,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0,("can't parse the PAC\n"));
+ return False;
+ }
+
+ NDR_PRINT_DEBUG(PAC_DATA, pac_data);
+
+ NDR_PRINT_DEBUG(PAC_DATA, &pac_data2);
+
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
+
+ DEBUG(0, ("(saved test) PAC regenerate failed: original buffer length[%u] != created buffer length[%u]\n",
+ (unsigned)tmp_blob.length, (unsigned)validate_blob.length));
+ talloc_free(mem_ctx);
+ return False;
+ }
+
+ if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) {
+ nt_status = ndr_pull_struct_blob(&validate_blob, mem_ctx, &pac_data2,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0,("can't parse the PAC\n"));
+ return False;
+ }
+
+ NDR_PRINT_DEBUG(PAC_DATA, pac_data);
+
+ NDR_PRINT_DEBUG(PAC_DATA, &pac_data2);
+
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
+
+ DEBUG(0, ("(saved test) PAC regenerate failed: length[%u] matches, but data does not\n",
+ (unsigned)tmp_blob.length));
+ DEBUG(0, ("tmp_data:\n"));
+ dump_data(0, tmp_blob.data, tmp_blob.length);
+ DEBUG(0, ("validate_blob:\n"));
+ dump_data(0, validate_blob.data, validate_blob.length);
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
/* Break the auth time, to ensure we check this vital detail (not setting this caused all the pain in the first place... */
nt_status = kerberos_decode_pac(mem_ctx, &pac_data,
tmp_blob,