authorAndrew Bartlett <abartlet@samba.org>2005-07-09 01:58:38 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:19:25 -0500
commitc0a78453a77fb0aa42d676635778a75204b6869c (patch)
treeb8e6aee36941ffafe9858dbfbcebd93ab33e0f56 /source4/torture
parent37cf22a39eec62a62d5ad30d9419ce4e159dff31 (diff)
r8250: More PAC work. We now successfully verify the KDC signature from my DC
(I have included the krbtgt key from my test network). It turns out the krbtgt signature is over the 16 (or whatever, enc-type dependent) bytes of the signature, not the entire structure. Also do not even try to use Kerberos or GSSAPI on an IP address, it will only fail. Andrew Bartlett (This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
Diffstat (limited to 'source4/torture')
-rw-r--r--source4/torture/auth/pac.c39
1 files changed, 35 insertions, 4 deletions
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index ecf67a9014..ade68fcd77 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -26,6 +26,7 @@
#include "auth/auth.h"
#include "auth/kerberos/kerberos.h"
#include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "librpc/gen_ndr/ndr_samr.h"
#ifdef HAVE_KRB5
@@ -105,15 +106,14 @@ static BOOL torture_pac_self_check(void)
&server_keyblock,
&tmp_blob);
- krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
- &krbtgt_keyblock);
-
if (ret) {
DEBUG(1, ("PAC encoding failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
talloc_free(mem_ctx);
return False;
@@ -125,7 +125,11 @@ static BOOL torture_pac_self_check(void)
nt_status = kerberos_decode_pac(mem_ctx, &pac_info,
tmp_blob,
smb_krb5_context,
+ &krbtgt_keyblock,
&server_keyblock);
+
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
if (ret) {
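Review bot: The `if (ret) {` that closes this hunk tests the krb5 error code, while the `kerberos_decode_pac` call above it stores its result in `nt_status`. The encode error path earlier in the function already returned when `ret` was non-zero, so unless `ret` is reassigned in lines the diff does not show, a PAC whose KDC or server signature fails to verify would not fail torture_pac_self_check. The same commit corrects the identical check in torture_pac_saved_check; use `if (!NT_STATUS_IS_OK(nt_status)) {` here as well. The body of the `if` lies outside the hunk.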
@@ -196,7 +200,9 @@ static BOOL torture_pac_saved_check(void)
struct PAC_LOGON_INFO *pac_info;
struct PAC_DATA pac_data;
krb5_keyblock server_keyblock;
+ krb5_keyblock krbtgt_keyblock;
uint8_t server_bytes[16];
+ struct samr_Password *krbtgt_bytes;
krb5_error_code ret;
@@ -209,6 +215,13 @@ static BOOL torture_pac_saved_check(void)
return False;
}
+ krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, "B286757148AF7FD252C53603A150B7E7");
+ if (!krbtgt_bytes) {
+ DEBUG(0, ("Could not interpret krbtgt key"));
+ talloc_free(mem_ctx);
+ return False;
+ }
+
/* The machine trust account in use when the above PAC
was generated. It used arcfour-hmac-md5, so this is easy */
E_md4hash("iqvwmii8CuEkyY", server_bytes);
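Review bot: The hard-coded krbtgt hash passed to `smbpasswd_gethexpwd` carries no comment on its origin, unlike the machine trust account password directly below it. Because the krbtgt key is what the KDC signs PACs with, the source should say that this value belongs to a disposable test realm, for example `/* krbtgt arcfour-hmac-md5 key of the test realm that issued saved_pac; test data only, never a production key */`. The new `DEBUG(0, ("Could not interpret krbtgt key"));` also lacks a trailing `\n`. torture_pac_saved_check begins and ends outside this hunk.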
@@ -226,6 +239,21 @@ static BOOL torture_pac_saved_check(void)
return False;
}
+ ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
+ ENCTYPE_ARCFOUR_HMAC,
+ krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash),
+ &krbtgt_keyblock);
+ if (ret) {
+ DEBUG(1, ("Server Keyblock encoding failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx)));
+
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ talloc_free(mem_ctx);
+ return False;
+ }
+
tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac));
/*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/
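Review bot: The failure message for the new `krb5_keyblock_init` call on the krbtgt key still reads "Server Keyblock encoding failed", apparently carried over from the server keyblock initialisation, so a log line cannot tell which of the two keys failed. Change it to `DEBUG(1, ("krbtgt Keyblock encoding failed: %s\n",`. The error path's cleanup of `server_keyblock` and `mem_ctx` looks consistent with the other early returns visible in the diff.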
@@ -236,10 +264,13 @@ static BOOL torture_pac_saved_check(void)
nt_status = kerberos_decode_pac(mem_ctx, &pac_info,
tmp_blob,
smb_krb5_context,
+ &krbtgt_keyblock,
&server_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
- if (ret) {
+ if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("PAC decoding failed: %s\n",
nt_errstr(nt_status)));