From c46b658eecdb33c11b00c3059210fb0846373c9b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 6 Aug 2005 23:07:21 +0000
Subject: r9166: This checks more of auth subsystem in the PAC test.
Andrew Bartlett
(This used to be commit 1fa87223eb66825ef2dd93966652fa84de6b0b2f)
---
 source4/torture/auth/pac.c | 134 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 117 insertions(+), 17 deletions(-)
(limited to 'source4/torture/auth/pac.c')
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index 74a31af890..43a9fd44b5 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -34,6 +34,8 @@ static BOOL torture_pac_self_check(void)
 TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC self check");
 DATA_BLOB tmp_blob;
 struct PAC_DATA *pac_data;
+ struct PAC_LOGON_INFO *logon_info;
+ union netr_Validation validation;
 /* Generate a nice, arbitary keyblock */
 uint8_t server_bytes[16];
@@ -46,6 +48,7 @@ static BOOL torture_pac_self_check(void)
 struct smb_krb5_context *smb_krb5_context;
 struct auth_serversupplied_info *server_info;
+ struct auth_serversupplied_info *server_info_out;
 ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context);
@@ -62,10 +65,10 @@ static BOOL torture_pac_self_check(void)
 server_bytes, sizeof(server_bytes), &server_keyblock);
 if (ret) {
- DEBUG(1, ("Server Keyblock encoding failed: %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx)));
-
+ printf("Server Keyblock encoding failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx));
+
 talloc_free(mem_ctx);
 return False;
 }
@@ -75,10 +78,10 @@ static BOOL torture_pac_self_check(void)
 krbtgt_bytes, sizeof(krbtgt_bytes), &krbtgt_keyblock);
 if (ret) {
- DEBUG(1, ("KRBTGT Keyblock encoding failed: %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx)));
-
+ printf("KRBTGT Keyblock encoding failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx));
+
 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock);
 talloc_free(mem_ctx);
@@ -105,9 +108,9 @@ static BOOL torture_pac_self_check(void)
 &tmp_blob);
 if (ret) {
- DEBUG(1, ("PAC encoding failed: %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx)));
+ printf("PAC encoding failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx));
 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock);
@@ -126,18 +129,64 @@ static BOOL torture_pac_self_check(void)
 &krbtgt_keyblock, &server_keyblock);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ DEBUG(1, ("PAC decoding failed: %s\n",
+ nt_errstr(nt_status)));
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
+ /* Now check that we can read it back */
+ nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
+ tmp_blob,
+ smb_krb5_context,
+ &krbtgt_keyblock,
+ &server_keyblock);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ printf("PAC decoding (for logon info) failed: %s\n",
+ nt_errstr(nt_status));
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock);
 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock);
- if (ret) {
- DEBUG(1, ("PAC decoding failed: %s\n",
- nt_errstr(nt_status)));
+ validation.sam3 = &logon_info->info3;
+ nt_status = make_server_info_netlogon_validation(mem_ctx,
+ "",
+ 3, &validation,
+ &server_info_out);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ printf("PAC decoding (make server info) failed: %s\n",
+ nt_errstr(nt_status));
+
 talloc_free(mem_ctx);
 return False;
 }
-
+
+ if (!dom_sid_equal(server_info->account_sid,
+ server_info_out->account_sid)) {
+ printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
+ dom_sid_string(mem_ctx, server_info->account_sid),
+ dom_sid_string(mem_ctx, server_info_out->account_sid));
+ talloc_free(mem_ctx);
+ return False;
+ }
+
 talloc_free(mem_ctx);
 return True;
 }
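Review bot: The first added failure path, the `if (!NT_STATUS_IS_OK(nt_status))` block directly after the kerberos_decode_pac() call, reports through `DEBUG(1, ...)` while every other new or rewritten failure path in this commit uses printf(), so a PAC signature-verification failure in the self-check is silent at the default debug level; make it `printf("PAC decoding failed: %s\n", nt_errstr(nt_status));`. The round-trip comparison at the end of the hunk checks only `account_sid` of the original and the decoded server_info, so the part of the PAC that actually drives authorization — the primary group and the group membership list carried in the logon info — is never verified by this test; comparing those fields as well (their names are in struct auth_serversupplied_info, outside this hunk) would make the self-check meaningful rather than a smoke test. The mismatch message in that block, and its twin in the @@ -278 hunk of torture_pac_saved_check, says "domain SID" although the value compared is the account SID, which will mislead whoever reads a failing run. In that @@ -278 twin the keyblocks are still live when the SIDs are compared, and its mismatch path returns without the two krb5_free_keyblock_contents() calls that its sibling error paths make, unlike here where both keyblocks are released before make_server_info_netlogon_validation() is called. torture_pac_self_check starts outside this hunk.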
@@ -196,6 +245,11 @@ static BOOL torture_pac_saved_check(void)
 TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check");
 DATA_BLOB tmp_blob, validate_blob;
 struct PAC_DATA *pac_data;
+ struct PAC_LOGON_INFO *logon_info;
+ union netr_Validation validation;
+
+ struct auth_serversupplied_info *server_info_out;
+
 krb5_keyblock server_keyblock;
 krb5_keyblock krbtgt_keyblock;
 uint8_t server_bytes[16];
@@ -255,9 +309,9 @@ static BOOL torture_pac_saved_check(void)
 }
 tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac));
-
+
 /*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/
-
+
 dump_data(10,tmp_blob.data,tmp_blob.length);
 /* Decode and verify the signaure on the PAC */
@@ -278,6 +332,52 @@ static BOOL torture_pac_saved_check(void)
 return False;
 }
+ /* Parse the PAC again, for the logon info this time */
+ nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
+ tmp_blob,
+ smb_krb5_context,
+ &krbtgt_keyblock,
+ &server_keyblock);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ printf("PAC decoding (for logon info) failed: %s\n",
+ nt_errstr(nt_status));
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
+ validation.sam3 = &logon_info->info3;
+ nt_status = make_server_info_netlogon_validation(mem_ctx,
+ "",
+ 3, &validation,
+ &server_info_out);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+
+ printf("PAC decoding (make server info) failed: %s\n",
+ nt_errstr(nt_status));
+
+ talloc_free(mem_ctx);
+ return False;
+ }
+
+ if (!dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"),
+ server_info_out->account_sid)) {
+ printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
+ "S-1-5-21-3048156945-3961193616-3706469200-1005",
+ dom_sid_string(mem_ctx, server_info_out->account_sid));
+ talloc_free(mem_ctx);
+ return False;
+ }
+
 ret = kerberos_encode_pac(mem_ctx, pac_data, smb_krb5_context->krb5_context,
-- cgit