From 8db8279730c6d4ef6b03b9f96381dee890a8da57 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 5 Aug 2005 00:41:53 +0000 Subject: r9084: 'resign' the sample PAC for the validation of the signature algorithms. If we ever get problems with the kerberos code, it should show up as a different signature in this PAC. This involved returning more data from the pac functions, so changed some callers and split up some functions. Andrew Bartlett (This used to be commit d514a7491208afa0533bf9e99601147eb69e08c9) --- source4/torture/auth/pac.c | 56 ++++++++++++++++++---------------------------- 1 file changed, 22 insertions(+), 34 deletions(-) (limited to 'source4/torture/auth') diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index 59bf008970..74a31af890 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -28,14 +28,12 @@ #include "librpc/gen_ndr/ndr_krb5pac.h" #include "librpc/gen_ndr/ndr_samr.h" -#ifdef HAVE_KRB5 - static BOOL torture_pac_self_check(void) { NTSTATUS nt_status; TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC self check"); DATA_BLOB tmp_blob; - struct PAC_LOGON_INFO *pac_info; + struct PAC_DATA *pac_data; /* Generate a nice, arbitary keyblock */ uint8_t server_bytes[16]; @@ -100,7 +98,7 @@ static BOOL torture_pac_self_check(void) } /* OK, go ahead and make a PAC */ - ret = kerberos_encode_pac(mem_ctx, server_info, + ret = kerberos_create_pac(mem_ctx, server_info, smb_krb5_context->krb5_context, &krbtgt_keyblock, &server_keyblock, @@ -122,7 +120,7 @@ static BOOL torture_pac_self_check(void) dump_data(10,tmp_blob.data,tmp_blob.length); /* Now check that we can read it back */ - nt_status = kerberos_decode_pac(mem_ctx, &pac_info, + nt_status = kerberos_decode_pac(mem_ctx, &pac_data, tmp_blob, smb_krb5_context, &krbtgt_keyblock, @@ -197,8 +195,7 @@ static BOOL torture_pac_saved_check(void) NTSTATUS nt_status; TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check"); DATA_BLOB tmp_blob, validate_blob; - struct PAC_LOGON_INFO *pac_info; - struct PAC_DATA pac_data; + struct PAC_DATA *pac_data; krb5_keyblock server_keyblock; krb5_keyblock krbtgt_keyblock; uint8_t server_bytes[16]; @@ -264,35 +261,37 @@ static BOOL torture_pac_saved_check(void) dump_data(10,tmp_blob.data,tmp_blob.length); /* Decode and verify the signaure on the PAC */ - nt_status = kerberos_decode_pac(mem_ctx, &pac_info, + nt_status = kerberos_decode_pac(mem_ctx, &pac_data, tmp_blob, smb_krb5_context, &krbtgt_keyblock, &server_keyblock); - krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); - krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &server_keyblock); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("PAC decoding failed: %s\n", nt_errstr(nt_status))); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &krbtgt_keyblock); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); talloc_free(mem_ctx); return False; } - nt_status = ndr_pull_struct_blob(&tmp_blob, mem_ctx, &pac_data, - (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0,("can't parse the PAC\n")); - talloc_free(mem_ctx); - return False; - } + ret = kerberos_encode_pac(mem_ctx, + pac_data, + smb_krb5_context->krb5_context, + &krbtgt_keyblock, + &server_keyblock, + &validate_blob); - nt_status = ndr_push_struct_blob(&validate_blob, mem_ctx, &pac_data, - (ndr_push_flags_fn_t)ndr_push_PAC_DATA); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("PAC push failed: %s\n", nt_errstr(nt_status))); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &krbtgt_keyblock); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + + if (ret != 0) { + DEBUG(0, ("PAC push failed\n")); talloc_free(mem_ctx); return False; } @@ -328,14 +327,3 @@ BOOL torture_pac(void) ret &= torture_pac_saved_check(); return ret; } - -#else - -BOOL torture_pac(void) -{ - printf("Cannot do PAC test without Krb5\n"); - return False; -} - -#endif - -- cgit