author | Andrew Bartlett <abartlet@samba.org> | 2005-10-24 07:11:40 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:11 -0500 |
commit | a0647a89a82e892292c421f5c968de2f28d42366 (patch) | |
tree | 0a8bcddc8318b50900c4f84719762f609bb38268 /source4/torture/auth | |
parent | ca40d0a6fea0dbf2a9962ed125f420bea3ca0269 (diff) | |
r11272: In trying to track down why Win2k3 is again rejecting our PAC, ensure
we can round-trip all the way back to a server_info structure, not
just a filled in PAC_DATA. (I was worried about generated fields being
incorrect, or some other logical flaw).
Andrew Bartlett
(This used to be commit 11b1d78cc550c60201d12f8778ca8533712a5b1e)
Diffstat (limited to 'source4/torture/auth')
-rw-r--r-- | source4/torture/auth/pac.c | 81 |
1 files changed, 80 insertions, 1 deletions
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index 6f50ae776bc..df9e45614e6 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -272,7 +272,7 @@ static BOOL torture_pac_saved_check(void)
 	NTSTATUS nt_status;
 	TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check");
 	DATA_BLOB tmp_blob, validate_blob;
-	struct PAC_DATA *pac_data;
+	struct PAC_DATA *pac_data, pac_data2;
 	struct PAC_LOGON_INFO *logon_info;
 	union netr_Validation validation;
 	const char *pac_file, *pac_kdc_key, *pac_member_key;
@@ -526,6 +526,85 @@ static BOOL torture_pac_saved_check(void)
 		return False;
 	}
 
+	ret = kerberos_create_pac(mem_ctx,
+				  server_info_out,
+				  smb_krb5_context->krb5_context,
+				  &krbtgt_keyblock,
+				  &server_keyblock,
+				  client_principal, authtime,
+				  &validate_blob);
+
+	if (ret != 0) {
+		krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+					    &krbtgt_keyblock);
+		krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+					    &server_keyblock);
+		krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
+
+		DEBUG(0, ("(saved test) regnerated PAC create failed\n"));
+		talloc_free(mem_ctx);
+		return False;
+	}
+
+	dump_data(10,validate_blob.data,validate_blob.length);
+
+	/* compare both the length and the data bytes after a
+	 * pull/push cycle. This ensures we use the exact same
+	 * pointer, padding etc algorithms as win2k3.
+	 */
+	if (tmp_blob.length != validate_blob.length) {
+		nt_status = ndr_pull_struct_blob(&validate_blob, mem_ctx, &pac_data2,
+						 (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			DEBUG(0,("can't parse the PAC\n"));
+			return False;
+		}
+
+		NDR_PRINT_DEBUG(PAC_DATA, pac_data);
+
+		NDR_PRINT_DEBUG(PAC_DATA, &pac_data2);
+
+		krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+					    &krbtgt_keyblock);
+		krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+					    &server_keyblock);
+		krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
+
+		DEBUG(0, ("(saved test) PAC regenerate failed: original buffer length[%u] != created buffer length[%u]\n",
+			  (unsigned)tmp_blob.length, (unsigned)validate_blob.length));
+		talloc_free(mem_ctx);
+		return False;
+	}
+
+	if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) {
+		nt_status = ndr_pull_struct_blob(&validate_blob, mem_ctx, &pac_data2,
+						 (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			DEBUG(0,("can't parse the PAC\n"));
+			return False;
+		}
+
+		NDR_PRINT_DEBUG(PAC_DATA, pac_data);
+
+		NDR_PRINT_DEBUG(PAC_DATA, &pac_data2);
+
+		krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+					    &krbtgt_keyblock);
+		krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+					    &server_keyblock);
+		krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
+
+		DEBUG(0, ("(saved test) PAC regenerate failed: length[%u] matches, but data does not\n",
+			  (unsigned)tmp_blob.length));
+		DEBUG(0, ("tmp_data:\n"));
+		dump_data(0, tmp_blob.data, tmp_blob.length);
+		DEBUG(0, ("validate_blob:\n"));
+		dump_data(0, validate_blob.data, validate_blob.length);
+
+		talloc_free(mem_ctx);
+		return False;
+	}
+
 	/* Break the auth time, to ensure we check this vital detail
 	   (not setting this caused all the pain in the first place... */
 	nt_status = kerberos_decode_pac(mem_ctx, &pac_data, tmp_blob,
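Review bot: The two `if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("can't parse the PAC\n")); return False; }` paths added in the length-mismatch and memcmp branches return without releasing anything, while every other failure path in this hunk calls krb5_free_keyblock_contents() on both keyblocks, krb5_free_principal() on client_principal and talloc_free(mem_ctx) first; the krb5 objects are not talloc-owned, so they leak on those two returns. Route both through the same release sequence the sibling branches use (or, since the two branches are otherwise identical apart from the DEBUG text, fold the pull-and-dump-and-release code into one local helper called from both). The DEBUG message `"(saved test) regnerated PAC create failed\n"` should read `"(saved test) regenerated PAC create failed\n"`. torture_pac_saved_check() begins and ends outside this hunk, so the state of pac_data at the NDR_PRINT_DEBUG calls is assumed from earlier code and not visible here.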