r9167: Further PAC parionia: ensure the checksum fails if we modify it.

author Andrew Bartlett <abartlet@samba.org>

Sat, 6 Aug 2005 23:25:00 +0000 (23:25 +0000)

committer Gerald (Jerry) Carter <jerry@samba.org>

Wed, 10 Oct 2007 18:31:27 +0000 (13:31 -0500)
author Andrew Bartlett <abartlet@samba.org>
Sat, 6 Aug 2005 23:25:00 +0000 (23:25 +0000)
committer Gerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:31:27 +0000 (13:31 -0500)
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c

index 43a9fd44b59270575dd3da74dee5f2d0fee8a45a..c6bec47238dac7847093a0eebed4876c77815f36 100644 (file)
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -308,7 +308,7 @@ static BOOL torture_pac_saved_check(void)
                 return False;
         }
  
-       tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac));
+       tmp_blob = data_blob(saved_pac, sizeof(saved_pac));
         
         /*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/
         
@@ -371,6 +371,11 @@ static BOOL torture_pac_saved_check(void)
  
         if (!dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), 
                            server_info_out->account_sid)) {
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &krbtgt_keyblock);
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &server_keyblock);
+
                 printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
                        "S-1-5-21-3048156945-3961193616-3706469200-1005", 
                        dom_sid_string(mem_ctx, server_info_out->account_sid));
@@ -385,12 +390,12 @@ static BOOL torture_pac_saved_check(void)
                                   &server_keyblock,
                                   &validate_blob);
  
-       krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
-                                   &krbtgt_keyblock);
-       krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
-                                   &server_keyblock);
-
         if (ret != 0) {
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &krbtgt_keyblock);
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &server_keyblock);
+
                 DEBUG(0, ("PAC push failed\n"));
                 talloc_free(mem_ctx);
                 return False;
@@ -403,6 +408,11 @@ static BOOL torture_pac_saved_check(void)
          * pointer, padding etc algorithms as win2k3.
          */
         if (tmp_blob.length != validate_blob.length) {
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &krbtgt_keyblock);
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &server_keyblock);
+
                 DEBUG(0, ("PAC push failed: orignial buffer length[%u] != created buffer length[%u]\n",
                                 (unsigned)tmp_blob.length, (unsigned)validate_blob.length));
                 talloc_free(mem_ctx);
@@ -410,12 +420,41 @@ static BOOL torture_pac_saved_check(void)
         }
  
         if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) {
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &krbtgt_keyblock);
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &server_keyblock);
+
                 DEBUG(0, ("PAC push failed: length[%u] matches, but data does not\n",
                           (unsigned)tmp_blob.length));
                 talloc_free(mem_ctx);
                 return False;
         }
  
+       /* Finally...  Bugger up the signature, and check we fail the checksum */
+       
+       tmp_blob.data[tmp_blob.length - 2] = 0xff;
+       nt_status = kerberos_decode_pac(mem_ctx, &pac_data,
+                                       tmp_blob,
+                                       smb_krb5_context,
+                                       &krbtgt_keyblock,
+                                       &server_keyblock);
+       if (NT_STATUS_IS_OK(nt_status)) {
+               DEBUG(1, ("PAC decoding DID NOT fail on broken checksum\n"));
+
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &krbtgt_keyblock);
+               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                           &server_keyblock);
+               talloc_free(mem_ctx);
+               return False;
+       }
+
+       krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                   &krbtgt_keyblock);
+       krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+                                   &server_keyblock);
+
         talloc_free(mem_ctx);
         return True;
  }
author	Andrew Bartlett <abartlet@samba.org>
	Sat, 6 Aug 2005 23:25:00 +0000 (23:25 +0000)
committer	Gerald (Jerry) Carter <jerry@samba.org>
	Wed, 10 Oct 2007 18:31:27 +0000 (13:31 -0500)