source4/torture/auth/pac.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Validate the krb5 pac generation routines
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "system/kerberos.h"
  26 #include "auth/auth.h"
  27 #include "auth/kerberos/kerberos.h"
  28 #include "librpc/gen_ndr/ndr_krb5pac.h"
  29 #include "librpc/gen_ndr/ndr_samr.h"
  30
  31 static BOOL torture_pac_self_check(void)
  32 {
  33         NTSTATUS nt_status;
  34         TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC self check");
  35         DATA_BLOB tmp_blob;
  36         struct PAC_DATA *pac_data;
  37         struct PAC_LOGON_INFO *logon_info;
  38         union netr_Validation validation;
  39
  40         /* Generate a nice, arbitary keyblock */
  41         uint8_t server_bytes[16];
  42         uint8_t krbtgt_bytes[16];
  43         krb5_keyblock server_keyblock;
  44         krb5_keyblock krbtgt_keyblock;
  45
  46         krb5_error_code ret;
  47
  48         struct smb_krb5_context *smb_krb5_context;
  49
  50         struct auth_serversupplied_info *server_info;
  51         struct auth_serversupplied_info *server_info_out;
  52
  53         ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context);
  54
  55         if (ret) {
  56                 talloc_free(mem_ctx);
  57                 return False;
  58         }
  59
  60         generate_random_buffer(server_bytes, 16);
  61         generate_random_buffer(krbtgt_bytes, 16);
  62
  63         ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
  64                                  ENCTYPE_ARCFOUR_HMAC,
  65                                  server_bytes, sizeof(server_bytes),
  66                                  &server_keyblock);
  67         if (ret) {
  68                 printf("Server Keyblock encoding failed: %s\n",
  69                        smb_get_krb5_error_message(smb_krb5_context->krb5_context,
  70                                                   ret, mem_ctx));
  71
  72                 talloc_free(mem_ctx);
  73                 return False;
  74         }
  75
  76         ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
  77                                  ENCTYPE_ARCFOUR_HMAC,
  78                                  krbtgt_bytes, sizeof(krbtgt_bytes),
  79                                  &krbtgt_keyblock);
  80         if (ret) {
  81                 printf("KRBTGT Keyblock encoding failed: %s\n",
  82                        smb_get_krb5_error_message(smb_krb5_context->krb5_context,
  83                                                   ret, mem_ctx));
  84
  85                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
  86                                             &server_keyblock);
  87                 talloc_free(mem_ctx);
  88                 return False;
  89         }
  90
  91         /* We need an input, and this one requires no underlying database */
  92         nt_status = auth_anonymous_server_info(mem_ctx, &server_info);
  93
  94         if (!NT_STATUS_IS_OK(nt_status)) {
  95                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
  96                                             &server_keyblock);
  97                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
  98                                             &krbtgt_keyblock);
  99                 talloc_free(mem_ctx);
 100                 return False;
 101         }
 102
 103         /* OK, go ahead and make a PAC */
 104         ret = kerberos_create_pac(mem_ctx, server_info,
 105                                   smb_krb5_context->krb5_context,
 106                                   &krbtgt_keyblock,
 107                                   &server_keyblock,
 108                                   &tmp_blob);
 109
 110         if (ret) {
 111                 printf("PAC encoding failed: %s\n",
 112                        smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 113                                                   ret, mem_ctx));
 114
 115                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 116                                             &krbtgt_keyblock);
 117                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 118                                             &server_keyblock);
 119                 talloc_free(mem_ctx);
 120                 return False;
 121         }
 122
 123         dump_data(10,tmp_blob.data,tmp_blob.length);
 124
 125         /* Now check that we can read it back */
 126         nt_status = kerberos_decode_pac(mem_ctx, &pac_data,
 127                                         tmp_blob,
 128                                         smb_krb5_context,
 129                                         &krbtgt_keyblock,
 130                                         &server_keyblock);
 131
 132         if (!NT_STATUS_IS_OK(nt_status)) {
 133                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 134                                             &krbtgt_keyblock);
 135                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 136                                             &server_keyblock);
 137                 DEBUG(1, ("PAC decoding failed: %s\n",
 138                           nt_errstr(nt_status)));
 139
 140                 talloc_free(mem_ctx);
 141                 return False;
 142         }
 143
 144         /* Now check that we can read it back */
 145         nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
 146                                             tmp_blob,
 147                                             smb_krb5_context,
 148                                             &krbtgt_keyblock,
 149                                             &server_keyblock);
 150
 151         if (!NT_STATUS_IS_OK(nt_status)) {
 152                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 153                                             &krbtgt_keyblock);
 154                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 155                                             &server_keyblock);
 156                 printf("PAC decoding (for logon info) failed: %s\n",
 157                        nt_errstr(nt_status));
 158
 159                 talloc_free(mem_ctx);
 160                 return False;
 161         }
 162
 163         krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 164                                     &krbtgt_keyblock);
 165         krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 166                                     &server_keyblock);
 167
 168         validation.sam3 = &logon_info->info3;
 169         nt_status = make_server_info_netlogon_validation(mem_ctx,
 170                                                          "",
 171                                                          3, &validation,
 172                                                          &server_info_out);
 173         if (!NT_STATUS_IS_OK(nt_status)) {
 174                 printf("PAC decoding (make server info) failed: %s\n",
 175                        nt_errstr(nt_status));
 176
 177                 talloc_free(mem_ctx);
 178                 return False;
 179         }
 180
 181         if (!dom_sid_equal(server_info->account_sid,
 182                            server_info_out->account_sid)) {
 183                 printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
 184                        dom_sid_string(mem_ctx, server_info->account_sid),
 185                        dom_sid_string(mem_ctx, server_info_out->account_sid));
 186                 talloc_free(mem_ctx);
 187                 return False;
 188         }
 189
 190         talloc_free(mem_ctx);
 191         return True;
 192 }
 193
 194
 195 /* This is the PAC generated on my test network, by my test Win2k3 server.
 196    -- abartlet 2005-07-04
 197  */
 198
 199 static const char saved_pac[] = {
 200         0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00,
 201         0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
 202         0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
 203         0x40, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
 204         0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
 205         0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x30, 0xdf, 0xa6, 0xcb,
 206         0x4f, 0x7d, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff,
 207         0xff, 0xff, 0xff, 0x7f, 0xc0, 0x3c, 0x4e, 0x59, 0x62, 0x73, 0xc5, 0x01, 0xc0, 0x3c, 0x4e, 0x59,
 208         0x62, 0x73, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x16, 0x00, 0x16, 0x00,
 209         0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
 210         0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
 211         0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x02, 0x00, 0x65, 0x00, 0x00, 0x00,
 212         0xed, 0x03, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00,
 213         0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 214         0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x16, 0x00, 0x20, 0x00, 0x02, 0x00, 0x16, 0x00, 0x18, 0x00,
 215         0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 216         0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 217         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 218         0x01, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 219         0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00,
 220         0x57, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00,
 221         0x41, 0x00, 0x4c, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 222         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 223         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 224         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 225         0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
 226         0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x57, 0x00, 0x32, 0x00,
 227         0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x41, 0x00, 0x4c, 0x00,
 228         0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x57, 0x00, 0x49, 0x00,
 229         0x4e, 0x00, 0x32, 0x00, 0x4b, 0x00, 0x33, 0x00, 0x54, 0x00, 0x48, 0x00, 0x49, 0x00, 0x4e, 0x00,
 230         0x4b, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
 231         0x15, 0x00, 0x00, 0x00, 0x11, 0x2f, 0xaf, 0xb5, 0x90, 0x04, 0x1b, 0xec, 0x50, 0x3b, 0xec, 0xdc,
 232         0x01, 0x00, 0x00, 0x00, 0x30, 0x00, 0x02, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
 233         0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 234         0x80, 0x66, 0x28, 0xea, 0x37, 0x80, 0xc5, 0x01, 0x16, 0x00, 0x77, 0x00, 0x32, 0x00, 0x30, 0x00,
 235         0x30, 0x00, 0x33, 0x00, 0x66, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x24, 0x00,
 236         0x76, 0xff, 0xff, 0xff, 0x37, 0xd5, 0xb0, 0xf7, 0x24, 0xf0, 0xd6, 0xd4, 0xec, 0x09, 0x86, 0x5a,
 237         0xa0, 0xe8, 0xc3, 0xa9, 0x00, 0x00, 0x00, 0x00, 0x76, 0xff, 0xff, 0xff, 0xb4, 0xd8, 0xb8, 0xfe,
 238         0x83, 0xb3, 0x13, 0x3f, 0xfc, 0x5c, 0x41, 0xad, 0xe2, 0x64, 0x83, 0xe0, 0x00, 0x00, 0x00, 0x00
 239 };
 240
 241 /* Check with a known 'well formed' PAC, from my test server */
 242 static BOOL torture_pac_saved_check(void)
 243 {
 244         NTSTATUS nt_status;
 245         TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check");
 246         DATA_BLOB tmp_blob, validate_blob;
 247         struct PAC_DATA *pac_data;
 248         struct PAC_LOGON_INFO *logon_info;
 249         union netr_Validation validation;
 250
 251         struct auth_serversupplied_info *server_info_out;
 252
 253         krb5_keyblock server_keyblock;
 254         krb5_keyblock krbtgt_keyblock;
 255         uint8_t server_bytes[16];
 256         struct samr_Password *krbtgt_bytes;
 257
 258         krb5_error_code ret;
 259
 260         struct smb_krb5_context *smb_krb5_context;
 261
 262         ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context);
 263
 264         if (ret) {
 265                 talloc_free(mem_ctx);
 266                 return False;
 267         }
 268
 269         /* The krbtgt key in use when the above PAC was generated.
 270          * This is an arcfour-hmac-md5 key, extracted with our 'net
 271          * samdump' tool. */
 272         krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, "B286757148AF7FD252C53603A150B7E7");
 273         if (!krbtgt_bytes) {
 274                 DEBUG(0, ("Could not interpret krbtgt key"));
 275                 talloc_free(mem_ctx);
 276                 return False;
 277         }
 278
 279         /* The machine trust account in use when the above PAC
 280            was generated.  It used arcfour-hmac-md5, so this is easy */
 281         E_md4hash("iqvwmii8CuEkyY", server_bytes);
 282
 283         ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
 284                                  ENCTYPE_ARCFOUR_HMAC,
 285                                  server_bytes, sizeof(server_bytes),
 286                                  &server_keyblock);
 287         if (ret) {
 288                 DEBUG(1, ("Server Keyblock encoding failed: %s\n",
 289                           smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 290                                                      ret, mem_ctx)));
 291
 292                 talloc_free(mem_ctx);
 293                 return False;
 294         }
 295
 296         ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
 297                                  ENCTYPE_ARCFOUR_HMAC,
 298                                  krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash),
 299                                  &krbtgt_keyblock);
 300         if (ret) {
 301                 DEBUG(1, ("Server Keyblock encoding failed: %s\n",
 302                           smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 303                                                      ret, mem_ctx)));
 304
 305                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 306                                             &server_keyblock);
 307                 talloc_free(mem_ctx);
 308                 return False;
 309         }
 310
 311         tmp_blob = data_blob(saved_pac, sizeof(saved_pac));
 312
 313         /*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/
 314
 315         dump_data(10,tmp_blob.data,tmp_blob.length);
 316
 317         /* Decode and verify the signaure on the PAC */
 318         nt_status = kerberos_decode_pac(mem_ctx, &pac_data,
 319                                         tmp_blob,
 320                                         smb_krb5_context,
 321                                         &krbtgt_keyblock,
 322                                         &server_keyblock);
 323         if (!NT_STATUS_IS_OK(nt_status)) {
 324                 DEBUG(1, ("PAC decoding failed: %s\n",
 325                           nt_errstr(nt_status)));
 326
 327                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 328                                             &krbtgt_keyblock);
 329                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 330                                             &server_keyblock);
 331                 talloc_free(mem_ctx);
 332                 return False;
 333         }
 334
 335         /* Parse the PAC again, for the logon info this time */
 336         nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
 337                                             tmp_blob,
 338                                             smb_krb5_context,
 339                                             &krbtgt_keyblock,
 340                                             &server_keyblock);
 341
 342         if (!NT_STATUS_IS_OK(nt_status)) {
 343                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 344                                             &krbtgt_keyblock);
 345                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 346                                             &server_keyblock);
 347                 printf("PAC decoding (for logon info) failed: %s\n",
 348                           nt_errstr(nt_status));
 349
 350                 talloc_free(mem_ctx);
 351                 return False;
 352         }
 353
 354         validation.sam3 = &logon_info->info3;
 355         nt_status = make_server_info_netlogon_validation(mem_ctx,
 356                                                          "",
 357                                                          3, &validation,
 358                                                          &server_info_out);
 359         if (!NT_STATUS_IS_OK(nt_status)) {
 360                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 361                                             &krbtgt_keyblock);
 362                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 363                                     &server_keyblock);
 364
 365                 printf("PAC decoding (make server info) failed: %s\n",
 366                        nt_errstr(nt_status));
 367
 368                 talloc_free(mem_ctx);
 369                 return False;
 370         }
 371
 372         if (!dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"),
 373                            server_info_out->account_sid)) {
 374                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 375                                             &krbtgt_keyblock);
 376                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 377                                             &server_keyblock);
 378
 379                 printf("PAC Decode resulted in *different* domain SID: %s != %s\n",
 380                        "S-1-5-21-3048156945-3961193616-3706469200-1005",
 381                        dom_sid_string(mem_ctx, server_info_out->account_sid));
 382                 talloc_free(mem_ctx);
 383                 return False;
 384         }
 385
 386         ret = kerberos_encode_pac(mem_ctx,
 387                                   pac_data,
 388                                   smb_krb5_context->krb5_context,
 389                                   &krbtgt_keyblock,
 390                                   &server_keyblock,
 391                                   &validate_blob);
 392
 393         if (ret != 0) {
 394                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 395                                             &krbtgt_keyblock);
 396                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 397                                             &server_keyblock);
 398
 399                 DEBUG(0, ("PAC push failed\n"));
 400                 talloc_free(mem_ctx);
 401                 return False;
 402         }
 403
 404         dump_data(10,validate_blob.data,validate_blob.length);
 405
 406         /* compare both the length and the data bytes after a
 407          * pull/push cycle.  This ensures we use the exact same
 408          * pointer, padding etc algorithms as win2k3.
 409          */
 410         if (tmp_blob.length != validate_blob.length) {
 411                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 412                                             &krbtgt_keyblock);
 413                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 414                                             &server_keyblock);
 415
 416                 DEBUG(0, ("PAC push failed: original buffer length[%u] != created buffer length[%u]\n",
 417                                 (unsigned)tmp_blob.length, (unsigned)validate_blob.length));
 418                 talloc_free(mem_ctx);
 419                 return False;
 420         }
 421
 422         if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) {
 423                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 424                                             &krbtgt_keyblock);
 425                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 426                                             &server_keyblock);
 427
 428                 DEBUG(0, ("PAC push failed: length[%u] matches, but data does not\n",
 429                           (unsigned)tmp_blob.length));
 430                 talloc_free(mem_ctx);
 431                 return False;
 432         }
 433
 434         /* Finally...  Bugger up the signature, and check we fail the checksum */
 435         tmp_blob.data[tmp_blob.length - 2]++;
 436
 437         nt_status = kerberos_decode_pac(mem_ctx, &pac_data,
 438                                         tmp_blob,
 439                                         smb_krb5_context,
 440                                         &krbtgt_keyblock,
 441                                         &server_keyblock);
 442         if (NT_STATUS_IS_OK(nt_status)) {
 443                 DEBUG(1, ("PAC decoding DID NOT fail on broken checksum\n"));
 444
 445                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 446                                             &krbtgt_keyblock);
 447                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 448                                             &server_keyblock);
 449                 talloc_free(mem_ctx);
 450                 return False;
 451         }
 452
 453         krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 454                                     &krbtgt_keyblock);
 455         krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 456                                     &server_keyblock);
 457
 458         talloc_free(mem_ctx);
 459         return True;
 460 }
 461
 462 BOOL torture_pac(void)
 463 {
 464         BOOL ret = True;
 465         ret &= torture_pac_self_check();
 466         ret &= torture_pac_saved_check();
 467         return ret;
 468 }