X-Git-Url: http://git.samba.org/samba.git/?a=blobdiff_plain;f=source4%2Ftorture%2Fauth%2Fpac.c;h=30bb53587d6117b5d5006a2a59a4e2e56b7ec70b;hb=0479a2f1cbae51fcd8dbdc3c148c808421fb4d25;hp=221454280eaeb08f4d1c20697a61045609f95f8a;hpb=b0044d19502fbed933fe04ef5230e3dae5997c55;p=kai%2Fsamba-autobuild%2F.git diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index 221454280ea..30bb53587d6 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -7,7 +7,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -17,8 +17,7 @@ You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" @@ -26,12 +25,13 @@ #include "auth/auth.h" #include "auth/kerberos/kerberos.h" #include "librpc/gen_ndr/ndr_krb5pac.h" -#include "librpc/gen_ndr/ndr_samr.h" +#include "samba3/samba3.h" +#include "libcli/security/security.h" +#include "torture/torture.h" -static BOOL torture_pac_self_check(void) +static bool torture_pac_self_check(struct torture_context *tctx) { NTSTATUS nt_status; - TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC self check"); DATA_BLOB tmp_blob; struct PAC_DATA *pac_data; struct PAC_LOGON_INFO *logon_info; @@ -53,12 +53,12 @@ static BOOL torture_pac_self_check(void) krb5_principal client_principal; time_t logon_time = time(NULL); - ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context); + TALLOC_CTX *mem_ctx = tctx; - if (ret) { - talloc_free(mem_ctx); - return False; - } + torture_assert(tctx, 0 == smb_krb5_init_context(mem_ctx, + NULL, + &smb_krb5_context), + "smb_krb5_init_context"); generate_random_buffer(server_bytes, 16); generate_random_buffer(krbtgt_bytes, 16); @@ -67,28 +67,24 @@ static BOOL torture_pac_self_check(void) ENCTYPE_ARCFOUR_HMAC, server_bytes, sizeof(server_bytes), &server_keyblock); - if (ret) { - printf("(self test) Server Keyblock encoding failed: %s\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, - ret, mem_ctx)); - - talloc_free(mem_ctx); - return False; - } + torture_assert(tctx, !ret, talloc_asprintf(tctx, + "(self test) Server Keyblock encoding failed: %s", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); ret = krb5_keyblock_init(smb_krb5_context->krb5_context, ENCTYPE_ARCFOUR_HMAC, krbtgt_bytes, sizeof(krbtgt_bytes), &krbtgt_keyblock); if (ret) { - printf("(self test) KRBTGT Keyblock encoding failed: %s\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, - ret, mem_ctx)); + char *err = smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); - talloc_free(mem_ctx); - return False; + + torture_fail(tctx, talloc_asprintf(tctx, + "(self test) KRBTGT Keyblock encoding failed: %s", err)); } /* We need an input, and this one requires no underlying database */ @@ -99,19 +95,19 @@ static BOOL torture_pac_self_check(void) &server_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, "auth_anonymous_server_info"); } - ret = krb5_parse_name_norealm(smb_krb5_context->krb5_context, - server_info->account_name, &client_principal); + ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, + server_info->account_name, + KRB5_PRINCIPAL_PARSE_NO_REALM, + &client_principal); if (ret) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, "krb5_parse_name_flags(norealm)"); } /* OK, go ahead and make a PAC */ @@ -124,18 +120,17 @@ static BOOL torture_pac_self_check(void) &tmp_blob); if (ret) { - printf("(self test) PAC encoding failed: %s\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, - ret, mem_ctx)); - krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - talloc_free(mem_ctx); - return False; + + torture_fail(tctx, talloc_asprintf(tctx, + "(self test) PAC encoding failed: %s", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); } dump_data(10,tmp_blob.data,tmp_blob.length); @@ -147,7 +142,7 @@ static BOOL torture_pac_self_check(void) &krbtgt_keyblock, &server_keyblock, client_principal, - logon_time); + logon_time, NULL); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -156,11 +151,10 @@ static BOOL torture_pac_self_check(void) &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - DEBUG(1, ("(self test) PAC decoding failed: %s\n", - nt_errstr(nt_status))); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, talloc_asprintf(tctx, + "(self test) PAC decoding failed: %s", + nt_errstr(nt_status))); } /* Now check that we can read it back */ @@ -170,7 +164,8 @@ static BOOL torture_pac_self_check(void) &krbtgt_keyblock, &server_keyblock, client_principal, - logon_time); + logon_time, + NULL); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -179,11 +174,11 @@ static BOOL torture_pac_self_check(void) &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - printf("(self test) PAC decoding (for logon info) failed: %s\n", - nt_errstr(nt_status)); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, + talloc_asprintf(tctx, + "(self test) PAC decoding (for logon info) failed: %s", + nt_errstr(nt_status))); } krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -199,30 +194,27 @@ static BOOL torture_pac_self_check(void) 3, &validation, &server_info_out); if (!NT_STATUS_IS_OK(nt_status)) { - printf("(self test) PAC decoding (make server info) failed: %s\n", - nt_errstr(nt_status)); - - talloc_free(mem_ctx); - return False; + torture_fail(tctx, + talloc_asprintf(tctx, + "(self test) PAC decoding (make server info) failed: %s", + nt_errstr(nt_status))); } if (!dom_sid_equal(server_info->account_sid, server_info_out->account_sid)) { - printf("(self test) PAC Decode resulted in *different* domain SID: %s != %s\n", - dom_sid_string(mem_ctx, server_info->account_sid), - dom_sid_string(mem_ctx, server_info_out->account_sid)); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, + talloc_asprintf(tctx, + "(self test) PAC Decode resulted in *different* domain SID: %s != %s", + dom_sid_string(mem_ctx, server_info->account_sid), + dom_sid_string(mem_ctx, server_info_out->account_sid))); } - - talloc_free(mem_ctx); - return True; + return true; } /* This is the PAC generated on my test network, by my test Win2k3 server. -- abartlet 2005-07-04 - */ +*/ static const uint8_t saved_pac[] = { 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00, @@ -267,10 +259,9 @@ static const uint8_t saved_pac[] = { }; /* Check with a known 'well formed' PAC, from my test server */ -static BOOL torture_pac_saved_check(void) +static bool torture_pac_saved_check(struct torture_context *tctx) { NTSTATUS nt_status; - TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check"); DATA_BLOB tmp_blob, validate_blob; struct PAC_DATA *pac_data, pac_data2; struct PAC_LOGON_INFO *logon_info; @@ -286,110 +277,90 @@ static BOOL torture_pac_saved_check(void) struct smb_krb5_context *smb_krb5_context; const char *principal_string; + char *broken_principal_string; krb5_principal client_principal; const char *authtime_string; time_t authtime; + TALLOC_CTX *mem_ctx = tctx; - ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context); + torture_assert(tctx, 0 == smb_krb5_init_context(mem_ctx, NULL, + &smb_krb5_context), + "smb_krb5_init_context"); - if (ret) { - talloc_free(mem_ctx); - return False; - } + pac_kdc_key = torture_setting_string(tctx, "pac_kdc_key", + "B286757148AF7FD252C53603A150B7E7"); - pac_kdc_key = lp_parm_string(-1,"torture","pac_kdc_key"); - if (pac_kdc_key == NULL) { - pac_kdc_key = "B286757148AF7FD252C53603A150B7E7"; - } + pac_member_key = torture_setting_string(tctx, "pac_member_key", + "D217FAEAE5E6B5F95CCC94077AB8A5FC"); - pac_member_key = lp_parm_string(-1,"torture","pac_member_key"); - if (pac_member_key == NULL) { - pac_member_key = "D217FAEAE5E6B5F95CCC94077AB8A5FC"; - } - - printf("Using pac_kdc_key '%s'\n", pac_kdc_key); - printf("Using pac_member_key '%s'\n", pac_member_key); + torture_comment(tctx, "Using pac_kdc_key '%s'\n", pac_kdc_key); + torture_comment(tctx, "Using pac_member_key '%s'\n", pac_member_key); /* The krbtgt key in use when the above PAC was generated. * This is an arcfour-hmac-md5 key, extracted with our 'net * samdump' tool. */ krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, pac_kdc_key); if (!krbtgt_bytes) { - DEBUG(0, ("(saved test) Could not interpret krbtgt key")); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, "(saved test) Could not interpret krbtgt key"); } krbsrv_bytes = smbpasswd_gethexpwd(mem_ctx, pac_member_key); if (!krbsrv_bytes) { - DEBUG(0, ("(saved test) Could not interpret krbsrv key")); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, "(saved test) Could not interpret krbsrv key"); } ret = krb5_keyblock_init(smb_krb5_context->krb5_context, ENCTYPE_ARCFOUR_HMAC, krbsrv_bytes->hash, sizeof(krbsrv_bytes->hash), &server_keyblock); - if (ret) { - DEBUG(1, ("(saved test) Server Keyblock encoding failed: %s\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, - ret, mem_ctx))); - - talloc_free(mem_ctx); - return False; - } + torture_assert(tctx, !ret, + talloc_asprintf(tctx, + "(saved test) Server Keyblock encoding failed: %s", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); ret = krb5_keyblock_init(smb_krb5_context->krb5_context, ENCTYPE_ARCFOUR_HMAC, krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash), &krbtgt_keyblock); if (ret) { - DEBUG(1, ("(saved test) Server Keyblock encoding failed: %s\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, - ret, mem_ctx))); - krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, + talloc_asprintf(tctx, + "(saved test) Server Keyblock encoding failed: %s", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); } - pac_file = lp_parm_string(-1,"torture","pac_file"); + pac_file = torture_setting_string(tctx, "pac_file", NULL); if (pac_file) { tmp_blob.data = (uint8_t *)file_load(pac_file, &tmp_blob.length, mem_ctx); - printf("(saved test) Loaded pac of size %d from %s\n", tmp_blob.length, pac_file); + torture_comment(tctx, "(saved test) Loaded pac of size %ld from %s\n", (long)tmp_blob.length, pac_file); } else { tmp_blob = data_blob_talloc(mem_ctx, saved_pac, sizeof(saved_pac)); } dump_data(10,tmp_blob.data,tmp_blob.length); - principal_string = lp_parm_string(-1,"torture","pac_client_principal"); - if (!principal_string) { - principal_string = "w2003final$@WIN2K3.THINKER.LOCAL"; - } + principal_string = torture_setting_string(tctx, "pac_client_principal", + "w2003final$@WIN2K3.THINKER.LOCAL"); - authtime_string = lp_parm_string(-1,"torture","pac_authtime"); - if (!authtime_string) { - authtime = 1120440609; - } else { - authtime = strtoull(authtime_string, NULL, 0); - } + authtime_string = torture_setting_string(tctx, "pac_authtime", "1120440609"); + authtime = strtoull(authtime_string, NULL, 0); ret = krb5_parse_name(smb_krb5_context->krb5_context, principal_string, &client_principal); if (ret) { - DEBUG(1, ("(saved test) parsing of client principal [%s] failed: %s\n", - principal_string, - smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); - krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, + talloc_asprintf(tctx, + "(saved test) parsing of client principal [%s] failed: %s", + principal_string, + smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); } /* Decode and verify the signaure on the PAC */ @@ -398,19 +369,17 @@ static BOOL torture_pac_saved_check(void) smb_krb5_context->krb5_context, &krbtgt_keyblock, &server_keyblock, - client_principal, authtime); + client_principal, authtime, NULL); if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(1, ("(saved test) PAC decoding failed: %s\n", - nt_errstr(nt_status))); - krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, talloc_asprintf(tctx, + "(saved test) PAC decoding failed: %s", + nt_errstr(nt_status))); } /* Parse the PAC again, for the logon info this time */ @@ -419,7 +388,7 @@ static BOOL torture_pac_saved_check(void) smb_krb5_context->krb5_context, &krbtgt_keyblock, &server_keyblock, - client_principal, authtime); + client_principal, authtime, NULL); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -428,11 +397,10 @@ static BOOL torture_pac_saved_check(void) &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - printf("(saved test) PAC decoding (for logon info) failed: %s\n", - nt_errstr(nt_status)); - - talloc_free(mem_ctx); - return False; + torture_fail(tctx, + talloc_asprintf(tctx, + "(saved test) PAC decoding (for logon info) failed: %s", + nt_errstr(nt_status))); } validation.sam3 = &logon_info->info3; @@ -444,18 +412,18 @@ static BOOL torture_pac_saved_check(void) krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &server_keyblock); + &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - printf("(saved test) PAC decoding (make server info) failed: %s\n", - nt_errstr(nt_status)); - - talloc_free(mem_ctx); - return False; + torture_fail(tctx, + talloc_asprintf(tctx, + "(saved test) PAC decoding (make server info) failed: %s", + nt_errstr(nt_status))); } if (!pac_file && - !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), + !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, + "S-1-5-21-3048156945-3961193616-3706469200-1005"), server_info_out->account_sid)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); @@ -463,11 +431,11 @@ static BOOL torture_pac_saved_check(void) &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - printf("(saved test) PAC Decode resulted in *different* domain SID: %s != %s\n", - "S-1-5-21-3048156945-3961193616-3706469200-1005", - dom_sid_string(mem_ctx, server_info_out->account_sid)); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, + talloc_asprintf(tctx, + "(saved test) PAC Decode resulted in *different* domain SID: %s != %s", + "S-1-5-21-3048156945-3961193616-3706469200-1005", + dom_sid_string(mem_ctx, server_info_out->account_sid))); } ret = kerberos_encode_pac(mem_ctx, @@ -484,12 +452,10 @@ static BOOL torture_pac_saved_check(void) &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - DEBUG(0, ("(saved test) PAC push failed\n")); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, "(saved test) PAC push failed"); } - dump_data(10,validate_blob.data,validate_blob.length); + dump_data(10, validate_blob.data, validate_blob.length); /* compare both the length and the data bytes after a * pull/push cycle. This ensures we use the exact same @@ -502,10 +468,10 @@ static BOOL torture_pac_saved_check(void) &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - DEBUG(0, ("(saved test) PAC push failed: original buffer length[%u] != created buffer length[%u]\n", - (unsigned)tmp_blob.length, (unsigned)validate_blob.length)); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, + talloc_asprintf(tctx, + "(saved test) PAC push failed: original buffer length[%u] != created buffer length[%u]", + (unsigned)tmp_blob.length, (unsigned)validate_blob.length)); } if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) { @@ -515,15 +481,12 @@ static BOOL torture_pac_saved_check(void) &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - DEBUG(0, ("(saved test) PAC push failed: length[%u] matches, but data does not\n", - (unsigned)tmp_blob.length)); DEBUG(0, ("tmp_data:\n")); dump_data(0, tmp_blob.data, tmp_blob.length); DEBUG(0, ("validate_blob:\n")); dump_data(0, validate_blob.data, validate_blob.length); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, talloc_asprintf(tctx, "(saved test) PAC push failed: length[%u] matches, but data does not", (unsigned)tmp_blob.length)); } ret = kerberos_create_pac(mem_ctx, @@ -541,9 +504,7 @@ static BOOL torture_pac_saved_check(void) &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - DEBUG(0, ("(saved test) regnerated PAC create failed\n")); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, "(saved test) regnerated PAC create failed"); } dump_data(10,validate_blob.data,validate_blob.length); @@ -554,11 +515,8 @@ static BOOL torture_pac_saved_check(void) */ if (tmp_blob.length != validate_blob.length) { nt_status = ndr_pull_struct_blob(&validate_blob, mem_ctx, &pac_data2, - (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0,("can't parse the PAC\n")); - return False; - } + (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); + torture_assert_ntstatus_ok(tctx, nt_status, "can't parse the PAC"); NDR_PRINT_DEBUG(PAC_DATA, pac_data); @@ -570,19 +528,15 @@ static BOOL torture_pac_saved_check(void) &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - DEBUG(0, ("(saved test) PAC regenerate failed: original buffer length[%u] != created buffer length[%u]\n", - (unsigned)tmp_blob.length, (unsigned)validate_blob.length)); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, talloc_asprintf(tctx, + "(saved test) PAC regenerate failed: original buffer length[%u] != created buffer length[%u]", + (unsigned)tmp_blob.length, (unsigned)validate_blob.length)); } if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) { nt_status = ndr_pull_struct_blob(&validate_blob, mem_ctx, &pac_data2, - (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0,("can't parse the PAC\n")); - return False; - } + (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); + torture_assert_ntstatus_ok(tctx, nt_status, "can't parse the PAC"); NDR_PRINT_DEBUG(PAC_DATA, pac_data); @@ -594,15 +548,13 @@ static BOOL torture_pac_saved_check(void) &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - DEBUG(0, ("(saved test) PAC regenerate failed: length[%u] matches, but data does not\n", - (unsigned)tmp_blob.length)); DEBUG(0, ("tmp_data:\n")); dump_data(0, tmp_blob.data, tmp_blob.length); DEBUG(0, ("validate_blob:\n")); dump_data(0, validate_blob.data, validate_blob.length); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, talloc_asprintf(tctx, + "(saved test) PAC regenerate failed: length[%u] matches, but data does not", (unsigned)tmp_blob.length)); } /* Break the auth time, to ensure we check this vital detail (not setting this caused all the pain in the first place... */ @@ -612,34 +564,34 @@ static BOOL torture_pac_saved_check(void) &krbtgt_keyblock, &server_keyblock, client_principal, - authtime + 1); + authtime + 1, NULL); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(1, ("(saved test) PAC decoding DID NOT fail on broken auth time (time + 1)\n")); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken auth time (time + 1)"); } /* Break the client principal */ krb5_free_principal(smb_krb5_context->krb5_context, client_principal); + broken_principal_string = talloc_strdup(mem_ctx, principal_string); + broken_principal_string[0]++; + ret = krb5_parse_name(smb_krb5_context->krb5_context, - "not the right principal", &client_principal); + broken_principal_string, &client_principal); if (ret) { - DEBUG(1, ("(saved test) parsing of bogus client principal failed: %s\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, talloc_asprintf(tctx, + "(saved test) parsing of broken client principal failed: %s", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); } nt_status = kerberos_decode_pac(mem_ctx, &pac_data, @@ -648,16 +600,13 @@ static BOOL torture_pac_saved_check(void) &krbtgt_keyblock, &server_keyblock, client_principal, - authtime); + authtime, NULL); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(1, ("(saved test) PAC decoding DID NOT fail on modified principal\n")); - krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on modified principal"); } /* Finally... Bugger up the signature, and check we fail the checksum */ @@ -669,31 +618,31 @@ static BOOL torture_pac_saved_check(void) &krbtgt_keyblock, &server_keyblock, client_principal, - authtime); + authtime, NULL); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(1, ("(saved test) PAC decoding DID NOT fail on broken checksum\n")); - krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); - talloc_free(mem_ctx); - return False; + torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken checksum"); } krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); - - talloc_free(mem_ctx); - return True; + return true; } -BOOL torture_pac(void) +_PUBLIC_ struct torture_suite *torture_pac(TALLOC_CTX *mem_ctx) { - BOOL ret = True; - ret &= torture_pac_self_check(); - ret &= torture_pac_saved_check(); - return ret; + struct torture_suite *suite = torture_suite_create(mem_ctx, "PAC"); + + torture_suite_add_simple_test(suite, "self check", + torture_pac_self_check); + + torture_suite_add_simple_test(suite, "saved check", + torture_pac_saved_check); + + return suite; }