git.samba.org / jelmer / samba4-debian.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
r26233: Pass loadparm context when creating krb5 contexts.
[jelmer/samba4-debian.git] / source / torture / auth / pac.c
diff --git a/source/torture/auth/pac.c b/source/torture/auth/pac.c
index 41dbc085999094948e4d0f934e5a26f0a7529e15..262cc70480f6f13547661c7c5dbbd3cfcce88eaa 100644 (file)
--- a/source/torture/auth/pac.c
+++ b/source/torture/auth/pac.c
@@ -7,7 +7,7 @@
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
+   the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
@@ -17,8 +17,7 @@
 
    
    You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "includes.h"
@@ -26,12 +25,13 @@
 #include "auth/auth.h"
 #include "auth/kerberos/kerberos.h"
 #include "librpc/gen_ndr/ndr_krb5pac.h"
-#include "librpc/gen_ndr/ndr_samr.h"
+#include "samba3/samba3.h"
+#include "libcli/security/security.h"
+#include "torture/torture.h"
 
-static BOOL torture_pac_self_check(void) 
+static bool torture_pac_self_check(struct torture_context *tctx)
 {
        NTSTATUS nt_status;
-       TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC self check");
        DATA_BLOB tmp_blob;
        struct PAC_DATA *pac_data;
        struct PAC_LOGON_INFO *logon_info;
@@ -53,12 +53,13 @@ static BOOL torture_pac_self_check(void)
        krb5_principal client_principal;
        time_t logon_time = time(NULL);
 
-       ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context);
+       TALLOC_CTX *mem_ctx = tctx;
 
-       if (ret) {
-               talloc_free(mem_ctx);
-               return False;
-       }
+       torture_assert(tctx, 0 == smb_krb5_init_context(mem_ctx, 
+                                                       NULL,
+                                                       global_loadparm,
+                                                       &smb_krb5_context), 
+                      "smb_krb5_init_context");
 
        generate_random_buffer(server_bytes, 16);
        generate_random_buffer(krbtgt_bytes, 16);
@@ -67,28 +68,24 @@ static BOOL torture_pac_self_check(void)
                                 ENCTYPE_ARCFOUR_HMAC,
                                 server_bytes, sizeof(server_bytes),
                                 &server_keyblock);
-       if (ret) {
-               printf("(self test) Server Keyblock encoding failed: %s\n", 
-                      smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
-                                                 ret, mem_ctx));
-               
-               talloc_free(mem_ctx);
-               return False;
-       }
+       torture_assert(tctx, !ret, talloc_asprintf(tctx, 
+                                                  "(self test) Server Keyblock encoding failed: %s", 
+                                                  smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+                                                                             ret, mem_ctx)));
 
        ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
                                 ENCTYPE_ARCFOUR_HMAC,
                                 krbtgt_bytes, sizeof(krbtgt_bytes),
                                 &krbtgt_keyblock);
        if (ret) {
-               printf("(self test) KRBTGT Keyblock encoding failed: %s\n", 
-                      smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
-                                                 ret, mem_ctx));
+               char *err = smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+                                                      ret, mem_ctx);
        
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
-               talloc_free(mem_ctx);
-               return False;
+
+               torture_fail(tctx, talloc_asprintf(tctx, 
+                                                  "(self test) KRBTGT Keyblock encoding failed: %s", err));
        }
 
        /* We need an input, and this one requires no underlying database */
@@ -99,19 +96,19 @@ static BOOL torture_pac_self_check(void)
                                            &server_keyblock);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, "auth_anonymous_server_info");
        }
 
-       ret = krb5_parse_name_norealm(smb_krb5_context->krb5_context, 
-                                     server_info->account_name, &client_principal);
+       ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, 
+                                   server_info->account_name, 
+                                   KRB5_PRINCIPAL_PARSE_NO_REALM, 
+                                   &client_principal);
        if (ret) {
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, "krb5_parse_name_flags(norealm)");
        }
 
        /* OK, go ahead and make a PAC */
@@ -124,18 +121,17 @@ static BOOL torture_pac_self_check(void)
                                  &tmp_blob);
        
        if (ret) {
-               printf("(self test) PAC encoding failed: %s\n", 
-                      smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
-                                                 ret, mem_ctx));
-
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, 
                                    client_principal);
-               talloc_free(mem_ctx);
-               return False;
+
+               torture_fail(tctx, talloc_asprintf(tctx,
+                                                  "(self test) PAC encoding failed: %s", 
+                                                  smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+                                                                             ret, mem_ctx)));
        }
 
        dump_data(10,tmp_blob.data,tmp_blob.length);
@@ -147,7 +143,7 @@ static BOOL torture_pac_self_check(void)
                                        &krbtgt_keyblock,
                                        &server_keyblock,
                                        client_principal, 
-                                       logon_time);
+                                       logon_time, NULL);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
@@ -156,11 +152,10 @@ static BOOL torture_pac_self_check(void)
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, 
                                    client_principal);
-               DEBUG(1, ("(self test) PAC decoding failed: %s\n", 
-                         nt_errstr(nt_status)));
 
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, talloc_asprintf(tctx,
+                                                  "(self test) PAC decoding failed: %s", 
+                                                  nt_errstr(nt_status)));
        }
 
        /* Now check that we can read it back */
@@ -170,7 +165,8 @@ static BOOL torture_pac_self_check(void)
                                            &krbtgt_keyblock,
                                            &server_keyblock,
                                            client_principal, 
-                                           logon_time);
+                                           logon_time, 
+                                           NULL);
        
        if (!NT_STATUS_IS_OK(nt_status)) {
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
@@ -179,11 +175,11 @@ static BOOL torture_pac_self_check(void)
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, 
                                    client_principal);
-               printf("(self test) PAC decoding (for logon info) failed: %s\n", 
-                      nt_errstr(nt_status));
                
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx,  
+                            talloc_asprintf(tctx, 
+                                            "(self test) PAC decoding (for logon info) failed: %s", 
+                                            nt_errstr(nt_status)));
        }
        
        krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
@@ -199,30 +195,27 @@ static BOOL torture_pac_self_check(void)
                                                         3, &validation,
                                                         &server_info_out); 
        if (!NT_STATUS_IS_OK(nt_status)) {
-               printf("(self test) PAC decoding (make server info) failed: %s\n", 
-                      nt_errstr(nt_status));
-               
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, 
+                            talloc_asprintf(tctx, 
+                                            "(self test) PAC decoding (make server info) failed: %s", 
+                                            nt_errstr(nt_status)));
        }
        
        if (!dom_sid_equal(server_info->account_sid, 
                           server_info_out->account_sid)) {
-               printf("(self test) PAC Decode resulted in *different* domain SID: %s != %s\n",
-                      dom_sid_string(mem_ctx, server_info->account_sid)
-                      dom_sid_string(mem_ctx, server_info_out->account_sid));
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx,  
+                            talloc_asprintf(tctx
+                                            "(self test) PAC Decode resulted in *different* domain SID: %s != %s",
+                                            dom_sid_string(mem_ctx, server_info->account_sid), 
+                                            dom_sid_string(mem_ctx, server_info_out->account_sid)));
        }
-       
-       talloc_free(mem_ctx);
-       return True;
+       return true;
 }
 
 
 /* This is the PAC generated on my test network, by my test Win2k3 server.
    -- abartlet 2005-07-04
- */
+*/
 
 static const uint8_t saved_pac[] = {
        0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00, 
@@ -267,10 +260,10 @@ static const uint8_t saved_pac[] = {
 };
 
 /* Check with a known 'well formed' PAC, from my test server */
-static BOOL torture_pac_saved_check(void) 
+static bool torture_pac_saved_check(struct torture_context *tctx)
 {
        NTSTATUS nt_status;
-       TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "PAC saved check");
+       enum ndr_err_code ndr_err;
        DATA_BLOB tmp_blob, validate_blob;
        struct PAC_DATA *pac_data, pac_data2;
        struct PAC_LOGON_INFO *logon_info;
@@ -286,110 +279,91 @@ static BOOL torture_pac_saved_check(void)
        struct smb_krb5_context *smb_krb5_context;
 
        const char *principal_string;
+       char *broken_principal_string;
        krb5_principal client_principal;
        const char *authtime_string;
        time_t authtime;
+       TALLOC_CTX *mem_ctx = tctx;
 
-       ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context);
+       torture_assert(tctx, 0 == smb_krb5_init_context(mem_ctx, NULL,
+                                                       global_loadparm,
+                                                       &smb_krb5_context),
+                      "smb_krb5_init_context");
 
-       if (ret) {
-               talloc_free(mem_ctx);
-               return False;
-       }
+       pac_kdc_key = torture_setting_string(tctx, "pac_kdc_key", 
+                                            "B286757148AF7FD252C53603A150B7E7");
 
-       pac_kdc_key = lp_parm_string(-1,"torture","pac_kdc_key");
-       if (pac_kdc_key == NULL) {
-               pac_kdc_key = "B286757148AF7FD252C53603A150B7E7";
-       }
+       pac_member_key = torture_setting_string(tctx, "pac_member_key", 
+                                               "D217FAEAE5E6B5F95CCC94077AB8A5FC");
 
-       pac_member_key = lp_parm_string(-1,"torture","pac_member_key");
-       if (pac_member_key == NULL) {
-               pac_member_key = "D217FAEAE5E6B5F95CCC94077AB8A5FC";
-       }
-
-       printf("Using pac_kdc_key '%s'\n", pac_kdc_key);
-       printf("Using pac_member_key '%s'\n", pac_member_key);
+       torture_comment(tctx, "Using pac_kdc_key '%s'\n", pac_kdc_key);
+       torture_comment(tctx, "Using pac_member_key '%s'\n", pac_member_key);
 
        /* The krbtgt key in use when the above PAC was generated.
         * This is an arcfour-hmac-md5 key, extracted with our 'net
         * samdump' tool. */
        krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, pac_kdc_key);
        if (!krbtgt_bytes) {
-               DEBUG(0, ("(saved test) Could not interpret krbtgt key"));
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, "(saved test) Could not interpret krbtgt key");
        }
 
        krbsrv_bytes = smbpasswd_gethexpwd(mem_ctx, pac_member_key);
        if (!krbsrv_bytes) {
-               DEBUG(0, ("(saved test) Could not interpret krbsrv key"));
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, "(saved test) Could not interpret krbsrv key");
        }
 
        ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
                                 ENCTYPE_ARCFOUR_HMAC,
                                 krbsrv_bytes->hash, sizeof(krbsrv_bytes->hash),
                                 &server_keyblock);
-       if (ret) {
-               DEBUG(1, ("(saved test) Server Keyblock encoding failed: %s\n", 
-                         smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
-                                                    ret, mem_ctx)));
-
-               talloc_free(mem_ctx);
-               return False;
-       }
+       torture_assert(tctx, !ret,
+                      talloc_asprintf(tctx,
+                                      "(saved test) Server Keyblock encoding failed: %s", 
+                                      smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+                                                                 ret, mem_ctx)));
 
        ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
                                 ENCTYPE_ARCFOUR_HMAC,
                                 krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash),
                                 &krbtgt_keyblock);
        if (ret) {
-               DEBUG(1, ("(saved test) Server Keyblock encoding failed: %s\n", 
-                         smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
-                                                    ret, mem_ctx)));
-
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, 
+                            talloc_asprintf(tctx, 
+                                            "(saved test) Server Keyblock encoding failed: %s", 
+                                            smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+                                                                       ret, mem_ctx)));
        }
 
-       pac_file = lp_parm_string(-1,"torture","pac_file");
+       pac_file = torture_setting_string(tctx, "pac_file", NULL);
        if (pac_file) {
                tmp_blob.data = (uint8_t *)file_load(pac_file, &tmp_blob.length, mem_ctx);
-               printf("(saved test) Loaded pac of size %d from %s\n", tmp_blob.length, pac_file);
+               torture_comment(tctx, "(saved test) Loaded pac of size %ld from %s\n", (long)tmp_blob.length, pac_file);
        } else {
-               tmp_blob = data_blob(saved_pac, sizeof(saved_pac));
+               tmp_blob = data_blob_talloc(mem_ctx, saved_pac, sizeof(saved_pac));
        }
        
        dump_data(10,tmp_blob.data,tmp_blob.length);
 
-       principal_string = lp_parm_string(-1,"torture","pac_client_principal");
-       if (!principal_string) {
-               principal_string = "w2003final$@WIN2K3.THINKER.LOCAL";
-       }
+       principal_string = torture_setting_string(tctx, "pac_client_principal", 
+                                                 "w2003final$@WIN2K3.THINKER.LOCAL");
 
-       authtime_string = lp_parm_string(-1,"torture","pac_authtime");
-       if (!authtime_string) {
-               authtime = 1120440609;
-       } else {
-               authtime = strtoull(authtime_string, NULL, 0);
-       }
+       authtime_string = torture_setting_string(tctx, "pac_authtime", "1120440609");
+       authtime = strtoull(authtime_string, NULL, 0);
 
        ret = krb5_parse_name(smb_krb5_context->krb5_context, principal_string, 
                              &client_principal);
        if (ret) {
-               DEBUG(1, ("(saved test) parsing of client principal [%s] failed: %s\n", 
-                         principal_string, 
-                         smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
-
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx,  
+                            talloc_asprintf(tctx, 
+                                            "(saved test) parsing of client principal [%s] failed: %s", 
+                                            principal_string, 
+                                            smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
        }
 
        /* Decode and verify the signaure on the PAC */
@@ -398,19 +372,17 @@ static BOOL torture_pac_saved_check(void)
                                        smb_krb5_context->krb5_context,
                                        &krbtgt_keyblock,
                                        &server_keyblock, 
-                                       client_principal, authtime);
+                                       client_principal, authtime, NULL);
        if (!NT_STATUS_IS_OK(nt_status)) {
-               DEBUG(1, ("(saved test) PAC decoding failed: %s\n", 
-                         nt_errstr(nt_status)));
-
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
                
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, talloc_asprintf(tctx, 
+                                                  "(saved test) PAC decoding failed: %s", 
+                                                  nt_errstr(nt_status)));
        }
 
        /* Parse the PAC again, for the logon info this time */
@@ -419,7 +391,7 @@ static BOOL torture_pac_saved_check(void)
                                            smb_krb5_context->krb5_context,
                                            &krbtgt_keyblock,
                                            &server_keyblock,
-                                           client_principal, authtime);
+                                           client_principal, authtime, NULL);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
@@ -428,11 +400,10 @@ static BOOL torture_pac_saved_check(void)
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
        
-               printf("(saved test) PAC decoding (for logon info) failed: %s\n", 
-                         nt_errstr(nt_status));
-
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx,  
+                            talloc_asprintf(tctx, 
+                                            "(saved test) PAC decoding (for logon info) failed: %s", 
+                                            nt_errstr(nt_status)));
        }
 
        validation.sam3 = &logon_info->info3;
@@ -444,18 +415,18 @@ static BOOL torture_pac_saved_check(void)
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
-                                   &server_keyblock);
+                                           &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
 
-               printf("(saved test) PAC decoding (make server info) failed: %s\n", 
-                      nt_errstr(nt_status));
-               
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx,  
+                            talloc_asprintf(tctx, 
+                                            "(saved test) PAC decoding (make server info) failed: %s", 
+                                            nt_errstr(nt_status)));
        }
 
        if (!pac_file &&
-           !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), 
+           !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, 
+                                               "S-1-5-21-3048156945-3961193616-3706469200-1005"), 
                           server_info_out->account_sid)) {
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
@@ -463,11 +434,11 @@ static BOOL torture_pac_saved_check(void)
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
 
-               printf("(saved test) PAC Decode resulted in *different* domain SID: %s != %s\n",
-                      "S-1-5-21-3048156945-3961193616-3706469200-1005"
-                      dom_sid_string(mem_ctx, server_info_out->account_sid));
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx,  
+                            talloc_asprintf(tctx
+                                            "(saved test) PAC Decode resulted in *different* domain SID: %s != %s",
+                                            "S-1-5-21-3048156945-3961193616-3706469200-1005", 
+                                            dom_sid_string(mem_ctx, server_info_out->account_sid)));
        }
 
        ret = kerberos_encode_pac(mem_ctx, 
@@ -484,12 +455,10 @@ static BOOL torture_pac_saved_check(void)
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
 
-               DEBUG(0, ("(saved test) PAC push failed\n"));
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, "(saved test) PAC push failed");
        }
 
-       dump_data(10,validate_blob.data,validate_blob.length);
+       dump_data(10, validate_blob.data, validate_blob.length);
 
        /* compare both the length and the data bytes after a
         * pull/push cycle.  This ensures we use the exact same
@@ -502,10 +471,10 @@ static BOOL torture_pac_saved_check(void)
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
 
-               DEBUG(0, ("(saved test) PAC push failed: original buffer length[%u] != created buffer length[%u]\n",
-                               (unsigned)tmp_blob.length, (unsigned)validate_blob.length));
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, 
+                            talloc_asprintf(tctx, 
+                                            "(saved test) PAC push failed: original buffer length[%u] != created buffer length[%u]",
+                                            (unsigned)tmp_blob.length, (unsigned)validate_blob.length));
        }
 
        if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) {
@@ -515,15 +484,12 @@ static BOOL torture_pac_saved_check(void)
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
 
-               DEBUG(0, ("(saved test) PAC push failed: length[%u] matches, but data does not\n",
-                         (unsigned)tmp_blob.length));
                DEBUG(0, ("tmp_data:\n"));
                dump_data(0, tmp_blob.data, tmp_blob.length);
                DEBUG(0, ("validate_blob:\n"));
                dump_data(0, validate_blob.data, validate_blob.length);
 
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, talloc_asprintf(tctx, "(saved test) PAC push failed: length[%u] matches, but data does not", (unsigned)tmp_blob.length));
        }
 
        ret = kerberos_create_pac(mem_ctx, 
@@ -541,9 +507,7 @@ static BOOL torture_pac_saved_check(void)
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
 
-               DEBUG(0, ("(saved test) regnerated PAC create failed\n"));
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, "(saved test) regnerated PAC create failed");
        }
 
        dump_data(10,validate_blob.data,validate_blob.length);
@@ -553,12 +517,10 @@ static BOOL torture_pac_saved_check(void)
         * pointer, padding etc algorithms as win2k3.
         */
        if (tmp_blob.length != validate_blob.length) {
-               nt_status = ndr_pull_struct_blob(&validate_blob, mem_ctx, &pac_data2,
-                                             (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       DEBUG(0,("can't parse the PAC\n"));
-                       return False;
-               }
+               ndr_err = ndr_pull_struct_blob(&validate_blob, mem_ctx, &pac_data2,
+                                              (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
+               nt_status = ndr_map_error2ntstatus(ndr_err);
+               torture_assert_ntstatus_ok(tctx, nt_status, "can't parse the PAC");
                
                NDR_PRINT_DEBUG(PAC_DATA, pac_data);
 
@@ -570,19 +532,16 @@ static BOOL torture_pac_saved_check(void)
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
 
-               DEBUG(0, ("(saved test) PAC regenerate failed: original buffer length[%u] != created buffer length[%u]\n",
-                               (unsigned)tmp_blob.length, (unsigned)validate_blob.length));
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, talloc_asprintf(tctx, 
+                                                  "(saved test) PAC regenerate failed: original buffer length[%u] != created buffer length[%u]",
+                                                  (unsigned)tmp_blob.length, (unsigned)validate_blob.length));
        }
 
        if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) {
-               nt_status = ndr_pull_struct_blob(&validate_blob, mem_ctx, &pac_data2,
-                                             (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       DEBUG(0,("can't parse the PAC\n"));
-                       return False;
-               }
+               ndr_err = ndr_pull_struct_blob(&validate_blob, mem_ctx, &pac_data2,
+                                              (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
+               nt_status = ndr_map_error2ntstatus(ndr_err);
+               torture_assert_ntstatus_ok(tctx, nt_status, "can't parse the PAC");
                
                NDR_PRINT_DEBUG(PAC_DATA, pac_data);
 
@@ -594,15 +553,13 @@ static BOOL torture_pac_saved_check(void)
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
 
-               DEBUG(0, ("(saved test) PAC regenerate failed: length[%u] matches, but data does not\n",
-                         (unsigned)tmp_blob.length));
                DEBUG(0, ("tmp_data:\n"));
                dump_data(0, tmp_blob.data, tmp_blob.length);
                DEBUG(0, ("validate_blob:\n"));
                dump_data(0, validate_blob.data, validate_blob.length);
 
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, talloc_asprintf(tctx, 
+                                                  "(saved test) PAC regenerate failed: length[%u] matches, but data does not", (unsigned)tmp_blob.length));
        }
 
        /* Break the auth time, to ensure we check this vital detail (not setting this caused all the pain in the first place... */
@@ -612,34 +569,34 @@ static BOOL torture_pac_saved_check(void)
                                        &krbtgt_keyblock,
                                        &server_keyblock,
                                        client_principal, 
-                                       authtime + 1);
+                                       authtime + 1, NULL);
        if (NT_STATUS_IS_OK(nt_status)) {
-               DEBUG(1, ("(saved test) PAC decoding DID NOT fail on broken auth time (time + 1)\n"));
 
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
                krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken auth time (time + 1)");
        }
 
        /* Break the client principal */
        krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
 
+       broken_principal_string = talloc_strdup(mem_ctx, principal_string);
+       broken_principal_string[0]++;
+
        ret = krb5_parse_name(smb_krb5_context->krb5_context,
-                            "not the right principal", &client_principal);
+                             broken_principal_string, &client_principal);
        if (ret) {
-               DEBUG(1, ("(saved test) parsing of bogus client principal failed: %s\n", 
-                         smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
 
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, talloc_asprintf(tctx, 
+                                                  "(saved test) parsing of broken client principal failed: %s", 
+                                                  smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
        }
 
        nt_status = kerberos_decode_pac(mem_ctx, &pac_data,
@@ -648,16 +605,13 @@ static BOOL torture_pac_saved_check(void)
                                        &krbtgt_keyblock,
                                        &server_keyblock,
                                        client_principal, 
-                                       authtime);
+                                       authtime, NULL);
        if (NT_STATUS_IS_OK(nt_status)) {
-               DEBUG(1, ("(saved test) PAC decoding DID NOT fail on modified principal\n"));
-
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on modified principal");
        }
 
        /* Finally...  Bugger up the signature, and check we fail the checksum */
@@ -669,31 +623,31 @@ static BOOL torture_pac_saved_check(void)
                                        &krbtgt_keyblock,
                                        &server_keyblock,
                                        client_principal, 
-                                       authtime);
+                                       authtime, NULL);
        if (NT_STATUS_IS_OK(nt_status)) {
-               DEBUG(1, ("(saved test) PAC decoding DID NOT fail on broken checksum\n"));
-
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
-               talloc_free(mem_ctx);
-               return False;
+               torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken checksum");
        }
 
        krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                    &krbtgt_keyblock);
        krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                    &server_keyblock);
-
-       talloc_free(mem_ctx);
-       return True;
+       return true;
 }
 
-BOOL torture_pac(void) 
+_PUBLIC_ struct torture_suite *torture_pac(TALLOC_CTX *mem_ctx)
 {
-       BOOL ret = True;
-       ret &= torture_pac_self_check();
-       ret &= torture_pac_saved_check();
-       return ret;
+       struct torture_suite *suite = torture_suite_create(mem_ctx, "PAC");
+
+       torture_suite_add_simple_test(suite, "self check", 
+                                     torture_pac_self_check);
+
+       torture_suite_add_simple_test(suite, "saved check",
+                                     torture_pac_saved_check);
+
+       return suite;
 }
Samba 4 Debian packaging