Changeset 745 for trunk/server/source4/torture/auth
- Timestamp:
- Nov 27, 2012, 4:43:17 PM (13 years ago)
- Location:
- trunk/server
- Files:
-
- 3 edited
trunk/server
- Property svn:mergeinfo changed
/vendor/current merged: 581,587,591,594,597,600,615,618,740
- Property svn:mergeinfo changed
-
trunk/server/source4/torture/auth/ntlmssp.c
r414 r745 20 20 #include "includes.h" 21 21 #include "auth/gensec/gensec.h" 22 #include "auth/gensec/gensec_proto.h"23 22 #include "auth/ntlmssp/ntlmssp.h" 24 23 #include "lib/cmdline/popt_common.h" … … 29 28 { 30 29 struct gensec_security *gensec_security; 31 struct gensec_ntlmssp_state *gensec_ntlmssp_state; 30 struct gensec_ntlmssp_context *gensec_ntlmssp; 31 struct ntlmssp_state *ntlmssp_state; 32 32 DATA_BLOB data; 33 33 DATA_BLOB sig, expected_sig; … … 36 36 torture_assert_ntstatus_ok(tctx, 37 37 gensec_client_start(mem_ctx, &gensec_security, 38 tctx->ev, lp _gensec_settings(tctx, tctx->lp_ctx)),38 tctx->ev, lpcfg_gensec_settings(tctx, tctx->lp_ctx)), 39 39 "gensec client start"); 40 40 … … 48 48 "Failed to start GENSEC for NTLMSSP"); 49 49 50 gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; 50 gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data, 51 struct gensec_ntlmssp_context); 52 ntlmssp_state = gensec_ntlmssp->ntlmssp_state; 51 53 52 gensec_ntlmssp_state->session_key = strhex_to_data_blob(tctx, "0102030405060708090a0b0c0d0e0f00");54 ntlmssp_state->session_key = strhex_to_data_blob(tctx, "0102030405060708090a0b0c0d0e0f00"); 53 55 dump_data_pw("NTLMSSP session key: \n", 54 gensec_ntlmssp_state->session_key.data,55 gensec_ntlmssp_state->session_key.length);56 ntlmssp_state->session_key.data, 57 ntlmssp_state->session_key.length); 56 58 57 gensec_ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_NTLM2;59 ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_NTLM2; 58 60 59 61 torture_assert_ntstatus_ok(tctx, 60 ntlmssp_sign_init( gensec_ntlmssp_state),62 ntlmssp_sign_init(ntlmssp_state), 61 63 "Failed to sign_init"); 62 64 … … 80 82 NT_STATUS_ACCESS_DENIED, "Check of just signed packet (should fail, wrong 
end)"); 81 83 82 gensec_ntlmssp_state->session_key = data_blob(NULL, 0);84 ntlmssp_state->session_key = data_blob(NULL, 0); 83 85 84 86 torture_assert_ntstatus_equal(tctx, … … 91 93 torture_assert_ntstatus_ok(tctx, 92 94 gensec_client_start(mem_ctx, &gensec_security, 93 tctx->ev, lp _gensec_settings(tctx, tctx->lp_ctx)),95 tctx->ev, lpcfg_gensec_settings(tctx, tctx->lp_ctx)), 94 96 "Failed to start GENSEC for NTLMSSP"); 95 97 … … 103 105 "GENSEC start mech by oid"); 104 106 105 gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; 107 gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data, 108 struct gensec_ntlmssp_context); 109 ntlmssp_state = gensec_ntlmssp->ntlmssp_state; 106 110 107 gensec_ntlmssp_state->session_key = strhex_to_data_blob(tctx, "0102030405e538b0");111 ntlmssp_state->session_key = strhex_to_data_blob(tctx, "0102030405e538b0"); 108 112 dump_data_pw("NTLMSSP session key: \n", 109 gensec_ntlmssp_state->session_key.data,110 gensec_ntlmssp_state->session_key.length);113 ntlmssp_state->session_key.data, 114 ntlmssp_state->session_key.length); 111 115 112 gensec_ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_KEY_EXCH;116 ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_KEY_EXCH; 113 117 114 118 torture_assert_ntstatus_ok(tctx, 115 ntlmssp_sign_init( gensec_ntlmssp_state),119 ntlmssp_sign_init(ntlmssp_state), 116 120 "Failed to sign_init"); 117 121 … … 148 152 struct torture_suite *torture_ntlmssp(TALLOC_CTX *mem_ctx) 149 153 { 150 struct torture_suite *suite = torture_suite_create(mem_ctx, 151 "NTLMSSP"); 154 struct torture_suite *suite = torture_suite_create(mem_ctx, "ntlmssp"); 152 155 153 156 torture_suite_add_simple_test(suite, "NTLMSSP self check", -
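Review bot: `ntlmssp_state = gensec_ntlmssp->ntlmssp_state;` is dereferenced by the very next statement without a check, at both places the new lookup appears (new lines 50-54 and 107-111). `talloc_get_type_abort()` covers a missing or wrongly typed `private_data`, but not an unset `ntlmssp_state` member, so a regression in mechanism start-up would crash the torture run instead of reporting a failure. Adding `torture_assert(tctx, ntlmssp_state != NULL, "NTLMSSP state not set up");` after the assignment would turn that into an ordinary test failure. The second case would also benefit from a comment such as `/* 8-byte key, no NTLMSSP_NEGOTIATE_128 / NTLMSSP_NEGOTIATE_NTLM2: signing without the stronger options */`, because the two cases differ only in key length and flags and nothing says why. The enclosing test function starts and ends outside the visible hunks.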
trunk/server/source4/torture/auth/pac.c
r414 r745 25 25 #include "auth/auth.h" 26 26 #include "auth/kerberos/kerberos.h" 27 #include "librpc/gen_ndr/ndr_krb5pac.h"28 27 #include "samba3/samba3.h" 29 28 #include "libcli/security/security.h" … … 31 30 #include "auth/auth_sam_reply.h" 32 31 #include "param/param.h" 32 #include "librpc/gen_ndr/ndr_krb5pac.h" 33 33 34 34 static bool torture_pac_self_check(struct torture_context *tctx) … … 50 50 struct smb_krb5_context *smb_krb5_context; 51 51 52 struct auth_ serversupplied_info *server_info;53 struct auth_ serversupplied_info *server_info_out;52 struct auth_user_info_dc *user_info_dc; 53 struct auth_user_info_dc *user_info_dc_out; 54 54 55 55 krb5_principal client_principal; … … 92 92 93 93 /* We need an input, and this one requires no underlying database */ 94 nt_status = auth_anonymous_ server_info(mem_ctx, lp_netbios_name(tctx->lp_ctx), &server_info);94 nt_status = auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(tctx->lp_ctx), &user_info_dc); 95 95 96 96 if (!NT_STATUS_IS_OK(nt_status)) { … … 99 99 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 100 100 &krbtgt_keyblock); 101 torture_fail(tctx, "auth_anonymous_ server_info");101 torture_fail(tctx, "auth_anonymous_user_info_dc"); 102 102 } 103 103 104 104 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, 105 server_info->account_name,105 user_info_dc->info->account_name, 106 106 KRB5_PRINCIPAL_PARSE_NO_REALM, 107 107 &client_principal); … … 116 116 /* OK, go ahead and make a PAC */ 117 117 ret = kerberos_create_pac(mem_ctx, 118 lp_iconv_convenience(tctx->lp_ctx), 119 server_info, 118 user_info_dc, 120 119 smb_krb5_context->krb5_context, 121 120 &krbtgt_keyblock, … … 143 142 /* Now check that we can read it back (using full decode and validate) */ 144 143 nt_status = kerberos_decode_pac(mem_ctx, 145 lp_iconv_convenience(tctx->lp_ctx),146 144 &pac_data, 147 145 tmp_blob, … … 166 164 167 165 /* Now check we can read it back (using Heimdal's pac parsing) */ 168 nt_status = 
kerberos_pac_blob_to_server_info(mem_ctx, 169 lp_iconv_convenience(tctx->lp_ctx), 166 nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, 170 167 tmp_blob, 171 168 smb_krb5_context->krb5_context, 172 &server_info_out); 173 174 if (!dom_sid_equal(server_info->account_sid, 175 server_info_out->account_sid)) { 169 &user_info_dc_out, NULL, NULL); 170 171 /* The user's SID is the first element in the list */ 172 if (!dom_sid_equal(user_info_dc->sids, 173 user_info_dc_out->sids)) { 176 174 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 177 175 &krbtgt_keyblock); … … 184 182 talloc_asprintf(tctx, 185 183 "(self test) PAC Decode resulted in *different* domain SID: %s != %s", 186 dom_sid_string(mem_ctx, server_info->account_sid),187 dom_sid_string(mem_ctx, server_info_out->account_sid)));188 } 189 talloc_free( server_info_out);184 dom_sid_string(mem_ctx, user_info_dc->sids), 185 dom_sid_string(mem_ctx, user_info_dc_out->sids))); 186 } 187 talloc_free(user_info_dc_out); 190 188 191 189 /* Now check that we can read it back (yet again) */ 192 190 nt_status = kerberos_pac_logon_info(mem_ctx, 193 lp_iconv_convenience(tctx->lp_ctx),194 191 &logon_info, 195 192 tmp_blob, … … 224 221 /* And make a server info from the samba-parsed PAC */ 225 222 validation.sam3 = &logon_info->info3; 226 nt_status = make_ server_info_netlogon_validation(mem_ctx,223 nt_status = make_user_info_dc_netlogon_validation(mem_ctx, 227 224 "", 228 225 3, &validation, 229 & server_info_out);226 &user_info_dc_out); 230 227 if (!NT_STATUS_IS_OK(nt_status)) { 231 228 torture_fail(tctx, … … 235 232 } 236 233 237 if (!dom_sid_equal( server_info->account_sid,238 server_info_out->account_sid)) {234 if (!dom_sid_equal(user_info_dc->sids, 235 user_info_dc_out->sids)) { 239 236 torture_fail(tctx, 240 237 talloc_asprintf(tctx, 241 238 "(self test) PAC Decode resulted in *different* domain SID: %s != %s", 242 dom_sid_string(mem_ctx, server_info->account_sid),243 dom_sid_string(mem_ctx, 
server_info_out->account_sid)));239 dom_sid_string(mem_ctx, user_info_dc->sids), 240 dom_sid_string(mem_ctx, user_info_dc_out->sids))); 244 241 } 245 242 return true; … … 303 300 union netr_Validation validation; 304 301 const char *pac_file, *pac_kdc_key, *pac_member_key; 305 struct auth_ serversupplied_info *server_info_out;302 struct auth_user_info_dc *user_info_dc_out; 306 303 307 304 krb5_keyblock server_keyblock; … … 411 408 /* Decode and verify the signaure on the PAC */ 412 409 nt_status = kerberos_decode_pac(mem_ctx, 413 lp_iconv_convenience(tctx->lp_ctx),414 410 &pac_data, 415 411 tmp_blob, … … 431 427 432 428 /* Now check we can read it back (using Heimdal's pac parsing) */ 433 nt_status = kerberos_pac_blob_to_server_info(mem_ctx, 434 lp_iconv_convenience(tctx->lp_ctx), 429 nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, 435 430 tmp_blob, 436 431 smb_krb5_context->krb5_context, 437 &server_info_out); 432 &user_info_dc_out, 433 NULL, NULL); 438 434 439 435 if (!NT_STATUS_IS_OK(nt_status)) { … … 452 448 !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, 453 449 "S-1-5-21-3048156945-3961193616-3706469200-1005"), 454 server_info_out->account_sid)) {450 user_info_dc_out->sids)) { 455 451 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 456 452 krbtgt_keyblock_p); … … 463 459 "(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s", 464 460 "S-1-5-21-3048156945-3961193616-3706469200-1005", 465 dom_sid_string(mem_ctx, server_info_out->account_sid)));466 } 467 468 talloc_free( server_info_out);461 dom_sid_string(mem_ctx, user_info_dc_out->sids))); 462 } 463 464 talloc_free(user_info_dc_out); 469 465 470 466 /* Parse the PAC again, for the logon info this time (using Samba4's parsing) */ 471 467 nt_status = kerberos_pac_logon_info(mem_ctx, 472 lp_iconv_convenience(tctx->lp_ctx),473 468 &logon_info, 474 469 tmp_blob, … … 492 487 493 488 validation.sam3 = &logon_info->info3; 494 nt_status = make_ 
server_info_netlogon_validation(mem_ctx,489 nt_status = make_user_info_dc_netlogon_validation(mem_ctx, 495 490 "", 496 491 3, &validation, 497 & server_info_out);492 &user_info_dc_out); 498 493 if (!NT_STATUS_IS_OK(nt_status)) { 499 494 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, … … 512 507 !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, 513 508 "S-1-5-21-3048156945-3961193616-3706469200-1005"), 514 server_info_out->account_sid)) {509 user_info_dc_out->sids)) { 515 510 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 516 511 krbtgt_keyblock_p); … … 523 518 "(saved test) PAC Decode resulted in *different* domain SID: %s != %s", 524 519 "S-1-5-21-3048156945-3961193616-3706469200-1005", 525 dom_sid_string(mem_ctx, server_info_out->account_sid)));520 dom_sid_string(mem_ctx, user_info_dc_out->sids))); 526 521 } 527 522 … … 535 530 536 531 ret = kerberos_encode_pac(mem_ctx, 537 lp_iconv_convenience(tctx->lp_ctx),538 532 pac_data, 539 533 smb_krb5_context->krb5_context, … … 587 581 588 582 ret = kerberos_create_pac(mem_ctx, 589 lp_iconv_convenience(tctx->lp_ctx), 590 server_info_out, 583 user_info_dc_out, 591 584 smb_krb5_context->krb5_context, 592 585 krbtgt_keyblock_p, … … 613 606 if (tmp_blob.length != validate_blob.length) { 614 607 ndr_err = ndr_pull_struct_blob(&validate_blob, mem_ctx, 615 lp_iconv_convenience(tctx->lp_ctx),&pac_data2,608 &pac_data2, 616 609 (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); 617 610 nt_status = ndr_map_error2ntstatus(ndr_err); … … 635 628 if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) { 636 629 ndr_err = ndr_pull_struct_blob(&validate_blob, mem_ctx, 637 lp_iconv_convenience(tctx->lp_ctx),&pac_data2,630 &pac_data2, 638 631 (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); 639 632 nt_status = ndr_map_error2ntstatus(ndr_err); … … 661 654 /* Break the auth time, to ensure we check this vital detail (not setting this caused all the pain in the first place... 
*/ 662 655 nt_status = kerberos_decode_pac(mem_ctx, 663 lp_iconv_convenience(tctx->lp_ctx),664 656 &pac_data, 665 657 tmp_blob, … … 699 691 700 692 nt_status = kerberos_decode_pac(mem_ctx, 701 lp_iconv_convenience(tctx->lp_ctx),702 693 &pac_data, 703 694 tmp_blob, … … 719 710 720 711 nt_status = kerberos_decode_pac(mem_ctx, 721 lp_iconv_convenience(tctx->lp_ctx),722 712 &pac_data, 723 713 tmp_blob, … … 744 734 struct torture_suite *torture_pac(TALLOC_CTX *mem_ctx) 745 735 { 746 struct torture_suite *suite = torture_suite_create(mem_ctx, " PAC");736 struct torture_suite *suite = torture_suite_create(mem_ctx, "pac"); 747 737 748 738 torture_suite_add_simple_test(suite, "self check",
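Review bot: In torture_pac_self_check the result of `kerberos_pac_blob_to_user_info_dc(...)` (new lines 166-169) is stored in `nt_status`, but the next statement already reads `user_info_dc_out->sids`, so a failed decode dereferences an output pointer that was never set. The saved-PAC test follows the same call with `if (!NT_STATUS_IS_OK(nt_status))` before touching the result; the self check should get the same guard, with the keyblock cleanup its neighbouring branches do, ahead of the `dom_sid_equal()` comparison. Every comparison now treats `sids` as "the first element is the user's SID", yet that comment appears only once and nothing visible asserts the list is non-empty; if the structure carries a count, asserting it is non-zero before each comparison would keep a malformed PAC from being compared through an empty array. The failure strings still say "different domain SID" although the value compared is now the user SID. Both functions start and end outside the visible hunks.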