s4:torture:auth: Fix PAC checksum test
authorJennifer Sutton <jennifersutton@catalyst.net.nz>
Mon, 5 Jan 2026 22:44:13 +0000 (11:44 +1300)
committerDouglas Bagnall <dbagnall@samba.org>
Thu, 15 Jan 2026 01:48:37 +0000 (01:48 +0000)
This test was supposed to corrupt the KDC signature and ensure that PAC
verification failed, but it corrupted a harmless padding byte instead. However,
PAC verification still failed as expected because the principal remained
corrupted from the previous test.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
source4/torture/auth/pac.c

index 0c96e82559cca95d3a741fd5a7bd432b960e326b..7d20e9ae48965a14ae4c0ec4f2b984340337c158 100644 (file)
@@ -313,6 +313,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
        const char *principal_string;
        char *broken_principal_string;
        krb5_principal client_principal;
+       krb5_principal broken_principal;
        const char *authtime_string;
        time_t authtime;
        TALLOC_CTX *mem_ctx = tctx;
@@ -671,19 +672,18 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
        }
 
        /* Break the client principal */
-       krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
-
        broken_principal_string = talloc_strdup(mem_ctx, principal_string);
        broken_principal_string[0]++;
 
        ret = krb5_parse_name(smb_krb5_context->krb5_context,
-                             broken_principal_string, &client_principal);
+                             broken_principal_string, &broken_principal);
        if (ret) {
 
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            krbtgt_keyblock_p);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
+               krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
                torture_fail(tctx, talloc_asprintf(tctx, 
                                                   "(saved test) parsing of broken client principal failed: %s", 
                                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
@@ -694,18 +694,27 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
                                        smb_krb5_context->krb5_context,
                                        krbtgt_keyblock_p,
                                        &server_keyblock,
-                                       client_principal, 
+                                       broken_principal,
                                        authtime, &pac_data);
        if (NT_STATUS_IS_OK(nt_status)) {
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            krbtgt_keyblock_p);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
+               krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
+               krb5_free_principal(smb_krb5_context->krb5_context, broken_principal);
                torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on modified principal");
        }
 
-       /* Finally...  Bugger up the signature, and check we fail the checksum */
-       tmp_blob.data[tmp_blob.length - 2]++;
+       krb5_free_principal(smb_krb5_context->krb5_context, broken_principal);
+
+       /*
+        * Finally...  Bugger up the KDC signature, and check we fail the checksum.
+        *
+        * Corrupt the byte eighth from the end to account for any padding.
+        */
+       torture_assert_int_greater(tctx, tmp_blob.length, 8, "PAC data blob is smaller than expected");
+       tmp_blob.data[tmp_blob.length - 9]++;
 
        nt_status = kerberos_decode_pac(mem_ctx, 
                                        tmp_blob,
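Review bot: The added `torture_assert_int_greater` length check skips the cleanup that every other failure path in this function performs: if it returns on failure the way the torture_assert macros usually do (its definition is not on this page), the two keyblocks and `client_principal` stay allocated. An explicit guard that frees them before `torture_fail`, as below, keeps this path consistent with the others. The comment above it also says the byte "eighth from the end" while `tmp_blob.length - 9` is the ninth; the comment could read `Corrupt the ninth byte from the end so that trailing padding is skipped.` torture_pac_saved_check starts and ends outside this hunk.

```c
	/* … unchanged: comment describing the KDC signature corruption … */
	if (tmp_blob.length <= 8) {
		krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
					    krbtgt_keyblock_p);
		krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
					    &server_keyblock);
		krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
		torture_fail(tctx, "PAC data blob is smaller than expected");
	}
	tmp_blob.data[tmp_blob.length - 9]++;
```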
@@ -720,6 +729,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
                                            krbtgt_keyblock_p);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &server_keyblock);
+               krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
                torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken checksum");
        }
 
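Review bot: The broken-checksum failure path still appears to fire only when decoding succeeds, so the test passes on any decode error rather than on a signature failure specifically; the condition is outside this hunk, but the commit message describes exactly that masking a corruption that landed on a padding byte. Comparing `nt_status` with the specific status `kerberos_decode_pac` returns for a KDC checksum mismatch (not shown on this page) would tie the pass to signature verification. A comment such as `/* Must fail because of the KDC checksum, not any earlier corruption */` above the check would record the intent.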
@@ -727,6 +737,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
                                    krbtgt_keyblock_p);
        krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                    &server_keyblock);
+       krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
        return true;
 }