authorGarming Sam <garming@catalyst.net.nz>2016-05-09 16:14:51 +1200
committerAndrew Bartlett <abartlet@samba.org>2016-07-05 10:52:32 +0200
commit978bc8681e74ffa17f96fd5d4355094c4a26691c (patch)
tree701d5325b968df1b009d781dce30f1c583494ec4 /source4/torture/krb5
parent965361aa929ab6798e03e71d3800027a32896c7d (diff)
kerberos: Return enc data on PREAUTH_FAILED
Without the enc data, Windows clients will perform two AS-REQ causing the password lockout count to increase by two instead of one. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11539 Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Jul 5 10:52:32 CEST 2016 on sn-devel-144
Diffstat (limited to 'source4/torture/krb5')
-rw-r--r--source4/torture/krb5/kdc-heimdal.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/source4/torture/krb5/kdc-heimdal.c b/source4/torture/krb5/kdc-heimdal.c
index fffe773e21b..52014f75706 100644
--- a/source4/torture/krb5/kdc-heimdal.c
+++ b/source4/torture/krb5/kdc-heimdal.c
@@ -189,6 +189,10 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
"Got wrong error.error_code");
free_KRB_ERROR(&error);
} else if (test_context->packet_count == 1) {
+ METHOD_DATA m;
+ size_t len;
+ int i, ret = 0;
+ bool found = false;
torture_assert_int_equal(test_context->tctx,
decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
"decode_AS_REP failed");
@@ -196,6 +200,20 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_PREAUTH_FAILED - KRB5KDC_ERR_NONE,
"Got wrong error.error_code");
+ torture_assert(test_context->tctx, error.e_data != NULL, "No e-data returned");
+ ret = decode_METHOD_DATA(error.e_data->data, error.e_data->length, &m, &len);
+ torture_assert_int_equal(test_context->tctx, ret, 0,
+ "Got invalid method data");
+
+ torture_assert(test_context->tctx, m.len > 0, "No PA_DATA given");
+ for (i = 0; i < m.len; i++) {
+ if (m.val[i].padata_type == KRB5_PADATA_ENC_TIMESTAMP) {
+ found = true;
+ break;
+ }
+ }
+ torture_assert(test_context->tctx, found, "Encrypted timestamp not found");
+
free_KRB_ERROR(&error);
}
torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets");
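Review bot: `m` is filled by `decode_METHOD_DATA()` but never released; the branch frees only `error`, so the decoded PA-DATA list leaks on every pass through the `packet_count == 1` path. Add `free_METHOD_DATA(&m);` immediately before `free_KRB_ERROR(&error);`. If `torture_assert` returns from the function on failure (as it appears to elsewhere in this file), the three new asserts after the decode also skip both frees, so it may be worth recording the result in `found` and freeing before asserting. The loop compares `int i` (declared in the preceding hunk) with `m.len`, which is presumably unsigned in the generated ASN.1 type; `unsigned int i` avoids the sign-compare warning. Since this test guards the lockout-count behaviour, a short comment such as `/* e-data must carry ENC-TIMESTAMP so clients do not retry and double-count the bad password */` above the loop would record why the check exists. The function begins and continues outside the hunk.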