diff options
| author | Christof Schmitt <christof.schmitt@us.ibm.com> | 2012-07-05 13:17:00 -0700 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2012-07-06 20:45:51 +1000 |
| commit | 7285ed586f129d45843f98c359003d9ac88cf5cb (patch) | |
| tree | 4ca176f1284f9f43930be940b0173bae209fc0ab | |
| parent | a49eb60e041a55122ce04ed6f576c2ba09c11fe3 (diff) | |
| download | samba-7285ed586f129d45843f98c359003d9ac88cf5cb.tar.gz samba-7285ed586f129d45843f98c359003d9ac88cf5cb.tar.bz2 samba-7285ed586f129d45843f98c359003d9ac88cf5cb.zip | |
auth: Common function for retrieving PAC_LOGIN_INFO from PAC
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
| -rw-r--r-- | auth/kerberos/kerberos_pac.c | 37 | ||||
| -rw-r--r-- | auth/kerberos/pac_utils.h | 10 | ||||
| -rw-r--r-- | source3/auth/auth_generic.c | 28 | ||||
| -rw-r--r-- | source3/libads/authdata.c | 29 | ||||
| -rw-r--r-- | source3/utils/ntlm_auth.c | 28 | ||||
| -rw-r--r-- | source4/auth/kerberos/kerberos.h | 8 | ||||
| -rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 37 |
7 files changed, 54 insertions, 123 deletions
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c index eacf39d321..80f31d869f 100644 --- a/auth/kerberos/kerberos_pac.c +++ b/auth/kerberos/kerberos_pac.c @@ -402,4 +402,41 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx, + DATA_BLOB blob, + krb5_context context, + const krb5_keyblock *krbtgt_keyblock, + const krb5_keyblock *service_keyblock, + krb5_const_principal client_principal, + time_t tgs_authtime, + struct PAC_LOGON_INFO **logon_info) +{ + NTSTATUS nt_status; + struct PAC_DATA *pac_data; + int i; + nt_status = kerberos_decode_pac(mem_ctx, + blob, + context, + krbtgt_keyblock, + service_keyblock, + client_principal, + tgs_authtime, + &pac_data); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + *logon_info = NULL; + for (i=0; i < pac_data->num_buffers; i++) { + if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { + continue; + } + *logon_info = pac_data->buffers[i].info->logon_info.info; + } + if (!*logon_info) { + return NT_STATUS_INVALID_PARAMETER; + } + return NT_STATUS_OK; +} + #endif diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h index d654bec208..b9b66649ee 100644 --- a/auth/kerberos/pac_utils.h +++ b/auth/kerberos/pac_utils.h @@ -26,6 +26,7 @@ struct PAC_SIGNATURE_DATA; struct PAC_DATA; +struct PAC_LOGON_INFO; krb5_error_code check_pac_checksum(DATA_BLOB pac_data, struct PAC_SIGNATURE_DATA *sig, @@ -41,6 +42,15 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, time_t tgs_authtime, struct PAC_DATA **pac_data_out); +NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx, + DATA_BLOB blob, + krb5_context context, + const krb5_keyblock *krbtgt_keyblock, + const krb5_keyblock *service_keyblock, + krb5_const_principal client_principal, + time_t tgs_authtime, + struct PAC_LOGON_INFO **logon_info); + NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx, gss_ctx_id_t gssapi_context, gss_name_t gss_client_name, diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index 82b376feb6..80f5fa7d3e 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c @@ -42,9 +42,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, struct auth_session_info **session_info) { TALLOC_CTX *tmp_ctx; - struct PAC_DATA *pac_data = NULL; struct PAC_LOGON_INFO *logon_info = NULL; - unsigned int i; bool is_mapped; bool is_guest; char *ntuser; @@ -62,36 +60,14 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, if (pac_blob) { #ifdef HAVE_KRB5 - status = kerberos_decode_pac(tmp_ctx, - *pac_blob, - NULL, NULL, NULL, NULL, 0, &pac_data); + status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, + NULL, NULL, 0, &logon_info); #else status = NT_STATUS_ACCESS_DENIED; #endif if (!NT_STATUS_IS_OK(status)) { goto done; } - - /* get logon name and logon info */ - for (i = 0; i < pac_data->num_buffers; i++) { - struct PAC_BUFFER *data_buf = &pac_data->buffers[i]; - - switch (data_buf->type) { - case PAC_TYPE_LOGON_INFO: - if (!data_buf->info) { - break; - } - logon_info = data_buf->info->logon_info.info; - break; - default: - break; - } - } - if (!logon_info) { - DEBUG(1, ("Invalid PAC data, missing logon info!\n")); - status = NT_STATUS_NOT_FOUND; - goto done; - } } rc = get_remote_hostname(remote_address, diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 60897bf5fb..2c667a66bc 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -51,9 +51,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, struct auth_session_info **session_info) { TALLOC_CTX *tmp_ctx; - struct PAC_DATA *pac_data = NULL; struct PAC_LOGON_INFO *logon_info = NULL; - unsigned int i; NTSTATUS status = NT_STATUS_INTERNAL_ERROR; tmp_ctx = talloc_new(mem_ctx); @@ -62,34 +60,13 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, } if (pac_blob) { - status = kerberos_decode_pac(tmp_ctx, - *pac_blob, - NULL, NULL, NULL, NULL, 0, &pac_data); + status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, + NULL, NULL, 0, &logon_info); if (!NT_STATUS_IS_OK(status)) { goto done; } - - /* get logon name and logon info */ - for (i = 0; i < pac_data->num_buffers; i++) { - struct PAC_BUFFER *data_buf = &pac_data->buffers[i]; - - switch (data_buf->type) { - case PAC_TYPE_LOGON_INFO: - if (!data_buf->info) { - break; - } - logon_info = data_buf->info->logon_info.info; - break; - default: - break; - } - } - if (!logon_info) { - DEBUG(1, ("Invalid PAC data, missing logon info!\n")); - status = NT_STATUS_NOT_FOUND; - goto done; - } } + talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO"); auth_ctx->private_data = talloc_steal(auth_ctx, logon_info); diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index a832b5bc60..afb51e9356 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -716,9 +716,7 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c struct auth_session_info **session_info) { TALLOC_CTX *tmp_ctx; - struct PAC_DATA *pac_data = NULL; struct PAC_LOGON_INFO *logon_info = NULL; - unsigned int i; char *unixuser; NTSTATUS status; char *domain = NULL; @@ -733,36 +731,14 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c if (pac_blob) { #ifdef HAVE_KRB5 - status = kerberos_decode_pac(tmp_ctx, - *pac_blob, - NULL, NULL, NULL, NULL, 0, &pac_data); + status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, + NULL, NULL, 0, &logon_info); #else status = NT_STATUS_ACCESS_DENIED; #endif if (!NT_STATUS_IS_OK(status)) { goto done; } - - /* get logon name and logon info */ - for (i = 0; i < pac_data->num_buffers; i++) { - struct PAC_BUFFER *data_buf = &pac_data->buffers[i]; - - switch (data_buf->type) { - case PAC_TYPE_LOGON_INFO: - if (!data_buf->info) { - break; - } - logon_info = data_buf->info->logon_info.info; - break; - default: - break; - } - } - if (!logon_info) { - DEBUG(1, ("Invalid PAC data, missing logon info!\n")); - status = NT_STATUS_NOT_FOUND; - goto done; - } } DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h index 707426d496..51b80556bf 100644 --- a/source4/auth/kerberos/kerberos.h +++ b/source4/auth/kerberos/kerberos.h @@ -83,14 +83,6 @@ const krb5_data *krb5_princ_component(krb5_context context, krb5_principal princ #endif /* Samba wrapper function for krb5 functionality. */ -NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx, - DATA_BLOB blob, - krb5_context context, - const krb5_keyblock *krbtgt_keyblock, - const krb5_keyblock *service_keyblock, - krb5_const_principal client_principal, - time_t tgs_authtime, - struct PAC_LOGON_INFO **logon_info); krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx, struct PAC_DATA *pac_data, krb5_context context, diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c index 85b62632ba..76c1d99d91 100644 --- a/source4/auth/kerberos/kerberos_pac.c +++ b/source4/auth/kerberos/kerberos_pac.c @@ -33,43 +33,6 @@ #include "auth/kerberos/kerberos_util.h" #include "auth/kerberos/pac_utils.h" -_PUBLIC_ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx, - DATA_BLOB blob, - krb5_context context, - const krb5_keyblock *krbtgt_keyblock, - const krb5_keyblock *service_keyblock, - krb5_const_principal client_principal, - time_t tgs_authtime, - struct PAC_LOGON_INFO **logon_info) -{ - NTSTATUS nt_status; - struct PAC_DATA *pac_data; - int i; - nt_status = kerberos_decode_pac(mem_ctx, - blob, - context, - krbtgt_keyblock, - service_keyblock, - client_principal, - tgs_authtime, - &pac_data); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - - *logon_info = NULL; - for (i=0; i < pac_data->num_buffers; i++) { - if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { - continue; - } - *logon_info = pac_data->buffers[i].info->logon_info.info; - } - if (!*logon_info) { - return NT_STATUS_INVALID_PARAMETER; - } - return NT_STATUS_OK; -} - krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx, struct PAC_DATA *pac_data, krb5_context context, |