From 697a6e9504d9f3eefd97c7c822e90feddd9b9a3b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 30 Jan 2012 08:00:28 +1100 Subject: auth: provide private pointer and do not return original PAC signatures There is no need to return the PAC signatures via the special-purpose torture element. Instead, use a private pointer on the auth_context in conjunction with the private PAC processing method. Andrew Bartlett Autobuild-User: Andrew Bartlett Autobuild-Date: Sun Jan 29 23:52:50 CET 2012 on sn-devel-104 --- auth/common_auth.h | 3 ++ librpc/idl/auth.idl | 2 -- source4/torture/rpc/remote_pac.c | 74 ++++++++++++++++++++++------------------ 3 files changed, 43 insertions(+), 36 deletions(-) diff --git a/auth/common_auth.h b/auth/common_auth.h index 40f7da4fe7..3991c409ac 100644 --- a/auth/common_auth.h +++ b/auth/common_auth.h @@ -102,6 +102,9 @@ struct auth4_context { /* SAM database for this local machine - to fill in local groups, or to authenticate local NTLM users */ struct ldb_context *sam_ctx; + /* Private data for the callbacks on this auth context */ + void *private_data; + NTSTATUS (*check_password)(struct auth4_context *auth_ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl index 3b4853b657..2451d2bab7 100644 --- a/librpc/idl/auth.idl +++ b/librpc/idl/auth.idl @@ -57,8 +57,6 @@ interface auth /* Number SIDs from the DC netlogon validation info */ uint32 num_dc_sids; [size_is(num_dc_sids)] dom_sid dc_sids[*]; - PAC_SIGNATURE_DATA *pac_srv_sig; - PAC_SIGNATURE_DATA *pac_kdc_sig; } auth_user_info_torture; typedef [public] struct { diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 625dfe7f9d..0e70cab770 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -42,6 +42,11 @@ #define TEST_MACHINE_NAME_S2U4SELF_BDC "tests2u4selfbdc" #define TEST_MACHINE_NAME_S2U4SELF_WKSTA "tests2u4selfwk" +struct pac_data { + struct PAC_SIGNATURE_DATA *pac_srv_sig; + struct PAC_SIGNATURE_DATA *pac_kdc_sig; +}; + /* A helper function which avoids touching the local databases to * generate the session info, as we just want to verify the PAC * details, not the full local token */ @@ -56,20 +61,21 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx, { NTSTATUS nt_status; struct auth_user_info_dc *user_info_dc; - struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL; - struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL; TALLOC_CTX *tmp_ctx; - + struct pac_data *pac_data; + tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context"); NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); - pac_srv_sig = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA); - if (!pac_srv_sig) { + auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data); + + pac_data->pac_srv_sig = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_data->pac_srv_sig) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } - pac_kdc_sig = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA); - if (!pac_kdc_sig) { + pac_data->pac_kdc_sig = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_data->pac_kdc_sig) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } @@ -78,13 +84,16 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx, *pac_blob, smb_krb5_context->krb5_context, &user_info_dc, - pac_srv_sig, - pac_kdc_sig); + pac_data->pac_srv_sig, + pac_data->pac_kdc_sig); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } + talloc_steal(pac_data, pac_data->pac_srv_sig); + talloc_steal(pac_data, pac_data->pac_kdc_sig); + if (user_info_dc->info->authenticated) { session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; } @@ -100,13 +109,6 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx, return nt_status; } - if ((*session_info)->torture) { - (*session_info)->torture->pac_srv_sig - = talloc_steal((*session_info)->torture, pac_srv_sig); - (*session_info)->torture->pac_kdc_sig - = talloc_steal((*session_info)->torture, pac_kdc_sig); - } - talloc_free(tmp_ctx); return nt_status; } @@ -144,6 +146,7 @@ static bool test_PACVerify(struct torture_context *tctx, struct auth4_context *auth_context; struct auth_session_info *session_info; + struct pac_data *pac_data; struct dcerpc_binding_handle *b = p->binding_handle; TALLOC_CTX *tmp_ctx = talloc_new(tctx); @@ -206,22 +209,25 @@ static bool test_PACVerify(struct torture_context *tctx, status = gensec_session_info(gensec_server_context, gensec_server_context, &session_info); torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed"); - torture_assert(tctx, session_info->torture != NULL, "gensec_session_info failed to fill in torture sub struct"); - torture_assert(tctx, session_info->torture->pac_srv_sig != NULL, "pac_srv_sig not present"); - torture_assert(tctx, session_info->torture->pac_kdc_sig != NULL, "pac_kdc_sig not present"); - pac_wrapped_struct.ChecksumLength = session_info->torture->pac_srv_sig->signature.length; - pac_wrapped_struct.SignatureType = session_info->torture->pac_kdc_sig->type; - pac_wrapped_struct.SignatureLength = session_info->torture->pac_kdc_sig->signature.length; + pac_data = talloc_get_type(auth_context->private_data, struct pac_data); + + torture_assert(tctx, pac_data != NULL, "gensec_update failed to fill in pac_data in auth_context"); + torture_assert(tctx, pac_data->pac_srv_sig != NULL, "pac_srv_sig not present"); + torture_assert(tctx, pac_data->pac_kdc_sig != NULL, "pac_kdc_sig not present"); + + pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length; + pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type; + pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length; pac_wrapped_struct.ChecksumAndSignature = payload = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); memcpy(&payload.data[0], - session_info->torture->pac_srv_sig->signature.data, + pac_data->pac_srv_sig->signature.data, pac_wrapped_struct.ChecksumLength); memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], - session_info->torture->pac_kdc_sig->signature.data, + pac_data->pac_kdc_sig->signature.data, pac_wrapped_struct.SignatureLength); ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct, @@ -312,22 +318,22 @@ static bool test_PACVerify(struct torture_context *tctx, &r.out.return_authenticator->cred), "Credential chaining failed"); - pac_wrapped_struct.ChecksumLength = session_info->torture->pac_srv_sig->signature.length; - pac_wrapped_struct.SignatureType = session_info->torture->pac_kdc_sig->type; + pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length; + pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type; /* Break the SignatureType */ pac_wrapped_struct.SignatureType++; - pac_wrapped_struct.SignatureLength = session_info->torture->pac_kdc_sig->signature.length; + pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length; pac_wrapped_struct.ChecksumAndSignature = payload = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); memcpy(&payload.data[0], - session_info->torture->pac_srv_sig->signature.data, + pac_data->pac_srv_sig->signature.data, pac_wrapped_struct.ChecksumLength); memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], - session_info->torture->pac_kdc_sig->signature.data, + pac_data->pac_kdc_sig->signature.data, pac_wrapped_struct.SignatureLength); ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct, @@ -360,19 +366,19 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); - pac_wrapped_struct.ChecksumLength = session_info->torture->pac_srv_sig->signature.length; - pac_wrapped_struct.SignatureType = session_info->torture->pac_kdc_sig->type; - pac_wrapped_struct.SignatureLength = session_info->torture->pac_kdc_sig->signature.length; + pac_wrapped_struct.ChecksumLength = pac_data->pac_srv_sig->signature.length; + pac_wrapped_struct.SignatureType = pac_data->pac_kdc_sig->type; + pac_wrapped_struct.SignatureLength = pac_data->pac_kdc_sig->signature.length; pac_wrapped_struct.ChecksumAndSignature = payload = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); memcpy(&payload.data[0], - session_info->torture->pac_srv_sig->signature.data, + pac_data->pac_srv_sig->signature.data, pac_wrapped_struct.ChecksumLength); memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], - session_info->torture->pac_kdc_sig->signature.data, + pac_data->pac_kdc_sig->signature.data, pac_wrapped_struct.SignatureLength); /* Break the signature length */ -- cgit