From a2ce53c1f5301ffcf990dbab837c328ea22739b6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 8 Feb 2011 16:53:13 +1100
Subject: s4-auth Rework auth subsystem to remove struct
 auth_serversupplied_info

This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc.  This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.

The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.

Andrew Barltett
---
 source4/auth/gensec/gensec_gssapi.c | 39 ++++++++++++++++++++++++++++---------
 1 file changed, 30 insertions(+), 9 deletions(-)

(limited to 'source4/auth/gensec/gensec_gssapi.c')

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 132ea7d8ae..ed0597ca98 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1257,11 +1257,13 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 	TALLOC_CTX *mem_ctx;
 	struct gensec_gssapi_state *gensec_gssapi_state
 		= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
-	struct auth_serversupplied_info *server_info = NULL;
+	struct auth_user_info_dc *user_info_dc = NULL;
 	struct auth_session_info *session_info = NULL;
 	OM_uint32 maj_stat, min_stat;
 	gss_buffer_desc pac;
 	DATA_BLOB pac_blob;
+	struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
+	struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
 	
 	if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
 	    || (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, 
@@ -1292,10 +1294,23 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 	 * kind... 
 	 */
 	if (pac_blob.length) {
-		nt_status = kerberos_pac_blob_to_server_info(mem_ctx, 
-							     pac_blob, 
-							     gensec_gssapi_state->smb_krb5_context->krb5_context,
-							     &server_info);
+		pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+		if (!pac_srv_sig) {
+			talloc_free(mem_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+		pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+		if (!pac_kdc_sig) {
+			talloc_free(mem_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
+							      pac_blob,
+							      gensec_gssapi_state->smb_krb5_context->krb5_context,
+							      &user_info_dc,
+							      pac_srv_sig,
+							      pac_kdc_sig);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			talloc_free(mem_ctx);
 			return nt_status;
@@ -1330,11 +1345,11 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 		    !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
 			DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
 				  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
-			nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx, 
+			nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
 											     gensec_security->auth_context, 
 											     principal_string,
 											     NULL,
-											     &server_info);
+											     &user_info_dc);
 			
 			if (!NT_STATUS_IS_OK(nt_status)) {
 				talloc_free(mem_ctx);
@@ -1348,9 +1363,9 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 		}
 	}
 
-	/* references the server_info into the session_info */
+	/* references the user_info_dc into the session_info */
 	nt_status = gensec_generate_session_info(mem_ctx, gensec_security,
-						 server_info, &session_info);
+						 user_info_dc, &session_info);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(mem_ctx);
 		return nt_status;
@@ -1362,6 +1377,12 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 		return nt_status;
 	}
 
+	/* Allow torture tests to check the PAC signatures */
+	if (session_info->torture) {
+		session_info->torture->pac_srv_sig = talloc_steal(session_info->torture, pac_srv_sig);
+		session_info->torture->pac_kdc_sig = talloc_steal(session_info->torture, pac_kdc_sig);
+	}
+
 	if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
 		DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
 	} else {
-- 
cgit