From a2ce53c1f5301ffcf990dbab837c328ea22739b6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 8 Feb 2011 16:53:13 +1100
Subject: s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results.
Andrew Barltett
---
 source4/auth/gensec/gensec.c | 8 ++++----
 source4/auth/gensec/gensec.h | 2 +-
 source4/auth/gensec/gensec_gssapi.c | 39 ++++++++++++++++++++++++++++---------
 source4/auth/gensec/gensec_krb5.c | 14 ++++++-------
 4 files changed, 42 insertions(+), 21 deletions(-)
(limited to 'source4/auth/gensec')
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index c732c6e8de..b9385debc3 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -1315,17 +1315,17 @@ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
 NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
 struct gensec_security *gensec_security,
- struct auth_serversupplied_info *server_info,
+ struct auth_user_info_dc *user_info_dc,
 struct auth_session_info **session_info)
 {
 NTSTATUS nt_status;
 uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
- if (server_info->authenticated) {
+ if (user_info_dc->info->authenticated) {
 flags |= AUTH_SESSION_INFO_AUTHENTICATED;
 }
 if (gensec_security->auth_context) {
 nt_status = gensec_security->auth_context->generate_session_info(mem_ctx,
 gensec_security->auth_context,
- server_info,
+ user_info_dc,
 flags,
 session_info);
 } else {
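Review bot: gensec_generate_session_info now dereferences `user_info_dc->info->authenticated` on the line that replaces the old `server_info->authenticated` test, but neither the definition nor the prototype in gensec.h carries a comment saying what the caller must supply; with the extra level of indirection, a caller passing a user_info_dc whose `info` member was never filled in dereferences NULL here instead of failing cleanly. A Doxygen comment on the gensec.h declaration along the lines of `/** Build a finalised session_info from a DC-side auth result; user_info_dc and its info member must be populated by the caller. */` would record that contract, and a guard `if (user_info_dc == NULL || user_info_dc->info == NULL) return NT_STATUS_INVALID_PARAMETER;` ahead of the flags test would make it fail safe. The body of gensec_generate_session_info continues past the end of this hunk.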
@@ -1333,7 +1333,7 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
 nt_status = auth_generate_session_info(mem_ctx,
 NULL,
 NULL,
- server_info, flags,
+ user_info_dc, flags,
 session_info);
 }
 return nt_status;
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index 62d8a45491..ad581e2fa5 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -180,7 +180,7 @@ struct gensec_critical_sizes {
 struct gensec_security;
 struct socket_context;
 struct auth_context;
-struct auth_serversupplied_info;
+struct auth_user_info_dc;
 NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
 TALLOC_CTX *mem_ctx,
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 132ea7d8ae..ed0597ca98 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1257,11 +1257,13 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 TALLOC_CTX *mem_ctx;
 struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
- struct auth_serversupplied_info *server_info = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
 struct auth_session_info *session_info = NULL;
 OM_uint32 maj_stat, min_stat;
 gss_buffer_desc pac;
 DATA_BLOB pac_blob;
+ struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
+ struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
 if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length) ||
 (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
@@ -1292,10 +1294,23 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 * kind... */
 if (pac_blob.length) {
- nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
- pac_blob,
- gensec_gssapi_state->smb_krb5_context->krb5_context,
- &server_info);
+ pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+ if (!pac_srv_sig) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+ if (!pac_kdc_sig) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
+ pac_blob,
+ gensec_gssapi_state->smb_krb5_context->krb5_context,
+ &user_info_dc,
+ pac_srv_sig,
+ pac_kdc_sig);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(mem_ctx);
 return nt_status;
@@ -1330,11 +1345,11 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
 DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
+ nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
 gensec_security->auth_context,
 principal_string,
 NULL,
- &server_info);
+ &user_info_dc);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(mem_ctx);
@@ -1348,9 +1363,9 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 }
 }
- /* references the server_info into the session_info */
+ /* references the user_info_dc into the session_info */
 nt_status = gensec_generate_session_info(mem_ctx, gensec_security,
- server_info, &session_info);
+ user_info_dc, &session_info);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(mem_ctx);
 return nt_status;
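Review bot: The two `talloc(mem_ctx, struct PAC_SIGNATURE_DATA)` allocations inside the `if (pac_blob.length)` branch leave both signature structs uninitialised until kerberos_pac_blob_to_user_info_dc fills them; if that helper can return without writing both (its body is not in this diff), whatever later reads them through session_info->torture sees indeterminate memory. Switching to `pac_srv_sig = talloc_zero(mem_ctx, struct PAC_SIGNATURE_DATA);` and likewise for `pac_kdc_sig` costs nothing and makes a partially filled result recognisable. A comment above the allocations stating that the signatures are kept only for the torture tests would also help, since nothing in the shown hunks checks them; signature verification is presumably done inside the helper and should be confirmed there. gensec_gssapi_session_info starts before this hunk and continues after it.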
@@ -1362,6 +1377,12 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 return nt_status;
 }
+ /* Allow torture tests to check the PAC signatures */
+ if (session_info->torture) {
+ session_info->torture->pac_srv_sig = talloc_steal(session_info->torture, pac_srv_sig);
+ session_info->torture->pac_kdc_sig = talloc_steal(session_info->torture, pac_kdc_sig);
+ }
+
 if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
 DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
 } else {
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index fc96e3851c..4f452a07ee 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -603,7 +603,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
 struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
 krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
- struct auth_serversupplied_info *server_info = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
 struct auth_session_info *session_info = NULL;
 struct PAC_LOGON_INFO *logon_info;
@@ -663,10 +663,10 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s",
 principal_string, smb_get_krb5_error_message(context, ret, mem_ctx)));
- nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
+ nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
 gensec_security->auth_context,
 principal_string,
- NULL, &server_info);
+ NULL, &user_info_dc);
 if (!NT_STATUS_IS_OK(nt_status)) {
 free(principal_string);
 krb5_free_principal(context, client_principal);
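Review bot: On the local-lookup fallback path (the hunk at -1330) `pac_srv_sig` and `pac_kdc_sig` are still NULL when the new torture block runs, so the torture fields receive the result of `talloc_steal(session_info->torture, NULL)`, which is NULL; that is harmless, but it is not obvious from the code and a torture test cannot tell "no PAC was present" from "signatures were not captured". A comment such as `/* both stay NULL when the session came from a local lookup rather than a PAC */` above the `if (session_info->torture)` line would record this. gensec_gssapi_session_info continues past the end of this hunk.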
@@ -709,10 +709,10 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 }
 validation.sam3 = &logon_info->info3;
- nt_status = make_server_info_netlogon_validation(mem_ctx,
+ nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
 NULL,
 3, &validation,
- &server_info);
+ &user_info_dc);
 if (!NT_STATUS_IS_OK(nt_status)) {
 free(principal_string);
 krb5_free_principal(context, client_principal);
@@ -724,8 +724,8 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 free(principal_string);
 krb5_free_principal(context, client_principal);
- /* references the server_info into the session_info */
- nt_status = gensec_generate_session_info(mem_ctx, gensec_security, server_info, &session_info);
+ /* references the user_info_dc into the session_info */
+ nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(mem_ctx);
-- cgit