authorStefan Metzmacher <metze@samba.org>2019-12-19 15:34:36 +0100
committerStefan Metzmacher <metze@samba.org>2020-02-10 16:32:36 +0000
commitf8e7c3d3821c0d6389f98cc2c2044e7b8fcdbb7d (patch)
treebfc758f94de416528eb969676206f48f5092a702
parent0b3db29bd5f44daa0abb64ba4a7bb5e5cad2a6ac (diff)
auth/kerberos: add auth4_context_{for,get}_PAC_DATA_CTR() helpers
This adds a generic way to get to the raw (verified) PAC and will be used in multiple places in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
-rw-r--r--auth/kerberos/kerberos_pac.c85
-rw-r--r--auth/kerberos/pac_utils.h10
-rw-r--r--source3/libads/kerberos_proto.h7
-rw-r--r--source3/utils/net_ads.c1
4 files changed, 97 insertions, 6 deletions
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 0ab0e9a4594..650c851bf13 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -30,6 +30,8 @@
#ifdef HAVE_KRB5
#include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "librpc/gen_ndr/auth.h"
+#include "auth/common_auth.h"
#include "auth/kerberos/pac_utils.h"
krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
@@ -466,4 +468,87 @@ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+static NTSTATUS auth4_context_fetch_PAC_DATA_CTR(
+ struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ DATA_BLOB *pac_blob,
+ const char *princ_name,
+ const struct tsocket_address *remote_address,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
+{
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ NTSTATUS status;
+
+ if (pac_blob == NULL) {
+ return NT_STATUS_NO_IMPERSONATION_TOKEN;
+ }
+
+ pac_data_ctr = talloc_zero(mem_ctx, struct PAC_DATA_CTR);
+ if (pac_data_ctr == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ status = kerberos_decode_pac(pac_data_ctr,
+ *pac_blob,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ &pac_data_ctr->pac_data);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
+ pac_blob->data,
+ pac_blob->length);
+ if (pac_data_ctr->pac_blob.length != pac_blob->length) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ *session_info = talloc_zero(mem_ctx, struct auth_session_info);
+ if (*session_info == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ TALLOC_FREE(auth_ctx->private_data);
+ auth_ctx->private_data = talloc_move(auth_ctx, &pac_data_ctr);
+
+ return NT_STATUS_OK;
+
+fail:
+ TALLOC_FREE(pac_data_ctr);
+
+ return status;
+}
+
+struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx)
+{
+ struct auth4_context *auth_ctx = NULL;
+
+ auth_ctx = talloc_zero(mem_ctx, struct auth4_context);
+ if (auth_ctx == NULL) {
+ return NULL;
+ }
+ auth_ctx->generate_session_info_pac = auth4_context_fetch_PAC_DATA_CTR;
+
+ return auth_ctx;
+}
+
+struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx)
+{
+ struct PAC_DATA_CTR *p = NULL;
+ SMB_ASSERT(auth_ctx->generate_session_info_pac == auth4_context_fetch_PAC_DATA_CTR);
+ p = talloc_get_type_abort(auth_ctx->private_data, struct PAC_DATA_CTR);
+ auth_ctx->private_data = NULL;
+ return talloc_move(mem_ctx, &p);
+}
+
#endif
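Review bot: auth4_context_fetch_PAC_DATA_CTR hands NULL for every keyblock and 0 for the authtime to kerberos_decode_pac, so the PAC is only unmarshalled here and none of its checksums are re-checked; the "verified" in the commit message rests entirely on the gensec backend having validated the ticket before it invokes generate_session_info_pac, and that precondition should be written above the function, e.g. `/* Callback for auth4_context->generate_session_info_pac: pac_blob must already be signature-verified by the gensec backend, the NULL keys skip the checksum checks here. */`. The `*session_info` allocated right before the success return is an intentionally empty, zeroed struct auth_session_info that exists only to satisfy the callback contract, which deserves a one-line comment so nobody later treats it as a usable session. auth4_context_get_PAC_DATA_CTR moves private_data to mem_ctx and clears it, making it a one-shot getter, and if the callback never ran (a failed authentication) private_data is NULL, where talloc_get_type_abort presumably aborts rather than returning NULL; either document that it must only be called once after a successful generate_session_info_pac, or guard it with `if (auth_ctx->private_data == NULL) { return NULL; }` before the talloc_get_type_abort. The same ownership and one-shot contract should appear on the two new prototypes in the pac_utils.h hunk, which currently carry no documentation.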
diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h
index d09e7b643d4..36fd60c3349 100644
--- a/auth/kerberos/pac_utils.h
+++ b/auth/kerberos/pac_utils.h
@@ -53,6 +53,16 @@ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
time_t tgs_authtime,
struct PAC_LOGON_INFO **logon_info);
+struct PAC_DATA;
+struct PAC_DATA_CTR {
+ DATA_BLOB pac_blob;
+ struct PAC_DATA *pac_data;
+};
+
+struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx);
+struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx);
+
NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
gss_ctx_id_t gssapi_context,
gss_name_t gss_client_name,
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 433bce9e0ec..3d7b5bc074b 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -32,12 +32,7 @@
#include "system/kerberos.h"
-struct PAC_DATA;
-
-struct PAC_DATA_CTR {
- DATA_BLOB pac_blob;
- struct PAC_DATA *pac_data;
-};
+struct PAC_DATA_CTR;
#define DEFAULT_KRB5_PORT 88
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 95a6ed74b78..702ec096d28 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -40,6 +40,7 @@
#include "libsmb/libsmb.h"
#include "lib/param/loadparm.h"
#include "utils/net_dns.h"
+#include "auth/kerberos/pac_utils.h"
#ifdef HAVE_JANSSON
#include <jansson.h>