authorStefan Metzmacher <metze@samba.org>2019-12-19 15:34:36 +0100
committerStefan Metzmacher <metze@samba.org>2020-02-10 16:32:36 +0000
commitf8e7c3d3821c0d6389f98cc2c2044e7b8fcdbb7d (patch)
treebfc758f94de416528eb969676206f48f5092a702 /auth
parent0b3db29bd5f44daa0abb64ba4a7bb5e5cad2a6ac (diff)
downloadsamba-f8e7c3d3821c0d6389f98cc2c2044e7b8fcdbb7d.tar.gz
auth/kerberos: add auth4_context_{for,get}_PAC_DATA_CTR() helpers
This adds a generic way to get to the raw (verified) PAC and will be used in multiple places in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'auth')
-rw-r--r--auth/kerberos/kerberos_pac.c85
-rw-r--r--auth/kerberos/pac_utils.h10
2 files changed, 95 insertions, 0 deletions
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 0ab0e9a4594..650c851bf13 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -30,6 +30,8 @@
#ifdef HAVE_KRB5
#include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "librpc/gen_ndr/auth.h"
+#include "auth/common_auth.h"
#include "auth/kerberos/pac_utils.h"
krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
@@ -466,4 +468,87 @@ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+static NTSTATUS auth4_context_fetch_PAC_DATA_CTR(
+ struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ DATA_BLOB *pac_blob,
+ const char *princ_name,
+ const struct tsocket_address *remote_address,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
+{
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ NTSTATUS status;
+
+ if (pac_blob == NULL) {
+ return NT_STATUS_NO_IMPERSONATION_TOKEN;
+ }
+
+ pac_data_ctr = talloc_zero(mem_ctx, struct PAC_DATA_CTR);
+ if (pac_data_ctr == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ status = kerberos_decode_pac(pac_data_ctr,
+ *pac_blob,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ &pac_data_ctr->pac_data);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
+ pac_blob->data,
+ pac_blob->length);
+ if (pac_data_ctr->pac_blob.length != pac_blob->length) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ *session_info = talloc_zero(mem_ctx, struct auth_session_info);
+ if (*session_info == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ TALLOC_FREE(auth_ctx->private_data);
+ auth_ctx->private_data = talloc_move(auth_ctx, &pac_data_ctr);
+
+ return NT_STATUS_OK;
+
+fail:
+ TALLOC_FREE(pac_data_ctr);
+
+ return status;
+}
+
+struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx)
+{
+ struct auth4_context *auth_ctx = NULL;
+
+ auth_ctx = talloc_zero(mem_ctx, struct auth4_context);
+ if (auth_ctx == NULL) {
+ return NULL;
+ }
+ auth_ctx->generate_session_info_pac = auth4_context_fetch_PAC_DATA_CTR;
+
+ return auth_ctx;
+}
+
+struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx)
+{
+ struct PAC_DATA_CTR *p = NULL;
+ SMB_ASSERT(auth_ctx->generate_session_info_pac == auth4_context_fetch_PAC_DATA_CTR);
+ p = talloc_get_type_abort(auth_ctx->private_data, struct PAC_DATA_CTR);
+ auth_ctx->private_data = NULL;
+ return talloc_move(mem_ctx, &p);
+}
+
#endif
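Review bot: auth4_context_fetch_PAC_DATA_CTR passes NULL for every key argument of kerberos_decode_pac (the call after `pac_data_ctr = talloc_zero(...)`), so no PAC checksum is verified in this helper; the "verified" in the commit message presumably relies on the gensec layer having validated the PAC before it invokes generate_session_info_pac, and that precondition should be stated next to the call, e.g. `/* The caller (gensec) has already verified the PAC; NULL keys skip re-checking the checksums. */`. The `*session_info` handed back is a zeroed struct auth_session_info with no token, which a caller treating it as a real session would not expect — a comment such as `/* Placeholder only: the result is fetched via auth4_context_get_PAC_DATA_CTR(), not this session_info. */` would prevent that misuse. auth4_context_get_PAC_DATA_CTR() aborts rather than returning NULL when the context was not created by auth4_context_for_PAC_DATA_CTR() or when private_data is already NULL (SMB_ASSERT, and I believe talloc_get_type_abort on a NULL pointer), so it can be called only once after a successful authentication; that single-use contract belongs on the prototype in pac_utils.h, whose hunk runs past the end of this view.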
diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h
index d09e7b643d4..36fd60c3349 100644
--- a/auth/kerberos/pac_utils.h
+++ b/auth/kerberos/pac_utils.h
@@ -53,6 +53,16 @@ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
time_t tgs_authtime,
struct PAC_LOGON_INFO **logon_info);
+struct PAC_DATA;
+struct PAC_DATA_CTR {
+ DATA_BLOB pac_blob;
+ struct PAC_DATA *pac_data;
+};
+
+struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx);
+struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx);
+
NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
gss_ctx_id_t gssapi_context,
gss_name_t gss_client_name,