s4:auth: Have claims_data_encoded_claims_set() return a reference to the encoded claims

Having the lifetime of the encoded claims be tied in a predictable
fashion to a caller‐controlled memory context is less prone to error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

source4/auth/session.c

@@ -612,9 +612,13 @@ NTSTATUS claims_data_from_claims_set(TALLOC_CTX *claims_data_ctx,
  * From a ‘claims_data’ structure, return an encoded claims blob that can be put
  * into a PAC.
  */
-NTSTATUS claims_data_encoded_claims_set(struct claims_data *claims_data,
+NTSTATUS claims_data_encoded_claims_set(TALLOC_CTX *mem_ctx,
+					struct claims_data *claims_data,
 					DATA_BLOB *encoded_claims_set_out)
 {
+	uint8_t *data = NULL;
+	size_t len;
+
 	if (encoded_claims_set_out == NULL) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
@@ -643,7 +647,15 @@ NTSTATUS claims_data_encoded_claims_set(struct claims_data *claims_data,
 		claims_data->flags |= CLAIMS_DATA_ENCODED_CLAIMS_PRESENT;
 	}
 
-	*encoded_claims_set_out = claims_data->encoded_claims_set;
+	if (claims_data->encoded_claims_set.data != NULL) {
+		data = talloc_reference(mem_ctx, claims_data->encoded_claims_set.data);
+		if (data == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+	len = claims_data->encoded_claims_set.length;
+
+	*encoded_claims_set_out = data_blob_const(data, len);
 	return NT_STATUS_OK;
 }
 

source4/auth/session.h

@@ -136,7 +136,8 @@ NTSTATUS claims_data_from_claims_set(TALLOC_CTX *claims_data_ctx,
  * From a ‘claims_data’ structure, return an encoded claims blob that can be put
  * into a PAC.
  */
-NTSTATUS claims_data_encoded_claims_set(struct claims_data *claims_data,
+NTSTATUS claims_data_encoded_claims_set(TALLOC_CTX *mem_ctx,
+					struct claims_data *claims_data,
 					DATA_BLOB *encoded_claims_set_out);
 
 /*