auth: Common function for retrieving PAC_LOGIN_INFO from PAC

Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

auth/kerberos/kerberos_pac.c

@@ -402,4 +402,41 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
+NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
+				 DATA_BLOB blob,
+				 krb5_context context,
+				 const krb5_keyblock *krbtgt_keyblock,
+				 const krb5_keyblock *service_keyblock,
+				 krb5_const_principal client_principal,
+				 time_t tgs_authtime,
+				 struct PAC_LOGON_INFO **logon_info)
+{
+	NTSTATUS nt_status;
+	struct PAC_DATA *pac_data;
+	int i;
+	nt_status = kerberos_decode_pac(mem_ctx,
+					blob,
+					context,
+					krbtgt_keyblock,
+					service_keyblock,
+					client_principal,
+					tgs_authtime,
+					&pac_data);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		return nt_status;
+	}
+
+	*logon_info = NULL;
+	for (i=0; i < pac_data->num_buffers; i++) {
+		if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+			continue;
+		}
+		*logon_info = pac_data->buffers[i].info->logon_info.info;
+	}
+	if (!*logon_info) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	return NT_STATUS_OK;
+}
+
 #endif

auth/kerberos/pac_utils.h

@@ -26,6 +26,7 @@
 
 struct PAC_SIGNATURE_DATA;
 struct PAC_DATA;
+struct PAC_LOGON_INFO;
 
 krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 				   struct PAC_SIGNATURE_DATA *sig,
@@ -41,6 +42,15 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 			     time_t tgs_authtime,
 			     struct PAC_DATA **pac_data_out);
 
+NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
+				 DATA_BLOB blob,
+				 krb5_context context,
+				 const krb5_keyblock *krbtgt_keyblock,
+				 const krb5_keyblock *service_keyblock,
+				 krb5_const_principal client_principal,
+				 time_t tgs_authtime,
+				 struct PAC_LOGON_INFO **logon_info);
+
 NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 				gss_ctx_id_t gssapi_context,
 				gss_name_t gss_client_name,

source3/auth/auth_generic.c

@@ -42,9 +42,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 						struct auth_session_info **session_info)
 {
 	TALLOC_CTX *tmp_ctx;
-	struct PAC_DATA *pac_data = NULL;
 	struct PAC_LOGON_INFO *logon_info = NULL;
-	unsigned int i;
 	bool is_mapped;
 	bool is_guest;
 	char *ntuser;
@@ -62,36 +60,14 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 
 	if (pac_blob) {
 #ifdef HAVE_KRB5
-		status = kerberos_decode_pac(tmp_ctx,
-				     *pac_blob,
-				     NULL, NULL, NULL, NULL, 0, &pac_data);
+		status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
+						 NULL, NULL, 0, &logon_info);
 #else
 		status = NT_STATUS_ACCESS_DENIED;
 #endif
 		if (!NT_STATUS_IS_OK(status)) {
 			goto done;
 		}
-
-		/* get logon name and logon info */
-		for (i = 0; i < pac_data->num_buffers; i++) {
-			struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
-
-			switch (data_buf->type) {
-			case PAC_TYPE_LOGON_INFO:
-				if (!data_buf->info) {
-					break;
-				}
-				logon_info = data_buf->info->logon_info.info;
-				break;
-			default:
-				break;
-			}
-		}
-		if (!logon_info) {
-			DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
-			status = NT_STATUS_NOT_FOUND;
-			goto done;
-		}
 	}
 
 	rc = get_remote_hostname(remote_address,

source3/libads/authdata.c

@@ -51,9 +51,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
 				   struct auth_session_info **session_info)
 {
 	TALLOC_CTX *tmp_ctx;
-	struct PAC_DATA *pac_data = NULL;
 	struct PAC_LOGON_INFO *logon_info = NULL;
-	unsigned int i;
 	NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
 
 	tmp_ctx = talloc_new(mem_ctx);
@@ -62,34 +60,13 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
 	}
 
 	if (pac_blob) {
-		status = kerberos_decode_pac(tmp_ctx,
-				     *pac_blob,
-				     NULL, NULL, NULL, NULL, 0, &pac_data);
+		status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
+						 NULL, NULL, 0, &logon_info);
 		if (!NT_STATUS_IS_OK(status)) {
 			goto done;
 		}
-
-		/* get logon name and logon info */
-		for (i = 0; i < pac_data->num_buffers; i++) {
-			struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
-
-			switch (data_buf->type) {
-			case PAC_TYPE_LOGON_INFO:
-				if (!data_buf->info) {
-					break;
-				}
-				logon_info = data_buf->info->logon_info.info;
-				break;
-			default:
-				break;
-			}
-		}
-		if (!logon_info) {
-			DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
-			status = NT_STATUS_NOT_FOUND;
-			goto done;
-		}
 	}
+
 	talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
 
 	auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);

source3/utils/ntlm_auth.c

@@ -716,9 +716,7 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
 						    struct auth_session_info **session_info)
 {
 	TALLOC_CTX *tmp_ctx;
-	struct PAC_DATA *pac_data = NULL;
 	struct PAC_LOGON_INFO *logon_info = NULL;
-	unsigned int i;
 	char *unixuser;
 	NTSTATUS status;
 	char *domain = NULL;
@@ -733,36 +731,14 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
 
 	if (pac_blob) {
 #ifdef HAVE_KRB5
-		status = kerberos_decode_pac(tmp_ctx,
-				     *pac_blob,
-				     NULL, NULL, NULL, NULL, 0, &pac_data);
+		status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
+						 NULL, NULL, 0, &logon_info);
 #else
 		status = NT_STATUS_ACCESS_DENIED;
 #endif
 		if (!NT_STATUS_IS_OK(status)) {
 			goto done;
 		}
-
-		/* get logon name and logon info */
-		for (i = 0; i < pac_data->num_buffers; i++) {
-			struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
-
-			switch (data_buf->type) {
-			case PAC_TYPE_LOGON_INFO:
-				if (!data_buf->info) {
-					break;
-				}
-				logon_info = data_buf->info->logon_info.info;
-				break;
-			default:
-				break;
-			}
-		}
-		if (!logon_info) {
-			DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
-			status = NT_STATUS_NOT_FOUND;
-			goto done;
-		}
 	}
 
 	DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));

source4/auth/kerberos/kerberos.h

@@ -83,14 +83,6 @@ const krb5_data *krb5_princ_component(krb5_context context, krb5_principal princ
 #endif
 
 /* Samba wrapper function for krb5 functionality. */
-NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
-				 DATA_BLOB blob,
-				 krb5_context context,
-				 const krb5_keyblock *krbtgt_keyblock,
-				 const krb5_keyblock *service_keyblock,
-				 krb5_const_principal client_principal,
-				 time_t tgs_authtime,
-				 struct PAC_LOGON_INFO **logon_info);
  krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
 				    struct PAC_DATA *pac_data,
 				    krb5_context context,

source4/auth/kerberos/kerberos_pac.c

@@ -33,43 +33,6 @@
 #include "auth/kerberos/kerberos_util.h"
 #include "auth/kerberos/pac_utils.h"
 
-_PUBLIC_  NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
-					   DATA_BLOB blob,
-					   krb5_context context,
-					   const krb5_keyblock *krbtgt_keyblock,
-					   const krb5_keyblock *service_keyblock,
-					   krb5_const_principal client_principal,
-					   time_t tgs_authtime,
-					   struct PAC_LOGON_INFO **logon_info)
-{
-	NTSTATUS nt_status;
-	struct PAC_DATA *pac_data;
-	int i;
-	nt_status = kerberos_decode_pac(mem_ctx,
-					blob,
-					context,
-					krbtgt_keyblock,
-					service_keyblock,
-					client_principal,
-					tgs_authtime,
-					&pac_data);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		return nt_status;
-	}
-
-	*logon_info = NULL;
-	for (i=0; i < pac_data->num_buffers; i++) {
-		if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
-			continue;
-		}
-		*logon_info = pac_data->buffers[i].info->logon_info.info;
-	}
-	if (!*logon_info) {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-	return NT_STATUS_OK;
-}
-
  krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
 				    struct PAC_DATA *pac_data,
 				    krb5_context context,