auth-krb: Nove oid packet check to gensec_util.

This is clearly a utiliy function generic to gensec.  Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.

Signed-off-by: Andreas Schneider <asn@samba.org>

auth/gensec/gensec.h

@@ -350,5 +350,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 					  const struct tsocket_address *remote_address,
 					  struct auth_session_info **session_info);
 
+NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
+					const DATA_BLOB *blob);
 
 #endif /* __GENSEC_H__ */

auth/gensec/gensec_util.c

@@ -23,6 +23,7 @@
 #include "includes.h"
 #include "auth/gensec/gensec.h"
 #include "auth/common_auth.h"
+#include "../lib/util/asn1.h"
 
 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 					  struct gensec_security *gensec_security,
@@ -180,3 +181,46 @@ NTSTATUS gensec_packet_full_request(struct gensec_security *gensec_security,
 	}
 	return NT_STATUS_OK;
 }
+
+/*
+  magic check a GSS-API wrapper packet for an Kerberos OID
+*/
+static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
+{
+	bool ret;
+	struct asn1_data *data = asn1_init(NULL);
+
+	if (!data) return false;
+
+	asn1_load(data, *blob);
+	asn1_start_tag(data, ASN1_APPLICATION(0));
+	asn1_check_OID(data, oid);
+
+	ret = !data->has_error;
+
+	asn1_free(data);
+
+	return ret;
+}
+
+/**
+ * Check if the packet is one for the KRB5 mechansim
+ *
+ * NOTE: This is a helper that can be employed by multiple mechanisms, do
+ * not make assumptions about the private_data
+ *
+ * @param gensec_security GENSEC state, unused
+ * @param in The request, as a DATA_BLOB
+ * @return Error, INVALID_PARAMETER if it's not a packet for us
+ *                or NT_STATUS_OK if the packet is ok.
+ */
+
+NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
+					const DATA_BLOB *blob)
+{
+	if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) {
+		return NT_STATUS_OK;
+	} else {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+}

auth/gensec/wscript_build

@@ -3,7 +3,7 @@ bld.SAMBA_LIBRARY('gensec',
 	source='gensec.c gensec_start.c gensec_util.c',
 	pc_files='gensec.pc',
 	autoproto='gensec_toplevel_proto.h',
-	public_deps='tevent-util samba-util errors LIBPACKET auth_system_session samba-modules gensec_util',
+	public_deps='tevent-util samba-util errors LIBPACKET auth_system_session samba-modules gensec_util asn1util',
 	public_headers='gensec.h',
 	deps='com_err',
 	vnum='0.0.1'

auth/kerberos/gssapi_parse.c

@@ -95,23 +95,3 @@ bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, D
 }
 
 
-/*
-  check a GSS-API wrapper packet givin an expected OID
-*/
-bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
-{
-	bool ret;
-	struct asn1_data *data = asn1_init(NULL);
-
-	if (!data) return false;
-
-	asn1_load(data, *blob);
-	asn1_start_tag(data, ASN1_APPLICATION(0));
-	asn1_check_OID(data, oid);
-
-	ret = !data->has_error;
-
-	asn1_free(data);
-
-	return ret;
-}

libcli/auth/krb5_wrap.h

@@ -96,4 +96,3 @@ NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
 DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8_t tok_id[2]);
 
 bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8_t tok_id[2]);
-bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid);

source3/librpc/crypto/gse.c

@@ -802,26 +802,6 @@ static NTSTATUS gensec_gse_server_start(struct gensec_security *gensec_security)
 	return NT_STATUS_OK;
 }
 
-/**
- * Check if the packet is one for this mechansim
- *
- * @param gensec_security GENSEC state
- * @param in The request, as a DATA_BLOB
- * @return Error, INVALID_PARAMETER if it's not a packet for us
- *                or NT_STATUS_OK if the packet is ok.
- */
-
-static NTSTATUS gensec_gse_magic(struct gensec_security *gensec_security,
-				 const DATA_BLOB *in)
-{
-	if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
-		return NT_STATUS_OK;
-	} else {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-}
-
-
 /**
  * Next state function for the GSE GENSEC mechanism
  *
@@ -1163,7 +1143,7 @@ const struct gensec_security_ops gensec_gse_krb5_security_ops = {
 	.oid            = gensec_gse_krb5_oids,
 	.client_start   = gensec_gse_client_start,
 	.server_start   = gensec_gse_server_start,
-	.magic  	= gensec_gse_magic,
+	.magic  	= gensec_magic_check_krb5_oid,
 	.update 	= gensec_gse_update,
 	.session_key	= gensec_gse_session_key,
 	.session_info	= gensec_gse_session_info,

source4/auth/gensec/gensec_gssapi.c

@@ -393,26 +393,6 @@ static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_s
 }
 
 
-/**
- * Check if the packet is one for this mechansim
- * 
- * @param gensec_security GENSEC state
- * @param in The request, as a DATA_BLOB
- * @return Error, INVALID_PARAMETER if it's not a packet for us
- *                or NT_STATUS_OK if the packet is ok. 
- */
-
-static NTSTATUS gensec_gssapi_magic(struct gensec_security *gensec_security, 
-				    const DATA_BLOB *in) 
-{
-	if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
-		return NT_STATUS_OK;
-	} else {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-}
-
-
 /**
  * Next state function for the GSSAPI GENSEC mechanism
  * 
@@ -1470,7 +1450,7 @@ static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
 	.oid            = gensec_gssapi_spnego_oids,
 	.client_start   = gensec_gssapi_client_start,
 	.server_start   = gensec_gssapi_server_start,
-	.magic  	= gensec_gssapi_magic,
+	.magic  	= gensec_magic_check_krb5_oid,
 	.update 	= gensec_gssapi_update,
 	.session_key	= gensec_gssapi_session_key,
 	.session_info	= gensec_gssapi_session_info,
@@ -1493,7 +1473,7 @@ static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
 	.oid            = gensec_gssapi_krb5_oids,
 	.client_start   = gensec_gssapi_client_start,
 	.server_start   = gensec_gssapi_server_start,
-	.magic  	= gensec_gssapi_magic,
+	.magic  	= gensec_magic_check_krb5_oid,
 	.update 	= gensec_gssapi_update,
 	.session_key	= gensec_gssapi_session_key,
 	.session_info	= gensec_gssapi_session_info,

source4/auth/gensec/gensec_krb5.c

@@ -392,26 +392,6 @@ static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gen
 	return gensec_krb5_common_client_start(gensec_security, true);
 }
 
-/**
- * Check if the packet is one for this mechansim
- * 
- * @param gensec_security GENSEC state
- * @param in The request, as a DATA_BLOB
- * @return Error, INVALID_PARAMETER if it's not a packet for us
- *                or NT_STATUS_OK if the packet is ok. 
- */
-
-static NTSTATUS gensec_fake_gssapi_krb5_magic(struct gensec_security *gensec_security, 
-				  const DATA_BLOB *in) 
-{
-	if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
-		return NT_STATUS_OK;
-	} else {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-}
-
-
 /**
  * Next state function for the Krb5 GENSEC mechanism
  * 
@@ -807,7 +787,7 @@ static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
 	.client_start   = gensec_fake_gssapi_krb5_client_start,
 	.server_start   = gensec_fake_gssapi_krb5_server_start,
 	.update 	= gensec_krb5_update,
-	.magic   	= gensec_fake_gssapi_krb5_magic,
+	.magic   	= gensec_magic_check_krb5_oid,
 	.session_key	= gensec_krb5_session_key,
 	.session_info	= gensec_krb5_session_info,
 	.have_feature   = gensec_krb5_have_feature,