
auth/kerberos: add auth4_context_{for,get}_PAC_DATA_CTR() helpers

This adds a generic way to get to the raw (verified) PAC
and will be used in multiple places in the future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher 2019-12-19 15:34:36 +01:00
parent 0b3db29bd5
commit f8e7c3d382
4 changed files with 97 additions and 6 deletions


@ -30,6 +30,8 @@
#ifdef HAVE_KRB5
#include "librpc/gen_ndr/ndr_krb5pac.h"
#include "librpc/gen_ndr/auth.h"
#include "auth/common_auth.h"
#include "auth/kerberos/pac_utils.h"
krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
@ -466,4 +468,87 @@ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
static NTSTATUS auth4_context_fetch_PAC_DATA_CTR(
struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
struct smb_krb5_context *smb_krb5_context,
DATA_BLOB *pac_blob,
const char *princ_name,
const struct tsocket_address *remote_address,
uint32_t session_info_flags,
struct auth_session_info **session_info)
{
struct PAC_DATA_CTR *pac_data_ctr = NULL;
NTSTATUS status;
if (pac_blob == NULL) {
return NT_STATUS_NO_IMPERSONATION_TOKEN;
}
pac_data_ctr = talloc_zero(mem_ctx, struct PAC_DATA_CTR);
if (pac_data_ctr == NULL) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
status = kerberos_decode_pac(pac_data_ctr,
*pac_blob,
NULL,
NULL,
NULL,
NULL,
0,
&pac_data_ctr->pac_data);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
pac_blob->data,
pac_blob->length);
if (pac_data_ctr->pac_blob.length != pac_blob->length) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
*session_info = talloc_zero(mem_ctx, struct auth_session_info);
if (*session_info == NULL) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
TALLOC_FREE(auth_ctx->private_data);
auth_ctx->private_data = talloc_move(auth_ctx, &pac_data_ctr);
return NT_STATUS_OK;
fail:
TALLOC_FREE(pac_data_ctr);
return status;
}
struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx)
{
struct auth4_context *auth_ctx = NULL;
auth_ctx = talloc_zero(mem_ctx, struct auth4_context);
if (auth_ctx == NULL) {
return NULL;
}
auth_ctx->generate_session_info_pac = auth4_context_fetch_PAC_DATA_CTR;
return auth_ctx;
}
struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx)
{
struct PAC_DATA_CTR *p = NULL;
SMB_ASSERT(auth_ctx->generate_session_info_pac == auth4_context_fetch_PAC_DATA_CTR);
p = talloc_get_type_abort(auth_ctx->private_data, struct PAC_DATA_CTR);
auth_ctx->private_data = NULL;
return talloc_move(mem_ctx, &p);
}
#endif
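Review bot: The kerberos_decode_pac() call in auth4_context_fetch_PAC_DATA_CTR() passes NULL for both keyblocks and the client principal and 0 for the authtime, so this helper does not itself check the PAC checksums or bind the PAC to a principal; the "verified" in the commit message therefore rests on whichever gensec backend invokes generate_session_info_pac having already validated the blob, which nothing in this hunk can confirm. That contract should be spelled out on the call, e.g. `/* Decode only: the backend that hands us pac_blob has already verified the PAC signatures; nothing is re-checked here. */`, so a future caller does not route an unverified blob through this context. Separately, auth4_context_get_PAC_DATA_CTR() feeds auth_ctx->private_data straight into talloc_get_type_abort(), which as far as I recall aborts on a NULL pointer, so reaching it without a successful generate_session_info_pac run, or calling it a second time after L96 cleared the pointer, terminates the process; either document it as single-shot and valid only after success, or add `if (auth_ctx->private_data == NULL) { return NULL; }` before the cast.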


@ -53,6 +53,16 @@ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
time_t tgs_authtime,
struct PAC_LOGON_INFO **logon_info);
struct PAC_DATA;
struct PAC_DATA_CTR {
DATA_BLOB pac_blob;
struct PAC_DATA *pac_data;
};
struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx);
struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx);
NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
gss_ctx_id_t gssapi_context,
gss_name_t gss_client_name,
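Review bot: The two new prototypes say nothing about ownership or calling order, and the PAC_DATA_CTR they exchange is the only handle callers get to the PAC, so the header is where that contract belongs. I would put a short comment above auth4_context_for_PAC_DATA_CTR() stating that the returned auth4_context exists only to capture the PAC through its generate_session_info_pac hook and produces an empty session_info, and one above auth4_context_get_PAC_DATA_CTR() stating that it moves the captured PAC_DATA_CTR (pac_blob plus decoded pac_data) onto mem_ctx and clears it from the context, so it returns it at most once and presumably must only be called after the hook ran successfully. Which backend verifies the PAC before the hook sees it is not visible from this header, so that note should be hedged or point at the caller.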


@ -32,12 +32,7 @@
#include "system/kerberos.h"
struct PAC_DATA;
struct PAC_DATA_CTR {
DATA_BLOB pac_blob;
struct PAC_DATA *pac_data;
};
struct PAC_DATA_CTR;
#define DEFAULT_KRB5_PORT 88


@ -40,6 +40,7 @@
#include "libsmb/libsmb.h"
#include "lib/param/loadparm.h"
#include "utils/net_dns.h"
#include "auth/kerberos/pac_utils.h"
#ifdef HAVE_JANSSON
#include <jansson.h>