From 7285ed586f129d45843f98c359003d9ac88cf5cb Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Thu, 5 Jul 2012 13:17:00 -0700
Subject: [PATCH] auth: Common function for retrieving PAC_LOGIN_INFO from PAC

Several functions use the same logic as kerberos_pac_logon_info. Move kerberos_pac_logon_info to common code and reuse it to remove the code duplication.

Signed-off-by: Andrew Bartlett
---
 auth/kerberos/kerberos_pac.c | 37 ++++++++++++++++++++++++++++
 auth/kerberos/pac_utils.h | 10 ++++++++
 source3/auth/auth_generic.c | 28 ++-------------------------
 source3/libads/authdata.c | 29 +++-------------------------
 source3/utils/ntlm_auth.c | 28 ++-------------------------
 source4/auth/kerberos/kerberos.h | 8 ------
 source4/auth/kerberos/kerberos_pac.c | 37 ----------------------------
 7 files changed, 54 insertions(+), 123 deletions(-)

diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index eacf39d321e..80f31d869f1 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -402,4 +402,41 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
 
+NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
+ DATA_BLOB blob,
+ krb5_context context,
+ const krb5_keyblock *krbtgt_keyblock,
+ const krb5_keyblock *service_keyblock,
+ krb5_const_principal client_principal,
+ time_t tgs_authtime,
+ struct PAC_LOGON_INFO **logon_info)
+{
+ NTSTATUS nt_status;
+ struct PAC_DATA *pac_data;
+ int i;
+ nt_status = kerberos_decode_pac(mem_ctx,
+ blob,
+ context,
+ krbtgt_keyblock,
+ service_keyblock,
+ client_principal,
+ tgs_authtime,
+ &pac_data);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ *logon_info = NULL;
+ for (i=0; i < pac_data->num_buffers; i++) {
+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+ continue;
+ }
+ *logon_info = pac_data->buffers[i].info->logon_info.info;
+ }
+ if (!*logon_info) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ return NT_STATUS_OK;
+}
+
 #endif 
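Review bot: The new kerberos_pac_logon_info dereferences `pac_data->buffers[i].info->logon_info.info` without checking `info` for NULL, whereas the three call sites this commit replaces (auth_generic.c, authdata.c, ntlm_auth.c) each guarded the buffer with `if (!data_buf->info) { break; }`. If the decoder can hand back a PAC_TYPE_LOGON_INFO buffer whose `info` is NULL — which is what those guards were defending against; I cannot confirm from this hunk whether kerberos_decode_pac rejects that case — this becomes a NULL dereference on data taken from a client-presented ticket, so the guard should travel with the code: `if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO || pac_data->buffers[i].info == NULL) { continue; }`. Separately, when a PAC carries more than one LOGON_INFO buffer the loop silently lets the last one win; if duplicates are not legitimate, returning an error on a second match is the safer contract, and either way the function's header comment should state which buffer is chosen. A brief comment that `*logon_info` points into the PAC_DATA decoded under mem_ctx (not a copy) would also spare callers a talloc ownership mistake.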
diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h
index d654bec208b..b9b66649eef 100644
--- a/auth/kerberos/pac_utils.h
+++ b/auth/kerberos/pac_utils.h
@@ -26,6 +26,7 @@
 
 struct PAC_SIGNATURE_DATA;
 struct PAC_DATA;
+struct PAC_LOGON_INFO;
 
 krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 struct PAC_SIGNATURE_DATA *sig,
@@ -41,6 +42,15 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 time_t tgs_authtime,
 struct PAC_DATA **pac_data_out);
 
+NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
+ DATA_BLOB blob,
+ krb5_context context,
+ const krb5_keyblock *krbtgt_keyblock,
+ const krb5_keyblock *service_keyblock,
+ krb5_const_principal client_principal,
+ time_t tgs_authtime,
+ struct PAC_LOGON_INFO **logon_info);
+
 NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 gss_ctx_id_t gssapi_context,
 gss_name_t gss_client_name,
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 82b376feb64..80f5fa7d3e3 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -42,9 +42,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 struct auth_session_info **session_info)
 {
 TALLOC_CTX *tmp_ctx;
- struct PAC_DATA *pac_data = NULL;
 struct PAC_LOGON_INFO *logon_info = NULL;
- unsigned int i;
 bool is_mapped;
 bool is_guest;
 char *ntuser; 
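Review bot: The kerberos_pac_logon_info prototype added to pac_utils.h has no comment, and its contract is exactly the kind a caller gets wrong. The header comment should say that on success `*logon_info` points into the PAC_DATA decoded under `mem_ctx` rather than being a copy (so its lifetime is the caller's context), that NT_STATUS_INVALID_PARAMETER is returned when the PAC contains no logon-info buffer, and what passing NULL for the two keyblocks and the principal and 0 for `tgs_authtime` means for checksum and freshness verification — the source3 callers in this commit do precisely that, so a reader of the header needs to know which checks are then skipped (presumably none are performed in that case; confirm against kerberos_decode_pac). The definition itself is in the kerberos_pac.c hunk above.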
@@ -62,36 +60,14 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 
 if (pac_blob) {
 #ifdef HAVE_KRB5
- status = kerberos_decode_pac(tmp_ctx,
- *pac_blob,
- NULL, NULL, NULL, NULL, 0, &pac_data);
+ status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
+ NULL, NULL, 0, &logon_info);
 #else
 status = NT_STATUS_ACCESS_DENIED;
 #endif
 if (!NT_STATUS_IS_OK(status)) {
 goto done;
 }
-
- /* get logon name and logon info */
- for (i = 0; i < pac_data->num_buffers; i++) {
- struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
-
- switch (data_buf->type) {
- case PAC_TYPE_LOGON_INFO:
- if (!data_buf->info) {
- break;
- }
- logon_info = data_buf->info->logon_info.info;
- break;
- default:
- break;
- }
- }
- if (!logon_info) {
- DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
- status = NT_STATUS_NOT_FOUND;
- goto done;
- }
 }
 
 rc = get_remote_hostname(remote_address,
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 60897bf5fb5..2c667a66bcd 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -51,9 +51,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
 struct auth_session_info **session_info)
 {
 TALLOC_CTX *tmp_ctx;
- struct PAC_DATA *pac_data = NULL;
 struct PAC_LOGON_INFO *logon_info = NULL;
- unsigned int i;
 NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
 
 tmp_ctx = talloc_new(mem_ctx); 
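Review bot: Replacing the inline loop with kerberos_pac_logon_info changes what a caller sees when the PAC decodes but has no logon-info buffer: the removed code logged `DEBUG(1, ("Invalid PAC data, missing logon info!\n"))` and returned NT_STATUS_NOT_FOUND, while the common function returns NT_STATUS_INVALID_PARAMETER and logs nothing. The same applies to the corresponding hunks in source3/libads/authdata.c and source3/utils/ntlm_auth.c below. Unless nothing upstream distinguishes NOT_FOUND, the status change should be spelled out in the commit message, and the diagnostic is worth keeping at the call site so a rejected PAC stays visible in the logs — e.g. inside the existing failure branch before `goto done;`: `DEBUG(1, ("kerberos_pac_logon_info failed: %s\n", nt_errstr(status)));`. auth3_generate_session_info_pac continues outside this hunk.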
@@ -62,34 +60,13 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
 }
 
 if (pac_blob) {
- status = kerberos_decode_pac(tmp_ctx,
- *pac_blob,
- NULL, NULL, NULL, NULL, 0, &pac_data);
+ status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
+ NULL, NULL, 0, &logon_info);
 if (!NT_STATUS_IS_OK(status)) {
 goto done;
 }
-
- /* get logon name and logon info */
- for (i = 0; i < pac_data->num_buffers; i++) {
- struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
-
- switch (data_buf->type) {
- case PAC_TYPE_LOGON_INFO:
- if (!data_buf->info) {
- break;
- }
- logon_info = data_buf->info->logon_info.info;
- break;
- default:
- break;
- }
- }
- if (!logon_info) {
- DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
- status = NT_STATUS_NOT_FOUND;
- goto done;
- }
 }
+ talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
 
 auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);
 
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index a832b5bc60f..afb51e9356b 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -716,9 +716,7 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
 struct auth_session_info **session_info)
 {
 TALLOC_CTX *tmp_ctx;
- struct PAC_DATA *pac_data = NULL;
 struct PAC_LOGON_INFO *logon_info = NULL;
- unsigned int i;
 char *unixuser;
 NTSTATUS status;
 char *domain = NULL; 
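Review bot: The added `talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");` sits after the `if (pac_blob) { ... }` block, so it also runs when `pac_blob` is NULL and `logon_info` is still its initial NULL; talloc_steal tolerates a NULL pointer, but as far as I can tell talloc_set_name_const does not, so that path would now crash where the old code merely stored NULL in private_data. Unless a check outside this hunk guarantees `pac_blob` is non-NULL here, the call belongs inside the block after the status check: `status = kerberos_pac_logon_info(...);` / `if (!NT_STATUS_IS_OK(status)) { goto done; }` / `talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");`. The reason for renaming the chunk is not visible either — presumably so a later talloc_get_type lookup on private_data succeeds — and deserves a one-line comment. kerberos_fetch_pac continues outside this hunk.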
@@ -733,36 +731,14 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
 
 if (pac_blob) {
 #ifdef HAVE_KRB5
- status = kerberos_decode_pac(tmp_ctx,
- *pac_blob,
- NULL, NULL, NULL, NULL, 0, &pac_data);
+ status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
+ NULL, NULL, 0, &logon_info);
 #else
 status = NT_STATUS_ACCESS_DENIED;
 #endif
 if (!NT_STATUS_IS_OK(status)) {
 goto done;
 }
-
- /* get logon name and logon info */
- for (i = 0; i < pac_data->num_buffers; i++) {
- struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
-
- switch (data_buf->type) {
- case PAC_TYPE_LOGON_INFO:
- if (!data_buf->info) {
- break;
- }
- logon_info = data_buf->info->logon_info.info;
- break;
- default:
- break;
- }
- }
- if (!logon_info) {
- DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
- status = NT_STATUS_NOT_FOUND;
- goto done;
- }
 }
 
 DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 707426d4962..51b80556bf8 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -83,14 +83,6 @@ const krb5_data *krb5_princ_component(krb5_context context, krb5_principal princ
 #endif
 
 /* Samba wrapper function for krb5 functionality. */
-NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
- DATA_BLOB blob,
- krb5_context context,
- const krb5_keyblock *krbtgt_keyblock,
- const krb5_keyblock *service_keyblock,
- krb5_const_principal client_principal,
- time_t tgs_authtime,
- struct PAC_LOGON_INFO **logon_info);
 krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
 struct PAC_DATA *pac_data,
 krb5_context context,
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 85b62632bac..76c1d99d916 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c 
@@ -33,43 +33,6 @@
 #include "auth/kerberos/kerberos_util.h"
 #include "auth/kerberos/pac_utils.h"
 
-_PUBLIC_ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
- DATA_BLOB blob,
- krb5_context context,
- const krb5_keyblock *krbtgt_keyblock,
- const krb5_keyblock *service_keyblock,
- krb5_const_principal client_principal,
- time_t tgs_authtime,
- struct PAC_LOGON_INFO **logon_info)
-{
- NTSTATUS nt_status;
- struct PAC_DATA *pac_data;
- int i;
- nt_status = kerberos_decode_pac(mem_ctx,
- blob,
- context,
- krbtgt_keyblock,
- service_keyblock,
- client_principal,
- tgs_authtime,
- &pac_data);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
- *logon_info = NULL;
- for (i=0; i < pac_data->num_buffers; i++) {
- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
- continue;
- }
- *logon_info = pac_data->buffers[i].info->logon_info.info;
- }
- if (!*logon_info) {
- return NT_STATUS_INVALID_PARAMETER;
- }
- return NT_STATUS_OK;
-}
-
 krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
 struct PAC_DATA *pac_data,
 krb5_context context,
-- 
2.34.1