Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : kerberos authorization data (PAC) utility library
4 : Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
5 : Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
6 : Copyright (C) Andrew Tridgell 2001
7 : Copyright (C) Luke Howard 2002-2003
8 : Copyright (C) Stefan Metzmacher 2004-2005
9 : Copyright (C) Guenther Deschner 2005,2007,2008
10 :
11 : This program is free software; you can redistribute it and/or modify
12 : it under the terms of the GNU General Public License as published by
13 : the Free Software Foundation; either version 3 of the License, or
14 : (at your option) any later version.
15 :
16 : This program is distributed in the hope that it will be useful,
17 : but WITHOUT ANY WARRANTY; without even the implied warranty of
18 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 : GNU General Public License for more details.
20 :
21 : You should have received a copy of the GNU General Public License
22 : along with this program. If not, see <http://www.gnu.org/licenses/>.
23 : */
24 :
25 : #include "includes.h"
26 :
27 : #undef DBGC_CLASS
28 : #define DBGC_CLASS DBGC_AUTH
29 :
30 : #ifdef HAVE_KRB5
31 :
32 : #include "librpc/gen_ndr/ndr_krb5pac.h"
33 : #include "librpc/gen_ndr/auth.h"
34 : #include "auth/common_auth.h"
35 : #include "auth/kerberos/pac_utils.h"
36 :
37 4961 : krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
38 : struct PAC_SIGNATURE_DATA *sig,
39 : krb5_context context,
40 : const krb5_keyblock *keyblock)
41 : {
42 14 : krb5_error_code ret;
43 14 : krb5_checksum cksum;
44 4961 : krb5_keyusage usage = 0;
45 4961 : krb5_boolean checksum_valid = false;
46 14 : krb5_data input;
47 :
48 4961 : switch (sig->type) {
49 1106 : case CKSUMTYPE_HMAC_MD5:
50 : /* ignores the key type */
51 1106 : break;
52 3797 : case CKSUMTYPE_HMAC_SHA1_96_AES_256:
53 3797 : if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
54 1927 : return EINVAL;
55 : }
56 : /* ok */
57 1870 : break;
58 0 : case CKSUMTYPE_HMAC_SHA1_96_AES_128:
59 0 : if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
60 0 : return EINVAL;
61 : }
62 : /* ok */
63 0 : break;
64 44 : default:
65 44 : DEBUG(2,("check_pac_checksum: Checksum Type %"PRIu32" is not supported\n",
66 : sig->type));
67 44 : return EINVAL;
68 : }
69 :
70 : #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
71 1968 : cksum.cksumtype = (krb5_cksumtype)sig->type;
72 1968 : cksum.checksum.length = sig->signature.length;
73 1968 : cksum.checksum.data = sig->signature.data;
74 : #else /* MIT */
75 1022 : cksum.checksum_type = (krb5_cksumtype)sig->type;
76 1022 : cksum.length = sig->signature.length;
77 1022 : cksum.contents = sig->signature.data;
78 : #endif
79 :
80 : #ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */
81 1968 : usage = KRB5_KU_OTHER_CKSUM;
82 : #elif defined(HAVE_KRB5_KEYUSAGE_APP_DATA_CKSUM) /* MIT */
83 1022 : usage = KRB5_KEYUSAGE_APP_DATA_CKSUM;
84 : #else
85 : #error UNKNOWN_KRB5_KEYUSAGE
86 : #endif
87 :
88 2990 : input.data = (char *)pac_data.data;
89 2990 : input.length = pac_data.length;
90 :
91 2990 : ret = krb5_c_verify_checksum(context,
92 : keyblock,
93 : usage,
94 : &input,
95 : &cksum,
96 : &checksum_valid);
97 2990 : if (!checksum_valid) {
98 802 : ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
99 : }
100 2990 : if (ret){
101 802 : DEBUG(2,("check_pac_checksum: PAC Verification failed: %s (%d)\n",
102 : error_message(ret), ret));
103 802 : return ret;
104 : }
105 :
106 2174 : return ret;
107 : }
108 :
109 : /**
110 : * @brief Decode a blob containing a NDR encoded PAC structure
111 : *
112 : * @param mem_ctx - The memory context
113 : * @param pac_data_blob - The data blob containing the NDR encoded data
114 : * @param context - The Kerberos Context
115 : * @param service_keyblock - The Service Key used to verify the checksum
116 : * @param client_principal - The client principal
117 : * @param tgs_authtime - The ticket timestamp
118 : * @param pac_data_out - [out] The decoded PAC
119 : *
120 : * @return - A NTSTATUS error code
121 : */
122 4804 : NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
123 : DATA_BLOB pac_data_blob,
124 : krb5_context context,
125 : const krb5_keyblock *krbtgt_keyblock,
126 : const krb5_keyblock *service_keyblock,
127 : krb5_const_principal client_principal,
128 : time_t tgs_authtime,
129 : struct PAC_DATA **pac_data_out)
130 : {
131 7 : NTSTATUS status;
132 7 : enum ndr_err_code ndr_err;
133 7 : krb5_error_code ret;
134 7 : DATA_BLOB modified_pac_blob;
135 :
136 7 : NTTIME tgs_authtime_nttime;
137 7 : int i;
138 :
139 4804 : struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
140 4804 : struct PAC_SIGNATURE_DATA *kdc_sig_ptr = NULL;
141 4804 : struct PAC_SIGNATURE_DATA *srv_sig_wipe = NULL;
142 4804 : struct PAC_SIGNATURE_DATA *kdc_sig_wipe = NULL;
143 4804 : struct PAC_LOGON_NAME *logon_name = NULL;
144 4804 : struct PAC_LOGON_INFO *logon_info = NULL;
145 4804 : struct PAC_DATA *pac_data = NULL;
146 4804 : struct PAC_DATA_RAW *pac_data_raw = NULL;
147 :
148 4804 : DATA_BLOB *srv_sig_blob = NULL;
149 4804 : DATA_BLOB *kdc_sig_blob = NULL;
150 :
151 7 : bool bool_ret;
152 :
153 4804 : TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
154 4804 : if (!tmp_ctx) {
155 0 : return NT_STATUS_NO_MEMORY;
156 : }
157 :
158 4804 : if (pac_data_out) {
159 3550 : *pac_data_out = NULL;
160 : }
161 :
162 4804 : pac_data = talloc(tmp_ctx, struct PAC_DATA);
163 4804 : pac_data_raw = talloc(tmp_ctx, struct PAC_DATA_RAW);
164 4804 : kdc_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
165 4804 : srv_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
166 4804 : if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
167 0 : talloc_free(tmp_ctx);
168 0 : return NT_STATUS_NO_MEMORY;
169 : }
170 :
171 4804 : ndr_err = ndr_pull_struct_blob(&pac_data_blob, pac_data, pac_data,
172 : (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
173 4804 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
174 0 : status = ndr_map_error2ntstatus(ndr_err);
175 0 : DEBUG(0,("can't parse the PAC: %s\n",
176 : nt_errstr(status)));
177 0 : talloc_free(tmp_ctx);
178 0 : return status;
179 : }
180 :
181 4804 : if (pac_data->num_buffers < 4) {
182 : /* we need logon_info, service_key and kdc_key */
183 0 : DEBUG(0,("less than 4 PAC buffers\n"));
184 0 : talloc_free(tmp_ctx);
185 0 : return NT_STATUS_INVALID_PARAMETER;
186 : }
187 :
188 4804 : ndr_err = ndr_pull_struct_blob(
189 : &pac_data_blob, pac_data_raw, pac_data_raw,
190 : (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA_RAW);
191 4804 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
192 0 : status = ndr_map_error2ntstatus(ndr_err);
193 0 : DEBUG(0,("can't parse the PAC: %s\n",
194 : nt_errstr(status)));
195 0 : talloc_free(tmp_ctx);
196 0 : return status;
197 : }
198 :
199 4804 : if (pac_data_raw->num_buffers < 4) {
200 : /* we need logon_info, service_key and kdc_key */
201 0 : DEBUG(0,("less than 4 PAC buffers\n"));
202 0 : talloc_free(tmp_ctx);
203 0 : return NT_STATUS_INVALID_PARAMETER;
204 : }
205 :
206 4804 : if (pac_data->num_buffers != pac_data_raw->num_buffers) {
207 : /* we need logon_info, service_key and kdc_key */
208 0 : DEBUG(0, ("misparse! PAC_DATA has %d buffers while "
209 : "PAC_DATA_RAW has %d\n", pac_data->num_buffers,
210 : pac_data_raw->num_buffers));
211 0 : talloc_free(tmp_ctx);
212 0 : return NT_STATUS_INVALID_PARAMETER;
213 : }
214 :
215 41084 : for (i=0; i < pac_data->num_buffers; i++) {
216 36280 : struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
217 36280 : struct PAC_BUFFER_RAW *raw_buf = &pac_data_raw->buffers[i];
218 :
219 36280 : if (data_buf->type != raw_buf->type) {
220 0 : DEBUG(0, ("misparse! PAC_DATA buffer %d has type "
221 : "%d while PAC_DATA_RAW has %d\n", i,
222 : data_buf->type, raw_buf->type));
223 0 : talloc_free(tmp_ctx);
224 0 : return NT_STATUS_INVALID_PARAMETER;
225 : }
226 36280 : switch (data_buf->type) {
227 4804 : case PAC_TYPE_LOGON_INFO:
228 4804 : if (!data_buf->info) {
229 0 : break;
230 : }
231 4804 : logon_info = data_buf->info->logon_info.info;
232 4804 : break;
233 4804 : case PAC_TYPE_SRV_CHECKSUM:
234 4804 : if (!data_buf->info) {
235 0 : break;
236 : }
237 4804 : srv_sig_ptr = &data_buf->info->srv_cksum;
238 4804 : srv_sig_blob = &raw_buf->info->remaining;
239 4804 : break;
240 4804 : case PAC_TYPE_KDC_CHECKSUM:
241 4804 : if (!data_buf->info) {
242 0 : break;
243 : }
244 4804 : kdc_sig_ptr = &data_buf->info->kdc_cksum;
245 4804 : kdc_sig_blob = &raw_buf->info->remaining;
246 4804 : break;
247 4804 : case PAC_TYPE_LOGON_NAME:
248 4804 : logon_name = &data_buf->info->logon_name;
249 4804 : break;
250 17064 : default:
251 17064 : break;
252 : }
253 : }
254 :
255 4804 : if (!logon_info) {
256 0 : DEBUG(0,("PAC no logon_info\n"));
257 0 : talloc_free(tmp_ctx);
258 0 : return NT_STATUS_INVALID_PARAMETER;
259 : }
260 :
261 4804 : if (!logon_name) {
262 0 : DEBUG(0,("PAC no logon_name\n"));
263 0 : talloc_free(tmp_ctx);
264 0 : return NT_STATUS_INVALID_PARAMETER;
265 : }
266 :
267 4804 : if (!srv_sig_ptr || !srv_sig_blob) {
268 0 : DEBUG(0,("PAC no srv_key\n"));
269 0 : talloc_free(tmp_ctx);
270 0 : return NT_STATUS_INVALID_PARAMETER;
271 : }
272 :
273 4804 : if (!kdc_sig_ptr || !kdc_sig_blob) {
274 0 : DEBUG(0,("PAC no kdc_key\n"));
275 0 : talloc_free(tmp_ctx);
276 0 : return NT_STATUS_INVALID_PARAMETER;
277 : }
278 :
279 : /* Find and zero out the signatures,
280 : * as required by the signing algorithm */
281 :
282 : /* We find the data blobs above,
283 : * now we parse them to get at the exact portion we should zero */
284 4804 : ndr_err = ndr_pull_struct_blob(
285 : kdc_sig_blob, kdc_sig_wipe, kdc_sig_wipe,
286 : (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
287 4804 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
288 0 : status = ndr_map_error2ntstatus(ndr_err);
289 0 : DEBUG(0,("can't parse the KDC signature: %s\n",
290 : nt_errstr(status)));
291 0 : talloc_free(tmp_ctx);
292 0 : return status;
293 : }
294 :
295 4804 : ndr_err = ndr_pull_struct_blob(
296 : srv_sig_blob, srv_sig_wipe, srv_sig_wipe,
297 : (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
298 4804 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
299 0 : status = ndr_map_error2ntstatus(ndr_err);
300 0 : DEBUG(0,("can't parse the SRV signature: %s\n",
301 : nt_errstr(status)));
302 0 : talloc_free(tmp_ctx);
303 0 : return status;
304 : }
305 :
306 : /* Now zero the decoded structure */
307 4804 : memset(kdc_sig_wipe->signature.data,
308 : '\0', kdc_sig_wipe->signature.length);
309 4804 : memset(srv_sig_wipe->signature.data,
310 : '\0', srv_sig_wipe->signature.length);
311 :
312 : /* and re-encode, back into the same place it came from */
313 4804 : ndr_err = ndr_push_struct_blob(
314 : kdc_sig_blob, pac_data_raw, kdc_sig_wipe,
315 : (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
316 4804 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
317 0 : status = ndr_map_error2ntstatus(ndr_err);
318 0 : DEBUG(0,("can't repack the KDC signature: %s\n",
319 : nt_errstr(status)));
320 0 : talloc_free(tmp_ctx);
321 0 : return status;
322 : }
323 4804 : ndr_err = ndr_push_struct_blob(
324 : srv_sig_blob, pac_data_raw, srv_sig_wipe,
325 : (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
326 4804 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
327 0 : status = ndr_map_error2ntstatus(ndr_err);
328 0 : DEBUG(0,("can't repack the SRV signature: %s\n",
329 : nt_errstr(status)));
330 0 : talloc_free(tmp_ctx);
331 0 : return status;
332 : }
333 :
334 : /* push out the whole structure, but now with zero'ed signatures */
335 4804 : ndr_err = ndr_push_struct_blob(
336 : &modified_pac_blob, pac_data_raw, pac_data_raw,
337 : (ndr_push_flags_fn_t)ndr_push_PAC_DATA_RAW);
338 4804 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
339 0 : status = ndr_map_error2ntstatus(ndr_err);
340 0 : DEBUG(0,("can't repack the RAW PAC: %s\n",
341 : nt_errstr(status)));
342 0 : talloc_free(tmp_ctx);
343 0 : return status;
344 : }
345 :
346 4804 : if (service_keyblock) {
347 : /* verify by service_key */
348 4786 : ret = check_pac_checksum(modified_pac_blob, srv_sig_ptr,
349 : context,
350 : service_keyblock);
351 4786 : if (ret) {
352 2655 : DEBUG(5, ("PAC Decode: Failed to verify the service "
353 : "signature: %s\n", error_message(ret)));
354 2655 : return NT_STATUS_ACCESS_DENIED;
355 : }
356 :
357 2131 : if (krbtgt_keyblock) {
358 : /* verify the service key checksum by krbtgt_key */
359 7 : ret = check_pac_checksum(srv_sig_ptr->signature, kdc_sig_ptr,
360 : context, krbtgt_keyblock);
361 7 : if (ret) {
362 0 : DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
363 : smb_get_krb5_error_message(context, ret, tmp_ctx)));
364 0 : talloc_free(tmp_ctx);
365 0 : return NT_STATUS_ACCESS_DENIED;
366 : }
367 : }
368 : }
369 :
370 2149 : if (tgs_authtime) {
371 : /* Convert to NT time, so as not to lose accuracy in comparison */
372 1261 : unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
373 :
374 1261 : if (tgs_authtime_nttime != logon_name->logon_time) {
375 1 : DEBUG(2, ("PAC Decode: "
376 : "Logon time mismatch between ticket and PAC!\n"));
377 1 : DEBUG(2, ("PAC Decode: PAC: %s\n",
378 : nt_time_string(tmp_ctx, logon_name->logon_time)));
379 1 : DEBUG(2, ("PAC Decode: Ticket: %s\n",
380 : nt_time_string(tmp_ctx, tgs_authtime_nttime)));
381 1 : talloc_free(tmp_ctx);
382 1 : return NT_STATUS_ACCESS_DENIED;
383 : }
384 : }
385 :
386 2148 : if (client_principal) {
387 6 : char *client_principal_string;
388 1260 : ret = krb5_unparse_name_flags(context, client_principal,
389 : KRB5_PRINCIPAL_UNPARSE_NO_REALM|KRB5_PRINCIPAL_UNPARSE_DISPLAY,
390 : &client_principal_string);
391 1260 : if (ret) {
392 0 : DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n",
393 : logon_name->account_name, error_message(ret)));
394 0 : talloc_free(tmp_ctx);
395 0 : return NT_STATUS_INVALID_PARAMETER;
396 : }
397 :
398 1260 : bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0;
399 :
400 1260 : if (!bool_ret) {
401 2 : DEBUG(2, ("Name in PAC [%s] does not match principal name "
402 : "in ticket [%s]\n",
403 : logon_name->account_name,
404 : client_principal_string));
405 2 : SAFE_FREE(client_principal_string);
406 2 : talloc_free(tmp_ctx);
407 2 : return NT_STATUS_ACCESS_DENIED;
408 : }
409 1258 : SAFE_FREE(client_principal_string);
410 :
411 : }
412 :
413 2146 : DEBUG(3,("Found account name from PAC: %s [%s]\n",
414 : logon_info->info3.base.account_name.string,
415 : logon_info->info3.base.full_name.string));
416 :
417 2146 : DEBUG(10,("Successfully validated Kerberos PAC\n"));
418 :
419 2146 : if (DEBUGLEVEL >= 10) {
420 0 : const char *s;
421 0 : s = NDR_PRINT_STRUCT_STRING(tmp_ctx, PAC_DATA, pac_data);
422 0 : if (s) {
423 0 : DEBUGADD(10,("%s\n", s));
424 : }
425 : }
426 :
427 2146 : if (pac_data_out) {
428 892 : *pac_data_out = talloc_steal(mem_ctx, pac_data);
429 : }
430 :
431 2146 : return NT_STATUS_OK;
432 : }
433 :
434 20 : NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
435 : DATA_BLOB blob,
436 : krb5_context context,
437 : const krb5_keyblock *krbtgt_keyblock,
438 : const krb5_keyblock *service_keyblock,
439 : krb5_const_principal client_principal,
440 : time_t tgs_authtime,
441 : struct PAC_LOGON_INFO **logon_info)
442 : {
443 2 : NTSTATUS nt_status;
444 2 : struct PAC_DATA *pac_data;
445 2 : int i;
446 20 : nt_status = kerberos_decode_pac(mem_ctx,
447 : blob,
448 : context,
449 : krbtgt_keyblock,
450 : service_keyblock,
451 : client_principal,
452 : tgs_authtime,
453 : &pac_data);
454 20 : if (!NT_STATUS_IS_OK(nt_status)) {
455 0 : return nt_status;
456 : }
457 :
458 20 : *logon_info = NULL;
459 148 : for (i=0; i < pac_data->num_buffers; i++) {
460 128 : if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
461 108 : continue;
462 : }
463 20 : *logon_info = pac_data->buffers[i].info->logon_info.info;
464 : }
465 20 : if (!*logon_info) {
466 0 : return NT_STATUS_INVALID_PARAMETER;
467 : }
468 20 : return NT_STATUS_OK;
469 : }
470 :
471 0 : static NTSTATUS auth4_context_fetch_PAC_DATA_CTR(
472 : struct auth4_context *auth_ctx,
473 : TALLOC_CTX *mem_ctx,
474 : struct smb_krb5_context *smb_krb5_context,
475 : DATA_BLOB *pac_blob,
476 : const char *princ_name,
477 : const struct tsocket_address *remote_address,
478 : uint32_t session_info_flags,
479 : struct auth_session_info **session_info)
480 : {
481 0 : struct PAC_DATA_CTR *pac_data_ctr = NULL;
482 0 : NTSTATUS status;
483 :
484 0 : if (pac_blob == NULL) {
485 0 : return NT_STATUS_NO_IMPERSONATION_TOKEN;
486 : }
487 :
488 0 : pac_data_ctr = talloc_zero(mem_ctx, struct PAC_DATA_CTR);
489 0 : if (pac_data_ctr == NULL) {
490 0 : status = NT_STATUS_NO_MEMORY;
491 0 : goto fail;
492 : }
493 :
494 0 : status = kerberos_decode_pac(pac_data_ctr,
495 : *pac_blob,
496 : NULL,
497 : NULL,
498 : NULL,
499 : NULL,
500 : 0,
501 0 : &pac_data_ctr->pac_data);
502 0 : if (!NT_STATUS_IS_OK(status)) {
503 0 : goto fail;
504 : }
505 :
506 0 : pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
507 : pac_blob->data,
508 : pac_blob->length);
509 0 : if (pac_data_ctr->pac_blob.length != pac_blob->length) {
510 0 : status = NT_STATUS_NO_MEMORY;
511 0 : goto fail;
512 : }
513 :
514 0 : *session_info = talloc_zero(mem_ctx, struct auth_session_info);
515 0 : if (*session_info == NULL) {
516 0 : status = NT_STATUS_NO_MEMORY;
517 0 : goto fail;
518 : }
519 :
520 0 : TALLOC_FREE(auth_ctx->private_data);
521 0 : auth_ctx->private_data = talloc_move(auth_ctx, &pac_data_ctr);
522 :
523 0 : return NT_STATUS_OK;
524 :
525 0 : fail:
526 0 : TALLOC_FREE(pac_data_ctr);
527 :
528 0 : return status;
529 : }
530 :
531 0 : struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx)
532 : {
533 0 : struct auth4_context *auth_ctx = NULL;
534 :
535 0 : auth_ctx = talloc_zero(mem_ctx, struct auth4_context);
536 0 : if (auth_ctx == NULL) {
537 0 : return NULL;
538 : }
539 0 : auth_ctx->generate_session_info_pac = auth4_context_fetch_PAC_DATA_CTR;
540 :
541 0 : return auth_ctx;
542 : }
543 :
544 0 : struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
545 : TALLOC_CTX *mem_ctx)
546 : {
547 0 : struct PAC_DATA_CTR *p = NULL;
548 0 : SMB_ASSERT(auth_ctx->generate_session_info_pac == auth4_context_fetch_PAC_DATA_CTR);
549 0 : p = talloc_get_type_abort(auth_ctx->private_data, struct PAC_DATA_CTR);
550 0 : auth_ctx->private_data = NULL;
551 0 : return talloc_move(mem_ctx, &p);
552 : }
553 :
554 : #endif
|
