From 532b16f3d5b55c91f10ef747b13861be1a969dce Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 20 Oct 2005 10:15:31 +0000
Subject: r11216: Upgrade to gd's PAC extraction code from Samba3.  While I
 still want to make some this the kerberos library's problem, we may as well
 use the best code that is around.

Andrew Bartlett
(This used to be commit a7fe3078a65f958499779f381731b408f3e6fb1f)
---
 source4/auth/gensec/gensec_gssapi.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

(limited to 'source4/auth/gensec/gensec_gssapi.c')

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 97543de445..42141e4df2 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -822,6 +822,8 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 	time_t authtime;
 	krb5_principal principal;
 	char *principal_string;
+	DATA_BLOB pac_blob;
+	DATA_BLOB unwrapped_pac;
 	
 	if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
 	    || (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, 
@@ -866,12 +868,19 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 								       KRB5_AUTHDATA_IF_RELEVANT,
 								       &pac);
 	}
+
+	if (maj_stat == 0) {
+		pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length);
+		gss_release_buffer(&min_stat, &pac);
+
+		if (!unwrap_pac(mem_ctx, &pac_blob, &unwrapped_pac)) {
+			/* No pac actually present */
+			maj_stat = 1;
+		}
+	}
 	
 	if (maj_stat == 0) {
 		krb5_error_code ret;
-		DATA_BLOB pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length);
-		pac_blob = unwrap_pac(mem_ctx, &pac_blob);
-		gss_release_buffer(&min_stat, &pac);
 
 		ret = krb5_parse_name(gensec_gssapi_state->smb_krb5_context->krb5_context,
 				      principal_string, &principal);
@@ -881,7 +890,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 		}
 		
 		/* decode and verify the pac */
-		nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info, pac_blob,
+		nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info, unwrapped_pac,
 						    gensec_gssapi_state->smb_krb5_context->krb5_context,
 						    NULL, keyblock, principal, authtime);
 		krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
-- 
cgit