CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_prin...
authorStefan Metzmacher <metze@samba.org>
Mon, 11 Oct 2021 21:17:19 +0000 (23:17 +0200)
committerJule Anger <janger@samba.org>
Tue, 9 Nov 2021 19:45:33 +0000 (19:45 +0000)
We'll require a PAC at the main gensec layer already.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/auth/auth.h
source4/auth/ntlm/auth.c
source4/auth/ntlm/auth_sam.c

index 3f9fb1ae3cbc9f4fa09dc57cad81273998d4d74c..6b7db99cbe2dc47b4a96401de9b91b8f1c5d7077 100644 (file)
@@ -69,14 +69,6 @@ struct auth_operations {
                                TALLOC_CTX *mem_ctx,
                                struct auth_user_info_dc **interim_info,
                                bool *authoritative);
-
-       /* Lookup a 'session info interim' return based only on the principal or DN */
-       NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
-                                                      struct auth4_context *auth_context,
-                                                      const char *principal,
-                                                      struct ldb_dn *user_dn,
-                                                      struct auth_user_info_dc **interim_info);
-       uint32_t flags;
 };
 
 struct auth_method_context {
index ea9ff70ce802743278db86eb107cfd2242f36324..3dd2ffc92765e4065f03d4f658255317d296cb2f 100644 (file)
@@ -86,48 +86,6 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha
        return NT_STATUS_OK;
 }
 
-/****************************************************************************
-Used in the gensec_gssapi and gensec_krb5 server-side code, where the
-PAC isn't available, and for tokenGroups in the DSDB stack.
-
- Supply either a principal or a DN
-****************************************************************************/
-static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx,
-                                                 TALLOC_CTX *mem_ctx,
-                                                 const char *principal,
-                                                 struct ldb_dn *user_dn,
-                                                  uint32_t session_info_flags,
-                                                  struct auth_session_info **session_info)
-{
-       NTSTATUS nt_status;
-       struct auth_method_context *method;
-       struct auth_user_info_dc *user_info_dc;
-
-       for (method = auth_ctx->methods; method; method = method->next) {
-               if (!method->ops->get_user_info_dc_principal) {
-                       continue;
-               }
-
-               nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc);
-               if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
-                       continue;
-               }
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       return nt_status;
-               }
-
-               nt_status = auth_generate_session_info_wrapper(auth_ctx, mem_ctx, 
-                                                              user_info_dc,
-                                                              user_info_dc->info->account_name,
-                                                              session_info_flags, session_info);
-               talloc_free(user_info_dc);
-
-               return nt_status;
-       }
-
-       return NT_STATUS_NOT_IMPLEMENTED;
-}
-
 /**
  * Check a user's Plaintext, LM or NTLM password.
  * (sync version)
@@ -627,8 +585,11 @@ static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx,
        TALLOC_CTX *tmp_ctx;
 
        if (!pac_blob) {
-               return auth_generate_session_info_principal(auth_ctx, mem_ctx, principal_name,
-                                                      NULL, session_info_flags, session_info);
+               /*
+                * This should already be catched at the main
+                * gensec layer, but better check twice
+                */
+               return NT_STATUS_INTERNAL_ERROR;
        }
 
        tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
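Review bot: The new comment in the `!pac_blob` branch has a typo and should read `This should already be caught at the main gensec layer, but better check twice`. Since this branch is now the defence-in-depth rejection of Kerberos authentication without a PAC (the removed fallback built session info from `principal_name` alone, with a NULL DN), reaching it means the gensec-layer check was bypassed, so it is worth making observable with an error-level log before the return, e.g. `DBG_ERR("%s: no PAC supplied for principal %s\n", __func__, principal_name);` — assuming the debug macros are in scope in this unit as elsewhere in source4. `NT_STATUS_INTERNAL_ERROR` signals a programming error rather than a denied access, which matches the "should not happen" intent; if a caller can legitimately reach this path, `NT_STATUS_ACCESS_DENIED` would be the more accurate status. `auth_generate_session_info_pac` starts and ends outside the hunk.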
index a521bc94bc4a3ba6bc901eae8a8a9041f01f98a9..dbbf97665db300a6a3a295b1cb35d43b802ef417 100644 (file)
@@ -938,22 +938,11 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
        return NT_STATUS_OK;
 }
 
-/* Wrapper for the auth subsystem pointer */
-static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
-                                                         struct auth4_context *auth_context,
-                                                         const char *principal,
-                                                         struct ldb_dn *user_dn,
-                                                         struct auth_user_info_dc **user_info_dc)
-{
-       return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx,
-                                                principal, user_dn, user_info_dc);
-}
 static const struct auth_operations sam_ignoredomain_ops = {
        .name                      = "sam_ignoredomain",
        .want_check                = authsam_ignoredomain_want_check,
        .check_password_send       = authsam_check_password_send,
        .check_password_recv       = authsam_check_password_recv,
-       .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
 };
 
 static const struct auth_operations sam_ops = {
@@ -961,7 +950,6 @@ static const struct auth_operations sam_ops = {
        .want_check                = authsam_want_check,
        .check_password_send       = authsam_check_password_send,
        .check_password_recv       = authsam_check_password_recv,
-       .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
 };
 
 _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *);