authorAndrew Bartlett <abartlet@samba.org>2011-12-27 10:25:55 +1100
committerStefan Metzmacher <metze@samba.org>2012-01-06 08:12:49 +0100
commita00032a92d9c0fcd4fa3f551abb901e5240f780f (patch)
treea946857f13846f35f39895a5024468e24af0576d
parent21415568fe335d513545ef5788462551e2f1f1ae (diff)
downloadsamba-a00032a92d9c0fcd4fa3f551abb901e5240f780f.tar.gz
samba-a00032a92d9c0fcd4fa3f551abb901e5240f780f.tar.bz2
samba-a00032a92d9c0fcd4fa3f551abb901e5240f780f.zip
s3-libsmb Make auth_ntlmssp client more generic
As well as renaming the functions, this allows the GENSEC mech to be started by DCE/RPC auth type as well as by OID. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--source3/include/auth_generic.h (renamed from source3/include/ntlmssp_wrap.h)22
-rw-r--r--source3/librpc/crypto/cli_spnego.c25
-rw-r--r--source3/libsmb/clifsinfo.c27
-rw-r--r--source3/libsmb/ntlmssp_wrap.c43
-rw-r--r--source3/rpc_client/cli_pipe.c19
5 files changed, 81 insertions, 55 deletions
diff --git a/source3/include/ntlmssp_wrap.h b/source3/include/auth_generic.h
index ac2c77da37..faea6106ad 100644
--- a/source3/include/ntlmssp_wrap.h
+++ b/source3/include/auth_generic.h
@@ -2,7 +2,7 @@
NLTMSSP wrappers
Copyright (C) Andrew Tridgell 2001
- Copyright (C) Andrew Bartlett 2001-2003
+ Copyright (C) Andrew Bartlett 2001-2011
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -18,8 +18,8 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#ifndef _NTLMSSP_WRAP_
-#define _NTLMSSP_WRAP_
+#ifndef _AUTH_GENERIC_
+#define _AUTH_GENERIC_
struct gensec_security;
@@ -31,14 +31,18 @@ struct auth_generic_state {
struct gensec_security *gensec_security;
};
-NTSTATUS auth_ntlmssp_set_username(struct auth_generic_state *ans,
+NTSTATUS auth_generic_set_username(struct auth_generic_state *ans,
const char *user);
-NTSTATUS auth_ntlmssp_set_domain(struct auth_generic_state *ans,
+NTSTATUS auth_generic_set_domain(struct auth_generic_state *ans,
const char *domain);
-NTSTATUS auth_ntlmssp_set_password(struct auth_generic_state *ans,
+NTSTATUS auth_generic_set_password(struct auth_generic_state *ans,
const char *password);
-NTSTATUS auth_ntlmssp_client_prepare(TALLOC_CTX *mem_ctx,
+NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx,
struct auth_generic_state **_ans);
-NTSTATUS auth_ntlmssp_client_start(struct auth_generic_state *ans);
+NTSTATUS auth_generic_client_start(struct auth_generic_state *ans, const char *oid);
-#endif /* _NTLMSSP_WRAP_ */
+NTSTATUS auth_generic_client_start_by_authtype(struct auth_generic_state *ans,
+ uint8_t auth_type,
+ uint8_t auth_level);
+
+#endif /* _AUTH_GENERIC_ */
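Review bot: The new `auth_generic_client_start_by_authtype()` prototype and the widened `auth_generic_client_start()` carry no documentation, yet both have a contract callers must know: the implementation in ntlmssp_wrap.c hands `ans->credentials` to gensec and then unlinks and NULLs it, so either start function must be called after the three `auth_generic_set_*()` setters and at most once per state. I would add above the two prototypes a comment along the lines of `/* Hand the credentials set via auth_generic_set_*() to gensec and start the client mech, selected by GENSEC OID or by DCE/RPC auth type and level (DCERPC_AUTH_LEVEL_*). Call once per state; on failure the state must be freed, not retried. */`. The `auth_type` value is presumably a DCE/RPC auth type constant; the header should say so rather than leave it to the reader.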
diff --git a/source3/librpc/crypto/cli_spnego.c b/source3/librpc/crypto/cli_spnego.c
index 827b135b22..54ea99b8e8 100644
--- a/source3/librpc/crypto/cli_spnego.c
+++ b/source3/librpc/crypto/cli_spnego.c
@@ -2,6 +2,7 @@
* SPNEGO Encapsulation
* Client functions
* Copyright (C) Simo Sorce 2010.
+ * Copyright (C) Andrew Bartlett 2011.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -19,7 +20,7 @@
#include "includes.h"
#include "../libcli/auth/spnego.h"
-#include "include/ntlmssp_wrap.h"
+#include "include/auth_generic.h"
#include "librpc/gen_ndr/ntlmssp.h"
#include "auth/ntlmssp/ntlmssp.h"
#include "librpc/crypto/gse.h"
@@ -92,7 +93,7 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx,
struct spnego_context **spnego_ctx)
{
struct spnego_context *sp_ctx = NULL;
- struct auth_generic_state *auth_ntlmssp_state;
+ struct auth_generic_state *auth_generic_state;
NTSTATUS status;
status = spnego_context_init(mem_ctx, do_sign, do_seal, &sp_ctx);
@@ -101,28 +102,28 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx,
}
sp_ctx->mech = SPNEGO_NTLMSSP;
- status = auth_ntlmssp_client_prepare(sp_ctx,
- &auth_ntlmssp_state);
+ status = auth_generic_client_prepare(sp_ctx,
+ &auth_generic_state);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sp_ctx);
return status;
}
- status = auth_ntlmssp_set_username(auth_ntlmssp_state,
+ status = auth_generic_set_username(auth_generic_state,
username);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sp_ctx);
return status;
}
- status = auth_ntlmssp_set_domain(auth_ntlmssp_state,
+ status = auth_generic_set_domain(auth_generic_state,
domain);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sp_ctx);
return status;
}
- status = auth_ntlmssp_set_password(auth_ntlmssp_state,
+ status = auth_generic_set_password(auth_generic_state,
password);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sp_ctx);
@@ -130,21 +131,21 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx,
}
if (do_sign) {
- gensec_want_feature(auth_ntlmssp_state->gensec_security,
+ gensec_want_feature(auth_generic_state->gensec_security,
GENSEC_FEATURE_SIGN);
} else if (do_seal) {
- gensec_want_feature(auth_ntlmssp_state->gensec_security,
+ gensec_want_feature(auth_generic_state->gensec_security,
GENSEC_FEATURE_SEAL);
}
- status = auth_ntlmssp_client_start(auth_ntlmssp_state);
+ status = auth_generic_client_start(auth_generic_state, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sp_ctx);
return status;
}
- sp_ctx->mech_ctx.gensec_security = talloc_move(sp_ctx, &auth_ntlmssp_state->gensec_security);
- TALLOC_FREE(auth_ntlmssp_state);
+ sp_ctx->mech_ctx.gensec_security = talloc_move(sp_ctx, &auth_generic_state->gensec_security);
+ TALLOC_FREE(auth_generic_state);
*spnego_ctx = sp_ctx;
return NT_STATUS_OK;
}
diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
index ff15624c60..5c86c5d288 100644
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -3,6 +3,7 @@
FS info functions
Copyright (C) Stefan (metze) Metzmacher 2003
Copyright (C) Jeremy Allison 2007
+ Copyright (C) Andrew Bartlett 2011
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -26,7 +27,7 @@
#include "async_smb.h"
#include "../libcli/smb/smb_seal.h"
#include "trans2.h"
-#include "ntlmssp_wrap.h"
+#include "auth_generic.h"
#include "auth/gensec/gensec.h"
#include "../libcli/smb/smbXcli_base.h"
@@ -610,37 +611,37 @@ NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli,
DATA_BLOB blob_out = data_blob_null;
DATA_BLOB param_out = data_blob_null;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- struct auth_generic_state *auth_ntlmssp_state;
+ struct auth_generic_state *auth_generic_state;
struct smb_trans_enc_state *es = make_cli_enc_state(SMB_TRANS_ENC_NTLM);
if (!es) {
return NT_STATUS_NO_MEMORY;
}
- status = auth_ntlmssp_client_prepare(NULL,
- &auth_ntlmssp_state);
+ status = auth_generic_client_prepare(NULL,
+ &auth_generic_state);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
- gensec_want_feature(auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
- gensec_want_feature(auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SEAL);
+ gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL);
- if (!NT_STATUS_IS_OK(status = auth_ntlmssp_set_username(auth_ntlmssp_state, user))) {
+ if (!NT_STATUS_IS_OK(status = auth_generic_set_username(auth_generic_state, user))) {
goto fail;
}
- if (!NT_STATUS_IS_OK(status = auth_ntlmssp_set_domain(auth_ntlmssp_state, domain))) {
+ if (!NT_STATUS_IS_OK(status = auth_generic_set_domain(auth_generic_state, domain))) {
goto fail;
}
- if (!NT_STATUS_IS_OK(status = auth_ntlmssp_set_password(auth_ntlmssp_state, pass))) {
+ if (!NT_STATUS_IS_OK(status = auth_generic_set_password(auth_generic_state, pass))) {
goto fail;
}
- if (!NT_STATUS_IS_OK(status = auth_ntlmssp_client_start(auth_ntlmssp_state))) {
+ if (!NT_STATUS_IS_OK(status = auth_generic_client_start(auth_generic_state, GENSEC_OID_NTLMSSP))) {
goto fail;
}
do {
- status = gensec_update(auth_ntlmssp_state->gensec_security, auth_ntlmssp_state,
+ status = gensec_update(auth_generic_state->gensec_security, auth_generic_state,
NULL, blob_in, &blob_out);
data_blob_free(&blob_in);
data_blob_free(&param_out);
@@ -671,13 +672,13 @@ NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli,
* es is a malloc()ed pointer, so we cannot make
* gensec_security a talloc child */
es->s.gensec_security = talloc_move(NULL,
- &auth_ntlmssp_state->gensec_security);
+ &auth_generic_state->gensec_security);
smb1cli_conn_set_encryption(cli->conn, es);
es = NULL;
}
fail:
- TALLOC_FREE(auth_ntlmssp_state);
+ TALLOC_FREE(auth_generic_state);
common_free_encryption_state(&es);
return status;
}
diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c
index e2d1bc636f..36508129ae 100644
--- a/source3/libsmb/ntlmssp_wrap.c
+++ b/source3/libsmb/ntlmssp_wrap.c
@@ -20,27 +20,27 @@
#include "includes.h"
#include "auth/ntlmssp/ntlmssp.h"
-#include "ntlmssp_wrap.h"
+#include "auth_generic.h"
#include "auth/gensec/gensec.h"
#include "auth/credentials/credentials.h"
#include "librpc/rpc/dcerpc.h"
#include "lib/param/param.h"
-NTSTATUS auth_ntlmssp_set_username(struct auth_generic_state *ans,
+NTSTATUS auth_generic_set_username(struct auth_generic_state *ans,
const char *user)
{
cli_credentials_set_username(ans->credentials, user, CRED_SPECIFIED);
return NT_STATUS_OK;
}
-NTSTATUS auth_ntlmssp_set_domain(struct auth_generic_state *ans,
+NTSTATUS auth_generic_set_domain(struct auth_generic_state *ans,
const char *domain)
{
cli_credentials_set_domain(ans->credentials, domain, CRED_SPECIFIED);
return NT_STATUS_OK;
}
-NTSTATUS auth_ntlmssp_set_password(struct auth_generic_state *ans,
+NTSTATUS auth_generic_set_password(struct auth_generic_state *ans,
const char *password)
{
cli_credentials_set_password(ans->credentials, password, CRED_SPECIFIED);
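Review bot: The renamed setters still return NT_STATUS_OK unconditionally and discard the result of `cli_credentials_set_username()`, `cli_credentials_set_domain()` and `cli_credentials_set_password()`; in this credentials API those report a boolean result and the password setter in particular can fail on allocation, so a caller can proceed to start the mech with no password stored and only find out at authentication time. Since the NTSTATUS return already exists, propagate the failure, e.g. `if (!cli_credentials_set_password(ans->credentials, password, CRED_SPECIFIED)) { return NT_STATUS_NO_MEMORY; }` and the equivalent for username and domain. The hunk shows the three setters in full; the rest of the file continues outside it.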
@@ -153,7 +153,7 @@ static const struct gensec_security_ops gensec_ntlmssp3_client_ops = {
.priority = GENSEC_NTLMSSP
};
-NTSTATUS auth_ntlmssp_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_state **auth_ntlmssp_state)
+NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_state **auth_generic_state)
{
struct auth_generic_state *ans;
NTSTATUS nt_status;
@@ -163,7 +163,7 @@ NTSTATUS auth_ntlmssp_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
ans = talloc_zero(mem_ctx, struct auth_generic_state);
if (!ans) {
- DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
+ DEBUG(0,("auth_generic_start: talloc failed!\n"));
return NT_STATUS_NO_MEMORY;
}
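Review bot: The renamed DEBUG message names `auth_generic_start`, which is not a function in this file; the enclosing function is `auth_generic_client_prepare()` (its body starts and ends outside the hunk). The old text `auth_ntlmssp_start` was already a mismatch and the rename carried it forward, which makes the log line harder to trace back to its source. Use the real name: `DEBUG(0,("auth_generic_client_prepare: talloc failed!\n"));`.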
@@ -207,11 +207,11 @@ NTSTATUS auth_ntlmssp_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
talloc_unlink(ans, lp_ctx);
talloc_unlink(ans, gensec_settings);
- *auth_ntlmssp_state = ans;
+ *auth_generic_state = ans;
return NT_STATUS_OK;
}
-NTSTATUS auth_ntlmssp_client_start(struct auth_generic_state *ans)
+NTSTATUS auth_generic_client_start(struct auth_generic_state *ans, const char *oid)
{
NTSTATUS status;
@@ -226,7 +226,32 @@ NTSTATUS auth_ntlmssp_client_start(struct auth_generic_state *ans)
ans->credentials = NULL;
status = gensec_start_mech_by_oid(ans->gensec_security,
- GENSEC_OID_NTLMSSP);
+ oid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS auth_generic_client_start_by_authtype(struct auth_generic_state *ans,
+ uint8_t auth_type,
+ uint8_t auth_level)
+{
+ NTSTATUS status;
+
+ /* Transfer the credentials to gensec */
+ status = gensec_set_credentials(ans->gensec_security, ans->credentials);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to set GENSEC credentials: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+ talloc_unlink(ans, ans->credentials);
+ ans->credentials = NULL;
+
+ status = gensec_start_mech_by_authtype(ans->gensec_security,
+ auth_type, auth_level);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
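Review bot: `auth_generic_client_start_by_authtype()` duplicates the credential hand-over sequence of `auth_generic_client_start()` (gensec_set_credentials, the DEBUG on failure, talloc_unlink, NULLing `ans->credentials`), so the two will drift apart the next time that ownership logic is touched; I would move it into one static helper that both start functions call. The hand-over also makes each start function one-shot — after it the credentials are no longer reachable from `ans`, so a failed `gensec_start_mech_by_authtype()` cannot be retried with another mech on the same state — which deserves a comment on the helper. Minor: in `auth_generic_client_start()` the new `if (!NT_STATUS_IS_OK(status)) { return status; } return NT_STATUS_OK;` is just `return status;`. `auth_generic_client_start()` begins before this hunk and `auth_generic_client_start_by_authtype()` ends after it.
```c
/* Hand ans->credentials to gensec. Afterwards ans no longer owns them,
 * so a start function that fails cannot be retried on the same state. */
static NTSTATUS auth_generic_transfer_credentials(struct auth_generic_state *ans)
{
	NTSTATUS status;

	status = gensec_set_credentials(ans->gensec_security, ans->credentials);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(1, ("Failed to set GENSEC credentials: %s\n",
			  nt_errstr(status)));
		return status;
	}
	talloc_unlink(ans, ans->credentials);
	ans->credentials = NULL;
	return NT_STATUS_OK;
}

NTSTATUS auth_generic_client_start_by_authtype(struct auth_generic_state *ans,
					       uint8_t auth_type,
					       uint8_t auth_level)
{
	NTSTATUS status;

	status = auth_generic_transfer_credentials(ans);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = gensec_start_mech_by_authtype(ans->gensec_security,
					       auth_type, auth_level);
	/* … unchanged: status check and return … */
```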
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 8ea500db70..93e1357733 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3,6 +3,7 @@
* RPC Pipe client routines
* Largely rewritten by Jeremy Allison 2005.
* Heavily modified by Simo Sorce 2010.
+ * Copyright Andrew Bartlett 2011.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -26,7 +27,7 @@
#include "../libcli/auth/schannel.h"
#include "../libcli/auth/spnego.h"
#include "../auth/ntlmssp/ntlmssp.h"
-#include "ntlmssp_wrap.h"
+#include "auth_generic.h"
#include "librpc/gen_ndr/ndr_dcerpc.h"
#include "librpc/rpc/dcerpc.h"
#include "librpc/crypto/gse.h"
@@ -2284,34 +2285,28 @@ static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
goto fail;
}
- status = auth_ntlmssp_client_prepare(result,
+ status = auth_generic_client_prepare(result,
&ntlmssp_ctx);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
- status = auth_ntlmssp_set_username(ntlmssp_ctx, username);
+ status = auth_generic_set_username(ntlmssp_ctx, username);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
- status = auth_ntlmssp_set_domain(ntlmssp_ctx, domain);
+ status = auth_generic_set_domain(ntlmssp_ctx, domain);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
- status = auth_ntlmssp_set_password(ntlmssp_ctx, password);
+ status = auth_generic_set_password(ntlmssp_ctx, password);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
- if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
- gensec_want_feature(ntlmssp_ctx->gensec_security, GENSEC_FEATURE_SIGN);
- } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
- gensec_want_feature(ntlmssp_ctx->gensec_security, GENSEC_FEATURE_SEAL);
- }
-
- status = auth_ntlmssp_client_start(ntlmssp_ctx);
+ status = auth_generic_client_start_by_authtype(ntlmssp_ctx, auth_type, auth_level);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
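Review bot: The explicit `gensec_want_feature(GENSEC_FEATURE_SIGN/SEAL)` requests keyed on `auth_level` are removed, so whether this bind is signed or sealed now rests entirely on `gensec_start_mech_by_authtype()` deriving those features from `auth_level`; nothing in the hunk shows or checks that, and if it does not happen a caller asking for INTEGRITY or PRIVACY would get an unprotected bind with no error, which is a silent downgrade. If the helper is known to request the features, say so at the call: `/* sign/seal are requested by gensec_start_mech_by_authtype() from auth_level */`; if not, keep the two `gensec_want_feature()` calls ahead of it. Note also that `auth_type` is now passed straight through, so a function still named `rpccli_ntlmssp_bind_data` will start whatever mech the caller's auth type names — presumably only NTLMSSP reaches here, but that is worth a comment or a check. The function starts and ends outside the hunk.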