diff options
author | Andrew Bartlett <abartlet@samba.org> | 2012-01-03 21:54:49 +1100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2012-01-18 16:23:23 +0100 |
commit | 1818612830576419889ff5702d5e85fa63ddb121 (patch) | |
tree | 2c13df3c5a1470a4c4106b32be5a2f7ebaf905d7 | |
parent | ad14b8c655f1ae02b2d2b854ab6bda4480c5f8ca (diff) | |
download | samba-1818612830576419889ff5702d5e85fa63ddb121.tar.gz samba-1818612830576419889ff5702d5e85fa63ddb121.tar.bz2 samba-1818612830576419889ff5702d5e85fa63ddb121.zip |
s3-librpc Remove special case for spnego dcerpc sign/seal
SPNEGO is implemented only in terms of gensec mechanisms now.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | source3/librpc/rpc/dcerpc_helpers.c | 110 |
1 files changed, 18 insertions, 92 deletions
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c index 5a50f2b24a..212c98fb1a 100644 --- a/source3/librpc/rpc/dcerpc_helpers.c +++ b/source3/librpc/rpc/dcerpc_helpers.c @@ -543,92 +543,6 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx, } } -/******************************************************************* - Create and add the spnego-negotiated sign/seal auth data. - ********************************************************************/ - -static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx, - enum dcerpc_AuthLevel auth_level, - DATA_BLOB *rpc_out) -{ - DATA_BLOB auth_blob; - DATA_BLOB rpc_data; - NTSTATUS status; - - if (!spnego_ctx) { - return NT_STATUS_INVALID_PARAMETER; - } - - rpc_data = data_blob_const(rpc_out->data - + DCERPC_RESPONSE_LENGTH, - rpc_out->length - - DCERPC_RESPONSE_LENGTH - - DCERPC_AUTH_TRAILER_LENGTH); - - switch (auth_level) { - case DCERPC_AUTH_LEVEL_PRIVACY: - /* Data portion is encrypted. */ - status = spnego_seal(rpc_out->data, spnego_ctx, - &rpc_data, rpc_out, &auth_blob); - break; - - if (!NT_STATUS_IS_OK(status)) { - return status; - } - break; - - case DCERPC_AUTH_LEVEL_INTEGRITY: - /* Data is signed. */ - status = spnego_sign(rpc_out->data, spnego_ctx, - &rpc_data, rpc_out, &auth_blob); - break; - - if (!NT_STATUS_IS_OK(status)) { - return status; - } - break; - - default: - /* Can't happen. */ - smb_panic("bad auth level"); - /* Notreached. */ - return NT_STATUS_INVALID_PARAMETER; - } - - /* Finally attach the blob. */ - if (!data_blob_append(NULL, rpc_out, - auth_blob.data, auth_blob.length)) { - DEBUG(0, ("Failed to add %u bytes auth blob.\n", - (unsigned int)auth_blob.length)); - return NT_STATUS_NO_MEMORY; - } - data_blob_free(&auth_blob); - - return NT_STATUS_OK; -} - -static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx, - struct spnego_context *sp_ctx, - enum dcerpc_AuthLevel auth_level, - DATA_BLOB *data, DATA_BLOB *full_pkt, - DATA_BLOB *auth_token) -{ - switch (auth_level) { - case DCERPC_AUTH_LEVEL_PRIVACY: - /* Data portion is encrypted. */ - return spnego_unseal(mem_ctx, sp_ctx, - data, full_pkt, auth_token); - - case DCERPC_AUTH_LEVEL_INTEGRITY: - /* Data is signed. */ - return spnego_sigcheck(mem_ctx, sp_ctx, - data, full_pkt, auth_token); - - default: - return NT_STATUS_INVALID_PARAMETER; - } -} - /** * @brief Append an auth footer according to what is the current mechanism * @@ -694,8 +608,14 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth, case DCERPC_AUTH_TYPE_SPNEGO: spnego_ctx = talloc_get_type_abort(auth->auth_ctx, struct spnego_context); - status = add_spnego_auth_footer(spnego_ctx, - auth->auth_level, rpc_out); + status = spnego_get_negotiated_mech(spnego_ctx, &gensec_security); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = add_generic_auth_footer(gensec_security, + auth->auth_level, + rpc_out); break; case DCERPC_AUTH_TYPE_KRB5: case DCERPC_AUTH_TYPE_NTLMSSP: @@ -810,10 +730,16 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, case DCERPC_AUTH_TYPE_SPNEGO: spnego_ctx = talloc_get_type_abort(auth->auth_ctx, struct spnego_context); - status = get_spnego_auth_footer(pkt, spnego_ctx, - auth->auth_level, - &data, &full_pkt, - &auth_info.credentials); + status = spnego_get_negotiated_mech(spnego_ctx, &gensec_security); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = get_generic_auth_footer(gensec_security, + auth->auth_level, + &data, &full_pkt, + &auth_info.credentials); + if (!NT_STATUS_IS_OK(status)) { return status; } |