author | Simo Sorce <idra@samba.org> | 2010-07-24 13:02:57 -0400 |
committer | Simo Sorce <idra@samba.org> | 2010-07-28 12:42:15 -0400 |
commit | 7eaa15af2c5b544946bfb2b8c522ba9677527972 (patch) | |
tree | df6035a0a06adf47653b8c001e673677aebf71a5 /source3/librpc/rpc/dcerpc_helpers.c | |
parent | 1abcbd70aed327ae5233423ce74662241fa9d21a (diff) | |
download | samba-7eaa15af2c5b544946bfb2b8c522ba9677527972.tar.gz samba-7eaa15af2c5b544946bfb2b8c522ba9677527972.tar.bz2 samba-7eaa15af2c5b544946bfb2b8c522ba9677527972.zip |
s3-dcerpc: Add sign/seal with gssapi
Diffstat (limited to 'source3/librpc/rpc/dcerpc_helpers.c')
-rw-r--r-- | source3/librpc/rpc/dcerpc_helpers.c | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index be076d8645..4dc3d7f81f 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -26,6 +26,7 @@
 #include "../libcli/auth/spnego.h"
 #include "../libcli/auth/ntlmssp.h"
 #include "ntlmssp_wrap.h"
+#include "librpc/rpc/dcerpc_gssapi.h"
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_PARSE
@@ -371,6 +372,55 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
 return NT_STATUS_OK;
 }
+/*******************************************************************
+ Create and add the gssapi sign/seal auth data.
+ ********************************************************************/
+
+static NTSTATUS add_gssapi_auth_footer(struct gse_context *gse_ctx,
+ enum dcerpc_AuthLevel auth_level,
+ DATA_BLOB *rpc_out)
+{
+ DATA_BLOB data;
+ DATA_BLOB auth_blob;
+ NTSTATUS status;
+
+ if (!gse_ctx) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ data.data = rpc_out->data + DCERPC_RESPONSE_LENGTH;
+ data.length = rpc_out->length - DCERPC_RESPONSE_LENGTH
+ - DCERPC_AUTH_TRAILER_LENGTH;
+
+ switch (auth_level) {
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ status = gse_seal(talloc_tos(), gse_ctx, &data, &auth_blob);
+ break;
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ status = gse_sign(talloc_tos(), gse_ctx, &data, &auth_blob);
+ break;
+ default:
+ status = NT_STATUS_INTERNAL_ERROR;
+ break;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to process packet: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ /* Finally attach the blob. */
+ if (!data_blob_append(NULL, rpc_out,
+ auth_blob.data, auth_blob.length)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ data_blob_free(&auth_blob);
+
+ return NT_STATUS_OK;
+}
+
 /**
 * @brief Append an auth footer according to what is the current mechanism
 * 
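Review bot: The payload length in add_gssapi_auth_footer is computed as `rpc_out->length - DCERPC_RESPONSE_LENGTH - DCERPC_AUTH_TRAILER_LENGTH` without checking that rpc_out is at least that long; DATA_BLOB.length is unsigned, so a shorter buffer silently underflows into a huge length that is then handed to gse_seal()/gse_sign() as the region to encrypt or sign. Unless every caller of dcerpc_add_auth_footer guarantees that the header and the auth trailer are already present in rpc_out, a guard before the assignment is cheap: `if (rpc_out->length < DCERPC_RESPONSE_LENGTH + DCERPC_AUTH_TRAILER_LENGTH) { return NT_STATUS_INVALID_PARAMETER; }`. The header comment could also state the ownership contract the code implies: auth_blob is allocated by gse_seal()/gse_sign() on talloc_tos() and is released here after the append, while on the data_blob_append failure path it is left to the stack frame.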
@@ -443,6 +493,11 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
 auth->auth_level,
 rpc_out);
 break;
+ case DCERPC_AUTH_TYPE_KRB5:
+ status = add_gssapi_auth_footer(auth->a_u.gssapi_state,
+ auth->auth_level,
+ rpc_out);
+ break;
 default:
 status = NT_STATUS_INVALID_PARAMETER;
 break;
@@ -617,6 +672,37 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
 }
 break;
+ case DCERPC_AUTH_TYPE_KRB5:
+
+ DEBUG(10, ("KRB5 auth\n"));
+
+ switch (auth->auth_level) {
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ status = gse_unseal(pkt, auth->a_u.gssapi_state,
+ &data, &auth_info.credentials);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ memcpy(pkt_trailer->data, data.data, data.length);
+ break;
+
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ /* TODO: pass in full_pkt when
+ * DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN is set */
+ status = gse_sigcheck(pkt, auth->a_u.gssapi_state,
+ &data, &auth_info.credentials);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ break;
+
+ default:
+ DEBUG(0, ("Invalid auth level, "
+ "failed to process packet auth.\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ break;
+
 default:
 DEBUG(0, ("process_request_pdu: "
 "unknown auth type %u set.\n", |
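Review bot: In the DCERPC_AUTH_LEVEL_PRIVACY branch of dcerpc_check_auth, `memcpy(pkt_trailer->data, data.data, data.length)` copies whatever length gse_unseal() reports without comparing it against pkt_trailer->length; how data and pkt_trailer are set up is above the hunk (dcerpc_check_auth starts and ends outside it), so if gse_unseal() can report a length larger than the trailer buffer, this copy of bytes received from the peer overruns it. A check before the copy makes the branch safe regardless of that contract: `if (data.length > pkt_trailer->length) { return NT_STATUS_INVALID_PARAMETER; }`. If data.data already points into pkt_trailer->data (decrypt-in-place), the two ranges overlap and memcpy is undefined for that case; memmove is the safe choice, or the copy can be dropped when the ranges are known to coincide. The header-signing TODO is attached only to the integrity case; if DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN also affects the privacy path, the same comment belongs on the gse_unseal() call so the gap is not overlooked there.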