author | Andrew Bartlett <abartlet@samba.org> | 2012-01-02 13:06:29 +1100 |
committer | Stefan Metzmacher <metze@samba.org> | 2012-01-18 16:23:22 +0100 |
commit | e012ad9d8b7cea3a86841fe92b80627a6d07d459 (patch) | |
tree | 7ccd7a5650d5f6d3a21cc7e9846402002419cb12 /source3/librpc/rpc | |
parent | 1b6356298ceeb21ebcb125e239316fb29ff623fc (diff) | |
s3-librpc Call GSSAPI via the auth_generic layer and gensec
This simplifies a lot of code, as we know we are always dealing with a
struct gensec_security, and it allows the gensec module used to
implement GSSAPI to be swapped when required for AD-server operation.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3/librpc/rpc')
-rw-r--r-- | source3/librpc/rpc/dcerpc_helpers.c | 111 |
1 files changed, 3 insertions, 108 deletions
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index 026b1fa32f..4cfe7933fe 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -335,6 +335,7 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
 break;
 
 case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
 gensec_security = talloc_get_type_abort(auth->auth_ctx,
 struct gensec_security);
 *auth_len = gensec_sig_size(gensec_security, max_len);
@@ -345,14 +346,6 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
 struct schannel_state);
 *auth_len = netsec_outgoing_sig_size(schannel_auth);
 break;
-
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct gse_context);
- *auth_len = gse_get_signature_length(gse_ctx,
- seal, max_len);
- break;
-
 default:
 return NT_STATUS_INVALID_PARAMETER;
 }
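Review bot: The KRB5 case now sizes its auth trailer with `gensec_sig_size(gensec_security, max_len)`, while the removed `gse_get_signature_length(gse_ctx, seal, max_len)` took `seal` explicitly; the gensec call has no such argument, so the trailer length for a sealed KRB5 connection must come from the gensec module's own record of the negotiated SEAL feature. That looks intentional, but it is worth confirming that the gssapi backend's sig_size accounts for privacy-level wrapping, since an under-estimate feeds `*auth_len` and the padding computed later in dcerpc_guess_sizes (the rest of the function is outside the hunk). A one-line comment on the merged label, `/* NTLMSSP and KRB5 both go via gensec; sign vs seal comes from the gensec feature set, not a flag */`, would record why `seal` is no longer consulted here. The same merge is made in dcerpc_add_auth_footer and dcerpc_check_auth in the later hunks.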
@@ -576,82 +569,6 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
 }
 
 /*******************************************************************
- Create and add the gssapi sign/seal auth data.
- ********************************************************************/
-
-static NTSTATUS add_gssapi_auth_footer(struct gse_context *gse_ctx,
- enum dcerpc_AuthLevel auth_level,
- DATA_BLOB *rpc_out)
-{
- DATA_BLOB data;
- DATA_BLOB auth_blob;
- NTSTATUS status;
-
- if (!gse_ctx) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- data.data = rpc_out->data + DCERPC_RESPONSE_LENGTH;
- data.length = rpc_out->length - DCERPC_RESPONSE_LENGTH
- - DCERPC_AUTH_TRAILER_LENGTH;
-
- switch (auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- status = gse_seal(talloc_tos(), gse_ctx, &data, &auth_blob);
- break;
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- status = gse_sign(talloc_tos(), gse_ctx, &data, &auth_blob);
- break;
- default:
- status = NT_STATUS_INTERNAL_ERROR;
- break;
- }
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to process packet: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- /* Finally attach the blob. */
- if (!data_blob_append(NULL, rpc_out,
- auth_blob.data, auth_blob.length)) {
- return NT_STATUS_NO_MEMORY;
- }
-
- data_blob_free(&auth_blob);
-
- return NT_STATUS_OK;
-}
-
-/*******************************************************************
- Check/unseal the gssapi auth data. (Unseal in place).
- ********************************************************************/
-
-static NTSTATUS get_gssapi_auth_footer(TALLOC_CTX *mem_ctx,
- struct gse_context *gse_ctx,
- enum dcerpc_AuthLevel auth_level,
- DATA_BLOB *data, DATA_BLOB *full_pkt,
- DATA_BLOB *auth_token)
-{
- /* TODO: pass in full_pkt when
- * DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN is set */
- switch (auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- /* Data portion is encrypted. */
- return gse_unseal(mem_ctx, gse_ctx,
- data, auth_token);
-
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- /* Data is signed. */
- return gse_sigcheck(mem_ctx, gse_ctx,
- data, auth_token);
- default:
- return NT_STATUS_INVALID_PARAMETER;
- }
-}
-
-/*******************************************************************
 Create and add the spnego-negotiated sign/seal auth data.
 ********************************************************************/
 
@@ -752,7 +669,6 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
 struct schannel_state *schannel_auth;
 struct gensec_security *gensec_security;
 struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
 char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
 DATA_BLOB auth_info;
 DATA_BLOB auth_blob;
@@ -806,6 +722,7 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
 status = add_spnego_auth_footer(spnego_ctx,
 auth->auth_level, rpc_out);
 break;
+ case DCERPC_AUTH_TYPE_KRB5:
 case DCERPC_AUTH_TYPE_NTLMSSP:
 gensec_security = talloc_get_type_abort(auth->auth_ctx,
 struct gensec_security);
@@ -820,13 +737,6 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
 auth->auth_level,
 rpc_out);
 break;
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct gse_context);
- status = add_gssapi_auth_footer(gse_ctx,
- auth->auth_level,
- rpc_out);
- break;
 default:
 status = NT_STATUS_INVALID_PARAMETER;
 break;
@@ -857,7 +767,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
 struct schannel_state *schannel_auth;
 struct gensec_security *gensec_security;
 struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
 NTSTATUS status;
 struct dcerpc_auth auth_info;
 uint32_t auth_length;
@@ -935,6 +844,7 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
 }
 break;
 
+ case DCERPC_AUTH_TYPE_KRB5:
 case DCERPC_AUTH_TYPE_NTLMSSP:
 
 DEBUG(10, ("GENSEC auth\n"));
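Review bot: The new `case DCERPC_AUTH_TYPE_KRB5:` in dcerpc_check_auth falls into the gensec branch, whose body after `DEBUG(10, ("GENSEC auth\n"))` lies outside the hunk, so it cannot be seen here whether `full_pkt` is offered to the signature check on the new KRB5 path; the deleted get_gssapi_auth_footer carried a TODO about DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN that disappears with it. If the gensec branch still verifies only `data`, that reminder should be restated there, e.g. `/* TODO: pass full_pkt when DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN is set */`, so the header-signing gap stays visible to the next reader. A smaller point of style: this hunk and the one in dcerpc_add_auth_footer list `KRB5` before `NTLMSSP`, while the dcerpc_guess_sizes hunk lists `NTLMSSP` first; using one order in all three switches would make them easier to compare.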
@@ -965,21 +875,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
 }
 break;
 
- case DCERPC_AUTH_TYPE_KRB5:
-
- DEBUG(10, ("KRB5 auth\n"));
-
- gse_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct gse_context);
- status = get_gssapi_auth_footer(pkt, gse_ctx,
- auth->auth_level,
- &data, &full_pkt,
- &auth_info.credentials);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- break;
-
 default:
 DEBUG(0, ("process_request_pdu: "
 "unknown auth type %u set.\n",