authorAndrew Bartlett <abartlet@samba.org>2012-01-02 13:06:29 +1100
committerStefan Metzmacher <metze@samba.org>2012-01-18 16:23:22 +0100
commite012ad9d8b7cea3a86841fe92b80627a6d07d459 (patch)
tree7ccd7a5650d5f6d3a21cc7e9846402002419cb12 /source3/librpc/rpc
parent1b6356298ceeb21ebcb125e239316fb29ff623fc (diff)
s3-librpc Call GSSAPI via the auth_generic layer and gensec
This simplifies a lot of code, as we know we are always dealing with a struct gensec_security, and allows the gensec module being used to implement GSSAPI to be swapped when required for AD-server operation. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3/librpc/rpc')
-rw-r--r--source3/librpc/rpc/dcerpc_helpers.c111
1 files changed, 3 insertions, 108 deletions
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index 026b1fa32f..4cfe7933fe 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -335,6 +335,7 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
break;
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(auth->auth_ctx,
struct gensec_security);
*auth_len = gensec_sig_size(gensec_security, max_len);
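Review bot: The Kerberos trailer size is now taken from gensec_sig_size(), which does not receive the `seal` flag that the removed gse_get_signature_length() call used, so the result depends entirely on whether the gensec context was set up with the sealing feature that matches auth_level. If the two disagree, the guessed auth_len and the padding derived from it are wrong and the packet will fail signature or seal verification on the peer rather than here. A short comment at the new case would record that assumption, e.g. `/* KRB5 goes via gensec: the sig size follows the SEAL feature on the context, not the seal argument. */`. dcerpc_guess_sizes starts before this hunk, so whether `seal` is still used elsewhere in the function cannot be seen from here.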
@@ -345,14 +346,6 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
struct schannel_state);
*auth_len = netsec_outgoing_sig_size(schannel_auth);
break;
-
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct gse_context);
- *auth_len = gse_get_signature_length(gse_ctx,
- seal, max_len);
- break;
-
default:
return NT_STATUS_INVALID_PARAMETER;
}
@@ -576,82 +569,6 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
}
/*******************************************************************
- Create and add the gssapi sign/seal auth data.
- ********************************************************************/
-
-static NTSTATUS add_gssapi_auth_footer(struct gse_context *gse_ctx,
- enum dcerpc_AuthLevel auth_level,
- DATA_BLOB *rpc_out)
-{
- DATA_BLOB data;
- DATA_BLOB auth_blob;
- NTSTATUS status;
-
- if (!gse_ctx) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- data.data = rpc_out->data + DCERPC_RESPONSE_LENGTH;
- data.length = rpc_out->length - DCERPC_RESPONSE_LENGTH
- - DCERPC_AUTH_TRAILER_LENGTH;
-
- switch (auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- status = gse_seal(talloc_tos(), gse_ctx, &data, &auth_blob);
- break;
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- status = gse_sign(talloc_tos(), gse_ctx, &data, &auth_blob);
- break;
- default:
- status = NT_STATUS_INTERNAL_ERROR;
- break;
- }
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to process packet: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- /* Finally attach the blob. */
- if (!data_blob_append(NULL, rpc_out,
- auth_blob.data, auth_blob.length)) {
- return NT_STATUS_NO_MEMORY;
- }
-
- data_blob_free(&auth_blob);
-
- return NT_STATUS_OK;
-}
-
-/*******************************************************************
- Check/unseal the gssapi auth data. (Unseal in place).
- ********************************************************************/
-
-static NTSTATUS get_gssapi_auth_footer(TALLOC_CTX *mem_ctx,
- struct gse_context *gse_ctx,
- enum dcerpc_AuthLevel auth_level,
- DATA_BLOB *data, DATA_BLOB *full_pkt,
- DATA_BLOB *auth_token)
-{
- /* TODO: pass in full_pkt when
- * DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN is set */
- switch (auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- /* Data portion is encrypted. */
- return gse_unseal(mem_ctx, gse_ctx,
- data, auth_token);
-
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- /* Data is signed. */
- return gse_sigcheck(mem_ctx, gse_ctx,
- data, auth_token);
- default:
- return NT_STATUS_INVALID_PARAMETER;
- }
-}
-
-/*******************************************************************
Create and add the spnego-negotiated sign/seal auth data.
********************************************************************/
@@ -752,7 +669,6 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
struct schannel_state *schannel_auth;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
DATA_BLOB auth_info;
DATA_BLOB auth_blob;
@@ -806,6 +722,7 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
status = add_spnego_auth_footer(spnego_ctx,
auth->auth_level, rpc_out);
break;
+ case DCERPC_AUTH_TYPE_KRB5:
case DCERPC_AUTH_TYPE_NTLMSSP:
gensec_security = talloc_get_type_abort(auth->auth_ctx,
struct gensec_security);
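Review bot: After the new DCERPC_AUTH_TYPE_KRB5 label, talloc_get_type_abort() on the following line will abort the whole process if auth->auth_ctx for a Kerberos pipe is still a struct gse_context rather than a struct gensec_security, which turns a missed caller conversion into a crash instead of an NT_STATUS_INVALID_PARAMETER return. The code that populates auth_ctx for Kerberos lives outside this file, so the commit depends on every such site having been switched to gensec in the same series; it would be worth stating that in the commit message or in a comment on the shared case, e.g. `/* KRB5 auth_ctx is a gensec_security since the move to auth_generic; a gse_context here aborts. */`. The same cast is reached through the KRB5 labels added in the dcerpc_guess_sizes and dcerpc_check_auth hunks.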
@@ -820,13 +737,6 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
auth->auth_level,
rpc_out);
break;
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct gse_context);
- status = add_gssapi_auth_footer(gse_ctx,
- auth->auth_level,
- rpc_out);
- break;
default:
status = NT_STATUS_INVALID_PARAMETER;
break;
@@ -857,7 +767,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
struct schannel_state *schannel_auth;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
NTSTATUS status;
struct dcerpc_auth auth_info;
uint32_t auth_length;
@@ -935,6 +844,7 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
}
break;
+ case DCERPC_AUTH_TYPE_KRB5:
case DCERPC_AUTH_TYPE_NTLMSSP:
DEBUG(10, ("GENSEC auth\n"));
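Review bot: The `DEBUG(10, ("GENSEC auth\n"))` line now runs for both NTLMSSP and Kerberos, and the removed branch's "KRB5 auth" message is gone, so a level-10 log no longer shows which mechanism a failing request was using. Including the negotiated type in the message keeps that diagnostic at no cost, e.g. `DEBUG(10, ("GENSEC auth (auth type %u)\n", (unsigned)auth->auth_type));` — confirm the field name against struct pipe_auth_data, since the default case's argument is outside this hunk. dcerpc_check_auth continues past the end of the hunk.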
@@ -965,21 +875,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
}
break;
- case DCERPC_AUTH_TYPE_KRB5:
-
- DEBUG(10, ("KRB5 auth\n"));
-
- gse_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct gse_context);
- status = get_gssapi_auth_footer(pkt, gse_ctx,
- auth->auth_level,
- &data, &full_pkt,
- &auth_info.credentials);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- break;
-
default:
DEBUG(0, ("process_request_pdu: "
"unknown auth type %u set.\n",