authorAndrew Bartlett <abartlet@samba.org>2012-01-02 15:38:38 +1100
committerStefan Metzmacher <metze@samba.org>2012-01-18 16:23:22 +0100
commit0c1b4c232135ebdef58bb5e697dfc60ddbb358bc (patch)
tree7032ecc992927aa684e1cd38310b39ca05571a69 /source3/rpc_server
parent53cc9c6a3016b6ba95f280eb68600bdc21a6eed7 (diff)
s3-librpc Call SPENGO/GSSAPI via the auth_generic layer and gensec
This simplifies a lot of code, as we know we are always dealing with a struct gensec_security, and allows the gensec module being used to implement GSSAPI to be swapped for AD-server operation.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/dcesrv_spnego.c58
-rw-r--r--source3/rpc_server/srv_pipe.c71
2 files changed, 25 insertions, 104 deletions
diff --git a/source3/rpc_server/dcesrv_spnego.c b/source3/rpc_server/dcesrv_spnego.c
index e89563a9fb..1bea2321ef 100644
--- a/source3/rpc_server/dcesrv_spnego.c
+++ b/source3/rpc_server/dcesrv_spnego.c
@@ -23,6 +23,7 @@
#include "dcesrv_auth_generic.h"
#include "dcesrv_gssapi.h"
#include "dcesrv_spnego.h"
+#include "auth/gensec/gensec.h"
static NTSTATUS spnego_init_server(TALLOC_CTX *mem_ctx,
bool do_sign, bool do_seal,
@@ -55,51 +56,38 @@ static NTSTATUS spnego_server_mech_init(struct spnego_context *sp_ctx,
DATA_BLOB *token_out)
{
struct gensec_security *gensec_security;
- struct gse_context *gse_ctx;
NTSTATUS status;
+ const char *oid;
switch (sp_ctx->mech) {
case SPNEGO_KRB5:
- status = gssapi_server_auth_start(sp_ctx,
- sp_ctx->do_sign,
- sp_ctx->do_seal,
- sp_ctx->is_dcerpc,
- token_in,
- token_out,
- &gse_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to init gssapi server "
- "(%s)\n", nt_errstr(status)));
- return status;
- }
-
- sp_ctx->mech_ctx.gssapi_state = gse_ctx;
+ oid = GENSEC_OID_KERBEROS5;
break;
-
case SPNEGO_NTLMSSP:
- status = auth_generic_server_start(sp_ctx,
- OID_NTLMSSP,
- sp_ctx->do_sign,
- sp_ctx->do_seal,
- sp_ctx->is_dcerpc,
- token_in,
- token_out,
- sp_ctx->remote_address,
- &gensec_security);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to init ntlmssp server "
- "(%s)\n", nt_errstr(status)));
- return status;
- }
-
- sp_ctx->mech_ctx.gensec_security = gensec_security;
+ oid = GENSEC_OID_NTLMSSP;
break;
-
default:
DEBUG(3, ("No known mechanisms available\n"));
return NT_STATUS_INVALID_PARAMETER;
}
+ status = auth_generic_server_start(sp_ctx,
+ oid,
+ sp_ctx->do_sign,
+ sp_ctx->do_seal,
+ sp_ctx->is_dcerpc,
+ token_in,
+ token_out,
+ sp_ctx->remote_address,
+ &gensec_security);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to init ntlmssp server "
+ "(%s)\n", nt_errstr(status)));
+ return status;
+ }
+
+ sp_ctx->mech_ctx.gensec_security = gensec_security;
+
return NT_STATUS_OK;
}
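Review bot: The failure log on the merged auth_generic_server_start() call still says "Failed to init ntlmssp server", but after this hunk the same call is also the Kerberos path, so a KRB5 start failure will be logged as an NTLMSSP problem and mislead whoever is triaging the bind failure. Since `oid` now identifies the mechanism, include it: `DEBUG(0, ("Failed to init auth_generic server for %s (%s)\n", oid, nt_errstr(status)));`. It would also help to keep a one-line comment above the switch, `/* both mechs are backed by gensec; only the OID differs */`, so the reason the two cases collapse into one start call is explicit.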
@@ -150,10 +138,6 @@ NTSTATUS spnego_server_step(struct spnego_context *sp_ctx,
switch(sp_ctx->mech) {
case SPNEGO_KRB5:
- status = gssapi_server_step(
- sp_ctx->mech_ctx.gssapi_state,
- mem_ctx, &token_in, &token_out);
- break;
case SPNEGO_NTLMSSP:
status = auth_generic_server_step(
sp_ctx->mech_ctx.gensec_security,
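Review bot: The SPNEGO_KRB5 label now falls through into SPNEGO_NTLMSSP with no statement or comment between them, which is legal C and not flagged by compilers, but a reader of spnego_server_step() has to infer why the Kerberos case shares the NTLMSSP step. A short `/* fall through: KRB5 is also driven through gensec now */` on the KRB5 label would record the intent. The rest of spnego_server_step(), including the remainder of the switch and the default case, lies outside the hunk.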
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 605ed5420c..18389b42e0 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -676,52 +676,11 @@ static bool pipe_auth_generic_verify_final(TALLOC_CTX *mem_ctx,
return true;
}
-static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
- struct gse_context *gse_ctx,
- const struct tsocket_address *remote_address,
- struct auth_session_info **session_info)
-{
- NTSTATUS status;
- bool bret;
-
- /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
- ensure the underlying flags are also set. If not we should
- refuse the bind. */
-
- status = gssapi_server_check_flags(gse_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Requested Security Layers not honored!\n"));
- return status;
- }
-
- status = gssapi_server_get_user_info(gse_ctx, mem_ctx,
- remote_address, session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, (__location__ ": failed to obtain the server info "
- "for authenticated user: %s\n", nt_errstr(status)));
- return status;
- }
-
- /*
- * We're an authenticated bind over smb, so the session key needs to
- * be set to "SystemLibraryDTC". Weird, but this is what Windows
- * does. See the RPC-SAMBA3SESSIONKEY.
- */
-
- bret = session_info_set_session_key((*session_info), generic_session_key());
- if (!bret) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
- return NT_STATUS_OK;
-}
-
static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
{
enum spnego_mech auth_type;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
void *mech_ctx;
NTSTATUS status;
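Review bot: The deleted pipe_gssapi_verify_final() enforced two things on a Kerberos bind that I cannot see re-established in this commit: gssapi_server_check_flags() refused the bind when the negotiated integrity/privacy layers were not actually honoured by the context, and session_info_set_session_key() installed the generic_session_key() value the comment notes Windows uses for an authenticated bind over SMB. After this change Kerberos binds go through pipe_auth_generic_verify_final(), whose body ends at the top of the hunk but is otherwise outside it, so whether it performs the equivalent gensec feature check against the requested auth_level and sets the same session key cannot be confirmed from this diff. If it does, a comment at that function's head such as `/* Also the Kerberos path since SPNEGO KRB5 moved to gensec: must enforce sign/seal per auth_level and set the SMB session key */` would keep that responsibility visible; if it does not, the bind would silently accept a weaker security layer than was negotiated.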
@@ -740,37 +699,15 @@ static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
struct spnego_context);
status = spnego_get_negotiated_mech(spnego_ctx,
- &auth_type, &mech_ctx);
+ &auth_type, &gensec_security);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Bad SPNEGO state (%s)\n",
nt_errstr(status)));
return status;
}
- switch(auth_type) {
- case SPNEGO_KRB5:
- gse_ctx = talloc_get_type_abort(mech_ctx,
- struct gse_context);
- status = pipe_gssapi_verify_final(p, gse_ctx,
- p->remote_address,
- &p->session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("gssapi bind failed with: %s",
- nt_errstr(status)));
- return status;
- }
- break;
- case SPNEGO_NTLMSSP:
- gensec_security = talloc_get_type_abort(mech_ctx,
- struct gensec_security);
- if (!pipe_auth_generic_verify_final(p, gensec_security,
- p->auth.auth_level,
- &p->session_info)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- break;
- default:
- DEBUG(0, (__location__ ": incorrect spnego type "
- "(%d).\n", auth_type));
+ if (!pipe_auth_generic_verify_final(p, gensec_security,
+ p->auth.auth_level,
+ &p->session_info)) {
return NT_STATUS_ACCESS_DENIED;
}
break;
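Review bot: After this hunk `auth_type` is still filled in by spnego_get_negotiated_mech() but, in the visible new lines, never read, and the removed `default:` branch that logged an unexpected mechanism is gone with it, so the function no longer validates what SPNEGO negotiated before treating the result as a gensec context. Unless `auth_type` is consumed later in pipe_auth_verify_final() (the function continues outside the hunk), it will also draw a set-but-unused warning, as may `void *mech_ctx` from the earlier hunk whose only visible use this hunk removes. I would keep a defensive check before the verify call, shown below, or drop the unused locals if the enum really is not needed.
```c
	status = spnego_get_negotiated_mech(spnego_ctx,
					    &auth_type, &gensec_security);
	// … unchanged: status check and "Bad SPNEGO state" log …
	if (auth_type != SPNEGO_KRB5 && auth_type != SPNEGO_NTLMSSP) {
		DEBUG(0, (__location__ ": incorrect spnego type "
			  "(%d).\n", auth_type));
		return NT_STATUS_ACCESS_DENIED;
	}
	if (!pipe_auth_generic_verify_final(p, gensec_security,
					    p->auth.auth_level,
					    &p->session_info)) {
		return NT_STATUS_ACCESS_DENIED;
	}
```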