s3-rpc_server: Rework pipe_ntlmssp_auth_bind() to be generic

Signed-off-by: Stefan Metzmacher <metze@samba.org>

3 files changed, 63 insertions, 25 deletions

diff --git a/source3/rpc_server/dcesrv_auth_generic.c b/source3/rpc_server/dcesrv_auth_generic.c
index 16dfd4a976..73737c24b7 100644
--- a/source3/rpc_server/dcesrv_auth_generic.c
+++ b/source3/rpc_server/dcesrv_auth_generic.c
@@ -71,7 +71,49 @@ NTSTATUS auth_generic_server_start(TALLOC_CTX *mem_ctx,
 		goto done;
 	}
 
-	/* steal ntlmssp context too */
+	/* steal gensec context too */
+	*ctx = talloc_move(mem_ctx, &a->gensec_security);
+
+	status = NT_STATUS_OK;
+
+done:
+	TALLOC_FREE(a);
+
+	return status;
+}
+
+NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
+					    uint8_t auth_type, uint8_t auth_level,
+					    DATA_BLOB *token_in,
+					    DATA_BLOB *token_out,
+					    const struct tsocket_address *remote_address,
+					    struct gensec_security **ctx)
+{
+	struct auth_generic_state *a = NULL;
+	NTSTATUS status;
+
+	status = auth_generic_prepare(remote_address, &a);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n",
+			  nt_errstr(status)));
+		return status;
+	}
+
+	status = auth_generic_authtype_start(a, auth_type, auth_level);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, (__location__ ": auth_generic_start failed: %s\n",
+			  nt_errstr(status)));
+		return status;
+	}
+
+	status = gensec_update(a->gensec_security, mem_ctx, NULL, *token_in, token_out);
+	if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+		DEBUG(2, (__location__ ": gensec_update failed: %s\n",
+			  nt_errstr(status)));
+		goto done;
+	}
+
+	/* steal gensec context too */
 	*ctx = talloc_move(mem_ctx, &a->gensec_security);
 
 	status = NT_STATUS_OK;
diff --git a/source3/rpc_server/dcesrv_auth_generic.h b/source3/rpc_server/dcesrv_auth_generic.h
index 119e29276a..07e69af1f7 100644
--- a/source3/rpc_server/dcesrv_auth_generic.h
+++ b/source3/rpc_server/dcesrv_auth_generic.h
@@ -31,6 +31,14 @@ NTSTATUS auth_generic_server_start(TALLOC_CTX *mem_ctx,
 				   DATA_BLOB *token_out,
 				   const struct tsocket_address *remote_address,
 				   struct gensec_security **ctx);
+
+NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
+					    uint8_t auth_type, uint8_t auth_level,
+					    DATA_BLOB *token_in,
+					    DATA_BLOB *token_out,
+					    const struct tsocket_address *remote_address,
+					    struct gensec_security **ctx);
+
 NTSTATUS auth_generic_server_step(struct gensec_security *ctx,
 			     TALLOC_CTX *mem_ctx,
 			     DATA_BLOB *token_in,
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index fa95c20f5f..61e306c199 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -584,7 +584,7 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
  Handle an NTLMSSP bind auth.
 *******************************************************************/
 
-static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
+static bool pipe_auth_generic_bind(struct pipes_struct *p,
 				   TALLOC_CTX *mem_ctx,
 				   struct dcerpc_auth *auth_info,
 				   DATA_BLOB *response)
@@ -592,25 +592,15 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
 	struct gensec_security *gensec_security = NULL;
         NTSTATUS status;
 
-	if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
-		DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
-                return false;
-        }
-
-	/* We have an NTLMSSP blob. */
-	status = auth_generic_server_start(p,
-					   OID_NTLMSSP,
-					   (auth_info->auth_level ==
-						DCERPC_AUTH_LEVEL_INTEGRITY),
-					   (auth_info->auth_level ==
-						DCERPC_AUTH_LEVEL_PRIVACY),
-					   true,
-					   &auth_info->credentials,
-					   response,
-					   p->remote_address,
-					   &gensec_security);
+	status = auth_generic_server_authtype_start(p,
+						    auth_info->auth_type,
+						    auth_info->auth_level,
+						    &auth_info->credentials,
+						    response,
+						    p->remote_address,
+						    &gensec_security);
 	if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
-		DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
+		DEBUG(0, (__location__ ": auth_generic_server_authtype_start failed: %s\n",
 			  nt_errstr(status)));
 		return false;
 	}
@@ -619,9 +609,7 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
 	talloc_steal(mem_ctx, response->data);
 
 	p->auth.auth_ctx = gensec_security;
-	p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
-
-	DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
+	p->auth.auth_type = auth_info->auth_type;
 
 	return true;
 }
@@ -1000,8 +988,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 
 		switch (auth_type) {
 		case DCERPC_AUTH_TYPE_NTLMSSP:
-			if (!pipe_ntlmssp_auth_bind(p, pkt,
-						&auth_info, &auth_resp)) {
+			if (!pipe_auth_generic_bind(p, pkt,
+						    &auth_info, &auth_resp)) {
 				goto err_exit;
 			}
 			assoc_gid = 0x7a77;