-rw-r--r-- | source3/librpc/crypto/gse.c | 42 | ||||
-rw-r--r-- | source3/librpc/crypto/gse.h | 7 | ||||
-rw-r--r-- | source3/librpc/rpc/dcerpc_spnego.c | 4 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 4 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 6 |
5 files changed, 22 insertions, 41 deletions
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index c12656b0fa..0754462834 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -89,7 +89,6 @@ struct gse_context { gss_cred_id_t delegated_creds; gss_name_t client_name; - bool spnego_wrap; bool more_processing; bool authenticated; }; @@ -142,8 +141,7 @@ static int gse_context_destructor(void *ptr) } static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthType auth_type, - enum dcerpc_AuthLevel auth_level, + bool do_sign, bool do_seal, const char *ccache_name, uint32_t add_gss_c_flags, struct gse_context **_gse_ctx) @@ -160,32 +158,16 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx, memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc)); - switch (auth_type) { - case DCERPC_AUTH_TYPE_SPNEGO: - gse_ctx->spnego_wrap = true; - break; - case DCERPC_AUTH_TYPE_KRB5: - gse_ctx->spnego_wrap = false; - break; - default: - status = NT_STATUS_INVALID_PARAMETER; - goto err_out; - } - gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; - switch (auth_level) { - case DCERPC_AUTH_LEVEL_INTEGRITY: + if (do_sign) { gse_ctx->gss_c_flags |= GSS_C_INTEG_FLAG; - break; - case DCERPC_AUTH_LEVEL_PRIVACY: + } + if (do_seal) { gse_ctx->gss_c_flags |= GSS_C_CONF_FLAG; - break; - default: - break; } gse_ctx->gss_c_flags |= add_gss_c_flags; @@ -226,8 +208,7 @@ err_out: } NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthType auth_type, - enum dcerpc_AuthLevel auth_level, + bool do_sign, bool do_seal, const char *ccache_name, const char *server, const char *service, @@ -246,7 +227,7 @@ NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - status = gse_context_init(mem_ctx, auth_type, auth_level, + status = gse_context_init(mem_ctx, do_sign, do_seal, ccache_name, add_gss_c_flags, &gse_ctx); if (!NT_STATUS_IS_OK(status)) { 
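Review bot: In gse_context_init (hunk at -160), `do_seal` adds only `GSS_C_CONF_FLAG`, and every caller in this commit passes `do_sign` as `auth_level == DCERPC_AUTH_LEVEL_INTEGRITY`, so a privacy-level context never requests `GSS_C_INTEG_FLAG` explicitly. That matches the removed switch, but with two independent booleans the rule that sealing implies signing is no longer expressed anywhere; I would write `if (do_sign || do_seal) {` around the `GSS_C_INTEG_FLAG` line. The same mapping is repeated at the call sites in dcerpc_spnego.c, cli_pipe.c and srv_pipe.c. Whether the mechanism grants integrity when only confidentiality is requested is not visible here, so the negotiated flags should be checked rather than assumed. The function body continues outside the hunk.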
@@ -357,8 +338,7 @@ done: } NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthType auth_type, - enum dcerpc_AuthLevel auth_level, + bool do_sign, bool do_seal, uint32_t add_gss_c_flags, const char *server, const char *keytab_name, @@ -371,7 +351,7 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, const char *ktname; NTSTATUS status; - status = gse_context_init(mem_ctx, auth_type, auth_level, + status = gse_context_init(mem_ctx, do_sign, do_seal, NULL, add_gss_c_flags, &gse_ctx); if (!NT_STATUS_IS_OK(status)) { return NT_STATUS_NO_MEMORY; @@ -928,8 +908,7 @@ done: #else NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthType auth_type, - enum dcerpc_AuthLevel auth_level, + bool do_sign, bool do_seal, const char *ccache_name, const char *server, const char *service, @@ -950,8 +929,7 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, } NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthType auth_type, - enum dcerpc_AuthLevel auth_level, + bool do_sign, bool do_seal, uint32_t add_gss_c_flags, const char *server, const char *keytab, diff --git a/source3/librpc/crypto/gse.h b/source3/librpc/crypto/gse.h index 6f8b6735ad..c0fa354b4b 100644 --- a/source3/librpc/crypto/gse.h +++ b/source3/librpc/crypto/gse.h @@ -1,6 +1,5 @@ /* * GSSAPI Security Extensions - * RPC Pipe client routines * Copyright (C) Simo Sorce 2010. * * This program is free software; you can redistribute it and/or modify @@ -27,8 +26,7 @@ struct gse_context; #endif NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthType auth_type, - enum dcerpc_AuthLevel auth_level, + bool do_sign, bool do_seal, const char *ccache_name, const char *server, const char *service, 
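Review bot: In gse_init_server (hunk at -371), any failure of gse_context_init is reported as `NT_STATUS_NO_MEMORY`, which hides the real cause from the caller and from the logs an operator would read when a Kerberos bind fails; `return status;` would propagate it. gse_context_init has an `err_out` path visible in this diff, so failures other than allocation appear possible, though its full body is not shown. The function body continues outside the hunk.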
@@ -42,8 +40,7 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, DATA_BLOB *token_out); NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthType auth_type, - enum dcerpc_AuthLevel auth_level, + bool do_sign, bool do_seal, uint32_t add_gss_c_flags, const char *server, const char *keytab, diff --git a/source3/librpc/rpc/dcerpc_spnego.c b/source3/librpc/rpc/dcerpc_spnego.c index 9ea2a561da..83c2137a1f 100644 --- a/source3/librpc/rpc/dcerpc_spnego.c +++ b/source3/librpc/rpc/dcerpc_spnego.c @@ -77,7 +77,9 @@ NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx, return status; } - status = gse_init_client(sp_ctx, DCERPC_AUTH_TYPE_KRB5, auth_level, + status = gse_init_client(sp_ctx, + (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY), + (auth_level == DCERPC_AUTH_LEVEL_PRIVACY), ccache_name, server, service, username, password, add_gss_c_flags, &sp_ctx->mech_ctx.gssapi_state); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 21f7c4bf31..077a08a770 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3012,7 +3012,9 @@ NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli, goto err_out; } - status = gse_init_client(auth, auth->auth_type, auth->auth_level, + status = gse_init_client(auth, + (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY), + (auth_level == DCERPC_AUTH_LEVEL_PRIVACY), NULL, server, "cifs", username, password, GSS_C_DCE_STYLE, &auth->a_u.gssapi_state); diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 4a159ce997..15aaa8254a 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c 
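Review bot: The new arguments in cli_rpc_pipe_open_krb5 read a bare `auth_level`, where the replaced line read `auth->auth_level`, and the hunk does not show where `auth_level` is declared. If it is the function's parameter, confirm it always equals the value stored in `auth->auth_level`, since the rest of the pipe code presumably signs and seals according to the struct field and a mismatch would request GSS flags for one level while the transport applies another. Using `auth->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY` and `auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY` keeps a single source of truth. The function starts and ends outside the hunk.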
@@ -1027,8 +1027,10 @@ static bool pipe_gssapi_auth_bind(struct pipes_struct *p, /* by passing NULL, the code will attempt to set a default * keytab based on configuration options */ status = gse_init_server(p, - DCERPC_AUTH_TYPE_KRB5, - auth_info->auth_level, + (auth_info->auth_level == + DCERPC_AUTH_LEVEL_INTEGRITY), + (auth_info->auth_level == + DCERPC_AUTH_LEVEL_PRIVACY), GSS_C_DCE_STYLE, NULL, NULL, &gse_ctx); |
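Review bot: `auth_info->auth_level` in pipe_gssapi_auth_bind appears to come from the client's bind request, and any value other than INTEGRITY or PRIVACY now yields `do_sign == false` and `do_seal == false` without an error. The hunk does not show the level being validated before this call; if it is not checked earlier, reject unexpected levels before `gse_init_server` rather than creating a context with no protection flags requested. A comment at the call such as `/* auth_level already validated: INTEGRITY or PRIVACY only */` would document the assumption once it is confirmed. The function continues outside the hunk.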