diff options
-rw-r--r-- | source3/librpc/rpc/dcerpc_helpers.c | 18 | ||||
-rw-r--r-- | source3/librpc/rpc/dcerpc_spnego.c | 67 | ||||
-rw-r--r-- | source3/librpc/rpc/dcerpc_spnego.h | 15 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 19 |
4 files changed, 72 insertions, 47 deletions
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c index 8944b395d8..fd51ca253e 100644 --- a/source3/librpc/rpc/dcerpc_helpers.c +++ b/source3/librpc/rpc/dcerpc_helpers.c @@ -267,7 +267,7 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth, size_t max_len; size_t mod_len; struct gse_context *gse_ctx; - enum dcerpc_AuthType auth_type; + enum spnego_mech auth_type; void *auth_ctx; bool seal = false; NTSTATUS status; @@ -315,11 +315,11 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth, return status; } switch (auth_type) { - case DCERPC_AUTH_TYPE_NTLMSSP: + case SPNEGO_NTLMSSP: *auth_len = NTLMSSP_SIG_SIZE; break; - case DCERPC_AUTH_TYPE_KRB5: + case SPNEGO_KRB5: gse_ctx = talloc_get_type(auth_ctx, struct gse_context); if (!gse_ctx) { @@ -653,7 +653,7 @@ static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx, enum dcerpc_AuthLevel auth_level, DATA_BLOB *rpc_out) { - enum dcerpc_AuthType auth_type; + enum spnego_mech auth_type; struct gse_context *gse_ctx; struct auth_ntlmssp_state *ntlmssp_ctx; void *auth_ctx; @@ -670,7 +670,7 @@ static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx, } switch (auth_type) { - case DCERPC_AUTH_TYPE_KRB5: + case SPNEGO_KRB5: gse_ctx = talloc_get_type(auth_ctx, struct gse_context); if (!gse_ctx) { status = NT_STATUS_INTERNAL_ERROR; @@ -680,7 +680,7 @@ static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx, auth_level, rpc_out); break; - case DCERPC_AUTH_TYPE_NTLMSSP: + case SPNEGO_NTLMSSP: ntlmssp_ctx = talloc_get_type(auth_ctx, struct auth_ntlmssp_state); if (!ntlmssp_ctx) { @@ -705,7 +705,7 @@ static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx, DATA_BLOB *data, DATA_BLOB *full_pkt, DATA_BLOB *auth_token) { - enum dcerpc_AuthType auth_type; + enum spnego_mech auth_type; struct auth_ntlmssp_state *ntlmssp_ctx; struct gse_context *gse_ctx; void *auth_ctx; @@ -717,7 +717,7 @@ static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx, } switch (auth_type) { - case DCERPC_AUTH_TYPE_KRB5: + case SPNEGO_KRB5: gse_ctx = talloc_get_type(auth_ctx, struct gse_context); if (!gse_ctx) { @@ -730,7 +730,7 @@ static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx, auth_level, data, full_pkt, auth_token); - case DCERPC_AUTH_TYPE_NTLMSSP: + case SPNEGO_NTLMSSP: ntlmssp_ctx = talloc_get_type(auth_ctx, struct auth_ntlmssp_state); if (!ntlmssp_ctx) { diff --git a/source3/librpc/rpc/dcerpc_spnego.c b/source3/librpc/rpc/dcerpc_spnego.c index 83c2137a1f..89baa03cf3 100644 --- a/source3/librpc/rpc/dcerpc_spnego.c +++ b/source3/librpc/rpc/dcerpc_spnego.c @@ -21,11 +21,14 @@ #include "../libcli/auth/spnego.h" #include "include/ntlmssp_wrap.h" #include "librpc/gen_ndr/ntlmssp.h" -#include "dcerpc_spnego.h" #include "librpc/crypto/gse.h" +#include "dcerpc_spnego.h" struct spnego_context { - enum dcerpc_AuthType auth_type; + enum spnego_mech mech; + + bool do_sign; + bool do_seal; union { struct auth_ntlmssp_state *ntlmssp_state; @@ -41,7 +44,7 @@ struct spnego_context { }; static NTSTATUS spnego_context_init(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthType auth_type, + bool do_sign, bool do_seal, struct spnego_context **spnego_ctx) { struct spnego_context *sp_ctx; @@ -51,7 +54,8 @@ static NTSTATUS spnego_context_init(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - sp_ctx->auth_type = auth_type; + sp_ctx->do_sign = do_sign; + sp_ctx->do_seal = do_seal; sp_ctx->state = SPNEGO_CONV_INIT; *spnego_ctx = sp_ctx; @@ -59,27 +63,31 @@ static NTSTATUS spnego_context_init(TALLOC_CTX *mem_ctx, } NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthLevel auth_level, + bool do_sign, bool do_seal, + bool is_dcerpc, const char *ccache_name, const char *server, const char *service, const char *username, const char *password, - uint32_t add_gss_c_flags, struct spnego_context **spnego_ctx) { struct spnego_context *sp_ctx = NULL; + uint32_t add_gss_c_flags = 0; NTSTATUS status; - status = spnego_context_init(mem_ctx, - DCERPC_AUTH_TYPE_KRB5, &sp_ctx); + status = spnego_context_init(mem_ctx, do_sign, do_seal, &sp_ctx); if (!NT_STATUS_IS_OK(status)) { return status; } + sp_ctx->mech = SPNEGO_KRB5; + + if (is_dcerpc) { + add_gss_c_flags = GSS_C_DCE_STYLE; + } status = gse_init_client(sp_ctx, - (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY), - (auth_level == DCERPC_AUTH_LEVEL_PRIVACY), + do_sign, do_seal, ccache_name, server, service, username, password, add_gss_c_flags, &sp_ctx->mech_ctx.gssapi_state); @@ -93,7 +101,8 @@ NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx, } NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthLevel auth_level, + bool do_sign, bool do_seal, + bool is_dcerpc, const char *domain, const char *username, const char *password, @@ -102,11 +111,11 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx, struct spnego_context *sp_ctx = NULL; NTSTATUS status; - status = spnego_context_init(mem_ctx, - DCERPC_AUTH_TYPE_NTLMSSP, &sp_ctx); + status = spnego_context_init(mem_ctx, do_sign, do_seal, &sp_ctx); if (!NT_STATUS_IS_OK(status)) { return status; } + sp_ctx->mech = SPNEGO_NTLMSSP; status = auth_ntlmssp_client_start(sp_ctx, global_myname(), @@ -146,10 +155,10 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx, ~(NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL)); - if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { + if (do_sign) { auth_ntlmssp_or_flags(sp_ctx->mech_ctx.ntlmssp_state, NTLMSSP_NEGOTIATE_SIGN); - } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { + } else if (do_seal) { auth_ntlmssp_or_flags(sp_ctx->mech_ctx.ntlmssp_state, NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN); @@ -209,8 +218,8 @@ NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx, goto done; } - switch (sp_ctx->auth_type) { - case DCERPC_AUTH_TYPE_KRB5: + switch (sp_ctx->mech) { + case SPNEGO_KRB5: gse_ctx = sp_ctx->mech_ctx.gssapi_state; status = gse_get_client_auth_token(mem_ctx, gse_ctx, @@ -224,7 +233,7 @@ NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx, break; - case DCERPC_AUTH_TYPE_NTLMSSP: + case SPNEGO_NTLMSSP: ntlmssp_ctx = sp_ctx->mech_ctx.ntlmssp_state; status = auth_ntlmssp_update(ntlmssp_ctx, @@ -309,11 +318,11 @@ bool spnego_require_more_processing(struct spnego_context *sp_ctx) } /* otherwise see if underlying mechnism does */ - switch (sp_ctx->auth_type) { - case DCERPC_AUTH_TYPE_KRB5: + switch (sp_ctx->mech) { + case SPNEGO_KRB5: gse_ctx = sp_ctx->mech_ctx.gssapi_state; return gse_require_more_processing(gse_ctx); - case DCERPC_AUTH_TYPE_NTLMSSP: + case SPNEGO_NTLMSSP: return false; default: DEBUG(0, ("Unsupported type in request!\n")); @@ -322,21 +331,21 @@ bool spnego_require_more_processing(struct spnego_context *sp_ctx) } NTSTATUS spnego_get_negotiated_mech(struct spnego_context *sp_ctx, - enum dcerpc_AuthType *auth_type, + enum spnego_mech *type, void **auth_context) { - switch (sp_ctx->auth_type) { - case DCERPC_AUTH_TYPE_KRB5: + switch (sp_ctx->mech) { + case SPNEGO_KRB5: *auth_context = sp_ctx->mech_ctx.gssapi_state; break; - case DCERPC_AUTH_TYPE_NTLMSSP: + case SPNEGO_NTLMSSP: *auth_context = sp_ctx->mech_ctx.ntlmssp_state; break; default: return NT_STATUS_INTERNAL_ERROR; } - *auth_type = sp_ctx->auth_type; + *type = sp_ctx->mech; return NT_STATUS_OK; } @@ -345,11 +354,11 @@ DATA_BLOB spnego_get_session_key(TALLOC_CTX *mem_ctx, { DATA_BLOB sk; - switch (sp_ctx->auth_type) { - case DCERPC_AUTH_TYPE_KRB5: + switch (sp_ctx->mech) { + case SPNEGO_KRB5: return gse_get_session_key(mem_ctx, sp_ctx->mech_ctx.gssapi_state); - case DCERPC_AUTH_TYPE_NTLMSSP: + case SPNEGO_NTLMSSP: sk = auth_ntlmssp_get_session_key( sp_ctx->mech_ctx.ntlmssp_state); return data_blob_dup_talloc(mem_ctx, &sk); diff --git a/source3/librpc/rpc/dcerpc_spnego.h b/source3/librpc/rpc/dcerpc_spnego.h index 9d37fd1e38..d4e7c62786 100644 --- a/source3/librpc/rpc/dcerpc_spnego.h +++ b/source3/librpc/rpc/dcerpc_spnego.h @@ -22,17 +22,24 @@ struct spnego_context; +enum spnego_mech { + SPNEGO_NONE = 0, + SPNEGO_KRB5, + SPNEGO_NTLMSSP +}; + NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthLevel auth_level, + bool do_sign, bool do_seal, + bool is_dcerpc, const char *ccache_name, const char *server, const char *service, const char *username, const char *password, - uint32_t add_gss_c_flags, struct spnego_context **spengo_ctx); NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthLevel auth_level, + bool do_sign, bool do_seal, + bool is_dcerpc, const char *domain, const char *username, const char *password, @@ -46,7 +53,7 @@ NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx, bool spnego_require_more_processing(struct spnego_context *sp_ctx); NTSTATUS spnego_get_negotiated_mech(struct spnego_context *sp_ctx, - enum dcerpc_AuthType *auth_type, + enum spnego_mech *type, void **auth_context); DATA_BLOB spnego_get_session_key(TALLOC_CTX *mem_ctx, diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 077a08a770..cca4f38a8c 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -2193,7 +2193,7 @@ bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16]) if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_NTLMSSP) { a = rpc_cli->auth->a_u.auth_ntlmssp_state; } else if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_SPNEGO) { - enum dcerpc_AuthType auth_type; + enum spnego_mech auth_type; void *auth_ctx; NTSTATUS status; @@ -2204,7 +2204,7 @@ bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16]) return false; } - if (auth_type == DCERPC_AUTH_TYPE_NTLMSSP) { + if (auth_type == SPNEGO_NTLMSSP) { a = talloc_get_type(auth_ctx, struct auth_ntlmssp_state); } @@ -3083,10 +3083,14 @@ NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli, goto err_out; } - status = spnego_gssapi_init_client(auth, auth->auth_level, + status = spnego_gssapi_init_client(auth, + (auth->auth_level == + DCERPC_AUTH_LEVEL_INTEGRITY), + (auth->auth_level == + DCERPC_AUTH_LEVEL_PRIVACY), + true, NULL, server, "cifs", username, password, - GSS_C_DCE_STYLE, &auth->a_u.spnego_state); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("spnego_init_client returned %s\n", @@ -3153,7 +3157,12 @@ NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli, goto err_out; } - status = spnego_ntlmssp_init_client(auth, auth->auth_level, + status = spnego_ntlmssp_init_client(auth, + (auth->auth_level == + DCERPC_AUTH_LEVEL_INTEGRITY), + (auth->auth_level == + DCERPC_AUTH_LEVEL_PRIVACY), + true, domain, username, password, &auth->a_u.spnego_state); if (!NT_STATUS_IS_OK(status)) { |