summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/librpc/rpc/dcerpc_helpers.c18
-rw-r--r--source3/librpc/rpc/dcerpc_spnego.c67
-rw-r--r--source3/librpc/rpc/dcerpc_spnego.h15
-rw-r--r--source3/rpc_client/cli_pipe.c19
4 files changed, 72 insertions, 47 deletions
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index 8944b395d8..fd51ca253e 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -267,7 +267,7 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
size_t max_len;
size_t mod_len;
struct gse_context *gse_ctx;
- enum dcerpc_AuthType auth_type;
+ enum spnego_mech auth_type;
void *auth_ctx;
bool seal = false;
NTSTATUS status;
@@ -315,11 +315,11 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
return status;
}
switch (auth_type) {
- case DCERPC_AUTH_TYPE_NTLMSSP:
+ case SPNEGO_NTLMSSP:
*auth_len = NTLMSSP_SIG_SIZE;
break;
- case DCERPC_AUTH_TYPE_KRB5:
+ case SPNEGO_KRB5:
gse_ctx = talloc_get_type(auth_ctx,
struct gse_context);
if (!gse_ctx) {
@@ -653,7 +653,7 @@ static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx,
enum dcerpc_AuthLevel auth_level,
DATA_BLOB *rpc_out)
{
- enum dcerpc_AuthType auth_type;
+ enum spnego_mech auth_type;
struct gse_context *gse_ctx;
struct auth_ntlmssp_state *ntlmssp_ctx;
void *auth_ctx;
@@ -670,7 +670,7 @@ static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx,
}
switch (auth_type) {
- case DCERPC_AUTH_TYPE_KRB5:
+ case SPNEGO_KRB5:
gse_ctx = talloc_get_type(auth_ctx, struct gse_context);
if (!gse_ctx) {
status = NT_STATUS_INTERNAL_ERROR;
@@ -680,7 +680,7 @@ static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx,
auth_level, rpc_out);
break;
- case DCERPC_AUTH_TYPE_NTLMSSP:
+ case SPNEGO_NTLMSSP:
ntlmssp_ctx = talloc_get_type(auth_ctx,
struct auth_ntlmssp_state);
if (!ntlmssp_ctx) {
@@ -705,7 +705,7 @@ static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx,
DATA_BLOB *data, DATA_BLOB *full_pkt,
DATA_BLOB *auth_token)
{
- enum dcerpc_AuthType auth_type;
+ enum spnego_mech auth_type;
struct auth_ntlmssp_state *ntlmssp_ctx;
struct gse_context *gse_ctx;
void *auth_ctx;
@@ -717,7 +717,7 @@ static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx,
}
switch (auth_type) {
- case DCERPC_AUTH_TYPE_KRB5:
+ case SPNEGO_KRB5:
gse_ctx = talloc_get_type(auth_ctx,
struct gse_context);
if (!gse_ctx) {
@@ -730,7 +730,7 @@ static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx,
auth_level,
data, full_pkt,
auth_token);
- case DCERPC_AUTH_TYPE_NTLMSSP:
+ case SPNEGO_NTLMSSP:
ntlmssp_ctx = talloc_get_type(auth_ctx,
struct auth_ntlmssp_state);
if (!ntlmssp_ctx) {
diff --git a/source3/librpc/rpc/dcerpc_spnego.c b/source3/librpc/rpc/dcerpc_spnego.c
index 83c2137a1f..89baa03cf3 100644
--- a/source3/librpc/rpc/dcerpc_spnego.c
+++ b/source3/librpc/rpc/dcerpc_spnego.c
@@ -21,11 +21,14 @@
#include "../libcli/auth/spnego.h"
#include "include/ntlmssp_wrap.h"
#include "librpc/gen_ndr/ntlmssp.h"
-#include "dcerpc_spnego.h"
#include "librpc/crypto/gse.h"
+#include "dcerpc_spnego.h"
struct spnego_context {
- enum dcerpc_AuthType auth_type;
+ enum spnego_mech mech;
+
+ bool do_sign;
+ bool do_seal;
union {
struct auth_ntlmssp_state *ntlmssp_state;
@@ -41,7 +44,7 @@ struct spnego_context {
};
static NTSTATUS spnego_context_init(TALLOC_CTX *mem_ctx,
- enum dcerpc_AuthType auth_type,
+ bool do_sign, bool do_seal,
struct spnego_context **spnego_ctx)
{
struct spnego_context *sp_ctx;
@@ -51,7 +54,8 @@ static NTSTATUS spnego_context_init(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- sp_ctx->auth_type = auth_type;
+ sp_ctx->do_sign = do_sign;
+ sp_ctx->do_seal = do_seal;
sp_ctx->state = SPNEGO_CONV_INIT;
*spnego_ctx = sp_ctx;
@@ -59,27 +63,31 @@ static NTSTATUS spnego_context_init(TALLOC_CTX *mem_ctx,
}
NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx,
- enum dcerpc_AuthLevel auth_level,
+ bool do_sign, bool do_seal,
+ bool is_dcerpc,
const char *ccache_name,
const char *server,
const char *service,
const char *username,
const char *password,
- uint32_t add_gss_c_flags,
struct spnego_context **spnego_ctx)
{
struct spnego_context *sp_ctx = NULL;
+ uint32_t add_gss_c_flags = 0;
NTSTATUS status;
- status = spnego_context_init(mem_ctx,
- DCERPC_AUTH_TYPE_KRB5, &sp_ctx);
+ status = spnego_context_init(mem_ctx, do_sign, do_seal, &sp_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
+ sp_ctx->mech = SPNEGO_KRB5;
+
+ if (is_dcerpc) {
+ add_gss_c_flags = GSS_C_DCE_STYLE;
+ }
status = gse_init_client(sp_ctx,
- (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY),
- (auth_level == DCERPC_AUTH_LEVEL_PRIVACY),
+ do_sign, do_seal,
ccache_name, server, service,
username, password, add_gss_c_flags,
&sp_ctx->mech_ctx.gssapi_state);
@@ -93,7 +101,8 @@ NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx,
}
NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx,
- enum dcerpc_AuthLevel auth_level,
+ bool do_sign, bool do_seal,
+ bool is_dcerpc,
const char *domain,
const char *username,
const char *password,
@@ -102,11 +111,11 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx,
struct spnego_context *sp_ctx = NULL;
NTSTATUS status;
- status = spnego_context_init(mem_ctx,
- DCERPC_AUTH_TYPE_NTLMSSP, &sp_ctx);
+ status = spnego_context_init(mem_ctx, do_sign, do_seal, &sp_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
+ sp_ctx->mech = SPNEGO_NTLMSSP;
status = auth_ntlmssp_client_start(sp_ctx,
global_myname(),
@@ -146,10 +155,10 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx,
~(NTLMSSP_NEGOTIATE_SIGN |
NTLMSSP_NEGOTIATE_SEAL));
- if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+ if (do_sign) {
auth_ntlmssp_or_flags(sp_ctx->mech_ctx.ntlmssp_state,
NTLMSSP_NEGOTIATE_SIGN);
- } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+ } else if (do_seal) {
auth_ntlmssp_or_flags(sp_ctx->mech_ctx.ntlmssp_state,
NTLMSSP_NEGOTIATE_SEAL |
NTLMSSP_NEGOTIATE_SIGN);
@@ -209,8 +218,8 @@ NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx,
goto done;
}
- switch (sp_ctx->auth_type) {
- case DCERPC_AUTH_TYPE_KRB5:
+ switch (sp_ctx->mech) {
+ case SPNEGO_KRB5:
gse_ctx = sp_ctx->mech_ctx.gssapi_state;
status = gse_get_client_auth_token(mem_ctx, gse_ctx,
@@ -224,7 +233,7 @@ NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx,
break;
- case DCERPC_AUTH_TYPE_NTLMSSP:
+ case SPNEGO_NTLMSSP:
ntlmssp_ctx = sp_ctx->mech_ctx.ntlmssp_state;
status = auth_ntlmssp_update(ntlmssp_ctx,
@@ -309,11 +318,11 @@ bool spnego_require_more_processing(struct spnego_context *sp_ctx)
}
/* otherwise see if underlying mechnism does */
- switch (sp_ctx->auth_type) {
- case DCERPC_AUTH_TYPE_KRB5:
+ switch (sp_ctx->mech) {
+ case SPNEGO_KRB5:
gse_ctx = sp_ctx->mech_ctx.gssapi_state;
return gse_require_more_processing(gse_ctx);
- case DCERPC_AUTH_TYPE_NTLMSSP:
+ case SPNEGO_NTLMSSP:
return false;
default:
DEBUG(0, ("Unsupported type in request!\n"));
@@ -322,21 +331,21 @@ bool spnego_require_more_processing(struct spnego_context *sp_ctx)
}
NTSTATUS spnego_get_negotiated_mech(struct spnego_context *sp_ctx,
- enum dcerpc_AuthType *auth_type,
+ enum spnego_mech *type,
void **auth_context)
{
- switch (sp_ctx->auth_type) {
- case DCERPC_AUTH_TYPE_KRB5:
+ switch (sp_ctx->mech) {
+ case SPNEGO_KRB5:
*auth_context = sp_ctx->mech_ctx.gssapi_state;
break;
- case DCERPC_AUTH_TYPE_NTLMSSP:
+ case SPNEGO_NTLMSSP:
*auth_context = sp_ctx->mech_ctx.ntlmssp_state;
break;
default:
return NT_STATUS_INTERNAL_ERROR;
}
- *auth_type = sp_ctx->auth_type;
+ *type = sp_ctx->mech;
return NT_STATUS_OK;
}
@@ -345,11 +354,11 @@ DATA_BLOB spnego_get_session_key(TALLOC_CTX *mem_ctx,
{
DATA_BLOB sk;
- switch (sp_ctx->auth_type) {
- case DCERPC_AUTH_TYPE_KRB5:
+ switch (sp_ctx->mech) {
+ case SPNEGO_KRB5:
return gse_get_session_key(mem_ctx,
sp_ctx->mech_ctx.gssapi_state);
- case DCERPC_AUTH_TYPE_NTLMSSP:
+ case SPNEGO_NTLMSSP:
sk = auth_ntlmssp_get_session_key(
sp_ctx->mech_ctx.ntlmssp_state);
return data_blob_dup_talloc(mem_ctx, &sk);
diff --git a/source3/librpc/rpc/dcerpc_spnego.h b/source3/librpc/rpc/dcerpc_spnego.h
index 9d37fd1e38..d4e7c62786 100644
--- a/source3/librpc/rpc/dcerpc_spnego.h
+++ b/source3/librpc/rpc/dcerpc_spnego.h
@@ -22,17 +22,24 @@
struct spnego_context;
+enum spnego_mech {
+ SPNEGO_NONE = 0,
+ SPNEGO_KRB5,
+ SPNEGO_NTLMSSP
+};
+
NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx,
- enum dcerpc_AuthLevel auth_level,
+ bool do_sign, bool do_seal,
+ bool is_dcerpc,
const char *ccache_name,
const char *server,
const char *service,
const char *username,
const char *password,
- uint32_t add_gss_c_flags,
struct spnego_context **spengo_ctx);
NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx,
- enum dcerpc_AuthLevel auth_level,
+ bool do_sign, bool do_seal,
+ bool is_dcerpc,
const char *domain,
const char *username,
const char *password,
@@ -46,7 +53,7 @@ NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx,
bool spnego_require_more_processing(struct spnego_context *sp_ctx);
NTSTATUS spnego_get_negotiated_mech(struct spnego_context *sp_ctx,
- enum dcerpc_AuthType *auth_type,
+ enum spnego_mech *type,
void **auth_context);
DATA_BLOB spnego_get_session_key(TALLOC_CTX *mem_ctx,
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 077a08a770..cca4f38a8c 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2193,7 +2193,7 @@ bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16])
if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_NTLMSSP) {
a = rpc_cli->auth->a_u.auth_ntlmssp_state;
} else if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
- enum dcerpc_AuthType auth_type;
+ enum spnego_mech auth_type;
void *auth_ctx;
NTSTATUS status;
@@ -2204,7 +2204,7 @@ bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16])
return false;
}
- if (auth_type == DCERPC_AUTH_TYPE_NTLMSSP) {
+ if (auth_type == SPNEGO_NTLMSSP) {
a = talloc_get_type(auth_ctx,
struct auth_ntlmssp_state);
}
@@ -3083,10 +3083,14 @@ NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli,
goto err_out;
}
- status = spnego_gssapi_init_client(auth, auth->auth_level,
+ status = spnego_gssapi_init_client(auth,
+ (auth->auth_level ==
+ DCERPC_AUTH_LEVEL_INTEGRITY),
+ (auth->auth_level ==
+ DCERPC_AUTH_LEVEL_PRIVACY),
+ true,
NULL, server, "cifs",
username, password,
- GSS_C_DCE_STYLE,
&auth->a_u.spnego_state);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("spnego_init_client returned %s\n",
@@ -3153,7 +3157,12 @@ NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
goto err_out;
}
- status = spnego_ntlmssp_init_client(auth, auth->auth_level,
+ status = spnego_ntlmssp_init_client(auth,
+ (auth->auth_level ==
+ DCERPC_AUTH_LEVEL_INTEGRITY),
+ (auth->auth_level ==
+ DCERPC_AUTH_LEVEL_PRIVACY),
+ true,
domain, username, password,
&auth->a_u.spnego_state);
if (!NT_STATUS_IS_OK(status)) {