#include "includes.h"
#include "librpc/gen_ndr/cli_epmapper.h"
#include "../librpc/gen_ndr/ndr_schannel.h"
-#include "../librpc/gen_ndr/ndr_lsa.h"
#include "../librpc/gen_ndr/ndr_dssetup.h"
-#include "../librpc/gen_ndr/ndr_samr.h"
#include "../librpc/gen_ndr/ndr_netlogon.h"
-#include "../librpc/gen_ndr/ndr_srvsvc.h"
-#include "../librpc/gen_ndr/ndr_wkssvc.h"
-#include "../librpc/gen_ndr/ndr_winreg.h"
-#include "../librpc/gen_ndr/ndr_spoolss.h"
-#include "../librpc/gen_ndr/ndr_dfs.h"
-#include "../librpc/gen_ndr/ndr_echo.h"
-#include "../librpc/gen_ndr/ndr_initshutdown.h"
-#include "../librpc/gen_ndr/ndr_svcctl.h"
-#include "../librpc/gen_ndr/ndr_eventlog.h"
-#include "../librpc/gen_ndr/ndr_ntsvcs.h"
-#include "../librpc/gen_ndr/ndr_epmapper.h"
-#include "../librpc/gen_ndr/ndr_drsuapi.h"
#include "../libcli/auth/schannel.h"
#include "../libcli/auth/spnego.h"
#include "smb_krb5.h"
#include "../libcli/auth/ntlmssp.h"
+#include "ntlmssp_wrap.h"
#include "rpc_client/cli_netlogon.h"
#include "librpc/gen_ndr/ndr_dcerpc.h"
#include "librpc/rpc/dcerpc.h"
+#include "librpc/rpc/dcerpc_gssapi.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_CLI
-static const char *get_pipe_name_from_iface(
- TALLOC_CTX *mem_ctx, const struct ndr_interface_table *interface)
-{
- int i;
- const struct ndr_interface_string_array *ep = interface->endpoints;
- char *p;
-
- for (i=0; i<ep->count; i++) {
- if (strncmp(ep->names[i], "ncacn_np:[\\pipe\\", 16) == 0) {
- break;
- }
- }
- if (i == ep->count) {
- return NULL;
- }
-
- /*
- * extract the pipe name without \\pipe from for example
- * ncacn_np:[\\pipe\\epmapper]
- */
- p = strchr(ep->names[i]+15, ']');
- if (p == NULL) {
- return "PIPE";
- }
- return talloc_strndup(mem_ctx, ep->names[i]+15, p - ep->names[i] - 15);
-}
-
-static const struct ndr_interface_table **interfaces;
-
-bool smb_register_ndr_interface(const struct ndr_interface_table *interface)
-{
- int num_interfaces = talloc_array_length(interfaces);
- const struct ndr_interface_table **tmp;
- int i;
-
- for (i=0; i<num_interfaces; i++) {
- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id,
- &interface->syntax_id)) {
- return true;
- }
- }
-
- tmp = talloc_realloc(NULL, interfaces,
- const struct ndr_interface_table *,
- num_interfaces + 1);
- if (tmp == NULL) {
- DEBUG(1, ("smb_register_ndr_interface: talloc failed\n"));
- return false;
- }
- interfaces = tmp;
- interfaces[num_interfaces] = interface;
- return true;
-}
-
-static bool initialize_interfaces(void)
-{
- if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_samr)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_wkssvc)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_winreg)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_rpcecho)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_svcctl)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_eventlog)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
- return false;
- }
- if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
- return false;
- }
- return true;
-}
-
-const struct ndr_interface_table *get_iface_from_syntax(
- const struct ndr_syntax_id *syntax)
-{
- int num_interfaces;
- int i;
-
- if (interfaces == NULL) {
- if (!initialize_interfaces()) {
- return NULL;
- }
- }
- num_interfaces = talloc_array_length(interfaces);
-
- for (i=0; i<num_interfaces; i++) {
- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id, syntax)) {
- return interfaces[i];
- }
- }
-
- return NULL;
-}
-
-/****************************************************************************
- Return the pipe name from the interface.
- ****************************************************************************/
-
-const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
- const struct ndr_syntax_id *syntax)
-{
- const struct ndr_interface_table *interface;
- char *guid_str;
- const char *result;
-
- interface = get_iface_from_syntax(syntax);
- if (interface != NULL) {
- result = get_pipe_name_from_iface(mem_ctx, interface);
- if (result != NULL) {
- return result;
- }
- }
-
- /*
- * Here we should ask \\epmapper, but for now our code is only
- * interested in the known pipes mentioned in pipe_names[]
- */
-
- guid_str = GUID_string(talloc_tos(), &syntax->uuid);
- if (guid_str == NULL) {
- return NULL;
- }
- result = talloc_asprintf(mem_ctx, "Interface %s.%d", guid_str,
- (int)syntax->if_version);
- TALLOC_FREE(guid_str);
-
- if (result == NULL) {
- return "PIPE";
- }
- return result;
-}
-
-/********************************************************************
- Map internal value to wire value.
- ********************************************************************/
-
-enum dcerpc_AuthType map_pipe_auth_type_to_rpc_auth_type(enum pipe_auth_type auth_type)
-{
- switch (auth_type) {
-
- case PIPE_AUTH_TYPE_NONE:
- return DCERPC_AUTH_TYPE_NONE;
-
- case PIPE_AUTH_TYPE_NTLMSSP:
- return DCERPC_AUTH_TYPE_NTLMSSP;
-
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
- case PIPE_AUTH_TYPE_SPNEGO_KRB5:
- return DCERPC_AUTH_TYPE_SPNEGO;
-
- case PIPE_AUTH_TYPE_SCHANNEL:
- return DCERPC_AUTH_TYPE_SCHANNEL;
-
- case PIPE_AUTH_TYPE_KRB5:
- return DCERPC_AUTH_TYPE_KRB5;
-
- default:
- DEBUG(0,("map_pipe_auth_type_to_rpc_type: unknown pipe "
- "auth type %u\n",
- (unsigned int)auth_type ));
- break;
- }
- return -1;
-}
-
/********************************************************************
Pipe description for a DEBUG
********************************************************************/
return tevent_req_simple_recv_ntstatus(req);
}
-/****************************************************************************
- NTLMSSP specific sign/seal.
- Virtually identical to rpc_server/srv_pipe.c:api_pipe_ntlmssp_auth_process.
- In fact I should probably abstract these into identical pieces of code... JRA.
- ****************************************************************************/
-
-static NTSTATUS cli_pipe_verify_ntlmssp(struct rpc_pipe_client *cli,
- struct ncacn_packet *pkt,
- DATA_BLOB *pdu,
- uint8 *p_ss_padding_len)
-{
- struct dcerpc_auth auth_info;
- DATA_BLOB blob;
- NTSTATUS status;
-
- if (cli->auth->auth_level == DCERPC_AUTH_LEVEL_NONE
- || cli->auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
- return NT_STATUS_OK;
- }
-
- if (!cli->auth->a_u.ntlmssp_state) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* Ensure there's enough data for an authenticated response. */
- if ((pkt->auth_length > RPC_MAX_PDU_FRAG_LEN) ||
- (pkt->frag_length < DCERPC_RESPONSE_LENGTH
- + DCERPC_AUTH_TRAILER_LENGTH
- + pkt->auth_length)) {
- DEBUG(0, ("auth_len %u is too long.\n",
- (unsigned int)pkt->auth_length));
- return NT_STATUS_BUFFER_TOO_SMALL;
- }
-
- /* get the auth blob at the end of the packet */
- blob = data_blob_const(pdu->data + pkt->frag_length
- - DCERPC_AUTH_TRAILER_LENGTH
- - pkt->auth_length,
- DCERPC_AUTH_TRAILER_LENGTH
- + pkt->auth_length);
-
- status = dcerpc_pull_dcerpc_auth(cli, &blob, &auth_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unmarshall dcerpc_auth.\n"));
- return status;
- }
-
- /* Ensure auth_pad_len fits into the packet. */
- if (pkt->frag_length < DCERPC_RESPONSE_LENGTH
- + auth_info.auth_pad_length
- + DCERPC_AUTH_TRAILER_LENGTH
- + pkt->auth_length) {
- DEBUG(0,("cli_pipe_verify_ntlmssp: auth_info.auth_pad_len "
- "too large (%u), auth_len (%u), frag_len = (%u).\n",
- (unsigned int)auth_info.auth_pad_length,
- (unsigned int)pkt->auth_length,
- (unsigned int)pkt->frag_length));
- return NT_STATUS_BUFFER_TOO_SMALL;
- }
-
- /*
- * We need the full packet data + length (minus auth stuff) as well as the packet data + length
- * after the RPC header.
- * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
- * functions as NTLMv2 checks the rpc headers also.
- */
-
- switch (cli->auth->auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- /* Data is encrypted. */
- status = ntlmssp_unseal_packet(
- cli->auth->a_u.ntlmssp_state,
- pdu->data + DCERPC_RESPONSE_LENGTH,
- pkt->frag_length
- - DCERPC_RESPONSE_LENGTH
- - DCERPC_AUTH_TRAILER_LENGTH
- - pkt->auth_length,
- pdu->data,
- pkt->frag_length - pkt->auth_length,
- &auth_info.credentials);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("failed to unseal packet from %s."
- " Error was %s.\n",
- rpccli_pipe_txt(talloc_tos(), cli),
- nt_errstr(status)));
- return status;
- }
- break;
-
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- /* Data is signed. */
- status = ntlmssp_check_packet(
- cli->auth->a_u.ntlmssp_state,
- pdu->data + DCERPC_RESPONSE_LENGTH,
- pkt->frag_length
- - DCERPC_RESPONSE_LENGTH
- - DCERPC_AUTH_TRAILER_LENGTH
- - pkt->auth_length,
- pdu->data,
- pkt->frag_length - pkt->auth_length,
- &auth_info.credentials);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("check signing failed on packet from %s."
- " Error was %s.\n",
- rpccli_pipe_txt(talloc_tos(), cli),
- nt_errstr(status)));
- return status;
- }
- break;
-
- default:
- DEBUG(0, ("cli_pipe_verify_ntlmssp: unknown internal "
- "auth level %d\n", cli->auth->auth_level));
- return NT_STATUS_INVALID_INFO_CLASS;
- }
-
- /*
- * Remember the padding length. We must remove it from the real data
- * stream once the sign/seal is done.
- */
-
- *p_ss_padding_len = auth_info.auth_pad_length;
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************************
- schannel specific sign/seal.
- ****************************************************************************/
-
-static NTSTATUS cli_pipe_verify_schannel(struct rpc_pipe_client *cli,
- struct ncacn_packet *pkt,
- DATA_BLOB *pdu,
- uint8 *p_ss_padding_len)
-{
- struct dcerpc_auth auth_info;
- DATA_BLOB blob;
- NTSTATUS status;
-
- if (cli->auth->auth_level == DCERPC_AUTH_LEVEL_NONE
- || cli->auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
- return NT_STATUS_OK;
- }
-
- if (pkt->auth_length < SCHANNEL_SIG_SIZE) {
- DEBUG(0, ("auth_len %u.\n", (unsigned int)pkt->auth_length));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (!cli->auth->a_u.schannel_auth) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* Ensure there's enough data for an authenticated response. */
- if ((pkt->auth_length > RPC_MAX_PDU_FRAG_LEN) ||
- (pkt->frag_length < DCERPC_RESPONSE_LENGTH
- + DCERPC_AUTH_TRAILER_LENGTH
- + pkt->auth_length)) {
- DEBUG(0, ("auth_len %u is too long.\n",
- (unsigned int)pkt->auth_length));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* get the auth blob at the end of the packet */
- blob = data_blob_const(pdu->data + pkt->frag_length
- - DCERPC_AUTH_TRAILER_LENGTH
- - pkt->auth_length,
- DCERPC_AUTH_TRAILER_LENGTH
- + pkt->auth_length);
-
-
- status = dcerpc_pull_dcerpc_auth(cli, &blob, &auth_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unmarshall dcerpc_auth.\n"));
- return status;
- }
-
- /* Ensure auth_pad_len fits into the packet. */
- if (pkt->frag_length < DCERPC_RESPONSE_LENGTH
- + auth_info.auth_pad_length
- + DCERPC_AUTH_TRAILER_LENGTH
- + pkt->auth_length) {
- DEBUG(0,("cli_pipe_verify_schannel: auth_info.auth_pad_len "
- "too large (%u), auth_len (%u), frag_len = (%u).\n",
- (unsigned int)auth_info.auth_pad_length,
- (unsigned int)pkt->auth_length,
- (unsigned int)pkt->frag_length));
- return NT_STATUS_BUFFER_TOO_SMALL;
- }
-
- if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
- DEBUG(0, ("Invalid auth info %d on schannel\n",
- auth_info.auth_type));
- return NT_STATUS_BUFFER_TOO_SMALL;
- }
-
- if (DEBUGLEVEL >= 10) {
- dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_info.credentials);
- }
-
- switch (cli->auth->auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- status = netsec_incoming_packet(
- cli->auth->a_u.schannel_auth,
- talloc_tos(),
- true,
- pdu->data + DCERPC_RESPONSE_LENGTH,
- pkt->frag_length
- - DCERPC_RESPONSE_LENGTH
- - DCERPC_AUTH_TRAILER_LENGTH
- - pkt->auth_length,
- &auth_info.credentials);
- break;
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- status = netsec_incoming_packet(
- cli->auth->a_u.schannel_auth,
- talloc_tos(),
- false,
- pdu->data + DCERPC_RESPONSE_LENGTH,
- pkt->frag_length
- - DCERPC_RESPONSE_LENGTH
- - DCERPC_AUTH_TRAILER_LENGTH
- - pkt->auth_length,
- &auth_info.credentials);
- break;
- default:
- status = NT_STATUS_INTERNAL_ERROR;
- break;
- }
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(3,("cli_pipe_verify_schannel: failed to decode PDU "
- "Connection to %s (%s).\n",
- rpccli_pipe_txt(talloc_tos(), cli),
- nt_errstr(status)));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /*
- * Remember the padding length. We must remove it from the real data
- * stream once the sign/seal is done.
- */
-
- *p_ss_padding_len = auth_info.auth_pad_length;
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************************
- Do the authentication checks on an incoming pdu. Check sign and unseal etc.
- ****************************************************************************/
-
-static NTSTATUS cli_pipe_validate_rpc_response(struct rpc_pipe_client *cli,
- struct ncacn_packet *pkt,
- DATA_BLOB *pdu,
- uint8 *p_ss_padding_len)
-{
- NTSTATUS ret = NT_STATUS_OK;
-
- /* Paranioa checks for auth_len. */
- if (pkt->auth_length) {
- if (pkt->auth_length > pkt->frag_length) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if ((pkt->auth_length
- + (unsigned int)DCERPC_AUTH_TRAILER_LENGTH
- < pkt->auth_length) ||
- (pkt->auth_length
- + (unsigned int)DCERPC_AUTH_TRAILER_LENGTH
- < (unsigned int)DCERPC_AUTH_TRAILER_LENGTH)) {
- /* Integer wrap attempt. */
- return NT_STATUS_INVALID_PARAMETER;
- }
- }
-
- /*
- * Now we have a complete RPC request PDU fragment, try and verify any auth data.
- */
-
- switch(cli->auth->auth_type) {
- case PIPE_AUTH_TYPE_NONE:
- if (pkt->auth_length) {
- DEBUG(3, ("cli_pipe_validate_rpc_response: "
- "Connection to %s - got non-zero "
- "auth len %u.\n",
- rpccli_pipe_txt(talloc_tos(), cli),
- (unsigned int)pkt->auth_length));
- return NT_STATUS_INVALID_PARAMETER;
- }
- break;
-
- case PIPE_AUTH_TYPE_NTLMSSP:
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
- ret = cli_pipe_verify_ntlmssp(cli, pkt, pdu,
- p_ss_padding_len);
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
- break;
-
- case PIPE_AUTH_TYPE_SCHANNEL:
- ret = cli_pipe_verify_schannel(cli, pkt, pdu,
- p_ss_padding_len);
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
- break;
-
- case PIPE_AUTH_TYPE_KRB5:
- case PIPE_AUTH_TYPE_SPNEGO_KRB5:
- default:
- DEBUG(3, ("cli_pipe_validate_rpc_response: Connection "
- "to %s - unknown internal auth type %u.\n",
- rpccli_pipe_txt(talloc_tos(), cli),
- cli->auth->auth_type ));
- return NT_STATUS_INVALID_INFO_CLASS;
- }
-
- return NT_STATUS_OK;
-}
-
/****************************************************************************
Do basic authentication checks on an incoming pdu.
****************************************************************************/
DATA_BLOB *reply_pdu)
{
NTSTATUS ret = NT_STATUS_OK;
- uint8 ss_padding_len = 0;
+ size_t pad_len = 0;
- ret = dcerpc_pull_ncacn_packet(cli, pdu, pkt);
+ ret = dcerpc_pull_ncacn_packet(cli, pdu, pkt, false);
if (!NT_STATUS_IS_OK(ret)) {
return ret;
}
case DCERPC_PKT_RESPONSE:
/* Here's where we deal with incoming sign/seal. */
- ret = cli_pipe_validate_rpc_response(cli, pkt, pdu,
- &ss_padding_len);
+ ret = dcerpc_check_auth(cli->auth, pkt,
+ &pkt->u.response.stub_and_verifier,
+ DCERPC_RESPONSE_LENGTH,
+ pdu, &pad_len);
if (!NT_STATUS_IS_OK(ret)) {
return ret;
}
- /* Point the return values at the NDR data.
- * Remember to remove any ss padding. */
- rdata->data = pdu->data + DCERPC_RESPONSE_LENGTH;
-
- if (pdu->length < DCERPC_RESPONSE_LENGTH + ss_padding_len) {
+ if (pdu->length < DCERPC_RESPONSE_LENGTH + pad_len) {
return NT_STATUS_BUFFER_TOO_SMALL;
}
- rdata->length = pdu->length
- - DCERPC_RESPONSE_LENGTH
- - ss_padding_len;
+ /* Point the return values at the NDR data. */
+ rdata->data = pdu->data + DCERPC_RESPONSE_LENGTH;
- /* Remember to remove the auth footer. */
if (pkt->auth_length) {
- /* We've already done integer wrap tests on auth_len in
- cli_pipe_validate_rpc_response(). */
- if (rdata->length < DCERPC_AUTH_TRAILER_LENGTH
- + pkt->auth_length) {
- return NT_STATUS_BUFFER_TOO_SMALL;
- }
- rdata->length -= (DCERPC_AUTH_TRAILER_LENGTH
- + pkt->auth_length);
+ /* We've already done integer wrap tests in
+ * dcerpc_check_auth(). */
+ rdata->length = pdu->length
+ - DCERPC_RESPONSE_LENGTH
+ - pad_len
+ - DCERPC_AUTH_TRAILER_LENGTH
+ - pkt->auth_length;
+ } else {
+ rdata->length = pdu->length - DCERPC_RESPONSE_LENGTH;
}
DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
- pdu->length, rdata->length, ss_padding_len));
+ (long unsigned int)pdu->length,
+ (long unsigned int)rdata->length,
+ (unsigned int)pad_len));
/*
* If this is the first reply, and the allocation hint is
Creates krb5 auth bind.
********************************************************************/
-static NTSTATUS create_krb5_auth_bind_req(struct rpc_pipe_client *cli,
- enum dcerpc_AuthLevel auth_level,
- DATA_BLOB *auth_info)
+static NTSTATUS create_gssapi_auth_bind_req(TALLOC_CTX *mem_ctx,
+ struct pipe_auth_data *auth,
+ DATA_BLOB *auth_info)
{
-#ifdef HAVE_KRB5
- int ret;
+ DATA_BLOB in_token = data_blob_null;
+ DATA_BLOB auth_token = data_blob_null;
NTSTATUS status;
- struct kerberos_auth_struct *a = cli->auth->a_u.kerberos_auth;
- DATA_BLOB tkt = data_blob_null;
- DATA_BLOB tkt_wrapped = data_blob_null;
-
- DEBUG(5, ("create_krb5_auth_bind_req: creating a service ticket for principal %s\n",
- a->service_principal ));
-
- /* Create the ticket for the service principal and return it in a gss-api wrapped blob. */
-
- ret = cli_krb5_get_ticket(a->service_principal, 0, &tkt,
- &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL, NULL, NULL);
- if (ret) {
- DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s "
- "failed with %s\n",
- a->service_principal,
- error_message(ret) ));
-
- data_blob_free(&tkt);
- return NT_STATUS_INVALID_PARAMETER;
+ /* Negotiate the initial auth token */
+ status = gse_get_client_auth_token(mem_ctx,
+ auth->a_u.gssapi_state,
+ &in_token,
+ &auth_token);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
- /* wrap that up in a nice GSS-API wrapping */
- tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
-
- data_blob_free(&tkt);
-
- status = dcerpc_push_dcerpc_auth(cli,
- DCERPC_AUTH_TYPE_KRB5,
- auth_level,
+ status = dcerpc_push_dcerpc_auth(mem_ctx,
+ auth->auth_type,
+ auth->auth_level,
0, /* auth_pad_length */
1, /* auth_context_id */
- &tkt_wrapped,
+ &auth_token,
auth_info);
if (!NT_STATUS_IS_OK(status)) {
- data_blob_free(&tkt_wrapped);
+ data_blob_free(&auth_token);
return status;
}
- DEBUG(5, ("create_krb5_auth_bind_req: Created krb5 GSS blob :\n"));
- dump_data(5, tkt_wrapped.data, tkt_wrapped.length);
+ DEBUG(5, ("Created GSS Authentication Token:\n"));
+ dump_data(5, auth_token.data, auth_token.length);
+ data_blob_free(&auth_token);
return NT_STATUS_OK;
-#else
- return NT_STATUS_INVALID_PARAMETER;
-#endif
}
/*******************************************************************
DATA_BLOB null_blob = data_blob_null;
DATA_BLOB request = data_blob_null;
DATA_BLOB spnego_msg = data_blob_null;
+ const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL};
DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
- status = ntlmssp_update(cli->auth->a_u.ntlmssp_state,
+ status = auth_ntlmssp_update(cli->auth->a_u.auth_ntlmssp_state,
null_blob,
&request);
}
/* Wrap this in SPNEGO. */
- spnego_msg = gen_negTokenInit(OID_NTLMSSP, request);
+ spnego_msg = spnego_gen_negTokenInit(talloc_tos(), OIDs_ntlm, &request, NULL);
data_blob_free(&request);
1, /* auth_context_id */
&spnego_msg,
auth_info);
+
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&spnego_msg);
return status;
DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
dump_data(5, spnego_msg.data, spnego_msg.length);
+ data_blob_free(&spnego_msg);
return NT_STATUS_OK;
}
DATA_BLOB request = data_blob_null;
DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
- status = ntlmssp_update(cli->auth->a_u.ntlmssp_state,
+ status = auth_ntlmssp_update(cli->auth->a_u.auth_ntlmssp_state,
null_blob,
&request);
ctx_list.context_id = 0;
ctx_list.num_transfer_syntaxes = 1;
ctx_list.abstract_syntax = *abstract;
- ctx_list.transfer_syntaxes = discard_const(transfer);
+ ctx_list.transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer);
u.bind.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
u.bind.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
Creates a DCE/RPC bind request.
********************************************************************/
-static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
- struct rpc_pipe_client *cli,
- uint32 rpc_call_id,
- const struct ndr_syntax_id *abstract,
- const struct ndr_syntax_id *transfer,
- enum pipe_auth_type auth_type,
- enum dcerpc_AuthLevel auth_level,
- DATA_BLOB *rpc_out)
-{
- DATA_BLOB auth_info = data_blob_null;
- NTSTATUS ret = NT_STATUS_OK;
-
- switch (auth_type) {
- case PIPE_AUTH_TYPE_SCHANNEL:
- ret = create_schannel_auth_rpc_bind_req(cli, auth_level, &auth_info);
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
- break;
-
- case PIPE_AUTH_TYPE_NTLMSSP:
- ret = create_ntlmssp_auth_rpc_bind_req(cli, auth_level, &auth_info);
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
- break;
-
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
- ret = create_spnego_ntlmssp_auth_rpc_bind_req(cli, auth_level, &auth_info);
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
- break;
-
- case PIPE_AUTH_TYPE_KRB5:
- ret = create_krb5_auth_bind_req(cli, auth_level, &auth_info);
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
- break;
-
- case PIPE_AUTH_TYPE_NONE:
- break;
-
- default:
- /* "Can't" happen. */
- return NT_STATUS_INVALID_INFO_CLASS;
- }
-
- ret = create_bind_or_alt_ctx_internal(mem_ctx,
- DCERPC_PKT_BIND,
- rpc_call_id,
- abstract,
- transfer,
- &auth_info,
- rpc_out);
- return ret;
-}
-
-/*******************************************************************
- Create and add the NTLMSSP sign/seal auth header and data.
- ********************************************************************/
-
-static NTSTATUS add_ntlmssp_auth_footer(struct rpc_pipe_client *cli,
- uint32 ss_padding_len,
- DATA_BLOB *rpc_out)
-{
- DATA_BLOB auth_info;
- NTSTATUS status;
- DATA_BLOB auth_blob = data_blob_null;
- uint16_t data_and_pad_len = rpc_out->length - DCERPC_RESPONSE_LENGTH;
-
- if (!cli->auth->a_u.ntlmssp_state) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* marshall the dcerpc_auth with an actually empty auth_blob.
- * this is needed because the ntmlssp signature includes the
- * auth header */
- status = dcerpc_push_dcerpc_auth(rpc_out->data,
- map_pipe_auth_type_to_rpc_auth_type(cli->auth->auth_type),
- cli->auth->auth_level,
- ss_padding_len,
- 1 /* context id. */,
- &auth_blob,
- &auth_info);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- /* append the header */
- if (!data_blob_append(NULL, rpc_out,
- auth_info.data, auth_info.length)) {
- DEBUG(0, ("Failed to add %u bytes auth blob.\n",
- (unsigned int)auth_info.length));
- return NT_STATUS_NO_MEMORY;
- }
- data_blob_free(&auth_info);
-
- switch (cli->auth->auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- /* Data portion is encrypted. */
- status = ntlmssp_seal_packet(cli->auth->a_u.ntlmssp_state,
- rpc_out->data,
- rpc_out->data
- + DCERPC_RESPONSE_LENGTH,
- data_and_pad_len,
- rpc_out->data,
- rpc_out->length,
- &auth_blob);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- break;
-
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- /* Data is signed. */
- status = ntlmssp_sign_packet(cli->auth->a_u.ntlmssp_state,
- rpc_out->data,
- rpc_out->data
- + DCERPC_RESPONSE_LENGTH,
- data_and_pad_len,
- rpc_out->data,
- rpc_out->length,
- &auth_blob);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- break;
-
- default:
- /* Can't happen. */
- smb_panic("bad auth level");
- /* Notreached. */
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* Finally attach the blob. */
- if (!data_blob_append(NULL, rpc_out,
- auth_blob.data, auth_blob.length)) {
- DEBUG(0, ("Failed to add %u bytes auth blob.\n",
- (unsigned int)auth_info.length));
- return NT_STATUS_NO_MEMORY;
- }
- data_blob_free(&auth_blob);
-
- return NT_STATUS_OK;
-}
-
-/*******************************************************************
- Create and add the schannel sign/seal auth header and data.
- ********************************************************************/
-
-static NTSTATUS add_schannel_auth_footer(struct rpc_pipe_client *cli,
- uint32 ss_padding_len,
- DATA_BLOB *rpc_out)
-{
- DATA_BLOB auth_info;
- struct schannel_state *sas = cli->auth->a_u.schannel_auth;
- uint8_t *data_p = rpc_out->data + DCERPC_RESPONSE_LENGTH;
- size_t data_and_pad_len = rpc_out->length
- - DCERPC_RESPONSE_LENGTH;
- DATA_BLOB blob;
- NTSTATUS status;
-
- if (!sas) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
- sas->seq_num));
+static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *cli,
+ struct pipe_auth_data *auth,
+ uint32 rpc_call_id,
+ const struct ndr_syntax_id *abstract,
+ const struct ndr_syntax_id *transfer,
+ DATA_BLOB *rpc_out)
+{
+ DATA_BLOB auth_info = data_blob_null;
+ NTSTATUS ret = NT_STATUS_OK;
- switch (cli->auth->auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- status = netsec_outgoing_packet(sas,
- rpc_out->data,
- true,
- data_p,
- data_and_pad_len,
- &blob);
- break;
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- status = netsec_outgoing_packet(sas,
- rpc_out->data,
- false,
- data_p,
- data_and_pad_len,
- &blob);
+ switch (auth->auth_type) {
+ case DCERPC_AUTH_TYPE_SCHANNEL:
+ ret = create_schannel_auth_rpc_bind_req(cli,
+ auth->auth_level,
+ &auth_info);
+ if (!NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
break;
- default:
- status = NT_STATUS_INTERNAL_ERROR;
+
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ ret = create_ntlmssp_auth_rpc_bind_req(cli,
+ auth->auth_level,
+ &auth_info);
+ if (!NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
break;
- }
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
- nt_errstr(status)));
- return status;
- }
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ if (auth->spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ /* "Can't" happen. */
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+ ret = create_spnego_ntlmssp_auth_rpc_bind_req(cli,
+ auth->auth_level,
+ &auth_info);
+ if (!NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
+ break;
- if (DEBUGLEVEL >= 10) {
- dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
- }
+ case DCERPC_AUTH_TYPE_KRB5:
+ ret = create_gssapi_auth_bind_req(mem_ctx, auth, &auth_info);
+ if (!NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
+ break;
- /* Finally marshall the blob. */
- status = dcerpc_push_dcerpc_auth(rpc_out->data,
- map_pipe_auth_type_to_rpc_auth_type(cli->auth->auth_type),
- cli->auth->auth_level,
- ss_padding_len,
- 1 /* context id. */,
- &blob,
- &auth_info);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- data_blob_free(&blob);
+ case DCERPC_AUTH_TYPE_NONE:
+ break;
- if (!data_blob_append(NULL, rpc_out,
- auth_info.data, auth_info.length)) {
- return NT_STATUS_NO_MEMORY;
+ default:
+ /* "Can't" happen. */
+ return NT_STATUS_INVALID_INFO_CLASS;
}
- data_blob_free(&auth_info);
- return NT_STATUS_OK;
+ ret = create_bind_or_alt_ctx_internal(mem_ctx,
+ DCERPC_PKT_BIND,
+ rpc_call_id,
+ abstract,
+ transfer,
+ &auth_info,
+ rpc_out);
+ return ret;
}
/*******************************************************************
work out any sign/seal padding length.
********************************************************************/
-static uint32 calculate_data_len_tosend(struct rpc_pipe_client *cli,
- uint32 data_left,
- uint16 *p_frag_len,
- uint16 *p_auth_len,
- uint32 *p_ss_padding)
+static NTSTATUS calculate_data_len_tosend(struct rpc_pipe_client *cli,
+ uint32_t data_left,
+ uint32_t *data_to_send,
+ uint16_t *p_frag_len,
+ uint16_t *p_auth_len,
+ uint32_t *p_ss_padding)
{
- uint32 data_space, data_len;
-
-#if 0
- if ((data_left > 0) && (sys_random() % 2)) {
- data_left = MAX(data_left/2, 1);
- }
-#endif
+ uint32_t data_space, data_len;
+ size_t max_len;
switch (cli->auth->auth_level) {
- case DCERPC_AUTH_LEVEL_NONE:
- case DCERPC_AUTH_LEVEL_CONNECT:
- data_space = cli->max_xmit_frag - DCERPC_REQUEST_LENGTH;
- data_len = MIN(data_space, data_left);
- *p_ss_padding = 0;
- *p_auth_len = 0;
- *p_frag_len = DCERPC_REQUEST_LENGTH + data_len;
- return data_len;
-
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- case DCERPC_AUTH_LEVEL_PRIVACY:
- /* Treat the same for all authenticated rpc requests. */
- switch(cli->auth->auth_type) {
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
- case PIPE_AUTH_TYPE_NTLMSSP:
- *p_auth_len = NTLMSSP_SIG_SIZE;
- break;
- case PIPE_AUTH_TYPE_SCHANNEL:
- *p_auth_len = SCHANNEL_SIG_SIZE;
- break;
- default:
- smb_panic("bad auth type");
- break;
+ case DCERPC_AUTH_LEVEL_NONE:
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ case DCERPC_AUTH_LEVEL_PACKET:
+ data_space = cli->max_xmit_frag - DCERPC_REQUEST_LENGTH;
+ data_len = MIN(data_space, data_left);
+ *p_ss_padding = 0;
+ *p_auth_len = 0;
+ *p_frag_len = DCERPC_REQUEST_LENGTH + data_len;
+ *data_to_send = data_len;
+ return NT_STATUS_OK;
+
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ max_len = cli->max_xmit_frag
+ - DCERPC_REQUEST_LENGTH
+ - DCERPC_AUTH_TRAILER_LENGTH;
+
+ /* Treat the same for all authenticated rpc requests. */
+ switch(cli->auth->auth_type) {
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ switch (cli->auth->spnego_type) {
+ case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ *p_auth_len = NTLMSSP_SIG_SIZE;
+ break;
+ case PIPE_AUTH_TYPE_SPNEGO_KRB5:
+ *p_auth_len = 0; /* TODO */
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
}
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ *p_auth_len = NTLMSSP_SIG_SIZE;
+ break;
+ case DCERPC_AUTH_TYPE_SCHANNEL:
+ *p_auth_len = NL_AUTH_SIGNATURE_SIZE;
+ break;
+ case DCERPC_AUTH_TYPE_KRB5:
+ *p_auth_len = gse_get_signature_length(
+ cli->auth->a_u.gssapi_state,
+ (cli->auth->auth_level ==
+ DCERPC_AUTH_LEVEL_PRIVACY),
+ max_len);
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- data_space = cli->max_xmit_frag
- - DCERPC_REQUEST_LENGTH
- - DCERPC_AUTH_TRAILER_LENGTH
- - *p_auth_len;
+ data_space = max_len - *p_auth_len;
- data_len = MIN(data_space, data_left);
- *p_ss_padding = 0;
- if (data_len % CLIENT_NDR_PADDING_SIZE) {
- *p_ss_padding = CLIENT_NDR_PADDING_SIZE - (data_len % CLIENT_NDR_PADDING_SIZE);
- }
- *p_frag_len = DCERPC_REQUEST_LENGTH
- + data_len + *p_ss_padding
- + DCERPC_AUTH_TRAILER_LENGTH
- + *p_auth_len;
- return data_len;
+ data_len = MIN(data_space, data_left);
+ *p_ss_padding = 0;
+ if (data_len % CLIENT_NDR_PADDING_SIZE) {
+ *p_ss_padding = CLIENT_NDR_PADDING_SIZE - (data_len % CLIENT_NDR_PADDING_SIZE);
+ }
+ *p_frag_len = DCERPC_REQUEST_LENGTH
+ + data_len + *p_ss_padding
+ + DCERPC_AUTH_TRAILER_LENGTH
+ + *p_auth_len;
+ *data_to_send = data_len;
+ return NT_STATUS_OK;
- default:
- smb_panic("bad auth level");
- /* Notreached. */
- return 0;
+ default:
+ break;
}
+
+ return NT_STATUS_INVALID_PARAMETER;
}
/*******************************************************************
uint16_t auth_len;
uint16_t frag_len;
uint8_t flags = 0;
- uint32_t ss_padding;
+ uint32_t pad_len;
uint32_t data_left;
- char pad[8] = { 0, };
NTSTATUS status;
union dcerpc_payload u;
data_left = state->req_data->length - state->req_data_sent;
- data_sent_thistime = calculate_data_len_tosend(
- state->cli, data_left, &frag_len, &auth_len, &ss_padding);
+ status = calculate_data_len_tosend(state->cli, data_left,
+ &data_sent_thistime,
+ &frag_len, &auth_len,
+ &pad_len);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
if (state->req_data_sent == 0) {
flags = DCERPC_PFC_FLAG_FIRST;
}
/* explicitly set frag_len here as dcerpc_push_ncacn_packet() can't
- * compute it right for requests */
+ * compute it right for requests because the auth trailer is missing
+ * at this stage */
dcerpc_set_frag_length(&state->rpc_out, frag_len);
- /* Copy in the data, plus any ss padding. */
+ /* Copy in the data. */
if (!data_blob_append(NULL, &state->rpc_out,
state->req_data->data + state->req_data_sent,
data_sent_thistime)) {
return NT_STATUS_NO_MEMORY;
}
- if (ss_padding) {
- /* Copy the sign/seal padding data. */
- if (!data_blob_append(NULL, &state->rpc_out,
- pad, ss_padding)) {
- return NT_STATUS_NO_MEMORY;
- }
- }
-
- /* Generate any auth sign/seal and add the auth footer. */
- switch (state->cli->auth->auth_type) {
- case PIPE_AUTH_TYPE_NONE:
- status = NT_STATUS_OK;
+ switch (state->cli->auth->auth_level) {
+ case DCERPC_AUTH_LEVEL_NONE:
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ case DCERPC_AUTH_LEVEL_PACKET:
break;
- case PIPE_AUTH_TYPE_NTLMSSP:
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
- status = add_ntlmssp_auth_footer(state->cli, ss_padding,
- &state->rpc_out);
- break;
- case PIPE_AUTH_TYPE_SCHANNEL:
- status = add_schannel_auth_footer(state->cli, ss_padding,
- &state->rpc_out);
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ status = dcerpc_add_auth_footer(state->cli->auth, pad_len,
+ &state->rpc_out);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
break;
default:
- status = NT_STATUS_INVALID_PARAMETER;
- break;
+ return NT_STATUS_INVALID_PARAMETER;
}
state->req_data_sent += data_sent_thistime;
static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
struct rpc_pipe_client *cli,
uint32 rpc_call_id,
- enum pipe_auth_type auth_type,
+ enum dcerpc_AuthType auth_type,
enum dcerpc_AuthLevel auth_level,
DATA_BLOB *pauth_blob,
DATA_BLOB *rpc_out)
u.auth3._pad = 0;
status = dcerpc_push_dcerpc_auth(mem_ctx,
- map_pipe_auth_type_to_rpc_auth_type(auth_type),
+ auth_type,
auth_level,
0, /* auth_pad_length */
1, /* auth_context_id */
********************************************************************/
static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
+ enum dcerpc_AuthType auth_type,
+ enum dcerpc_AuthLevel auth_level,
uint32 rpc_call_id,
const struct ndr_syntax_id *abstract,
const struct ndr_syntax_id *transfer,
- enum dcerpc_AuthLevel auth_level,
const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
DATA_BLOB *rpc_out)
{
NTSTATUS status;
status = dcerpc_push_dcerpc_auth(mem_ctx,
- DCERPC_AUTH_TYPE_SPNEGO,
+ auth_type,
auth_level,
0, /* auth_pad_length */
1, /* auth_context_id */
static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
static NTSTATUS rpc_finish_auth3_bind_send(struct tevent_req *req,
struct rpc_pipe_bind_state *state,
- struct ncacn_packet *r);
+ DATA_BLOB *credentials);
static void rpc_bind_auth3_write_done(struct tevent_req *subreq);
static NTSTATUS rpc_finish_spnego_ntlmssp_bind_send(struct tevent_req *req,
- struct rpc_pipe_bind_state *state,
- struct ncacn_packet *r,
- DATA_BLOB *reply_pdu);
+ struct rpc_pipe_bind_state *state,
+ DATA_BLOB *credentials);
static void rpc_bind_ntlmssp_api_done(struct tevent_req *subreq);
+static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
+ struct rpc_pipe_bind_state *state,
+ DATA_BLOB *credentials);
+static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
+ struct rpc_pipe_bind_state *state,
+ DATA_BLOB *credentials);
struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
struct event_context *ev,
struct rpc_pipe_client *cli,
- struct cli_pipe_auth_data *auth)
+ struct pipe_auth_data *auth)
{
struct tevent_req *req, *subreq;
struct rpc_pipe_bind_state *state;
return NULL;
}
- DEBUG(5,("Bind RPC Pipe: %s auth_type %u, auth_level %u\n",
+ DEBUG(5,("Bind RPC Pipe: %s auth_type %u(%u), auth_level %u\n",
rpccli_pipe_txt(talloc_tos(), cli),
(unsigned int)auth->auth_type,
+ (unsigned int)auth->spnego_type,
(unsigned int)auth->auth_level ));
state->ev = ev;
/* Marshall the outgoing data. */
status = create_rpc_bind_req(state, cli,
+ cli->auth,
state->rpc_call_id,
&cli->abstract_syntax,
&cli->transfer_syntax,
- cli->auth->auth_type,
- cli->auth->auth_level,
&state->rpc_out);
if (!NT_STATUS_IS_OK(status)) {
subreq, struct tevent_req);
struct rpc_pipe_bind_state *state = tevent_req_data(
req, struct rpc_pipe_bind_state);
+ struct pipe_auth_data *pauth = state->cli->auth;
DATA_BLOB reply_pdu;
struct ncacn_packet *pkt;
+ struct dcerpc_auth auth;
+ DATA_BLOB auth_token = data_blob_null;
NTSTATUS status;
status = rpc_api_pipe_recv(subreq, talloc_tos(), &pkt, &reply_pdu);
state->cli->max_xmit_frag = pkt->u.bind_ack.max_xmit_frag;
state->cli->max_recv_frag = pkt->u.bind_ack.max_recv_frag;
+ switch(state->cli->auth->auth_type) {
+
+ case DCERPC_AUTH_TYPE_NONE:
+ case DCERPC_AUTH_TYPE_SCHANNEL:
+ /* Bind complete. */
+ tevent_req_done(req);
+ return;
+
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ case DCERPC_AUTH_TYPE_KRB5:
+ /* Paranoid lenght checks */
+ if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH
+ + pkt->auth_length) {
+ tevent_req_nterror(req,
+ NT_STATUS_INFO_LENGTH_MISMATCH);
+ return;
+ }
+ /* get auth credentials */
+ status = dcerpc_pull_dcerpc_auth(talloc_tos(),
+ &pkt->u.bind_ack.auth_info,
+ &auth, false);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
+ nt_errstr(status)));
+ tevent_req_nterror(req, status);
+ return;
+ }
+ break;
+
+ default:
+ goto err_out;
+ }
+
/*
* For authenticated binds we may need to do 3 or 4 leg binds.
*/
switch(state->cli->auth->auth_type) {
- case PIPE_AUTH_TYPE_NONE:
- case PIPE_AUTH_TYPE_SCHANNEL:
+ case DCERPC_AUTH_TYPE_NONE:
+ case DCERPC_AUTH_TYPE_SCHANNEL:
/* Bind complete. */
tevent_req_done(req);
- break;
+ return;
- case PIPE_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_NTLMSSP:
/* Need to send AUTH3 packet - no reply. */
- status = rpc_finish_auth3_bind_send(req, state, pkt);
- if (!NT_STATUS_IS_OK(status)) {
- tevent_req_nterror(req, status);
- }
+ status = rpc_finish_auth3_bind_send(req, state,
+ &auth.credentials);
break;
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ if (state->cli->auth->spnego_type !=
+ PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ goto err_out;
+ }
/* Need to send alter context request and reply. */
- status = rpc_finish_spnego_ntlmssp_bind_send(req, state, pkt,
- &reply_pdu);
+ status = rpc_finish_spnego_ntlmssp_bind_send(req, state,
+ &auth.credentials);
+ break;
+
+ case DCERPC_AUTH_TYPE_KRB5:
+ status = gse_get_client_auth_token(state,
+ pauth->a_u.gssapi_state,
+ &auth.credentials,
+ &auth_token);
if (!NT_STATUS_IS_OK(status)) {
- tevent_req_nterror(req, status);
+ break;
}
- break;
- case PIPE_AUTH_TYPE_KRB5:
- /* */
+ if (gse_require_more_processing(pauth->a_u.gssapi_state)) {
+ status = rpc_bind_next_send(req, state, &auth_token);
+ } else {
+ status = rpc_bind_finish_send(req, state, &auth_token);
+ }
+ break;
default:
- DEBUG(0,("cli_finish_bind_auth: unknown auth type %u\n",
- (unsigned int)state->cli->auth->auth_type));
- tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ goto err_out;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ tevent_req_nterror(req, status);
}
+ return;
+
+err_out:
+ DEBUG(0,("cli_finish_bind_auth: unknown auth type %u(%u)\n",
+ (unsigned int)state->cli->auth->auth_type,
+ (unsigned int)state->cli->auth->spnego_type));
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
}
static NTSTATUS rpc_finish_auth3_bind_send(struct tevent_req *req,
struct rpc_pipe_bind_state *state,
- struct ncacn_packet *r)
+ DATA_BLOB *credentials)
{
+ struct pipe_auth_data *auth = state->cli->auth;
DATA_BLOB client_reply = data_blob_null;
- struct dcerpc_auth auth;
struct tevent_req *subreq;
NTSTATUS status;
- if ((r->auth_length == 0)
- || (r->frag_length < DCERPC_AUTH_TRAILER_LENGTH
- + r->auth_length)) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- status = dcerpc_pull_dcerpc_auth(talloc_tos(),
- &r->u.bind_ack.auth_info,
- &auth);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
- nt_errstr(status)));
- return status;
- }
-
/* TODO - check auth_type/auth_level match. */
- status = ntlmssp_update(state->cli->auth->a_u.ntlmssp_state,
- auth.credentials, &client_reply);
+ status = auth_ntlmssp_update(auth->a_u.auth_ntlmssp_state,
+ *credentials, &client_reply);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("rpc_finish_auth3_bind: NTLMSSP update using server "
data_blob_free(&state->rpc_out);
- status = create_rpc_bind_auth3(state,
- state->cli, state->rpc_call_id,
- state->cli->auth->auth_type,
- state->cli->auth->auth_level,
- &client_reply, &state->rpc_out);
+ status = create_rpc_bind_auth3(state, state->cli,
+ state->rpc_call_id,
+ auth->auth_type,
+ auth->auth_level,
+ &client_reply,
+ &state->rpc_out);
data_blob_free(&client_reply);
if (!NT_STATUS_IS_OK(status)) {
}
static NTSTATUS rpc_finish_spnego_ntlmssp_bind_send(struct tevent_req *req,
- struct rpc_pipe_bind_state *state,
- struct ncacn_packet *r,
- DATA_BLOB *reply_pdu)
+ struct rpc_pipe_bind_state *state,
+ DATA_BLOB *credentials)
{
+ struct pipe_auth_data *auth = state->cli->auth;
DATA_BLOB server_ntlm_response = data_blob_null;
DATA_BLOB client_reply = data_blob_null;
DATA_BLOB tmp_blob = data_blob_null;
- struct dcerpc_auth auth_info;
- DATA_BLOB auth_blob;
struct tevent_req *subreq;
NTSTATUS status;
- if ((r->auth_length == 0)
- || (r->frag_length < DCERPC_AUTH_TRAILER_LENGTH
- + r->auth_length)) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* Process the returned NTLMSSP blob first. */
- auth_blob = data_blob_const(reply_pdu->data
- + r->frag_length
- - DCERPC_AUTH_TRAILER_LENGTH
- - r->auth_length,
- DCERPC_AUTH_TRAILER_LENGTH
- + r->auth_length);
-
- status = dcerpc_pull_dcerpc_auth(state, &auth_blob, &auth_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
- return status;
- }
-
/*
* The server might give us back two challenges - tmp_blob is for the
* second.
*/
- if (!spnego_parse_challenge(auth_info.credentials,
- &server_ntlm_response, &tmp_blob)) {
+ if (!spnego_parse_challenge(state, *credentials,
+ &server_ntlm_response,
+ &tmp_blob)) {
data_blob_free(&server_ntlm_response);
data_blob_free(&tmp_blob);
return NT_STATUS_INVALID_PARAMETER;
/* We're finished with the server spnego response and the tmp_blob. */
data_blob_free(&tmp_blob);
- status = ntlmssp_update(state->cli->auth->a_u.ntlmssp_state,
- server_ntlm_response, &client_reply);
+ status = auth_ntlmssp_update(auth->a_u.auth_ntlmssp_state,
+ server_ntlm_response, &client_reply);
/* Finished with the server_ntlm response */
data_blob_free(&server_ntlm_response);
}
/* SPNEGO wrap the client reply. */
- tmp_blob = spnego_gen_auth(client_reply);
+ tmp_blob = spnego_gen_auth(state, client_reply);
data_blob_free(&client_reply);
client_reply = tmp_blob;
tmp_blob = data_blob_null;
data_blob_free(&state->rpc_out);
status = create_rpc_alter_context(state,
+ auth->auth_type,
+ auth->auth_level,
state->rpc_call_id,
&state->cli->abstract_syntax,
&state->cli->transfer_syntax,
- state->cli->auth->auth_level,
&client_reply,
&state->rpc_out);
data_blob_free(&client_reply);
status = dcerpc_pull_dcerpc_auth(pkt,
&pkt->u.alter_resp.auth_info,
- &auth);
+ &auth, false);
if (!NT_STATUS_IS_OK(status)) {
tevent_req_nterror(req, status);
return;
}
/* Check we got a valid auth response. */
- if (!spnego_parse_auth_response(auth.credentials,
+ if (!spnego_parse_auth_response(talloc_tos(), auth.credentials,
NT_STATUS_OK,
OID_NTLMSSP, &tmp_blob)) {
data_blob_free(&tmp_blob);
tevent_req_done(req);
}
+static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
+ struct rpc_pipe_bind_state *state,
+ DATA_BLOB *auth_token)
+{
+ struct pipe_auth_data *auth = state->cli->auth;
+ struct tevent_req *subreq;
+ NTSTATUS status;
+
+ /* Now prepare the alter context pdu. */
+ data_blob_free(&state->rpc_out);
+
+ status = create_rpc_alter_context(state,
+ auth->auth_type,
+ auth->auth_level,
+ state->rpc_call_id,
+ &state->cli->abstract_syntax,
+ &state->cli->transfer_syntax,
+ auth_token,
+ &state->rpc_out);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ subreq = rpc_api_pipe_send(state, state->ev, state->cli,
+ &state->rpc_out, DCERPC_PKT_ALTER_RESP);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
+ struct rpc_pipe_bind_state *state,
+ DATA_BLOB *auth_token)
+{
+ struct pipe_auth_data *auth = state->cli->auth;
+ struct tevent_req *subreq;
+ NTSTATUS status;
+
+ /* Now prepare the auth3 context pdu. */
+ data_blob_free(&state->rpc_out);
+
+ status = create_rpc_bind_auth3(state, state->cli,
+ state->rpc_call_id,
+ auth->auth_type,
+ auth->auth_level,
+ auth_token,
+ &state->rpc_out);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ subreq = rpc_write_send(state, state->ev, state->cli->transport,
+ state->rpc_out.data, state->rpc_out.length);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ tevent_req_set_callback(subreq, rpc_bind_auth3_write_done, req);
+ return NT_STATUS_OK;
+}
+
NTSTATUS rpc_pipe_bind_recv(struct tevent_req *req)
{
return tevent_req_simple_recv_ntstatus(req);
}
NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
- struct cli_pipe_auth_data *auth)
+ struct pipe_auth_data *auth)
{
TALLOC_CTX *frame = talloc_stackframe();
struct event_context *ev;
{
struct cli_state *cli;
- if ((rpc_cli->auth->auth_type == PIPE_AUTH_TYPE_NTLMSSP)
- || (rpc_cli->auth->auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)) {
- memcpy(nt_hash, rpc_cli->auth->a_u.ntlmssp_state->nt_hash, 16);
+ if ((rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_NTLMSSP)
+ || ((rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_SPNEGO
+ && rpc_cli->auth->spnego_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
+ memcpy(nt_hash, auth_ntlmssp_get_nt_hash(rpc_cli->auth->a_u.auth_ntlmssp_state), 16);
return true;
}
}
NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
- struct cli_pipe_auth_data **presult)
+ struct pipe_auth_data **presult)
{
- struct cli_pipe_auth_data *result;
+ struct pipe_auth_data *result;
- result = talloc(mem_ctx, struct cli_pipe_auth_data);
+ result = talloc(mem_ctx, struct pipe_auth_data);
if (result == NULL) {
return NT_STATUS_NO_MEMORY;
}
- result->auth_type = PIPE_AUTH_TYPE_NONE;
+ result->auth_type = DCERPC_AUTH_TYPE_NONE;
+ result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
result->auth_level = DCERPC_AUTH_LEVEL_NONE;
result->user_name = talloc_strdup(result, "");
return NT_STATUS_OK;
}
-static int cli_auth_ntlmssp_data_destructor(struct cli_pipe_auth_data *auth)
+static int cli_auth_ntlmssp_data_destructor(struct pipe_auth_data *auth)
{
- ntlmssp_end(&auth->a_u.ntlmssp_state);
+ TALLOC_FREE(auth->a_u.auth_ntlmssp_state);
return 0;
}
static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
- enum pipe_auth_type auth_type,
+ enum dcerpc_AuthType auth_type,
+ enum pipe_auth_type_spnego spnego_type,
enum dcerpc_AuthLevel auth_level,
const char *domain,
const char *username,
const char *password,
- struct cli_pipe_auth_data **presult)
+ struct pipe_auth_data **presult)
{
- struct cli_pipe_auth_data *result;
+ struct pipe_auth_data *result;
NTSTATUS status;
- result = talloc(mem_ctx, struct cli_pipe_auth_data);
+ result = talloc(mem_ctx, struct pipe_auth_data);
if (result == NULL) {
return NT_STATUS_NO_MEMORY;
}
result->auth_type = auth_type;
+ result->spnego_type = spnego_type;
result->auth_level = auth_level;
result->user_name = talloc_strdup(result, username);
goto fail;
}
- status = ntlmssp_client_start(NULL,
+ status = auth_ntlmssp_client_start(NULL,
global_myname(),
lp_workgroup(),
lp_client_ntlmv2_auth(),
- &result->a_u.ntlmssp_state);
+ &result->a_u.auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
talloc_set_destructor(result, cli_auth_ntlmssp_data_destructor);
- status = ntlmssp_set_username(result->a_u.ntlmssp_state, username);
+ status = auth_ntlmssp_set_username(result->a_u.auth_ntlmssp_state,
+ username);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
- status = ntlmssp_set_domain(result->a_u.ntlmssp_state, domain);
+ status = auth_ntlmssp_set_domain(result->a_u.auth_ntlmssp_state,
+ domain);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
- status = ntlmssp_set_password(result->a_u.ntlmssp_state, password);
+ status = auth_ntlmssp_set_password(result->a_u.auth_ntlmssp_state,
+ password);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
/*
* Turn off sign+seal to allow selected auth level to turn it back on.
*/
- result->a_u.ntlmssp_state->neg_flags &=
- ~(NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL);
+ auth_ntlmssp_and_flags(result->a_u.auth_ntlmssp_state,
+ ~(NTLMSSP_NEGOTIATE_SIGN |
+ NTLMSSP_NEGOTIATE_SEAL));
if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
- result->a_u.ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ auth_ntlmssp_or_flags(result->a_u.auth_ntlmssp_state,
+ NTLMSSP_NEGOTIATE_SIGN);
} else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
- result->a_u.ntlmssp_state->neg_flags
- |= NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN;
+ auth_ntlmssp_or_flags(result->a_u.auth_ntlmssp_state,
+ NTLMSSP_NEGOTIATE_SEAL |
+ NTLMSSP_NEGOTIATE_SIGN);
}
*presult = result;
NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
enum dcerpc_AuthLevel auth_level,
struct netlogon_creds_CredentialState *creds,
- struct cli_pipe_auth_data **presult)
+ struct pipe_auth_data **presult)
{
- struct cli_pipe_auth_data *result;
+ struct pipe_auth_data *result;
- result = talloc(mem_ctx, struct cli_pipe_auth_data);
+ result = talloc(mem_ctx, struct pipe_auth_data);
if (result == NULL) {
return NT_STATUS_NO_MEMORY;
}
- result->auth_type = PIPE_AUTH_TYPE_SCHANNEL;
+ result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
+ result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
result->auth_level = auth_level;
result->user_name = talloc_strdup(result, "");
return NT_STATUS_NO_MEMORY;
}
-#ifdef HAVE_KRB5
-static int cli_auth_kerberos_data_destructor(struct kerberos_auth_struct *auth)
-{
- data_blob_free(&auth->session_key);
- return 0;
-}
-#endif
-
-static NTSTATUS rpccli_kerberos_bind_data(TALLOC_CTX *mem_ctx,
- enum dcerpc_AuthLevel auth_level,
- const char *service_princ,
- const char *username,
- const char *password,
- struct cli_pipe_auth_data **presult)
-{
-#ifdef HAVE_KRB5
- struct cli_pipe_auth_data *result;
-
- if ((username != NULL) && (password != NULL)) {
- int ret = kerberos_kinit_password(username, password, 0, NULL);
- if (ret != 0) {
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
- result = talloc(mem_ctx, struct cli_pipe_auth_data);
- if (result == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- result->auth_type = PIPE_AUTH_TYPE_KRB5;
- result->auth_level = auth_level;
-
- /*
- * Username / domain need fixing!
- */
- result->user_name = talloc_strdup(result, "");
- result->domain = talloc_strdup(result, "");
- if ((result->user_name == NULL) || (result->domain == NULL)) {
- goto fail;
- }
-
- result->a_u.kerberos_auth = TALLOC_ZERO_P(
- result, struct kerberos_auth_struct);
- if (result->a_u.kerberos_auth == NULL) {
- goto fail;
- }
- talloc_set_destructor(result->a_u.kerberos_auth,
- cli_auth_kerberos_data_destructor);
-
- result->a_u.kerberos_auth->service_principal = talloc_strdup(
- result, service_princ);
- if (result->a_u.kerberos_auth->service_principal == NULL) {
- goto fail;
- }
-
- *presult = result;
- return NT_STATUS_OK;
-
- fail:
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
-#else
- return NT_STATUS_NOT_SUPPORTED;
-#endif
-}
-
/**
* Create an rpc pipe client struct, connecting to a tcp port.
*/
{
NTSTATUS status;
struct rpc_pipe_client *epm_pipe = NULL;
- struct cli_pipe_auth_data *auth = NULL;
+ struct pipe_auth_data *auth = NULL;
struct dcerpc_binding *map_binding = NULL;
struct dcerpc_binding *res_binding = NULL;
struct epm_twr_t *map_tower = NULL;
struct rpc_pipe_client **presult)
{
struct rpc_pipe_client *result;
- struct cli_pipe_auth_data *auth;
+ struct pipe_auth_data *auth;
NTSTATUS status;
result = talloc(mem_ctx, struct rpc_pipe_client);
struct rpc_pipe_client **presult)
{
struct rpc_pipe_client *result;
- struct cli_pipe_auth_data *auth;
+ struct pipe_auth_data *auth;
NTSTATUS status;
status = cli_rpc_pipe_open(cli, transport, interface, &result);
static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
const struct ndr_syntax_id *interface,
enum dcerpc_transport_t transport,
- enum pipe_auth_type auth_type,
+ bool use_spnego,
enum dcerpc_AuthLevel auth_level,
const char *domain,
const char *username,
struct rpc_pipe_client **presult)
{
struct rpc_pipe_client *result;
- struct cli_pipe_auth_data *auth;
+ struct pipe_auth_data *auth;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
+ enum pipe_auth_type_spnego spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
NTSTATUS status;
status = cli_rpc_pipe_open(cli, transport, interface, &result);
return status;
}
- status = rpccli_ntlmssp_bind_data(
- result, auth_type, auth_level, domain, username,
- password, &auth);
+ if (use_spnego) {
+ auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+ spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
+ }
+
+ status = rpccli_ntlmssp_bind_data(result,
+ auth_type, spnego_type, auth_level,
+ domain, username, password,
+ &auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("rpccli_ntlmssp_bind_data returned %s\n",
nt_errstr(status)));
return cli_rpc_pipe_open_ntlmssp_internal(cli,
interface,
transport,
- PIPE_AUTH_TYPE_NTLMSSP,
+ false,
auth_level,
domain,
username,
return cli_rpc_pipe_open_ntlmssp_internal(cli,
interface,
transport,
- PIPE_AUTH_TYPE_SPNEGO_NTLMSSP,
+ true,
auth_level,
domain,
username,
struct rpc_pipe_client **presult)
{
struct rpc_pipe_client *result;
- struct cli_pipe_auth_data *auth;
+ struct pipe_auth_data *auth;
NTSTATUS status;
status = cli_rpc_pipe_open(cli, transport, interface, &result);
NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
const struct ndr_syntax_id *interface,
+ enum dcerpc_transport_t transport,
enum dcerpc_AuthLevel auth_level,
- const char *service_princ,
+ const char *server,
const char *username,
const char *password,
struct rpc_pipe_client **presult)
{
-#ifdef HAVE_KRB5
+#ifdef HAVE_GSSAPI_H
struct rpc_pipe_client *result;
- struct cli_pipe_auth_data *auth;
+ struct pipe_auth_data *auth;
NTSTATUS status;
- status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result);
+ status = cli_rpc_pipe_open(cli, transport, interface, &result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- status = rpccli_kerberos_bind_data(result, auth_level, service_princ,
- username, password, &auth);
+ status = gse_init_client(result, DCERPC_AUTH_TYPE_KRB5, auth_level,
+ NULL, server, "cifs", username, password,
+ GSS_C_DCE_STYLE, &auth);
+
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("rpccli_kerberos_bind_data returned %s\n",
+ DEBUG(0, ("gse_init_client returned %s\n",
nt_errstr(status)));
TALLOC_FREE(result);
return status;
struct rpc_pipe_client *cli,
DATA_BLOB *session_key)
{
+ struct pipe_auth_data *a = cli->auth;
+ DATA_BLOB sk;
+
if (!session_key || !cli) {
return NT_STATUS_INVALID_PARAMETER;
}
}
switch (cli->auth->auth_type) {
- case PIPE_AUTH_TYPE_SCHANNEL:
- *session_key = data_blob_talloc(mem_ctx,
- cli->auth->a_u.schannel_auth->creds->session_key, 16);
- break;
- case PIPE_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_SCHANNEL:
+ sk = data_blob_const(a->a_u.schannel_auth->creds->session_key,
+ 16);
+ break;
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ switch (cli->auth->spnego_type) {
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
- *session_key = data_blob_talloc(mem_ctx,
- cli->auth->a_u.ntlmssp_state->session_key.data,
- cli->auth->a_u.ntlmssp_state->session_key.length);
+ sk = auth_ntlmssp_get_session_key(
+ a->a_u.auth_ntlmssp_state);
break;
- case PIPE_AUTH_TYPE_KRB5:
case PIPE_AUTH_TYPE_SPNEGO_KRB5:
- *session_key = data_blob_talloc(mem_ctx,
- cli->auth->a_u.kerberos_auth->session_key.data,
- cli->auth->a_u.kerberos_auth->session_key.length);
- break;
- case PIPE_AUTH_TYPE_NONE:
- *session_key = data_blob_talloc(mem_ctx,
- cli->auth->user_session_key.data,
- cli->auth->user_session_key.length);
+ sk = gse_get_session_key(a->a_u.gssapi_state);
break;
default:
return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+ break;
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ sk = auth_ntlmssp_get_session_key(a->a_u.auth_ntlmssp_state);
+ break;
+ case DCERPC_AUTH_TYPE_KRB5:
+ sk = gse_get_session_key(a->a_u.gssapi_state);
+ break;
+ case DCERPC_AUTH_TYPE_NONE:
+ sk = data_blob_const(a->user_session_key.data,
+ a->user_session_key.length);
+ break;
+ default:
+ return NT_STATUS_NO_USER_SESSION_KEY;
}
+ *session_key = data_blob_dup_talloc(mem_ctx, &sk);
return NT_STATUS_OK;
}