librpc/crypto/gse.o \
../auth/kerberos/gssapi_pac.o \
../auth/kerberos/gssapi_parse.o \
- librpc/crypto/cli_spnego.o \
librpc/rpc/rpc_common.o \
rpc_client/rpc_transport_np.o \
rpc_client/rpc_transport_sock.o \
RPC_SERVICE = rpc_server/rpc_server.o
-RPC_CRYPTO = rpc_server/dcesrv_auth_generic.o \
- rpc_server/dcesrv_spnego.o
+RPC_CRYPTO = rpc_server/dcesrv_auth_generic.o
RPC_PIPE_OBJ = rpc_server/srv_pipe.o rpc_server/srv_pipe_hnd.o \
$(RPC_CONFIG) $(RPC_NCACN_NP) $(RPC_SERVICE) $(RPC_CRYPTO)
+++ /dev/null
-/*
- * SPNEGO Encapsulation
- * Client functions
- * Copyright (C) Simo Sorce 2010.
- * Copyright (C) Andrew Bartlett 2011.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-#include "../libcli/auth/spnego.h"
-#include "include/auth_generic.h"
-#include "librpc/gen_ndr/ntlmssp.h"
-#include "auth/ntlmssp/ntlmssp.h"
-#include "librpc/crypto/gse.h"
-#include "librpc/crypto/spnego.h"
-#include "auth/gensec/gensec.h"
-
-static NTSTATUS spnego_context_init(TALLOC_CTX *mem_ctx,
- bool do_sign, bool do_seal,
- struct spnego_context **spnego_ctx)
-{
- struct spnego_context *sp_ctx;
-
- sp_ctx = talloc_zero(mem_ctx, struct spnego_context);
- if (!sp_ctx) {
- return NT_STATUS_NO_MEMORY;
- }
-
- sp_ctx->do_sign = do_sign;
- sp_ctx->do_seal = do_seal;
- sp_ctx->state = SPNEGO_CONV_INIT;
-
- *spnego_ctx = sp_ctx;
- return NT_STATUS_OK;
-}
-
-NTSTATUS spnego_generic_init_client(TALLOC_CTX *mem_ctx,
- const char *oid,
- bool do_sign, bool do_seal,
- bool is_dcerpc,
- const char *server,
- const char *target_service,
- const char *domain,
- const char *username,
- const char *password,
- struct spnego_context **spnego_ctx)
-{
- struct spnego_context *sp_ctx = NULL;
- struct auth_generic_state *auth_generic_state;
- NTSTATUS status;
-
- status = spnego_context_init(mem_ctx, do_sign, do_seal, &sp_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- if (strcmp(oid, GENSEC_OID_NTLMSSP) == 0) {
- sp_ctx->mech = SPNEGO_NTLMSSP;
- } else if (strcmp(oid, GENSEC_OID_KERBEROS5) == 0) {
- sp_ctx->mech = SPNEGO_KRB5;
- } else {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- status = auth_generic_client_prepare(sp_ctx,
- &auth_generic_state);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(sp_ctx);
- return status;
- }
-
- status = auth_generic_set_username(auth_generic_state,
- username);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(sp_ctx);
- return status;
- }
-
- status = auth_generic_set_domain(auth_generic_state,
- domain);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(sp_ctx);
- return status;
- }
-
- status = auth_generic_set_password(auth_generic_state,
- password);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(sp_ctx);
- return status;
- }
-
- if (do_sign) {
- gensec_want_feature(auth_generic_state->gensec_security,
- GENSEC_FEATURE_SIGN);
- } else if (do_seal) {
- gensec_want_feature(auth_generic_state->gensec_security,
- GENSEC_FEATURE_SEAL);
- }
-
- if (is_dcerpc) {
- gensec_want_feature(auth_generic_state->gensec_security,
- GENSEC_FEATURE_DCE_STYLE);
- }
-
- status = gensec_set_target_service(auth_generic_state->gensec_security, target_service);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(sp_ctx);
- return status;
- }
-
- status = gensec_set_target_hostname(auth_generic_state->gensec_security, server);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(sp_ctx);
- return status;
- }
-
- status = auth_generic_client_start(auth_generic_state, oid);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(sp_ctx);
- return status;
- }
-
- sp_ctx->gensec_security = talloc_move(sp_ctx, &auth_generic_state->gensec_security);
- TALLOC_FREE(auth_generic_state);
- *spnego_ctx = sp_ctx;
- return NT_STATUS_OK;
-}
-
-NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx,
- struct spnego_context *sp_ctx,
- DATA_BLOB *spnego_in,
- DATA_BLOB *spnego_out)
-{
- struct gensec_security *gensec_security;
- struct spnego_data sp_in, sp_out;
- DATA_BLOB token_in = data_blob_null;
- DATA_BLOB token_out = data_blob_null;
- const char *mech_oids[2] = { NULL, NULL };
- char *principal = NULL;
- ssize_t len_in = 0;
- ssize_t len_out = 0;
- NTSTATUS status;
-
- if (!spnego_in->length) {
- /* server didn't send anything, is init ? */
- if (sp_ctx->state != SPNEGO_CONV_INIT) {
- return NT_STATUS_INVALID_PARAMETER;
- }
- } else {
- len_in = spnego_read_data(mem_ctx, *spnego_in, &sp_in);
- if (len_in == -1) {
- status = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
- if (sp_in.type != SPNEGO_NEG_TOKEN_TARG) {
- status = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
- if (sp_in.negTokenTarg.negResult == SPNEGO_REJECT) {
- status = NT_STATUS_ACCESS_DENIED;
- goto done;
- }
- token_in = sp_in.negTokenTarg.responseToken;
- }
-
- if (sp_ctx->state == SPNEGO_CONV_AUTH_CONFIRM) {
- if (sp_in.negTokenTarg.negResult == SPNEGO_ACCEPT_COMPLETED) {
- sp_ctx->state = SPNEGO_CONV_AUTH_DONE;
- *spnego_out = data_blob_null;
- status = NT_STATUS_OK;
- } else {
- status = NT_STATUS_ACCESS_DENIED;
- }
- goto done;
- }
-
- switch (sp_ctx->mech) {
- case SPNEGO_KRB5:
- mech_oids[0] = OID_KERBEROS5;
- break;
-
- case SPNEGO_NTLMSSP:
- mech_oids[0] = OID_NTLMSSP;
- break;
-
- default:
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
-
- gensec_security = sp_ctx->gensec_security;
- status = gensec_update(gensec_security, mem_ctx, NULL,
- token_in, &token_out);
- sp_ctx->more_processing = false;
- if (NT_STATUS_EQUAL(status,
- NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- sp_ctx->more_processing = true;
- } else if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
-
- switch (sp_ctx->state) {
- case SPNEGO_CONV_INIT:
- *spnego_out = spnego_gen_negTokenInit(mem_ctx, mech_oids,
- &token_out, principal);
- if (!spnego_out->data) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
- sp_ctx->state = SPNEGO_CONV_AUTH_MORE;
- break;
-
- case SPNEGO_CONV_AUTH_MORE:
- /* server says it's done and we do not seem to agree */
- if (sp_in.negTokenTarg.negResult ==
- SPNEGO_ACCEPT_COMPLETED) {
- status = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
-
- sp_out.type = SPNEGO_NEG_TOKEN_TARG;
- sp_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
- sp_out.negTokenTarg.supportedMech = NULL;
- sp_out.negTokenTarg.responseToken = token_out;
- sp_out.negTokenTarg.mechListMIC = data_blob_null;
-
- len_out = spnego_write_data(mem_ctx, spnego_out, &sp_out);
- if (len_out == -1) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
-
- if (!sp_ctx->more_processing) {
- /* we still need to get an ack from the server */
- sp_ctx->state = SPNEGO_CONV_AUTH_CONFIRM;
- }
-
- break;
-
- default:
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
-
- status = NT_STATUS_OK;
-
-done:
- if (len_in > 0) {
- spnego_free_data(&sp_in);
- }
- data_blob_free(&token_out);
- return status;
-}
-
-bool spnego_require_more_processing(struct spnego_context *sp_ctx)
-{
-
- /* see if spnego processing itself requires more */
- if (sp_ctx->state == SPNEGO_CONV_AUTH_MORE ||
- sp_ctx->state == SPNEGO_CONV_AUTH_CONFIRM) {
- return true;
- }
-
- return sp_ctx->more_processing;
-}
-
-NTSTATUS spnego_get_negotiated_mech(struct spnego_context *sp_ctx,
- struct gensec_security **auth_context)
-{
- *auth_context = sp_ctx->gensec_security;
- return NT_STATUS_OK;
-}
-
-NTSTATUS spnego_sign(TALLOC_CTX *mem_ctx,
- struct spnego_context *sp_ctx,
- DATA_BLOB *data, DATA_BLOB *full_data,
- DATA_BLOB *signature)
-{
- return gensec_sign_packet(
- sp_ctx->gensec_security,
- mem_ctx,
- data->data, data->length,
- full_data->data, full_data->length,
- signature);
-}
-
-NTSTATUS spnego_sigcheck(TALLOC_CTX *mem_ctx,
- struct spnego_context *sp_ctx,
- DATA_BLOB *data, DATA_BLOB *full_data,
- DATA_BLOB *signature)
-{
- return gensec_check_packet(
- sp_ctx->gensec_security,
- data->data, data->length,
- full_data->data, full_data->length,
- signature);
-}
-
-NTSTATUS spnego_seal(TALLOC_CTX *mem_ctx,
- struct spnego_context *sp_ctx,
- DATA_BLOB *data, DATA_BLOB *full_data,
- DATA_BLOB *signature)
-{
- return gensec_seal_packet(
- sp_ctx->gensec_security,
- mem_ctx,
- data->data, data->length,
- full_data->data, full_data->length,
- signature);
-}
-
-NTSTATUS spnego_unseal(TALLOC_CTX *mem_ctx,
- struct spnego_context *sp_ctx,
- DATA_BLOB *data, DATA_BLOB *full_data,
- DATA_BLOB *signature)
-{
- return gensec_unseal_packet(
- sp_ctx->gensec_security,
- data->data, data->length,
- full_data->data, full_data->length,
- signature);
-}
+++ /dev/null
-/*
- * SPNEGO Encapsulation
- * RPC Pipe client routines
- * Copyright (C) Simo Sorce 2010.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#ifndef _CLI_SPNEGO_H_
-#define _CLI_SPENGO_H_
-
-enum spnego_mech {
- SPNEGO_NONE = 0,
- SPNEGO_KRB5,
- SPNEGO_NTLMSSP
-};
-
-struct spnego_context {
- enum spnego_mech mech;
-
- struct gensec_security *gensec_security;
-
- char *oid_list[ASN1_MAX_OIDS];
- char *mech_oid;
-
- enum {
- SPNEGO_CONV_INIT = 0,
- SPNEGO_CONV_NEGO,
- SPNEGO_CONV_AUTH_MORE,
- SPNEGO_CONV_AUTH_CONFIRM,
- SPNEGO_CONV_AUTH_DONE
- } state;
-
- bool do_sign;
- bool do_seal;
- bool is_dcerpc;
-
- struct tsocket_address *remote_address;
-
- bool more_processing; /* Current mech state requires more processing */
-};
-
-NTSTATUS spnego_generic_init_client(TALLOC_CTX *mem_ctx,
- const char *oid,
- bool do_sign, bool do_seal,
- bool is_dcerpc,
- const char *server,
- const char *target_service,
- const char *domain,
- const char *username,
- const char *password,
- struct spnego_context **spnego_ctx);
-
-NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx,
- struct spnego_context *sp_ctx,
- DATA_BLOB *spnego_in,
- DATA_BLOB *spnego_out);
-
-bool spnego_require_more_processing(struct spnego_context *sp_ctx);
-
-NTSTATUS spnego_get_negotiated_mech(struct spnego_context *sp_ctx,
- struct gensec_security **auth_context);
-
-NTSTATUS spnego_sign(TALLOC_CTX *mem_ctx,
- struct spnego_context *sp_ctx,
- DATA_BLOB *data, DATA_BLOB *full_data,
- DATA_BLOB *signature);
-NTSTATUS spnego_sigcheck(TALLOC_CTX *mem_ctx,
- struct spnego_context *sp_ctx,
- DATA_BLOB *data, DATA_BLOB *full_data,
- DATA_BLOB *signature);
-NTSTATUS spnego_seal(TALLOC_CTX *mem_ctx,
- struct spnego_context *sp_ctx,
- DATA_BLOB *data, DATA_BLOB *full_data,
- DATA_BLOB *signature);
-NTSTATUS spnego_unseal(TALLOC_CTX *mem_ctx,
- struct spnego_context *sp_ctx,
- DATA_BLOB *data, DATA_BLOB *full_data,
- DATA_BLOB *signature);
-
-#endif /* _CLI_SPENGO_H_ */
#include "../libcli/auth/schannel.h"
#include "../libcli/auth/spnego.h"
#include "librpc/crypto/gse.h"
-#include "librpc/crypto/spnego.h"
#include "auth/gensec/gensec.h"
#undef DBGC_CLASS
size_t mod_len;
struct gensec_security *gensec_security;
struct schannel_state *schannel_auth;
- struct spnego_context *spnego_ctx;
- NTSTATUS status;
/* no auth token cases first */
switch (auth->auth_level) {
/* Treat the same for all authenticated rpc requests. */
switch (auth->auth_type) {
case DCERPC_AUTH_TYPE_SPNEGO:
- spnego_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct spnego_context);
- status = spnego_get_negotiated_mech(spnego_ctx, &gensec_security);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- *auth_len = gensec_sig_size(gensec_security, max_len);
- break;
-
case DCERPC_AUTH_TYPE_NTLMSSP:
case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(auth->auth_ctx,
{
struct schannel_state *schannel_auth;
struct gensec_security *gensec_security;
- struct spnego_context *spnego_ctx;
char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
DATA_BLOB auth_info;
DATA_BLOB auth_blob;
status = NT_STATUS_OK;
break;
case DCERPC_AUTH_TYPE_SPNEGO:
- spnego_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct spnego_context);
- status = spnego_get_negotiated_mech(spnego_ctx, &gensec_security);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- status = add_generic_auth_footer(gensec_security,
- auth->auth_level,
- rpc_out);
- break;
case DCERPC_AUTH_TYPE_KRB5:
case DCERPC_AUTH_TYPE_NTLMSSP:
gensec_security = talloc_get_type_abort(auth->auth_ctx,
{
struct schannel_state *schannel_auth;
struct gensec_security *gensec_security;
- struct spnego_context *spnego_ctx;
NTSTATUS status;
struct dcerpc_auth auth_info;
uint32_t auth_length;
return NT_STATUS_OK;
case DCERPC_AUTH_TYPE_SPNEGO:
- spnego_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct spnego_context);
- status = spnego_get_negotiated_mech(spnego_ctx, &gensec_security);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- status = get_generic_auth_footer(gensec_security,
- auth->auth_level,
- &data, &full_pkt,
- &auth_info.credentials);
-
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- break;
-
case DCERPC_AUTH_TYPE_KRB5:
case DCERPC_AUTH_TYPE_NTLMSSP:
#include "auth_generic.h"
#include "librpc/gen_ndr/ndr_dcerpc.h"
#include "librpc/rpc/dcerpc.h"
-#include "librpc/crypto/spnego.h"
#include "rpc_dce.h"
#include "cli_pipe.h"
#include "libsmb/libsmb.h"
#include "auth/gensec/gensec.h"
+#include "auth/credentials/credentials.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_CLI
return NT_STATUS_OK;
}
-/*******************************************************************
- Creates spnego auth bind.
- ********************************************************************/
-
-static NTSTATUS create_spnego_auth_bind_req(TALLOC_CTX *mem_ctx,
- struct pipe_auth_data *auth,
- DATA_BLOB *auth_token)
-{
- struct spnego_context *spnego_ctx;
- DATA_BLOB in_token = data_blob_null;
- NTSTATUS status;
-
- spnego_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct spnego_context);
-
- /* Negotiate the initial auth token */
- status = spnego_get_client_auth_token(mem_ctx, spnego_ctx,
- &in_token, auth_token);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- DEBUG(5, ("Created GSS Authentication Token:\n"));
- dump_data(5, auth_token->data, auth_token->length);
-
- return NT_STATUS_OK;
-}
-
/*******************************************************************
Creates NTLMSSP auth bind.
********************************************************************/
case DCERPC_AUTH_TYPE_NTLMSSP:
case DCERPC_AUTH_TYPE_KRB5:
+ case DCERPC_AUTH_TYPE_SPNEGO:
ret = create_generic_auth_rpc_bind_req(cli, mem_ctx, &auth_token);
if (!NT_STATUS_IS_OK(ret) &&
}
break;
- case DCERPC_AUTH_TYPE_SPNEGO:
- ret = create_spnego_auth_bind_req(cli, auth, &auth_token);
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
- break;
-
case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
auth_token = data_blob_talloc(mem_ctx,
"NCALRPC_AUTH_TOKEN",
req, struct rpc_pipe_bind_state);
struct pipe_auth_data *pauth = state->cli->auth;
struct gensec_security *gensec_security;
- struct spnego_context *spnego_ctx;
struct ncacn_packet *pkt = NULL;
struct dcerpc_auth auth;
DATA_BLOB auth_token = data_blob_null;
case DCERPC_AUTH_TYPE_NTLMSSP:
case DCERPC_AUTH_TYPE_KRB5:
+ case DCERPC_AUTH_TYPE_SPNEGO:
gensec_security = talloc_get_type_abort(pauth->auth_ctx,
struct gensec_security);
status = gensec_update(gensec_security, state, NULL,
}
break;
- case DCERPC_AUTH_TYPE_SPNEGO:
- spnego_ctx = talloc_get_type_abort(pauth->auth_ctx,
- struct spnego_context);
- status = spnego_get_client_auth_token(state,
- spnego_ctx,
- &auth.credentials,
- &auth_token);
- if (!NT_STATUS_IS_OK(status)) {
- break;
- }
- if (auth_token.length == 0) {
- /* Bind complete. */
- tevent_req_done(req);
- return;
- }
- if (spnego_require_more_processing(spnego_ctx)) {
- status = rpc_bind_next_send(req, state,
- &auth_token);
- } else {
- status = rpc_bind_finish_send(req, state,
- &auth_token);
- }
- break;
-
default:
goto err_out;
}
const char *domain,
const char *username,
const char *password,
+ enum credentials_use_kerberos use_kerberos,
struct pipe_auth_data **presult)
{
struct auth_generic_state *auth_generic_ctx;
goto fail;
}
+ cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
+
status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
struct rpc_pipe_client *result;
struct pipe_auth_data *auth = NULL;
const char *target_service = table->authservices->names[0];
+
NTSTATUS status;
status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
status = rpccli_generic_bind_data(result,
auth_type, auth_level,
server, target_service,
- domain, username, password,
+ domain, username, password,
+ CRED_AUTO_USE_KERBEROS,
&auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
struct rpc_pipe_client **presult)
{
struct rpc_pipe_client *result;
- struct pipe_auth_data *auth;
- struct spnego_context *spnego_ctx;
- NTSTATUS status;
+ struct pipe_auth_data *auth = NULL;
const char *target_service = table->authservices->names[0];
+
+ NTSTATUS status;
+ enum credentials_use_kerberos use_kerberos;
+
+ if (strcmp(oid, GENSEC_OID_KERBEROS5) == 0) {
+ use_kerberos = CRED_MUST_USE_KERBEROS;
+ } else if (strcmp(oid, GENSEC_OID_NTLMSSP) == 0) {
+ use_kerberos = CRED_DONT_USE_KERBEROS;
+ } else {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- auth = talloc(result, struct pipe_auth_data);
- if (auth == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto err_out;
- }
- auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
- auth->auth_level = auth_level;
-
- if (!username) {
- username = "";
- }
- auth->user_name = talloc_strdup(auth, username);
- if (!auth->user_name) {
- status = NT_STATUS_NO_MEMORY;
- goto err_out;
- }
-
- if (!domain) {
- domain = "";
- }
- auth->domain = talloc_strdup(auth, domain);
- if (!auth->domain) {
- status = NT_STATUS_NO_MEMORY;
- goto err_out;
- }
-
- status = spnego_generic_init_client(auth,
- oid,
- (auth->auth_level ==
- DCERPC_AUTH_LEVEL_INTEGRITY),
- (auth->auth_level ==
- DCERPC_AUTH_LEVEL_PRIVACY),
- true,
- server, target_service,
- domain, username, password,
- &spnego_ctx);
+ status = rpccli_generic_bind_data(result,
+ DCERPC_AUTH_TYPE_SPNEGO, auth_level,
+ server, target_service,
+ domain, username, password,
+ use_kerberos,
+ &auth);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("spnego_init_client returned %s\n",
+ DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
nt_errstr(status)));
- goto err_out;
+ goto err;
}
- auth->auth_ctx = spnego_ctx;
status = rpc_pipe_bind(result, auth);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
- nt_errstr(status)));
- goto err_out;
+ DEBUG(0, ("cli_rpc_pipe_open_spnego: cli_rpc_pipe_bind failed with error %s\n",
+ nt_errstr(status) ));
+ goto err;
}
+ DEBUG(10,("cli_rpc_pipe_open_spnego: opened pipe %s to "
+ "machine %s.\n", table->name,
+ result->desthost));
+
*presult = result;
return NT_STATUS_OK;
-err_out:
+ err:
+
TALLOC_FREE(result);
return status;
}
struct pipe_auth_data *a;
struct schannel_state *schannel_auth;
struct gensec_security *gensec_security;
- struct spnego_context *spnego_ctx;
DATA_BLOB sk = data_blob_null;
bool make_dup = false;
make_dup = true;
break;
case DCERPC_AUTH_TYPE_SPNEGO:
- spnego_ctx = talloc_get_type_abort(a->auth_ctx,
- struct spnego_context);
- status = spnego_get_negotiated_mech(spnego_ctx, &gensec_security);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- status = gensec_session_key(gensec_security, mem_ctx, &sk);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- make_dup = false;
- break;
case DCERPC_AUTH_TYPE_NTLMSSP:
case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(a->auth_ctx,
+++ /dev/null
-/*
- * SPNEGO Encapsulation
- * DCERPC Server functions
- * Copyright (C) Simo Sorce 2010.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-#include "../libcli/auth/spnego.h"
-#include "../lib/tsocket/tsocket.h"
-#include "dcesrv_auth_generic.h"
-#include "dcesrv_spnego.h"
-#include "auth/gensec/gensec.h"
-
-static NTSTATUS spnego_init_server(TALLOC_CTX *mem_ctx,
- bool do_sign, bool do_seal,
- bool is_dcerpc,
- const struct tsocket_address *remote_address,
- struct spnego_context **spnego_ctx)
-{
- struct spnego_context *sp_ctx = NULL;
-
- sp_ctx = talloc_zero(mem_ctx, struct spnego_context);
- if (!sp_ctx) {
- return NT_STATUS_NO_MEMORY;
- }
-
- sp_ctx->remote_address = tsocket_address_copy(remote_address, sp_ctx);
- if (sp_ctx->remote_address == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- sp_ctx->do_sign = do_sign;
- sp_ctx->do_seal = do_seal;
- sp_ctx->is_dcerpc = is_dcerpc;
-
- *spnego_ctx = sp_ctx;
- return NT_STATUS_OK;
-}
-
-static NTSTATUS spnego_server_mech_init(struct spnego_context *sp_ctx,
- DATA_BLOB *token_in,
- DATA_BLOB *token_out)
-{
- struct gensec_security *gensec_security;
- NTSTATUS status;
- const char *oid;
-
- switch (sp_ctx->mech) {
- case SPNEGO_KRB5:
- oid = GENSEC_OID_KERBEROS5;
- break;
- case SPNEGO_NTLMSSP:
- oid = GENSEC_OID_NTLMSSP;
- break;
- default:
- DEBUG(3, ("No known mechanisms available\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- status = auth_generic_server_start(sp_ctx,
- oid,
- sp_ctx->do_sign,
- sp_ctx->do_seal,
- sp_ctx->is_dcerpc,
- token_in,
- token_out,
- sp_ctx->remote_address,
- &gensec_security);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to init ntlmssp server "
- "(%s)\n", nt_errstr(status)));
- return status;
- }
-
- sp_ctx->gensec_security = gensec_security;
-
- return NT_STATUS_OK;
-}
-
-NTSTATUS spnego_server_step(struct spnego_context *sp_ctx,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *spnego_in,
- DATA_BLOB *spnego_out)
-{
- DATA_BLOB token_in = data_blob_null;
- DATA_BLOB token_out = data_blob_null;
- DATA_BLOB signature = data_blob_null;
- DATA_BLOB MICblob = data_blob_null;
- struct spnego_data sp_in;
- ssize_t len_in = 0;
- NTSTATUS status;
- bool ret;
-
- len_in = spnego_read_data(mem_ctx, *spnego_in, &sp_in);
- if (len_in == -1) {
- DEBUG(1, (__location__ ": invalid SPNEGO blob.\n"));
- dump_data(10, spnego_in->data, spnego_in->length);
- status = NT_STATUS_INVALID_PARAMETER;
- sp_ctx->state = SPNEGO_CONV_AUTH_DONE;
- goto done;
- }
- if (sp_in.type != SPNEGO_NEG_TOKEN_TARG) {
- status = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
- token_in = sp_in.negTokenTarg.responseToken;
- signature = sp_in.negTokenTarg.mechListMIC;
-
- switch (sp_ctx->state) {
- case SPNEGO_CONV_NEGO:
- /* still to initialize */
- status = spnego_server_mech_init(sp_ctx,
- &token_in,
- &token_out);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
- /* server always need at least one reply from client */
- status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- sp_ctx->state = SPNEGO_CONV_AUTH_MORE;
- break;
-
- case SPNEGO_CONV_AUTH_MORE:
-
- status = auth_generic_server_step(
- sp_ctx->gensec_security,
- mem_ctx, &token_in, &token_out);
- break;
-
- case SPNEGO_CONV_AUTH_DONE:
- /* we are already done, can't step further */
- /* fall thorugh and return error */
- default:
- /* wrong case */
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (NT_STATUS_IS_OK(status) && signature.length != 0) {
- /* last packet and requires signature check */
- ret = spnego_mech_list_blob(talloc_tos(),
- sp_ctx->oid_list, &MICblob);
- if (ret) {
- status = spnego_sigcheck(talloc_tos(), sp_ctx,
- &MICblob, &MICblob,
- &signature);
- } else {
- status = NT_STATUS_UNSUCCESSFUL;
- }
- }
- if (NT_STATUS_IS_OK(status) && signature.length != 0) {
- /* if signature was good, sign our own packet too */
- status = spnego_sign(talloc_tos(), sp_ctx,
- &MICblob, &MICblob, &signature);
- }
-
-done:
- *spnego_out = spnego_gen_auth_response_and_mic(mem_ctx, status,
- sp_ctx->mech_oid,
- &token_out,
- &signature);
- if (!spnego_out->data) {
- DEBUG(1, ("SPNEGO wrapping failed!\n"));
- status = NT_STATUS_UNSUCCESSFUL;
- }
-
- if (NT_STATUS_IS_OK(status) ||
- !NT_STATUS_EQUAL(status,
- NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- sp_ctx->state = SPNEGO_CONV_AUTH_DONE;
- }
-
- data_blob_free(&token_in);
- data_blob_free(&token_out);
- return status;
-}
-
-NTSTATUS spnego_server_auth_start(TALLOC_CTX *mem_ctx,
- bool do_sign,
- bool do_seal,
- bool is_dcerpc,
- DATA_BLOB *spnego_in,
- DATA_BLOB *spnego_out,
- const struct tsocket_address *remote_address,
- struct spnego_context **spnego_ctx)
-{
- struct spnego_context *sp_ctx;
- DATA_BLOB token_in = data_blob_null;
- DATA_BLOB token_out = data_blob_null;
- unsigned int i;
- NTSTATUS status;
- bool ret;
-
- if (!spnego_in->length) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- status = spnego_init_server(mem_ctx,
- do_sign,
- do_seal,
- is_dcerpc,
- remote_address,
- &sp_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- ret = spnego_parse_negTokenInit(sp_ctx, *spnego_in,
- sp_ctx->oid_list, NULL, &token_in);
- if (!ret || sp_ctx->oid_list[0] == NULL) {
- DEBUG(3, ("Invalid SPNEGO message\n"));
- status = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
-
- /* try for krb auth first */
- for (i = 0; sp_ctx->oid_list[i] && sp_ctx->mech == SPNEGO_NONE; i++) {
- if (strcmp(OID_KERBEROS5, sp_ctx->oid_list[i]) == 0 ||
- strcmp(OID_KERBEROS5_OLD, sp_ctx->oid_list[i]) == 0) {
-
- if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
- sp_ctx->mech = SPNEGO_KRB5;
- sp_ctx->mech_oid = sp_ctx->oid_list[i];
- }
- }
- }
-
- /* if auth type still undetermined, try for NTLMSSP */
- for (i = 0; sp_ctx->oid_list[i] && sp_ctx->mech == SPNEGO_NONE; i++) {
- if (strcmp(OID_NTLMSSP, sp_ctx->oid_list[i]) == 0) {
- sp_ctx->mech = SPNEGO_NTLMSSP;
- sp_ctx->mech_oid = sp_ctx->oid_list[i];
- }
- }
-
- if (!sp_ctx->mech_oid) {
- DEBUG(3, ("No known mechanisms available\n"));
- status = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
-
- if (DEBUGLEVEL >= 10) {
- DEBUG(10, ("Client Provided OIDs:\n"));
- for (i = 0; sp_ctx->oid_list[i]; i++) {
- DEBUG(10, (" %d: %s\n", i, sp_ctx->oid_list[i]));
- }
- DEBUG(10, ("Chosen OID: %s\n", sp_ctx->mech_oid));
- }
-
- /* If it is not the first OID, then token_in is not valid for the
- * choosen mech */
- if (sp_ctx->mech_oid != sp_ctx->oid_list[0]) {
- /* request more and send back empty token */
- status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- sp_ctx->state = SPNEGO_CONV_NEGO;
- goto done;
- }
-
- status = spnego_server_mech_init(sp_ctx, &token_in, &token_out);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
-
- DEBUG(10, ("SPNEGO(%d) auth started\n", sp_ctx->mech));
-
- /* server always need at least one reply from client */
- status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- sp_ctx->state = SPNEGO_CONV_AUTH_MORE;
-
-done:
- *spnego_out = spnego_gen_auth_response(mem_ctx, &token_out,
- status, sp_ctx->mech_oid);
- if (!spnego_out->data) {
- status = NT_STATUS_INVALID_PARAMETER;
- TALLOC_FREE(sp_ctx);
- } else {
- status = NT_STATUS_OK;
- *spnego_ctx = sp_ctx;
- }
-
- data_blob_free(&token_in);
- data_blob_free(&token_out);
-
- return status;
-}
+++ /dev/null
-/*
- * SPNEGO Encapsulation
- * Server routines
- * Copyright (C) Simo Sorce 2010.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#ifndef _DCESRV_SPNEGO_H_
-#define _DCESRV_SPENGO_H_
-
-#include "librpc/crypto/spnego.h"
-
-NTSTATUS spnego_server_auth_start(TALLOC_CTX *mem_ctx,
- bool do_sign,
- bool do_seal,
- bool is_dcerpc,
- DATA_BLOB *spnego_in,
- DATA_BLOB *spnego_out,
- const struct tsocket_address *remote_address,
- struct spnego_context **spnego_ctx);
-NTSTATUS spnego_server_step(struct spnego_context *sp_ctx,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *spnego_in,
- DATA_BLOB *spnego_out);
-
-#endif /* _DCESRV_SPENGO_H_ */
#include "../libcli/auth/schannel.h"
#include "../libcli/auth/spnego.h"
#include "dcesrv_auth_generic.h"
-#include "dcesrv_spnego.h"
#include "rpc_server.h"
#include "rpc_dce.h"
#include "smbd/smbd.h"
return false;
}
-/*******************************************************************
- Handle the first part of a SPNEGO bind auth.
-*******************************************************************/
-
-static bool pipe_spnego_auth_bind(struct pipes_struct *p,
- TALLOC_CTX *mem_ctx,
- struct dcerpc_auth *auth_info,
- DATA_BLOB *response)
-{
- struct spnego_context *spnego_ctx;
- NTSTATUS status;
-
- status = spnego_server_auth_start(p,
- (auth_info->auth_level ==
- DCERPC_AUTH_LEVEL_INTEGRITY),
- (auth_info->auth_level ==
- DCERPC_AUTH_LEVEL_PRIVACY),
- true,
- &auth_info->credentials,
- response,
- p->remote_address,
- &spnego_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
- nt_errstr(status)));
- return false;
- }
-
- /* Make sure data is bound to the memctx, to be freed the caller */
- talloc_steal(mem_ctx, response->data);
-
- p->auth.auth_ctx = spnego_ctx;
- p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
-
- DEBUG(10, ("SPNEGO auth started\n"));
-
- return true;
-}
-
/*******************************************************************
Handle an schannel bind auth.
*******************************************************************/
static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
{
struct gensec_security *gensec_security;
- struct spnego_context *spnego_ctx;
- NTSTATUS status;
switch (p->auth.auth_type) {
case DCERPC_AUTH_TYPE_NTLMSSP:
case DCERPC_AUTH_TYPE_KRB5:
+ case DCERPC_AUTH_TYPE_SPNEGO:
gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
struct gensec_security);
if (!pipe_auth_generic_verify_final(p, gensec_security,
return NT_STATUS_ACCESS_DENIED;
}
break;
- case DCERPC_AUTH_TYPE_SPNEGO:
- spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
- struct spnego_context);
- status = spnego_get_negotiated_mech(spnego_ctx, &gensec_security);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Bad SPNEGO state (%s)\n",
- nt_errstr(status)));
- return status;
- }
- if (!pipe_auth_generic_verify_final(p, gensec_security,
- p->auth.auth_level,
- &p->session_info)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- break;
default:
DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
(unsigned int)p->auth.auth_type));
break;
case DCERPC_AUTH_TYPE_SPNEGO:
- if (!pipe_spnego_auth_bind(p, pkt,
- &auth_info, &auth_resp)) {
- goto err_exit;
- }
- break;
-
case DCERPC_AUTH_TYPE_KRB5:
if (!pipe_auth_generic_bind(p, pkt,
&auth_info, &auth_resp)) {
struct dcerpc_auth auth_info;
DATA_BLOB response = data_blob_null;
struct gensec_security *gensec_security;
- struct spnego_context *spnego_ctx;
NTSTATUS status;
DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
switch (auth_info.auth_type) {
case DCERPC_AUTH_TYPE_NTLMSSP:
case DCERPC_AUTH_TYPE_KRB5:
+ case DCERPC_AUTH_TYPE_SPNEGO:
gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
struct gensec_security);
status = auth_generic_server_step(gensec_security,
pkt, &auth_info.credentials,
&response);
break;
- case DCERPC_AUTH_TYPE_SPNEGO:
- spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
- struct spnego_context);
- status = spnego_server_step(spnego_ctx,
- pkt, &auth_info.credentials,
- &response);
- break;
default:
DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
(unsigned int)auth_info.auth_type));
DATA_BLOB auth_blob = data_blob_null;
int pad_len = 0;
struct gensec_security *gensec_security;
- struct spnego_context *spnego_ctx;
DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
switch (auth_info.auth_type) {
case DCERPC_AUTH_TYPE_SPNEGO:
- spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
- struct spnego_context);
- status = spnego_server_step(spnego_ctx,
- pkt,
- &auth_info.credentials,
- &auth_resp);
- break;
-
case DCERPC_AUTH_TYPE_KRB5:
case DCERPC_AUTH_TYPE_NTLMSSP:
gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
deps='samba-util')
bld.SAMBA3_SUBSYSTEM('RPC_CRYPTO',
- source='dcesrv_auth_generic.c dcesrv_spnego.c',
+ source='dcesrv_auth_generic.c',
deps = 'KRB5_PAC')
bld.SAMBA3_SUBSYSTEM('RPC_PIPE_REGISTER',
LIBMSRPC_SRC = '''
rpc_client/cli_pipe.c
- librpc/crypto/cli_spnego.c
librpc/rpc/rpc_common.c
rpc_client/rpc_transport_np.c
rpc_client/rpc_transport_sock.c
git.samba.org / mat / samba.git / commitdiff