struct spnego_context **spnego_ctx)
{
struct spnego_context *sp_ctx = NULL;
+ struct auth_ntlmssp_state *auth_ntlmssp_state;
NTSTATUS status;
status = spnego_context_init(mem_ctx, do_sign, do_seal, &sp_ctx);
sp_ctx->mech = SPNEGO_NTLMSSP;
status = auth_ntlmssp_client_prepare(sp_ctx,
- &sp_ctx->mech_ctx.ntlmssp_state);
+ &auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sp_ctx);
return status;
}
- status = auth_ntlmssp_set_username(sp_ctx->mech_ctx.ntlmssp_state,
+ status = auth_ntlmssp_set_username(auth_ntlmssp_state,
username);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sp_ctx);
return status;
}
- status = auth_ntlmssp_set_domain(sp_ctx->mech_ctx.ntlmssp_state,
+ status = auth_ntlmssp_set_domain(auth_ntlmssp_state,
domain);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sp_ctx);
return status;
}
- status = auth_ntlmssp_set_password(sp_ctx->mech_ctx.ntlmssp_state,
+ status = auth_ntlmssp_set_password(auth_ntlmssp_state,
password);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sp_ctx);
}
if (do_sign) {
- gensec_want_feature(sp_ctx->mech_ctx.ntlmssp_state->gensec_security,
+ gensec_want_feature(auth_ntlmssp_state->gensec_security,
GENSEC_FEATURE_SIGN);
} else if (do_seal) {
- gensec_want_feature(sp_ctx->mech_ctx.ntlmssp_state->gensec_security,
+ gensec_want_feature(auth_ntlmssp_state->gensec_security,
GENSEC_FEATURE_SEAL);
}
- status = auth_ntlmssp_client_start(sp_ctx->mech_ctx.ntlmssp_state);
+ status = auth_ntlmssp_client_start(auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sp_ctx);
return status;
}
+ sp_ctx->mech_ctx.gensec_security = talloc_move(sp_ctx, &auth_ntlmssp_state->gensec_security);
+ TALLOC_FREE(auth_ntlmssp_state);
*spnego_ctx = sp_ctx;
return NT_STATUS_OK;
}
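Review bot: The failure branch after `auth_ntlmssp_set_password` (the `if` following the `password);` argument line) frees `sp_ctx` but does not return, so on that path execution continues into `gensec_want_feature(auth_ntlmssp_state->gensec_security, ...)` and then `sp_ctx->mech_ctx.gensec_security = talloc_move(...)` with `sp_ctx` already NULL and `auth_ntlmssp_state` presumably freed along with it (it was prepared with `sp_ctx` as its context). The commit moves those accesses from `sp_ctx->mech_ctx.ntlmssp_state` to the new local, which turns what was a NULL dereference into a use of the freed local before the NULL write is reached. The block should read `TALLOC_FREE(sp_ctx); return status;` exactly like the three checks above it. Separately, the status from `spnego_context_init` is assigned but never tested before `sp_ctx->mech = SPNEGO_NTLMSSP` dereferences the pointer; `if (!NT_STATUS_IS_OK(status)) { return status; }` belongs between those two lines. The function's signature begins before the hunk.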
DATA_BLOB *spnego_out)
{
struct gse_context *gse_ctx;
- struct auth_ntlmssp_state *ntlmssp_ctx;
+ struct gensec_security *gensec_security;
struct spnego_data sp_in, sp_out;
DATA_BLOB token_in = data_blob_null;
DATA_BLOB token_out = data_blob_null;
case SPNEGO_NTLMSSP:
- ntlmssp_ctx = sp_ctx->mech_ctx.ntlmssp_state;
- status = gensec_update(ntlmssp_ctx->gensec_security, mem_ctx, NULL,
+ gensec_security = sp_ctx->mech_ctx.gensec_security;
+ status = gensec_update(gensec_security, mem_ctx, NULL,
token_in, &token_out);
if (NT_STATUS_EQUAL(status,
NT_STATUS_MORE_PROCESSING_REQUIRED)) {
*auth_context = sp_ctx->mech_ctx.gssapi_state;
break;
case SPNEGO_NTLMSSP:
- *auth_context = sp_ctx->mech_ctx.ntlmssp_state;
+ *auth_context = sp_ctx->mech_ctx.gensec_security;
break;
default:
return NT_STATUS_INTERNAL_ERROR;
return gse_get_session_key(mem_ctx,
sp_ctx->mech_ctx.gssapi_state);
case SPNEGO_NTLMSSP:
- status = gensec_session_key(sp_ctx->mech_ctx.ntlmssp_state->gensec_security, mem_ctx, &sk);
+ status = gensec_session_key(sp_ctx->mech_ctx.gensec_security, mem_ctx, &sk);
if (!NT_STATUS_IS_OK(status)) {
return data_blob_null;
}
data, signature);
case SPNEGO_NTLMSSP:
return gensec_sign_packet(
- sp_ctx->mech_ctx.ntlmssp_state->gensec_security,
+ sp_ctx->mech_ctx.gensec_security,
mem_ctx,
data->data, data->length,
full_data->data, full_data->length,
data, signature);
case SPNEGO_NTLMSSP:
return gensec_check_packet(
- sp_ctx->mech_ctx.ntlmssp_state->gensec_security,
+ sp_ctx->mech_ctx.gensec_security,
data->data, data->length,
full_data->data, full_data->length,
signature);
data, signature);
case SPNEGO_NTLMSSP:
return gensec_seal_packet(
- sp_ctx->mech_ctx.ntlmssp_state->gensec_security,
+ sp_ctx->mech_ctx.gensec_security,
mem_ctx,
data->data, data->length,
full_data->data, full_data->length,
data, signature);
case SPNEGO_NTLMSSP:
return gensec_unseal_packet(
- sp_ctx->mech_ctx.ntlmssp_state->gensec_security,
+ sp_ctx->mech_ctx.gensec_security,
data->data, data->length,
full_data->data, full_data->length,
signature);
enum spnego_mech mech;
union {
- struct auth_ntlmssp_state *ntlmssp_state;
+ struct gensec_security *gensec_security;
struct gse_context *gssapi_state;
} mech_ctx;
Create and add the NTLMSSP sign/seal auth data.
********************************************************************/
-static NTSTATUS add_ntlmssp_auth_footer(struct auth_ntlmssp_state *auth_state,
+static NTSTATUS add_ntlmssp_auth_footer(struct gensec_security *gensec_security,
enum dcerpc_AuthLevel auth_level,
DATA_BLOB *rpc_out)
{
DATA_BLOB auth_blob;
NTSTATUS status;
- if (!auth_state) {
+ if (!gensec_security) {
return NT_STATUS_INVALID_PARAMETER;
}
switch (auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
/* Data portion is encrypted. */
- status = gensec_seal_packet(auth_state->gensec_security,
+ status = gensec_seal_packet(gensec_security,
rpc_out->data,
rpc_out->data
+ DCERPC_RESPONSE_LENGTH,
case DCERPC_AUTH_LEVEL_INTEGRITY:
/* Data is signed. */
- status = gensec_sign_packet(auth_state->gensec_security,
+ status = gensec_sign_packet(gensec_security,
rpc_out->data,
rpc_out->data
+ DCERPC_RESPONSE_LENGTH,
Check/unseal the NTLMSSP auth data. (Unseal in place).
********************************************************************/
-static NTSTATUS get_ntlmssp_auth_footer(struct auth_ntlmssp_state *auth_state,
+static NTSTATUS get_ntlmssp_auth_footer(struct gensec_security *gensec_security,
enum dcerpc_AuthLevel auth_level,
DATA_BLOB *data, DATA_BLOB *full_pkt,
DATA_BLOB *auth_token)
switch (auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
/* Data portion is encrypted. */
- return gensec_unseal_packet(auth_state->gensec_security,
+ return gensec_unseal_packet(gensec_security,
data->data,
data->length,
full_pkt->data,
case DCERPC_AUTH_LEVEL_INTEGRITY:
/* Data is signed. */
- return gensec_check_packet(auth_state->gensec_security,
+ return gensec_check_packet(gensec_security,
data->data,
data->length,
full_pkt->data,
size_t pad_len, DATA_BLOB *rpc_out)
{
struct schannel_state *schannel_auth;
- struct auth_ntlmssp_state *ntlmssp_ctx;
+ struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
struct gse_context *gse_ctx;
char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
auth->auth_level, rpc_out);
break;
case DCERPC_AUTH_TYPE_NTLMSSP:
- ntlmssp_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct auth_ntlmssp_state);
- status = add_ntlmssp_auth_footer(ntlmssp_ctx,
+ gensec_security = talloc_get_type_abort(auth->auth_ctx,
+ struct gensec_security);
+ status = add_ntlmssp_auth_footer(gensec_security,
auth->auth_level,
rpc_out);
break;
size_t *pad_len)
{
struct schannel_state *schannel_auth;
- struct auth_ntlmssp_state *ntlmssp_ctx;
+ struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
struct gse_context *gse_ctx;
NTSTATUS status;
DEBUG(10, ("NTLMSSP auth\n"));
- ntlmssp_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct auth_ntlmssp_state);
- status = get_ntlmssp_auth_footer(ntlmssp_ctx,
+ gensec_security = talloc_get_type_abort(auth->auth_ctx,
+ struct gensec_security);
+ status = get_ntlmssp_auth_footer(gensec_security,
auth->auth_level,
&data, &full_pkt,
&auth_info.credentials);
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
- struct auth_ntlmssp_state **ctx)
+ struct gensec_security **ctx)
{
struct auth_ntlmssp_state *a = NULL;
NTSTATUS status;
}
/* steal ntlmssp context too */
- *ctx = talloc_move(mem_ctx, &a);
+ *ctx = talloc_move(mem_ctx, &a->gensec_security);
status = NT_STATUS_OK;
done:
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(a);
- }
+ TALLOC_FREE(a);
return status;
}
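Review bot: The comment `/* steal ntlmssp context too */` above `*ctx = talloc_move(mem_ctx, &a->gensec_security);` is now misleading: the new line hands only the inner gensec context to `mem_ctx`, and the `done:` label then frees `a` unconditionally, on success as well as on failure. Suggest `/* hand the gensec context to the caller; the wrapping auth_ntlmssp_state is freed below on every path */`. The unconditional `TALLOC_FREE(a)` is only safe on early-`goto done` paths because `a` is initialised to NULL in its declaration (visible in the previous hunk); a one-line comment at `done:` saying so would stop the next edit from reintroducing the conditional. The body of the function between the declarations and this hunk is not shown.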
-NTSTATUS ntlmssp_server_step(struct auth_ntlmssp_state *ctx,
+NTSTATUS ntlmssp_server_step(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
DATA_BLOB *token_in,
DATA_BLOB *token_out)
/* this has to be done as root in order to verify the password */
become_root();
- status = gensec_update(ctx->gensec_security, mem_ctx, NULL, *token_in, token_out);
+ status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out);
unbecome_root();
return status;
}
-NTSTATUS ntlmssp_server_check_flags(struct auth_ntlmssp_state *ctx,
+NTSTATUS ntlmssp_server_check_flags(struct gensec_security *gensec_security,
bool do_sign, bool do_seal)
{
- if (do_sign && !gensec_have_feature(ctx->gensec_security, GENSEC_FEATURE_SIGN)) {
+ if (do_sign && !gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
DEBUG(1, (__location__ "Integrity was requested but client "
"failed to negotiate signing.\n"));
return NT_STATUS_ACCESS_DENIED;
}
- if (do_seal && !gensec_have_feature(ctx->gensec_security, GENSEC_FEATURE_SEAL)) {
+ if (do_seal && !gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
DEBUG(1, (__location__ "Privacy was requested but client "
"failed to negotiate sealing.\n"));
return NT_STATUS_ACCESS_DENIED;
return NT_STATUS_OK;
}
-NTSTATUS ntlmssp_server_get_user_info(struct auth_ntlmssp_state *ctx,
+NTSTATUS ntlmssp_server_get_user_info(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info)
{
NTSTATUS status;
- status = gensec_session_info(ctx->gensec_security, mem_ctx, session_info);
+ status = gensec_session_info(gensec_security, mem_ctx, session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, (__location__ ": Failed to get authenticated user "
"info: %s\n", nt_errstr(status)));
#ifndef _DCESRV_NTLMSSP_H_
#define _DCESRV_NTLMSSP_H_
-struct auth_ntlmssp_state;
+struct gensec_security;
NTSTATUS ntlmssp_server_auth_start(TALLOC_CTX *mem_ctx,
bool do_sign,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
- struct auth_ntlmssp_state **ctx);
-NTSTATUS ntlmssp_server_step(struct auth_ntlmssp_state *ctx,
+ struct gensec_security **ctx);
+NTSTATUS ntlmssp_server_step(struct gensec_security *ctx,
TALLOC_CTX *mem_ctx,
DATA_BLOB *token_in,
DATA_BLOB *token_out);
-NTSTATUS ntlmssp_server_check_flags(struct auth_ntlmssp_state *ctx,
+NTSTATUS ntlmssp_server_check_flags(struct gensec_security *ctx,
bool do_sign, bool do_seal);
-NTSTATUS ntlmssp_server_get_user_info(struct auth_ntlmssp_state *ctx,
+NTSTATUS ntlmssp_server_get_user_info(struct gensec_security *ctx,
TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info);
DATA_BLOB *token_in,
DATA_BLOB *token_out)
{
- struct auth_ntlmssp_state *ntlmssp_ctx;
+ struct gensec_security *gensec_security;
struct gse_context *gse_ctx;
NTSTATUS status;
token_in,
token_out,
sp_ctx->remote_address,
- &ntlmssp_ctx);
+ &gensec_security);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to init ntlmssp server "
"(%s)\n", nt_errstr(status)));
return status;
}
- sp_ctx->mech_ctx.ntlmssp_state = ntlmssp_ctx;
+ sp_ctx->mech_ctx.gensec_security = gensec_security;
break;
default:
break;
case SPNEGO_NTLMSSP:
status = ntlmssp_server_step(
- sp_ctx->mech_ctx.ntlmssp_state,
+ sp_ctx->mech_ctx.gensec_security,
mem_ctx, &token_in, &token_out);
break;
default:
struct dcerpc_auth *auth_info,
DATA_BLOB *response)
{
- struct auth_ntlmssp_state *ntlmssp_state = NULL;
+ struct gensec_security *gensec_security = NULL;
NTSTATUS status;
if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
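Review bot: `strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7)` runs without first checking `auth_info->credentials.length`; the blob presumably comes from the peer's bind request, so a credentials field shorter than 7 bytes with no terminating NUL lets the comparison read past the end of the buffer. A length guard in front of the comparison, `if (auth_info->credentials.length < 7 || strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {`, keeps the existing rejection path and costs nothing. This is context the commit leaves untouched; the enclosing function starts outside the hunk and the body of the `if` follows it.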
&auth_info->credentials,
response,
p->remote_address,
- &ntlmssp_state);
+ &gensec_security);
if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
nt_errstr(status)));
/* Make sure data is bound to the memctx, to be freed the caller */
talloc_steal(mem_ctx, response->data);
- p->auth.auth_ctx = ntlmssp_state;
+ p->auth.auth_ctx = gensec_security;
p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
*******************************************************************/
static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx,
- struct auth_ntlmssp_state *ntlmssp_ctx,
+ struct gensec_security *gensec_security,
enum dcerpc_AuthLevel auth_level,
struct auth_session_info **session_info)
{
ensure the underlying NTLMSSP flags are also set. If not we should
refuse the bind. */
- status = ntlmssp_server_check_flags(ntlmssp_ctx,
+ status = ntlmssp_server_check_flags(gensec_security,
(auth_level ==
DCERPC_AUTH_LEVEL_INTEGRITY),
(auth_level ==
TALLOC_FREE(*session_info);
- status = ntlmssp_server_get_user_info(ntlmssp_ctx,
+ status = ntlmssp_server_get_user_info(gensec_security,
mem_ctx, session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": failed to obtain the server info "
static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
{
enum spnego_mech auth_type;
- struct auth_ntlmssp_state *ntlmssp_ctx;
+ struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
struct gse_context *gse_ctx;
void *mech_ctx;
switch (p->auth.auth_type) {
case DCERPC_AUTH_TYPE_NTLMSSP:
- ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
- struct auth_ntlmssp_state);
- if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
+ gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
+ struct gensec_security);
+ if (!pipe_ntlmssp_verify_final(p, gensec_security,
p->auth.auth_level,
&p->session_info)) {
return NT_STATUS_ACCESS_DENIED;
}
break;
case SPNEGO_NTLMSSP:
- ntlmssp_ctx = talloc_get_type_abort(mech_ctx,
- struct auth_ntlmssp_state);
- if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
+ gensec_security = talloc_get_type_abort(mech_ctx,
+ struct gensec_security);
+ if (!pipe_ntlmssp_verify_final(p, gensec_security,
p->auth.auth_level,
&p->session_info)) {
return NT_STATUS_ACCESS_DENIED;
{
struct dcerpc_auth auth_info;
DATA_BLOB response = data_blob_null;
- struct auth_ntlmssp_state *ntlmssp_ctx;
+ struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
struct gse_context *gse_ctx;
NTSTATUS status;
switch (auth_info.auth_type) {
case DCERPC_AUTH_TYPE_NTLMSSP:
- ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
- struct auth_ntlmssp_state);
- status = ntlmssp_server_step(ntlmssp_ctx,
+ gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
+ struct gensec_security);
+ status = ntlmssp_server_step(gensec_security,
pkt, &auth_info.credentials,
&response);
break;
DATA_BLOB auth_resp = data_blob_null;
DATA_BLOB auth_blob = data_blob_null;
int pad_len = 0;
- struct auth_ntlmssp_state *ntlmssp_ctx;
+ struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
struct gse_context *gse_ctx;
&auth_resp);
break;
case DCERPC_AUTH_TYPE_NTLMSSP:
- ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
- struct auth_ntlmssp_state);
- status = ntlmssp_server_step(ntlmssp_ctx,
+ gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
+ struct gensec_security);
+ status = ntlmssp_server_step(gensec_security,
pkt,
&auth_info.credentials,
&auth_resp);