spnego: avoid explicit dependency on dcerpc specific structures

diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index 8944b395d8e254053de7c4f4f14deab879ff0342..fd51ca253ecf48a48e0431d480c385e43b24e8e9 100644 (file)
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -267,7 +267,7 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
        size_t max_len;
        size_t mod_len;
        struct gse_context *gse_ctx;
-       enum dcerpc_AuthType auth_type;
+       enum spnego_mech auth_type;
        void *auth_ctx;
        bool seal = false;
        NTSTATUS status;
@@ -315,11 +315,11 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
                        return status;
                }
                switch (auth_type) {
-               case DCERPC_AUTH_TYPE_NTLMSSP:
+               case SPNEGO_NTLMSSP:
                        *auth_len = NTLMSSP_SIG_SIZE;
                        break;
 
-               case DCERPC_AUTH_TYPE_KRB5:
+               case SPNEGO_KRB5:
                        gse_ctx = talloc_get_type(auth_ctx,
                                                  struct gse_context);
                        if (!gse_ctx) {
@@ -653,7 +653,7 @@ static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx,
                                        enum dcerpc_AuthLevel auth_level,
                                        DATA_BLOB *rpc_out)
 {
-       enum dcerpc_AuthType auth_type;
+       enum spnego_mech auth_type;
        struct gse_context *gse_ctx;
        struct auth_ntlmssp_state *ntlmssp_ctx;
        void *auth_ctx;
@@ -670,7 +670,7 @@ static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx,
        }
 
        switch (auth_type) {
-       case DCERPC_AUTH_TYPE_KRB5:
+       case SPNEGO_KRB5:
                gse_ctx = talloc_get_type(auth_ctx, struct gse_context);
                if (!gse_ctx) {
                        status = NT_STATUS_INTERNAL_ERROR;
@@ -680,7 +680,7 @@ static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx,
                                                auth_level, rpc_out);
                break;
 
-       case DCERPC_AUTH_TYPE_NTLMSSP:
+       case SPNEGO_NTLMSSP:
                ntlmssp_ctx = talloc_get_type(auth_ctx,
                                                struct auth_ntlmssp_state);
                if (!ntlmssp_ctx) {
@@ -705,7 +705,7 @@ static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx,
                                        DATA_BLOB *data, DATA_BLOB *full_pkt,
                                        DATA_BLOB *auth_token)
 {
-       enum dcerpc_AuthType auth_type;
+       enum spnego_mech auth_type;
        struct auth_ntlmssp_state *ntlmssp_ctx;
        struct gse_context *gse_ctx;
        void *auth_ctx;
@@ -717,7 +717,7 @@ static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx,
        }
 
        switch (auth_type) {
-       case DCERPC_AUTH_TYPE_KRB5:
+       case SPNEGO_KRB5:
                gse_ctx = talloc_get_type(auth_ctx,
                                          struct gse_context);
                if (!gse_ctx) {
@@ -730,7 +730,7 @@ static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx,
                                                auth_level,
                                                data, full_pkt,
                                                auth_token);
-       case DCERPC_AUTH_TYPE_NTLMSSP:
+       case SPNEGO_NTLMSSP:
                ntlmssp_ctx = talloc_get_type(auth_ctx,
                                          struct auth_ntlmssp_state);
                if (!ntlmssp_ctx) {

diff --git a/source3/librpc/rpc/dcerpc_spnego.c b/source3/librpc/rpc/dcerpc_spnego.c
index 83c2137a1fe7d42de36289d9f983a33e8a2a45ef..89baa03cf32e0faf8cd1599b6a7085d962bcdea1 100644 (file)
--- a/source3/librpc/rpc/dcerpc_spnego.c
+++ b/source3/librpc/rpc/dcerpc_spnego.c
@@ -21,11 +21,14 @@
 #include "../libcli/auth/spnego.h"
 #include "include/ntlmssp_wrap.h"
 #include "librpc/gen_ndr/ntlmssp.h"
-#include "dcerpc_spnego.h"
 #include "librpc/crypto/gse.h"
+#include "dcerpc_spnego.h"
 
 struct spnego_context {
-       enum dcerpc_AuthType auth_type;
+       enum spnego_mech mech;
+
+       bool do_sign;
+       bool do_seal;
 
        union {
                struct auth_ntlmssp_state *ntlmssp_state;
@@ -41,7 +44,7 @@ struct spnego_context {
 };
 
 static NTSTATUS spnego_context_init(TALLOC_CTX *mem_ctx,
-                                   enum dcerpc_AuthType auth_type,
+                                   bool do_sign, bool do_seal,
                                    struct spnego_context **spnego_ctx)
 {
        struct spnego_context *sp_ctx;
@@ -51,7 +54,8 @@ static NTSTATUS spnego_context_init(TALLOC_CTX *mem_ctx,
                return NT_STATUS_NO_MEMORY;
        }
 
-       sp_ctx->auth_type = auth_type;
+       sp_ctx->do_sign = do_sign;
+       sp_ctx->do_seal = do_seal;
        sp_ctx->state = SPNEGO_CONV_INIT;
 
        *spnego_ctx = sp_ctx;
@@ -59,27 +63,31 @@ static NTSTATUS spnego_context_init(TALLOC_CTX *mem_ctx,
 }
 
 NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx,
-                                  enum dcerpc_AuthLevel auth_level,
+                                  bool do_sign, bool do_seal,
+                                  bool is_dcerpc,
                                   const char *ccache_name,
                                   const char *server,
                                   const char *service,
                                   const char *username,
                                   const char *password,
-                                  uint32_t add_gss_c_flags,
                                   struct spnego_context **spnego_ctx)
 {
        struct spnego_context *sp_ctx = NULL;
+       uint32_t add_gss_c_flags = 0;
        NTSTATUS status;
 
-       status = spnego_context_init(mem_ctx,
-                                       DCERPC_AUTH_TYPE_KRB5, &sp_ctx);
+       status = spnego_context_init(mem_ctx, do_sign, do_seal, &sp_ctx);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
+       sp_ctx->mech = SPNEGO_KRB5;
+
+       if (is_dcerpc) {
+               add_gss_c_flags = GSS_C_DCE_STYLE;
+       }
 
        status = gse_init_client(sp_ctx,
-                                (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY),
-                                (auth_level == DCERPC_AUTH_LEVEL_PRIVACY),
+                                do_sign, do_seal,
                                 ccache_name, server, service,
                                 username, password, add_gss_c_flags,
                                 &sp_ctx->mech_ctx.gssapi_state);
@@ -93,7 +101,8 @@ NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx,
 }
 
 NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx,
-                                   enum dcerpc_AuthLevel auth_level,
+                                   bool do_sign, bool do_seal,
+                                   bool is_dcerpc,
                                    const char *domain,
                                    const char *username,
                                    const char *password,
@@ -102,11 +111,11 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx,
        struct spnego_context *sp_ctx = NULL;
        NTSTATUS status;
 
-       status = spnego_context_init(mem_ctx,
-                                       DCERPC_AUTH_TYPE_NTLMSSP, &sp_ctx);
+       status = spnego_context_init(mem_ctx, do_sign, do_seal, &sp_ctx);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
+       sp_ctx->mech = SPNEGO_NTLMSSP;
 
        status = auth_ntlmssp_client_start(sp_ctx,
                                        global_myname(),
@@ -146,10 +155,10 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx,
                                                ~(NTLMSSP_NEGOTIATE_SIGN |
                                                  NTLMSSP_NEGOTIATE_SEAL));
 
-       if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+       if (do_sign) {
                auth_ntlmssp_or_flags(sp_ctx->mech_ctx.ntlmssp_state,
                                                NTLMSSP_NEGOTIATE_SIGN);
-       } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+       } else if (do_seal) {
                auth_ntlmssp_or_flags(sp_ctx->mech_ctx.ntlmssp_state,
                                                NTLMSSP_NEGOTIATE_SEAL |
                                                NTLMSSP_NEGOTIATE_SIGN);
@@ -209,8 +218,8 @@ NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx,
                goto done;
        }
 
-       switch (sp_ctx->auth_type) {
-       case DCERPC_AUTH_TYPE_KRB5:
+       switch (sp_ctx->mech) {
+       case SPNEGO_KRB5:
 
                gse_ctx = sp_ctx->mech_ctx.gssapi_state;
                status = gse_get_client_auth_token(mem_ctx, gse_ctx,
@@ -224,7 +233,7 @@ NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx,
 
                break;
 
-       case DCERPC_AUTH_TYPE_NTLMSSP:
+       case SPNEGO_NTLMSSP:
 
                ntlmssp_ctx = sp_ctx->mech_ctx.ntlmssp_state;
                status = auth_ntlmssp_update(ntlmssp_ctx,
@@ -309,11 +318,11 @@ bool spnego_require_more_processing(struct spnego_context *sp_ctx)
        }
 
        /* otherwise see if underlying mechnism does */
-       switch (sp_ctx->auth_type) {
-       case DCERPC_AUTH_TYPE_KRB5:
+       switch (sp_ctx->mech) {
+       case SPNEGO_KRB5:
                gse_ctx = sp_ctx->mech_ctx.gssapi_state;
                return gse_require_more_processing(gse_ctx);
-       case DCERPC_AUTH_TYPE_NTLMSSP:
+       case SPNEGO_NTLMSSP:
                return false;
        default:
                DEBUG(0, ("Unsupported type in request!\n"));
@@ -322,21 +331,21 @@ bool spnego_require_more_processing(struct spnego_context *sp_ctx)
 }
 
 NTSTATUS spnego_get_negotiated_mech(struct spnego_context *sp_ctx,
-                                   enum dcerpc_AuthType *auth_type,
+                                   enum spnego_mech *type,
                                    void **auth_context)
 {
-       switch (sp_ctx->auth_type) {
-       case DCERPC_AUTH_TYPE_KRB5:
+       switch (sp_ctx->mech) {
+       case SPNEGO_KRB5:
                *auth_context = sp_ctx->mech_ctx.gssapi_state;
                break;
-       case DCERPC_AUTH_TYPE_NTLMSSP:
+       case SPNEGO_NTLMSSP:
                *auth_context = sp_ctx->mech_ctx.ntlmssp_state;
                break;
        default:
                return NT_STATUS_INTERNAL_ERROR;
        }
 
-       *auth_type = sp_ctx->auth_type;
+       *type = sp_ctx->mech;
        return NT_STATUS_OK;
 }
 
@@ -345,11 +354,11 @@ DATA_BLOB spnego_get_session_key(TALLOC_CTX *mem_ctx,
 {
        DATA_BLOB sk;
 
-       switch (sp_ctx->auth_type) {
-       case DCERPC_AUTH_TYPE_KRB5:
+       switch (sp_ctx->mech) {
+       case SPNEGO_KRB5:
                return gse_get_session_key(mem_ctx,
                                           sp_ctx->mech_ctx.gssapi_state);
-       case DCERPC_AUTH_TYPE_NTLMSSP:
+       case SPNEGO_NTLMSSP:
                sk = auth_ntlmssp_get_session_key(
                                        sp_ctx->mech_ctx.ntlmssp_state);
                return data_blob_dup_talloc(mem_ctx, &sk);

diff --git a/source3/librpc/rpc/dcerpc_spnego.h b/source3/librpc/rpc/dcerpc_spnego.h
index 9d37fd1e38a528dbc589ea3fd20188d842e0c72a..d4e7c627860d664be3970445ef3971e0b729433a 100644 (file)
--- a/source3/librpc/rpc/dcerpc_spnego.h
+++ b/source3/librpc/rpc/dcerpc_spnego.h
@@ -22,17 +22,24 @@
 
 struct spnego_context;
 
+enum spnego_mech {
+       SPNEGO_NONE = 0,
+       SPNEGO_KRB5,
+       SPNEGO_NTLMSSP
+};
+
 NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx,
-                                  enum dcerpc_AuthLevel auth_level,
+                                  bool do_sign, bool do_seal,
+                                  bool is_dcerpc,
                                   const char *ccache_name,
                                   const char *server,
                                   const char *service,
                                   const char *username,
                                   const char *password,
-                                  uint32_t add_gss_c_flags,
                                   struct spnego_context **spengo_ctx);
 NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx,
-                                   enum dcerpc_AuthLevel auth_level,
+                                   bool do_sign, bool do_seal,
+                                   bool is_dcerpc,
                                    const char *domain,
                                    const char *username,
                                    const char *password,
@@ -46,7 +53,7 @@ NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx,
 bool spnego_require_more_processing(struct spnego_context *sp_ctx);
 
 NTSTATUS spnego_get_negotiated_mech(struct spnego_context *sp_ctx,
-                                   enum dcerpc_AuthType *auth_type,
+                                   enum spnego_mech *type,
                                    void **auth_context);
 
 DATA_BLOB spnego_get_session_key(TALLOC_CTX *mem_ctx,

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 077a08a770fc97212a414c9fc5798b99f15f25d4..cca4f38a8cd0354d258b5da98a799f2f66847157 100644 (file)
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2193,7 +2193,7 @@ bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16])
        if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_NTLMSSP) {
                a = rpc_cli->auth->a_u.auth_ntlmssp_state;
        } else if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
-               enum dcerpc_AuthType auth_type;
+               enum spnego_mech auth_type;
                void *auth_ctx;
                NTSTATUS status;
 
@@ -2204,7 +2204,7 @@ bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16])
                        return false;
                }
 
-               if (auth_type == DCERPC_AUTH_TYPE_NTLMSSP) {
+               if (auth_type == SPNEGO_NTLMSSP) {
                        a = talloc_get_type(auth_ctx,
                                            struct auth_ntlmssp_state);
                }
@@ -3083,10 +3083,14 @@ NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli,
                goto err_out;
        }
 
-       status = spnego_gssapi_init_client(auth, auth->auth_level,
+       status = spnego_gssapi_init_client(auth,
+                                          (auth->auth_level ==
+                                               DCERPC_AUTH_LEVEL_INTEGRITY),
+                                          (auth->auth_level ==
+                                               DCERPC_AUTH_LEVEL_PRIVACY),
+                                          true,
                                           NULL, server, "cifs",
                                           username, password,
-                                          GSS_C_DCE_STYLE,
                                           &auth->a_u.spnego_state);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0, ("spnego_init_client returned %s\n",
@@ -3153,7 +3157,12 @@ NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
                goto err_out;
        }
 
-       status = spnego_ntlmssp_init_client(auth, auth->auth_level,
+       status = spnego_ntlmssp_init_client(auth,
+                                           (auth->auth_level ==
+                                               DCERPC_AUTH_LEVEL_INTEGRITY),
+                                           (auth->auth_level ==
+                                               DCERPC_AUTH_LEVEL_PRIVACY),
+                                           true,
                                            domain, username, password,
                                            &auth->a_u.spnego_state);
        if (!NT_STATUS_IS_OK(status)) {