#ifdef HAVE_KRB5
#include "libcli/auth/krb5_wrap.h"
#endif
+#include "librpc/crypto/gse.h"
static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- gensec_settings->backends = talloc_zero_array(gensec_settings, struct gensec_security_ops *, 2);
+ gensec_settings->backends = talloc_zero_array(gensec_settings, struct gensec_security_ops *, 3);
if (gensec_settings->backends == NULL) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
gensec_settings->backends[0] = &gensec_ntlmssp3_server_ops;
+#if defined(HAVE_KRB5) && defined(HAVE_GSS_WRAP_IOV)
+ gensec_settings->backends[1] = &gensec_gse_krb5_security_ops;
+#endif
+
nt_status = gensec_server_start(tmp_ctx, gensec_settings,
auth4_context, &gensec_security);
break;
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(auth->auth_ctx,
struct gensec_security);
*auth_len = gensec_sig_size(gensec_security, max_len);
struct schannel_state);
*auth_len = netsec_outgoing_sig_size(schannel_auth);
break;
-
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct gse_context);
- *auth_len = gse_get_signature_length(gse_ctx,
- seal, max_len);
- break;
-
default:
return NT_STATUS_INVALID_PARAMETER;
}
}
}
-/*******************************************************************
- Create and add the gssapi sign/seal auth data.
- ********************************************************************/
-
-static NTSTATUS add_gssapi_auth_footer(struct gse_context *gse_ctx,
- enum dcerpc_AuthLevel auth_level,
- DATA_BLOB *rpc_out)
-{
- DATA_BLOB data;
- DATA_BLOB auth_blob;
- NTSTATUS status;
-
- if (!gse_ctx) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- data.data = rpc_out->data + DCERPC_RESPONSE_LENGTH;
- data.length = rpc_out->length - DCERPC_RESPONSE_LENGTH
- - DCERPC_AUTH_TRAILER_LENGTH;
-
- switch (auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- status = gse_seal(talloc_tos(), gse_ctx, &data, &auth_blob);
- break;
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- status = gse_sign(talloc_tos(), gse_ctx, &data, &auth_blob);
- break;
- default:
- status = NT_STATUS_INTERNAL_ERROR;
- break;
- }
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to process packet: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- /* Finally attach the blob. */
- if (!data_blob_append(NULL, rpc_out,
- auth_blob.data, auth_blob.length)) {
- return NT_STATUS_NO_MEMORY;
- }
-
- data_blob_free(&auth_blob);
-
- return NT_STATUS_OK;
-}
-
-/*******************************************************************
- Check/unseal the gssapi auth data. (Unseal in place).
- ********************************************************************/
-
-static NTSTATUS get_gssapi_auth_footer(TALLOC_CTX *mem_ctx,
- struct gse_context *gse_ctx,
- enum dcerpc_AuthLevel auth_level,
- DATA_BLOB *data, DATA_BLOB *full_pkt,
- DATA_BLOB *auth_token)
-{
- /* TODO: pass in full_pkt when
- * DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN is set */
- switch (auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- /* Data portion is encrypted. */
- return gse_unseal(mem_ctx, gse_ctx,
- data, auth_token);
-
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- /* Data is signed. */
- return gse_sigcheck(mem_ctx, gse_ctx,
- data, auth_token);
- default:
- return NT_STATUS_INVALID_PARAMETER;
- }
-}
-
/*******************************************************************
Create and add the spnego-negotiated sign/seal auth data.
********************************************************************/
struct schannel_state *schannel_auth;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
DATA_BLOB auth_info;
DATA_BLOB auth_blob;
status = add_spnego_auth_footer(spnego_ctx,
auth->auth_level, rpc_out);
break;
+ case DCERPC_AUTH_TYPE_KRB5:
case DCERPC_AUTH_TYPE_NTLMSSP:
gensec_security = talloc_get_type_abort(auth->auth_ctx,
struct gensec_security);
auth->auth_level,
rpc_out);
break;
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct gse_context);
- status = add_gssapi_auth_footer(gse_ctx,
- auth->auth_level,
- rpc_out);
- break;
default:
status = NT_STATUS_INVALID_PARAMETER;
break;
struct schannel_state *schannel_auth;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
NTSTATUS status;
struct dcerpc_auth auth_info;
uint32_t auth_length;
}
break;
+ case DCERPC_AUTH_TYPE_KRB5:
case DCERPC_AUTH_TYPE_NTLMSSP:
DEBUG(10, ("GENSEC auth\n"));
}
break;
- case DCERPC_AUTH_TYPE_KRB5:
-
- DEBUG(10, ("KRB5 auth\n"));
-
- gse_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct gse_context);
- status = get_gssapi_auth_footer(pkt, gse_ctx,
- auth->auth_level,
- &data, &full_pkt,
- &auth_info.credentials);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- break;
-
default:
DEBUG(0, ("process_request_pdu: "
"unknown auth type %u set.\n",
#include "auth_generic.h"
#include "librpc/gen_ndr/ndr_dcerpc.h"
#include "librpc/rpc/dcerpc.h"
-#include "librpc/crypto/gse.h"
#include "librpc/crypto/spnego.h"
#include "rpc_dce.h"
#include "cli_pipe.h"
return NT_STATUS_OK;
}
-/*******************************************************************
- Creates krb5 auth bind.
- ********************************************************************/
-
-static NTSTATUS create_gssapi_auth_bind_req(TALLOC_CTX *mem_ctx,
- struct pipe_auth_data *auth,
- DATA_BLOB *auth_token)
-{
- struct gse_context *gse_ctx;
- DATA_BLOB in_token = data_blob_null;
- NTSTATUS status;
-
- gse_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct gse_context);
-
- /* Negotiate the initial auth token */
- status = gse_get_client_auth_token(mem_ctx, gse_ctx,
- &in_token,
- auth_token);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- DEBUG(5, ("Created GSS Authentication Token:\n"));
- dump_data(5, auth_token->data, auth_token->length);
-
- return NT_STATUS_OK;
-}
-
/*******************************************************************
Creates NTLMSSP auth bind.
********************************************************************/
break;
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
ret = create_generic_auth_rpc_bind_req(cli, mem_ctx, &auth_token);
if (!NT_STATUS_IS_OK(ret)) {
return ret;
}
break;
- case DCERPC_AUTH_TYPE_KRB5:
- ret = create_gssapi_auth_bind_req(mem_ctx, auth, &auth_token);
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
- break;
-
case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
auth_token = data_blob_talloc(mem_ctx,
"NCALRPC_AUTH_TOKEN",
struct pipe_auth_data *pauth = state->cli->auth;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
struct ncacn_packet *pkt = NULL;
struct dcerpc_auth auth;
DATA_BLOB auth_token = data_blob_null;
return;
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(pauth->auth_ctx,
struct gensec_security);
status = gensec_update(gensec_security, state, NULL,
}
break;
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(pauth->auth_ctx,
- struct gse_context);
- status = gse_get_client_auth_token(state,
- gse_ctx,
- &auth.credentials,
- &auth_token);
- if (!NT_STATUS_IS_OK(status)) {
- break;
- }
-
- if (gse_require_more_processing(gse_ctx)) {
- status = rpc_bind_next_send(req, state, &auth_token);
- } else {
- status = rpc_bind_finish_send(req, state, &auth_token);
- }
- break;
-
default:
goto err_out;
}
return NT_STATUS_OK;
}
-/****************************************************************************
- Open a named pipe to an SMB server and bind using krb5 (bind type 16).
- The idea is this can be called with service_princ, username and password all
- NULL so long as the caller has a TGT.
- ****************************************************************************/
-
-NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
- const struct ndr_syntax_id *interface,
- enum dcerpc_transport_t transport,
- enum dcerpc_AuthLevel auth_level,
- const char *server,
- const char *username,
- const char *password,
- struct rpc_pipe_client **presult)
-{
- struct rpc_pipe_client *result;
- struct pipe_auth_data *auth;
- struct gse_context *gse_ctx;
- NTSTATUS status;
-
- status = cli_rpc_pipe_open(cli, transport, interface, &result);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- auth = talloc(result, struct pipe_auth_data);
- if (auth == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto err_out;
- }
- auth->auth_type = DCERPC_AUTH_TYPE_KRB5;
- auth->auth_level = auth_level;
-
- if (!username) {
- username = "";
- }
- auth->user_name = talloc_strdup(auth, username);
- if (!auth->user_name) {
- status = NT_STATUS_NO_MEMORY;
- goto err_out;
- }
-
- /* Fixme, should we fetch/set the Realm ? */
- auth->domain = talloc_strdup(auth, "");
- if (!auth->domain) {
- status = NT_STATUS_NO_MEMORY;
- goto err_out;
- }
-
- status = gse_init_client(auth,
- (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY),
- (auth_level == DCERPC_AUTH_LEVEL_PRIVACY),
- NULL, server, "cifs", username, password,
- GSS_C_DCE_STYLE, &gse_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("gse_init_client returned %s\n",
- nt_errstr(status)));
- goto err_out;
- }
- auth->auth_ctx = gse_ctx;
-
- status = rpc_pipe_bind(result, auth);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
- nt_errstr(status)));
- goto err_out;
- }
-
- *presult = result;
- return NT_STATUS_OK;
-
-err_out:
- TALLOC_FREE(result);
- return status;
-}
-
NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli,
const struct ndr_syntax_id *interface,
enum dcerpc_transport_t transport,
struct schannel_state *schannel_auth;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
DATA_BLOB sk = data_blob_null;
bool make_dup = false;
make_dup = false;
break;
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(a->auth_ctx,
struct gensec_security);
status = gensec_session_key(gensec_security, mem_ctx, &sk);
}
make_dup = false;
break;
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(a->auth_ctx,
- struct gse_context);
- sk = gse_get_session_key(mem_ctx, gse_ctx);
- make_dup = false;
- break;
case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
case DCERPC_AUTH_TYPE_NONE:
sk = data_blob_const(a->user_session_key.data,
return true;
}
-/*******************************************************************
- Handle a GSSAPI bind auth.
-*******************************************************************/
-
-static bool pipe_gssapi_auth_bind(struct pipes_struct *p,
- TALLOC_CTX *mem_ctx,
- struct dcerpc_auth *auth_info,
- DATA_BLOB *response)
-{
- NTSTATUS status;
- struct gse_context *gse_ctx = NULL;
-
- status = gssapi_server_auth_start(p,
- (auth_info->auth_level ==
- DCERPC_AUTH_LEVEL_INTEGRITY),
- (auth_info->auth_level ==
- DCERPC_AUTH_LEVEL_PRIVACY),
- true,
- &auth_info->credentials,
- response,
- &gse_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
- nt_errstr(status)));
- goto err;
- }
-
- /* Make sure data is bound to the memctx, to be freed the caller */
- talloc_steal(mem_ctx, response->data);
-
- p->auth.auth_ctx = gse_ctx;
- p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5;
-
- DEBUG(10, ("KRB5 auth started\n"));
-
- return true;
-
-err:
- TALLOC_FREE(gse_ctx);
- return false;
-}
-
static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
struct gse_context *gse_ctx,
const struct tsocket_address *remote_address,
switch (p->auth.auth_type) {
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
struct gensec_security);
if (!pipe_auth_generic_verify_final(p, gensec_security,
return NT_STATUS_ACCESS_DENIED;
}
break;
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
- struct gse_context);
- status = pipe_gssapi_verify_final(p, gse_ctx,
- p->remote_address,
- &p->session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("gssapi bind failed with: %s",
- nt_errstr(status)));
- return status;
- }
- break;
case DCERPC_AUTH_TYPE_SPNEGO:
spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
struct spnego_context);
break;
case DCERPC_AUTH_TYPE_KRB5:
- if (!pipe_gssapi_auth_bind(p, pkt,
- &auth_info, &auth_resp)) {
+ if (!pipe_auth_generic_bind(p, pkt,
+ &auth_info, &auth_resp)) {
goto err_exit;
}
break;
DATA_BLOB response = data_blob_null;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
NTSTATUS status;
DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
switch (auth_info.auth_type) {
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
struct gensec_security);
status = auth_generic_server_step(gensec_security,
pkt, &auth_info.credentials,
&response);
break;
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
- struct gse_context);
- status = gssapi_server_step(gse_ctx,
- pkt, &auth_info.credentials,
- &response);
- break;
case DCERPC_AUTH_TYPE_SPNEGO:
spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
struct spnego_context);
int pad_len = 0;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
break;
case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
- struct gse_context);
- status = gssapi_server_step(gse_ctx,
- pkt,
- &auth_info.credentials,
- &auth_resp);
- break;
case DCERPC_AUTH_TYPE_NTLMSSP:
gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
struct gensec_security);
}
break;
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
ntresult = cli_rpc_pipe_open_generic_auth(
cli, cmd_entry->interface,
default_transport,
get_cmdline_auth_info_domain(auth_info),
&cmd_entry->rpc_pipe);
break;
- case DCERPC_AUTH_TYPE_KRB5:
- ntresult = cli_rpc_pipe_open_krb5(
- cli, cmd_entry->interface,
- default_transport,
- pipe_default_auth_level,
- cli_state_remote_name(cli),
- NULL, NULL,
- &cmd_entry->rpc_pipe);
- break;
default:
DEBUG(0, ("Could not initialise %s. Invalid "
"auth type %u\n",
git.samba.org / metze / samba / wip.git / commitdiff