From 1818612830576419889ff5702d5e85fa63ddb121 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 3 Jan 2012 21:54:49 +1100 Subject: [PATCH] s3-librpc Remove special case for spnego dcerpc sign/seal SPNEGO is implemented only in terms of gensec mechanisms now. Andrew Bartlett Signed-off-by: Stefan Metzmacher --- source3/librpc/rpc/dcerpc_helpers.c | 110 +++++----------------------- 1 file changed, 18 insertions(+), 92 deletions(-) diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c index 5a50f2b24a9e..212c98fb1a04 100644 --- a/source3/librpc/rpc/dcerpc_helpers.c +++ b/source3/librpc/rpc/dcerpc_helpers.c @@ -543,92 +543,6 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx, } } -/******************************************************************* - Create and add the spnego-negotiated sign/seal auth data. - ********************************************************************/ - -static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx, - enum dcerpc_AuthLevel auth_level, - DATA_BLOB *rpc_out) -{ - DATA_BLOB auth_blob; - DATA_BLOB rpc_data; - NTSTATUS status; - - if (!spnego_ctx) { - return NT_STATUS_INVALID_PARAMETER; - } - - rpc_data = data_blob_const(rpc_out->data - + DCERPC_RESPONSE_LENGTH, - rpc_out->length - - DCERPC_RESPONSE_LENGTH - - DCERPC_AUTH_TRAILER_LENGTH); - - switch (auth_level) { - case DCERPC_AUTH_LEVEL_PRIVACY: - /* Data portion is encrypted. */ - status = spnego_seal(rpc_out->data, spnego_ctx, - &rpc_data, rpc_out, &auth_blob); - break; - - if (!NT_STATUS_IS_OK(status)) { - return status; - } - break; - - case DCERPC_AUTH_LEVEL_INTEGRITY: - /* Data is signed. */ - status = spnego_sign(rpc_out->data, spnego_ctx, - &rpc_data, rpc_out, &auth_blob); - break; - - if (!NT_STATUS_IS_OK(status)) { - return status; - } - break; - - default: - /* Can't happen. */ - smb_panic("bad auth level"); - /* Notreached. */ - return NT_STATUS_INVALID_PARAMETER; - } - - /* Finally attach the blob. */ - if (!data_blob_append(NULL, rpc_out, - auth_blob.data, auth_blob.length)) { - DEBUG(0, ("Failed to add %u bytes auth blob.\n", - (unsigned int)auth_blob.length)); - return NT_STATUS_NO_MEMORY; - } - data_blob_free(&auth_blob); - - return NT_STATUS_OK; -} - -static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx, - struct spnego_context *sp_ctx, - enum dcerpc_AuthLevel auth_level, - DATA_BLOB *data, DATA_BLOB *full_pkt, - DATA_BLOB *auth_token) -{ - switch (auth_level) { - case DCERPC_AUTH_LEVEL_PRIVACY: - /* Data portion is encrypted. */ - return spnego_unseal(mem_ctx, sp_ctx, - data, full_pkt, auth_token); - - case DCERPC_AUTH_LEVEL_INTEGRITY: - /* Data is signed. */ - return spnego_sigcheck(mem_ctx, sp_ctx, - data, full_pkt, auth_token); - - default: - return NT_STATUS_INVALID_PARAMETER; - } -} - /** * @brief Append an auth footer according to what is the current mechanism * @@ -694,8 +608,14 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth, case DCERPC_AUTH_TYPE_SPNEGO: spnego_ctx = talloc_get_type_abort(auth->auth_ctx, struct spnego_context); - status = add_spnego_auth_footer(spnego_ctx, - auth->auth_level, rpc_out); + status = spnego_get_negotiated_mech(spnego_ctx, &gensec_security); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = add_generic_auth_footer(gensec_security, + auth->auth_level, + rpc_out); break; case DCERPC_AUTH_TYPE_KRB5: case DCERPC_AUTH_TYPE_NTLMSSP: @@ -810,10 +730,16 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, case DCERPC_AUTH_TYPE_SPNEGO: spnego_ctx = talloc_get_type_abort(auth->auth_ctx, struct spnego_context); - status = get_spnego_auth_footer(pkt, spnego_ctx, - auth->auth_level, - &data, &full_pkt, - &auth_info.credentials); + status = spnego_get_negotiated_mech(spnego_ctx, &gensec_security); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = get_generic_auth_footer(gensec_security, + auth->auth_level, + &data, &full_pkt, + &auth_info.credentials); + if (!NT_STATUS_IS_OK(status)) { return status; } -- 2.34.1