gssapi: avoid explicit dependency on dcerpc specific structures

Signed-off-by: Günther Deschner <gd@samba.org>

source3/librpc/crypto/gse.c

@@ -89,7 +89,6 @@ struct gse_context {
 	gss_cred_id_t delegated_creds;
 	gss_name_t client_name;
 
-	bool spnego_wrap;
 	bool more_processing;
 	bool authenticated;
 };
@@ -142,8 +141,7 @@ static int gse_context_destructor(void *ptr)
 }
 
 static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
-				 enum dcerpc_AuthType auth_type,
-				 enum dcerpc_AuthLevel auth_level,
+				 bool do_sign, bool do_seal,
 				 const char *ccache_name,
 				 uint32_t add_gss_c_flags,
 				 struct gse_context **_gse_ctx)
@@ -160,32 +158,16 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
 
 	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
 
-	switch (auth_type) {
-	case DCERPC_AUTH_TYPE_SPNEGO:
-		gse_ctx->spnego_wrap = true;
-		break;
-	case DCERPC_AUTH_TYPE_KRB5:
-		gse_ctx->spnego_wrap = false;
-		break;
-	default:
-		status = NT_STATUS_INVALID_PARAMETER;
-		goto err_out;
-	}
-
 	gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
 				GSS_C_DELEG_FLAG |
 				GSS_C_DELEG_POLICY_FLAG |
 				GSS_C_REPLAY_FLAG |
 				GSS_C_SEQUENCE_FLAG;
-	switch (auth_level) {
-	case DCERPC_AUTH_LEVEL_INTEGRITY:
+	if (do_sign) {
 		gse_ctx->gss_c_flags |= GSS_C_INTEG_FLAG;
-		break;
-	case DCERPC_AUTH_LEVEL_PRIVACY:
+	}
+	if (do_seal) {
 		gse_ctx->gss_c_flags |= GSS_C_CONF_FLAG;
-		break;
-	default:
-		break;
 	}
 
 	gse_ctx->gss_c_flags |= add_gss_c_flags;
@@ -226,8 +208,7 @@ err_out:
 }
 
 NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
-			  enum dcerpc_AuthType auth_type,
-			  enum dcerpc_AuthLevel auth_level,
+			  bool do_sign, bool do_seal,
 			  const char *ccache_name,
 			  const char *server,
 			  const char *service,
@@ -246,7 +227,7 @@ NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	status = gse_context_init(mem_ctx, auth_type, auth_level,
+	status = gse_context_init(mem_ctx, do_sign, do_seal,
 				  ccache_name, add_gss_c_flags,
 				  &gse_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -357,8 +338,7 @@ done:
 }
 
 NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
-			 enum dcerpc_AuthType auth_type,
-			 enum dcerpc_AuthLevel auth_level,
+			 bool do_sign, bool do_seal,
 			 uint32_t add_gss_c_flags,
 			 const char *server,
 			 const char *keytab_name,
@@ -371,7 +351,7 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 	const char *ktname;
 	NTSTATUS status;
 
-	status = gse_context_init(mem_ctx, auth_type, auth_level,
+	status = gse_context_init(mem_ctx, do_sign, do_seal,
 				  NULL, add_gss_c_flags, &gse_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		return NT_STATUS_NO_MEMORY;
@@ -928,8 +908,7 @@ done:
 #else
 
 NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
-			  enum dcerpc_AuthType auth_type,
-			  enum dcerpc_AuthLevel auth_level,
+			  bool do_sign, bool do_seal,
 			  const char *ccache_name,
 			  const char *server,
 			  const char *service,
@@ -950,8 +929,7 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 }
 
 NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
-			 enum dcerpc_AuthType auth_type,
-			 enum dcerpc_AuthLevel auth_level,
+			 bool do_sign, bool do_seal,
 			 uint32_t add_gss_c_flags,
 			 const char *server,
 			 const char *keytab,

source3/librpc/crypto/gse.h

@@ -1,6 +1,5 @@
 /*
  *  GSSAPI Security Extensions
- *  RPC Pipe client routines
  *  Copyright (C) Simo Sorce 2010.
  *
  *  This program is free software; you can redistribute it and/or modify
@@ -27,8 +26,7 @@ struct gse_context;
 #endif
 
 NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
-			  enum dcerpc_AuthType auth_type,
-			  enum dcerpc_AuthLevel auth_level,
+			  bool do_sign, bool do_seal,
 			  const char *ccache_name,
 			  const char *server,
 			  const char *service,
@@ -42,8 +40,7 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 				   DATA_BLOB *token_out);
 
 NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
-			 enum dcerpc_AuthType auth_type,
-			 enum dcerpc_AuthLevel auth_level,
+			 bool do_sign, bool do_seal,
 			 uint32_t add_gss_c_flags,
 			 const char *server,
 			 const char *keytab,

source3/librpc/rpc/dcerpc_spnego.c

@@ -77,7 +77,9 @@ NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx,
 		return status;
 	}
 
-	status = gse_init_client(sp_ctx, DCERPC_AUTH_TYPE_KRB5, auth_level,
+	status = gse_init_client(sp_ctx,
+				 (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY),
+				 (auth_level == DCERPC_AUTH_LEVEL_PRIVACY),
 				 ccache_name, server, service,
 				 username, password, add_gss_c_flags,
 				 &sp_ctx->mech_ctx.gssapi_state);

source3/rpc_client/cli_pipe.c

@@ -3012,7 +3012,9 @@ NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
 		goto err_out;
 	}
 
-	status = gse_init_client(auth, auth->auth_type, auth->auth_level,
+	status = gse_init_client(auth,
+				 (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY),
+				 (auth_level == DCERPC_AUTH_LEVEL_PRIVACY),
 				 NULL, server, "cifs", username, password,
 				 GSS_C_DCE_STYLE, &auth->a_u.gssapi_state);
 

source3/rpc_server/srv_pipe.c

@@ -1027,8 +1027,10 @@ static bool pipe_gssapi_auth_bind(struct pipes_struct *p,
 	/* by passing NULL, the code will attempt to set a default
 	 * keytab based on configuration options */
 	status = gse_init_server(p,
-				 DCERPC_AUTH_TYPE_KRB5,
-				 auth_info->auth_level,
+				 (auth_info->auth_level ==
+						DCERPC_AUTH_LEVEL_INTEGRITY),
+				 (auth_info->auth_level ==
+						DCERPC_AUTH_LEVEL_PRIVACY),
 				 GSS_C_DCE_STYLE,
 				 NULL, NULL,
 				 &gse_ctx);