diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-01-10 10:48:19 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:08:37 -0500 |
commit | 7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b (patch) | |
tree | 380cf934d5d65d5ef2af720d381252efc6056c26 | |
parent | 047d41cc490c05dd07eeab29913b3f2882887678 (diff) | |
download | samba-7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b.tar.gz samba-7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b.tar.bz2 samba-7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b.zip |
r4635: Fix NTLMSSP to return NT_STATUS_OK when it has constructed the auth
token in the client (the final token in the negotiation).
Consequential fixes in the SPNEGO code, which now uses the out.length
as the indicator of 'I need to send something to the other side'.
Merge the NTLM and SPNEGO DCE-RPC authentication routines in the client.
Fix the RPC-MULTIBIND test consequent to this merge.
Andrew Bartlett
(This used to be commit 43e3516fc03008e97ebb4ad1a0cde464303f43c6)
-rw-r--r-- | source4/libcli/auth/ntlmssp.c | 5 | ||||
-rw-r--r-- | source4/libcli/auth/spnego.c | 61 | ||||
-rw-r--r-- | source4/librpc/config.mk | 2 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_auth.c | 105 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_ntlm.c | 85 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_spnego.c | 95 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_util.c | 14 | ||||
-rw-r--r-- | source4/torture/rpc/bind.c | 13 |
8 files changed, 146 insertions, 234 deletions
diff --git a/source4/libcli/auth/ntlmssp.c b/source4/libcli/auth/ntlmssp.c index 7f4a86e274..a9fb66d41e 100644 --- a/source4/libcli/auth/ntlmssp.c +++ b/source4/libcli/auth/ntlmssp.c @@ -1257,13 +1257,14 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, ntlmssp_state->expected_state = NTLMSSP_DONE; - if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) { + nt_status = ntlmssp_sign_init(ntlmssp_state); + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status))); return nt_status; } - return NT_STATUS_MORE_PROCESSING_REQUIRED; + return nt_status; } NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx, struct ntlmssp_state **ntlmssp_state) diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c index 31dd5aa47d..84bd7ce42c 100644 --- a/source4/libcli/auth/spnego.c +++ b/source4/libcli/auth/spnego.c @@ -685,24 +685,34 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } if (spnego_state->no_response_expected) { - nt_status = NT_STATUS_OK; + if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) { + DEBUG(1,("gensec_update ok but not accepted\n")); + nt_status = NT_STATUS_INVALID_PARAMETER; + } else { + nt_status = NT_STATUS_OK; + } } else { nt_status = gensec_update(spnego_state->sub_sec_security, out_mem_ctx, spnego.negTokenTarg.responseToken, &unwrapped_out); - } - - - if (NT_STATUS_IS_OK(nt_status) - && (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) { - DEBUG(1,("gensec_update ok but not accepted\n")); - nt_status = NT_STATUS_INVALID_PARAMETER; + + if (NT_STATUS_IS_OK(nt_status)) { + spnego_state->no_response_expected = True; + } } spnego_free_data(&spnego); - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) + && !NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("SPNEGO(%s) login failed: %s\n", + spnego_state->sub_sec_security->ops->name, + nt_errstr(nt_status))); + return nt_status; + } + + if (unwrapped_out.length) { /* compose reply */ spnego_out.type = SPNEGO_NEG_TOKEN_TARG; spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT; @@ -716,30 +726,21 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } spnego_state->state_position = SPNEGO_CLIENT_TARG; - } else if (NT_STATUS_IS_OK(nt_status)) { + nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + } else { + /* all done - server has accepted, and we agree */ - - if (unwrapped_out.length) { - spnego_out.type = SPNEGO_NEG_TOKEN_TARG; - spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT; - spnego_out.negTokenTarg.supportedMech = NULL; - spnego_out.negTokenTarg.responseToken = unwrapped_out; - spnego_out.negTokenTarg.mechListMIC = null_data_blob; - - if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { - DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n")); - return NT_STATUS_INVALID_PARAMETER; - } - } else { - *out = null_data_blob; - } + *out = null_data_blob; - spnego_state->state_position = SPNEGO_DONE; - } else { - DEBUG(1, ("SPNEGO(%s) login failed: %s\n", - spnego_state->sub_sec_security->ops->name, - nt_errstr(nt_status))); + if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) { + /* unless of course it did not accept */ + DEBUG(1,("gensec_update ok but not accepted\n")); + nt_status = NT_STATUS_INVALID_PARAMETER; + } } + + spnego_state->state_position = SPNEGO_DONE; + return nt_status; } case SPNEGO_DONE: diff --git a/source4/librpc/config.mk b/source4/librpc/config.mk index 61eb0d5a00..3fbd5dadbc 100644 --- a/source4/librpc/config.mk +++ b/source4/librpc/config.mk @@ -23,8 +23,6 @@ ADD_OBJ_FILES = \ librpc/rpc/dcerpc_util.o \ librpc/rpc/dcerpc_error.o \ librpc/rpc/dcerpc_schannel.o \ - librpc/rpc/dcerpc_ntlm.o \ - librpc/rpc/dcerpc_spnego.o \ librpc/rpc/dcerpc_smb.o \ librpc/rpc/dcerpc_sock.o REQUIRED_SUBSYSTEMS = SOCKET diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c index 228a99d5c5..1c73bde6e4 100644 --- a/source4/librpc/rpc/dcerpc_auth.c +++ b/source4/librpc/rpc/dcerpc_auth.c @@ -5,7 +5,7 @@ Copyright (C) Andrew Tridgell 2003 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004 - + Copyright (C) Stefan Metzmacher 2004 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -86,27 +86,33 @@ NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth goto done; } - status = gensec_update(p->conn->security_state.generic_state, tmp_ctx, - p->conn->security_state.auth_info->credentials, - &credentials); - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - goto done; - } + while (1) { + status = gensec_update(p->conn->security_state.generic_state, tmp_ctx, + p->conn->security_state.auth_info->credentials, + &credentials); + if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + break; + } - do { - p->conn->security_state.auth_info->credentials = credentials; + if (!credentials.length) { + break; + } + p->conn->security_state.auth_info->credentials = credentials; + if (auth_type == DCERPC_AUTH_TYPE_SPNEGO) { status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax); - if (NT_STATUS_IS_OK(status)) { - status = gensec_update(p->conn->security_state.generic_state, tmp_ctx, - p->conn->security_state.auth_info->credentials, - &credentials); + if (!NT_STATUS_IS_OK(status)) { + break; } } else { status = dcerpc_auth3(p->conn, tmp_ctx); + credentials = data_blob(NULL, 0); + if (!NT_STATUS_IS_OK(status)) { + break; + } } - } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)); + }; done: talloc_free(tmp_ctx); @@ -122,3 +128,74 @@ done: return status; } +/* + setup GENSEC on a DCE-RPC pipe +*/ +NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p, + const char *uuid, uint_t version, + const char *domain, + const char *username, + const char *password, + uint8_t auth_type) +{ + NTSTATUS status; + + if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) { + p->conn->flags |= DCERPC_CONNECT; + } + + status = gensec_client_start(p, &p->conn->security_state.generic_state); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status))); + return status; + } + + status = gensec_set_domain(p->conn->security_state.generic_state, domain); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n", + domain, nt_errstr(status))); + return status; + } + + status = gensec_set_username(p->conn->security_state.generic_state, username); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n", + username, nt_errstr(status))); + return status; + } + + status = gensec_set_password(p->conn->security_state.generic_state, password); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC client password: %s\n", + nt_errstr(status))); + return status; + } + + status = gensec_set_target_hostname(p->conn->security_state.generic_state, + p->conn->transport.peer_name(p->conn)); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n", + nt_errstr(status))); + return status; + } + + status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state, + auth_type, + dcerpc_auth_level(p->conn)); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n", + gensec_get_name_by_authtype(auth_type), nt_errstr(status))); + return status; + } + + status = dcerpc_bind_auth(p, auth_type, + dcerpc_auth_level(p->conn), + uuid, version); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(2, ("Failed to bind to pipe with %s: %s\n", + gensec_get_name_by_authtype(auth_type), nt_errstr(status))); + return status; + } + + return status; +} diff --git a/source4/librpc/rpc/dcerpc_ntlm.c b/source4/librpc/rpc/dcerpc_ntlm.c deleted file mode 100644 index 39b5e1c28c..0000000000 --- a/source4/librpc/rpc/dcerpc_ntlm.c +++ /dev/null @@ -1,85 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - dcerpc authentication operations - - Copyright (C) Andrew Tridgell 2003 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -/* - do ntlm style authentication on a gensec pipe -*/ -NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p, - const char *uuid, uint_t version, - const char *domain, - const char *username, - const char *password) -{ - NTSTATUS status; - - if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) { - p->conn->flags |= DCERPC_CONNECT; - } - - status = gensec_client_start(p, &p->conn->security_state.generic_state); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status))); - return status; - } - - status = gensec_set_domain(p->conn->security_state.generic_state, domain); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n", - domain, nt_errstr(status))); - return status; - } - - status = gensec_set_username(p->conn->security_state.generic_state, username); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n", - username, nt_errstr(status))); - return status; - } - - status = gensec_set_password(p->conn->security_state.generic_state, password); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client password: %s\n", - nt_errstr(status))); - return status; - } - - status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state, - DCERPC_AUTH_TYPE_NTLMSSP, dcerpc_auth_level(p->conn)); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client NTLMSSP mechanism: %s\n", - nt_errstr(status))); - return status; - } - - status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_NTLMSSP, - dcerpc_auth_level(p->conn), - uuid, version); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(2, ("Failed to bind to pipe with NTLMSSP: %s\n", nt_errstr(status))); - return status; - } - - return status; -} diff --git a/source4/librpc/rpc/dcerpc_spnego.c b/source4/librpc/rpc/dcerpc_spnego.c deleted file mode 100644 index 7290139f6e..0000000000 --- a/source4/librpc/rpc/dcerpc_spnego.c +++ /dev/null @@ -1,95 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - dcerpc authentication operations - - Copyright (C) Stefan Metzmacher 2004 - Copyright (C) Andrew Tridgell 2003-2005 - Copyright (C) Andrew Bartlett 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -/* - do spnego style authentication on a gensec pipe -*/ -NTSTATUS dcerpc_bind_auth_spnego(struct dcerpc_pipe *p, - const char *uuid, uint_t version, - const char *domain, - const char *username, - const char *password) -{ - NTSTATUS status; - - if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) { - p->conn->flags |= DCERPC_CONNECT; - } - - status = gensec_client_start(p, &p->conn->security_state.generic_state); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status))); - return status; - } - - status = gensec_set_domain(p->conn->security_state.generic_state, domain); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n", - domain, nt_errstr(status))); - return status; - } - - status = gensec_set_username(p->conn->security_state.generic_state, username); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n", - username, nt_errstr(status))); - return status; - } - - status = gensec_set_password(p->conn->security_state.generic_state, password); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client password: %s\n", - nt_errstr(status))); - return status; - } - - status = gensec_set_target_hostname(p->conn->security_state.generic_state, - p->conn->transport.peer_name(p->conn)); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n", - nt_errstr(status))); - return status; - } - - status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state, - DCERPC_AUTH_TYPE_SPNEGO, - dcerpc_auth_level(p->conn)); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n", - nt_errstr(status))); - return status; - } - - status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_SPNEGO, - dcerpc_auth_level(p->conn), - uuid, version); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(2, ("Failed to bind to pipe with SPNEGO: %s\n", nt_errstr(status))); - return status; - } - - return status; -} diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index 992368777c..b815f5317d 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -785,7 +785,6 @@ static NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p, const char *password) { NTSTATUS status; - p->conn->flags = binding->flags; /* remember the binding string for possible secondary connections */ @@ -794,10 +793,17 @@ static NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p, if (username && username[0] && (binding->flags & DCERPC_SCHANNEL_ANY)) { status = dcerpc_bind_auth_schannel(p, pipe_uuid, pipe_version, domain, username, password); - } else if (username && username[0] && (binding->flags & DCERPC_AUTH_SPNEGO)) { - status = dcerpc_bind_auth_spnego(p, pipe_uuid, pipe_version, domain, username, password); } else if (username && username[0]) { - status = dcerpc_bind_auth_ntlm(p, pipe_uuid, pipe_version, domain, username, password); + uint8_t auth_type; + if (binding->flags & DCERPC_AUTH_SPNEGO) { + auth_type = DCERPC_AUTH_TYPE_SPNEGO; + } else { + auth_type = DCERPC_AUTH_TYPE_NTLMSSP; + } + + status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version, + domain, username, password, + auth_type); } else { status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version); } diff --git a/source4/torture/rpc/bind.c b/source4/torture/rpc/bind.c index 61093d6a89..fe0e29521a 100644 --- a/source4/torture/rpc/bind.c +++ b/source4/torture/rpc/bind.c @@ -72,8 +72,17 @@ BOOL torture_multi_bind(void) if (username && username[0] && (binding->flags & DCERPC_SCHANNEL_ANY)) { status = dcerpc_bind_auth_schannel(p, pipe_uuid, pipe_version, domain, username, password); - } else if (username && username[0] && (binding->flags & (DCERPC_SIGN | DCERPC_SEAL))) { - status = dcerpc_bind_auth_ntlm(p, pipe_uuid, pipe_version, domain, username, password); + } else if (username && username[0]) { + uint8_t auth_type; + if (binding->flags & DCERPC_AUTH_SPNEGO) { + auth_type = DCERPC_AUTH_TYPE_SPNEGO; + } else { + auth_type = DCERPC_AUTH_TYPE_NTLMSSP; + } + + status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version, + domain, username, password, + auth_type); } else { status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version); } |