diff options
author | Simo Sorce <idra@samba.org> | 2010-02-18 10:19:09 -0500 |
---|---|---|
committer | Simo Sorce <idra@samba.org> | 2010-02-23 12:46:50 -0500 |
commit | b4c9dc3724b5c34661b6986e81af2dc6c191dde9 (patch) | |
tree | 5b151492b580daaafa96eefb2f5bfa9faaa5ba69 /source3/rpc_server | |
parent | 61b7a24f16c9d3a3c41df19ac7073571164eb47a (diff) | |
download | samba-b4c9dc3724b5c34661b6986e81af2dc6c191dde9.tar.gz samba-b4c9dc3724b5c34661b6986e81af2dc6c191dde9.tar.bz2 samba-b4c9dc3724b5c34661b6986e81af2dc6c191dde9.zip |
s3:schannel more readable check logic
Make the initial schannel check logic more understandable.
Make it easy to define different policies depending on ther caller's security
requirements (Integrity/Privacy/Both/None)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 44 |
1 files changed, 39 insertions, 5 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 71463c28ad..769936ca20 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -766,6 +766,36 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p, } /************************************************************************* + * If schannel is required for this call test that it actually is available. + *************************************************************************/ +static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info, + const char *computer_name, + bool integrity, bool privacy) +{ + if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) { + if (!privacy && !integrity) { + return NT_STATUS_OK; + } + + if ((!privacy && integrity) && + auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { + return NT_STATUS_OK; + } + + if ((privacy || integrity) && + auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { + return NT_STATUS_OK; + } + } + + /* test didn't pass */ + DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n", + computer_name)); + + return NT_STATUS_ACCESS_DENIED; +} + +/************************************************************************* *************************************************************************/ static NTSTATUS netr_creds_server_step_check(pipes_struct *p, @@ -778,9 +808,15 @@ static NTSTATUS netr_creds_server_step_check(pipes_struct *p, NTSTATUS status; struct tdb_context *tdb; bool schannel_global_required = (lp_server_schannel() == true) ? true:false; - bool schannel_in_use = (p->auth.auth_type == PIPE_AUTH_TYPE_SCHANNEL) ? true:false; /* && - (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY || - p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY); */ + + if (schannel_global_required) { + status = schannel_check_required(&p->auth, + computer_name, + false, false); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + } tdb = open_schannel_session_store(mem_ctx); if (!tdb) { @@ -789,8 +825,6 @@ static NTSTATUS netr_creds_server_step_check(pipes_struct *p, status = schannel_creds_server_step_check_tdb(tdb, mem_ctx, computer_name, - schannel_global_required, - schannel_in_use, received_authenticator, return_authenticator, creds_out); |