diff options
author | Andrew Bartlett <abartlet@samba.org> | 2004-08-25 02:25:20 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:58:19 -0500 |
commit | fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc (patch) | |
tree | 608b29fcba6b323474690cd4adcc7f2a4bb5b117 /source4/librpc/rpc | |
parent | b13a9a8f98469fffe0db4cce7e077390d35984a3 (diff) | |
download | samba-fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc.tar.gz samba-fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc.tar.bz2 samba-fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc.zip |
r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.
The bug (found by tridge) is that Win2k3 is being tighter about the
NTLMSSP flags. If we don't negotiate sealing, we can't use it.
We now have a way to indicate to the GENSEC implementation mechanisms
what things we want for a connection.
Andrew Bartlett
(This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
Diffstat (limited to 'source4/librpc/rpc')
-rw-r--r-- | source4/librpc/rpc/dcerpc.c | 18 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_auth.c | 27 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_ntlm.c | 5 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_schannel.c | 4 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_spnego.c | 4 |
5 files changed, 32 insertions, 26 deletions
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c index 31db6df738..b605b4d110 100644 --- a/source4/librpc/rpc/dcerpc.c +++ b/source4/librpc/rpc/dcerpc.c @@ -942,3 +942,21 @@ const char *dcerpc_server_name(struct dcerpc_pipe *p) } return p->transport.peer_name(p); } + +/* + a useful function to get the auth_level +*/ + +uint32 dcerpc_auth_level(struct dcerpc_pipe *p) +{ + uint8_t auth_level; + + if (p->flags & DCERPC_SEAL) { + auth_level = DCERPC_AUTH_LEVEL_PRIVACY; + } else if (p->flags & DCERPC_SIGN) { + auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; + } else { + auth_level = DCERPC_AUTH_LEVEL_NONE; + } + return auth_level; +} diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c index 43b2212d60..6ae6a80596 100644 --- a/source4/librpc/rpc/dcerpc_auth.c +++ b/source4/librpc/rpc/dcerpc_auth.c @@ -44,7 +44,7 @@ NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p, return status; } -NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type, +NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level, const char *uuid, uint_t version) { NTSTATUS status; @@ -63,7 +63,7 @@ NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type, return status; } - status = gensec_start_mech_by_authtype(p->security_state.generic_state, auth_type); + status = gensec_start_mech_by_authtype(p->security_state.generic_state, auth_type, auth_level); if (!NT_STATUS_IS_OK(status)) { return status; @@ -77,19 +77,12 @@ NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type, } p->security_state.auth_info->auth_type = auth_type; + p->security_state.auth_info->auth_level = auth_level; p->security_state.auth_info->auth_pad_length = 0; p->security_state.auth_info->auth_reserved = 0; p->security_state.auth_info->auth_context_id = random(); p->security_state.auth_info->credentials = null_data_blob; - if (p->flags & DCERPC_SEAL) { - p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY; - } else if (p->flags & DCERPC_SIGN) { - p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; - } else { - p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_NONE; - } - status = gensec_update(p->security_state.generic_state, mem_ctx, null_data_blob, &credentials); @@ -126,7 +119,7 @@ done: return status; } -NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type, +NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level, const char *uuid, uint_t version) { NTSTATUS status; @@ -145,7 +138,8 @@ NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type, return status; } - status = gensec_start_mech_by_authtype(p->security_state.generic_state, auth_type); + status = gensec_start_mech_by_authtype(p->security_state.generic_state, + auth_type, auth_level); if (!NT_STATUS_IS_OK(status)) { return status; @@ -159,19 +153,12 @@ NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type, } p->security_state.auth_info->auth_type = auth_type; + p->security_state.auth_info->auth_level = auth_level; p->security_state.auth_info->auth_pad_length = 0; p->security_state.auth_info->auth_reserved = 0; p->security_state.auth_info->auth_context_id = random(); p->security_state.auth_info->credentials = null_data_blob; - if (p->flags & DCERPC_SEAL) { - p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY; - } else if (p->flags & DCERPC_SIGN) { - p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; - } else { - p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_NONE; - } - status = gensec_update(p->security_state.generic_state, mem_ctx, null_data_blob, &credentials); diff --git a/source4/librpc/rpc/dcerpc_ntlm.c b/source4/librpc/rpc/dcerpc_ntlm.c index 1f8dbc993e..eab80a333b 100644 --- a/source4/librpc/rpc/dcerpc_ntlm.c +++ b/source4/librpc/rpc/dcerpc_ntlm.c @@ -60,7 +60,7 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p, return status; } - status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_NTLMSSP); + status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_NTLMSSP, dcerpc_auth_level(p)); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start set GENSEC client NTLMSSP mechanism: %s\n", nt_errstr(status))); @@ -68,7 +68,8 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p, } status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_NTLMSSP, - uuid, version); + dcerpc_auth_level(p), + uuid, version); if (!NT_STATUS_IS_OK(status)) { DEBUG(2, ("Failed to bind to pipe with NTLMSSP: %s\n", nt_errstr(status))); diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c index b3d7048501..e7b1d08988 100644 --- a/source4/librpc/rpc/dcerpc_schannel.c +++ b/source4/librpc/rpc/dcerpc_schannel.c @@ -469,7 +469,7 @@ NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p, return status; } - status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SCHANNEL); + status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p)); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start SCHANNEL GENSEC backend: %s\n", nt_errstr(status))); @@ -477,7 +477,7 @@ NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p, return status; } - status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_SCHANNEL, + status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p), uuid, version); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/librpc/rpc/dcerpc_spnego.c b/source4/librpc/rpc/dcerpc_spnego.c index 7ccc0cf422..f5e2be0da4 100644 --- a/source4/librpc/rpc/dcerpc_spnego.c +++ b/source4/librpc/rpc/dcerpc_spnego.c @@ -67,14 +67,14 @@ NTSTATUS dcerpc_bind_auth_spnego(struct dcerpc_pipe *p, return status; } - status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SPNEGO); + status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SPNEGO, dcerpc_auth_level(p)); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n", nt_errstr(status))); return status; } - status = dcerpc_bind_alter(p, DCERPC_AUTH_TYPE_SPNEGO, + status = dcerpc_bind_alter(p, DCERPC_AUTH_TYPE_SPNEGO, dcerpc_auth_level(p), uuid, version); if (!NT_STATUS_IS_OK(status)) { |