summaryrefslogtreecommitdiff
path: root/source4/librpc
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2004-08-25 02:25:20 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:58:19 -0500
commitfa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc (patch)
tree608b29fcba6b323474690cd4adcc7f2a4bb5b117 /source4/librpc
parentb13a9a8f98469fffe0db4cce7e077390d35984a3 (diff)
downloadsamba-fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc.tar.gz
samba-fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc.tar.bz2
samba-fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc.zip
r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.
The bug (found by tridge) is that Win2k3 is being tighter about the NTLMSSP flags. If we don't negotiate sealing, we can't use it. We now have a way to indicate to the GENSEC implementation mechanisms what things we want for a connection. Andrew Bartlett (This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
Diffstat (limited to 'source4/librpc')
-rw-r--r--source4/librpc/rpc/dcerpc.c18
-rw-r--r--source4/librpc/rpc/dcerpc_auth.c27
-rw-r--r--source4/librpc/rpc/dcerpc_ntlm.c5
-rw-r--r--source4/librpc/rpc/dcerpc_schannel.c4
-rw-r--r--source4/librpc/rpc/dcerpc_spnego.c4
5 files changed, 32 insertions, 26 deletions
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 31db6df738..b605b4d110 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -942,3 +942,21 @@ const char *dcerpc_server_name(struct dcerpc_pipe *p)
}
return p->transport.peer_name(p);
}
+
+/*
+ a useful function to get the auth_level
+*/
+
+uint32 dcerpc_auth_level(struct dcerpc_pipe *p)
+{
+ uint8_t auth_level;
+
+ if (p->flags & DCERPC_SEAL) {
+ auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+ } else if (p->flags & DCERPC_SIGN) {
+ auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
+ } else {
+ auth_level = DCERPC_AUTH_LEVEL_NONE;
+ }
+ return auth_level;
+}
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index 43b2212d60..6ae6a80596 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
@@ -44,7 +44,7 @@ NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
return status;
}
-NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type,
+NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
const char *uuid, uint_t version)
{
NTSTATUS status;
@@ -63,7 +63,7 @@ NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type,
return status;
}
- status = gensec_start_mech_by_authtype(p->security_state.generic_state, auth_type);
+ status = gensec_start_mech_by_authtype(p->security_state.generic_state, auth_type, auth_level);
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -77,19 +77,12 @@ NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type,
}
p->security_state.auth_info->auth_type = auth_type;
+ p->security_state.auth_info->auth_level = auth_level;
p->security_state.auth_info->auth_pad_length = 0;
p->security_state.auth_info->auth_reserved = 0;
p->security_state.auth_info->auth_context_id = random();
p->security_state.auth_info->credentials = null_data_blob;
- if (p->flags & DCERPC_SEAL) {
- p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
- } else if (p->flags & DCERPC_SIGN) {
- p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
- } else {
- p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_NONE;
- }
-
status = gensec_update(p->security_state.generic_state, mem_ctx,
null_data_blob,
&credentials);
@@ -126,7 +119,7 @@ done:
return status;
}
-NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type,
+NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
const char *uuid, uint_t version)
{
NTSTATUS status;
@@ -145,7 +138,8 @@ NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type,
return status;
}
- status = gensec_start_mech_by_authtype(p->security_state.generic_state, auth_type);
+ status = gensec_start_mech_by_authtype(p->security_state.generic_state,
+ auth_type, auth_level);
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -159,19 +153,12 @@ NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type,
}
p->security_state.auth_info->auth_type = auth_type;
+ p->security_state.auth_info->auth_level = auth_level;
p->security_state.auth_info->auth_pad_length = 0;
p->security_state.auth_info->auth_reserved = 0;
p->security_state.auth_info->auth_context_id = random();
p->security_state.auth_info->credentials = null_data_blob;
- if (p->flags & DCERPC_SEAL) {
- p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
- } else if (p->flags & DCERPC_SIGN) {
- p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
- } else {
- p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_NONE;
- }
-
status = gensec_update(p->security_state.generic_state, mem_ctx,
null_data_blob,
&credentials);
diff --git a/source4/librpc/rpc/dcerpc_ntlm.c b/source4/librpc/rpc/dcerpc_ntlm.c
index 1f8dbc993e..eab80a333b 100644
--- a/source4/librpc/rpc/dcerpc_ntlm.c
+++ b/source4/librpc/rpc/dcerpc_ntlm.c
@@ -60,7 +60,7 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
return status;
}
- status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_NTLMSSP);
+ status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_NTLMSSP, dcerpc_auth_level(p));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client NTLMSSP mechanism: %s\n",
nt_errstr(status)));
@@ -68,7 +68,8 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
}
status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_NTLMSSP,
- uuid, version);
+ dcerpc_auth_level(p),
+ uuid, version);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("Failed to bind to pipe with NTLMSSP: %s\n", nt_errstr(status)));
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index b3d7048501..e7b1d08988 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -469,7 +469,7 @@ NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
return status;
}
- status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SCHANNEL);
+ status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start SCHANNEL GENSEC backend: %s\n", nt_errstr(status)));
@@ -477,7 +477,7 @@ NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
return status;
}
- status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_SCHANNEL,
+ status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p),
uuid, version);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/librpc/rpc/dcerpc_spnego.c b/source4/librpc/rpc/dcerpc_spnego.c
index 7ccc0cf422..f5e2be0da4 100644
--- a/source4/librpc/rpc/dcerpc_spnego.c
+++ b/source4/librpc/rpc/dcerpc_spnego.c
@@ -67,14 +67,14 @@ NTSTATUS dcerpc_bind_auth_spnego(struct dcerpc_pipe *p,
return status;
}
- status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SPNEGO);
+ status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SPNEGO, dcerpc_auth_level(p));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n",
nt_errstr(status)));
return status;
}
- status = dcerpc_bind_alter(p, DCERPC_AUTH_TYPE_SPNEGO,
+ status = dcerpc_bind_alter(p, DCERPC_AUTH_TYPE_SPNEGO, dcerpc_auth_level(p),
uuid, version);
if (!NT_STATUS_IS_OK(status)) {