authorAndrew Tridgell <tridge@samba.org>2004-09-25 07:25:51 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:59:12 -0500
commit642ba4bfeee9951957287647628fa82269a318b1 (patch)
treeb235192d584c043bb592a499c167d4906b6b1cdb /source4/rpc_server
parent4fa2904290e2c345eae76ad66fc284b76eccd5f8 (diff)
r2614: support CONNECT level DCE/RPC security in both client and
server. CONNECT security uses NTLMSSP, but does not do any signing or sealing (or equivalently, it's like signing, but with a zero-filled checksum). (This used to be commit f4660857bc708db7f5aa7487bf7ab04bffe68928)
Diffstat (limited to 'source4/rpc_server')
-rw-r--r--source4/rpc_server/dcesrv_auth.c43
1 files changed, 41 insertions, 2 deletions
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index e2a798c1ae..bfdf557bdf 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -31,7 +31,8 @@ NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn,
{
NTSTATUS status;
if (auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY &&
- auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+ auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY &&
+ auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_CONNECT) {
DEBUG(2,("auth_level %d not supported in dcesrv auth\n",
auth->auth_info->auth_level));
return NT_STATUS_INVALID_PARAMETER;
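Review bot: Nothing beside the widened check in dcesrv_crypto_select_type records that DCERPC_AUTH_LEVEL_CONNECT gives weaker protection than the two levels already accepted. Per the commit message it authenticates with NTLMSSP but neither signs nor seals, so a comment above the `if` would help the next reader, e.g. `/* CONNECT: NTLMSSP authenticates the bind only; later PDUs are neither signed nor sealed */`. It may also be worth deciding whether a server should be able to refuse this level by configuration; no such setting is visible in this hunk. The function body continues outside the hunk.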
@@ -191,6 +192,34 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call)
return True;
}
+
+/*
+ generate a CONNECT level verifier
+*/
+static NTSTATUS dcesrv_connect_verifier(TALLOC_CTX *mem_ctx, DATA_BLOB *blob)
+{
+ *blob = data_blob_talloc(mem_ctx, NULL, 16);
+ if (blob->data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ SIVAL(blob->data, 0, 1);
+ memset(blob->data+4, 0, 12);
+ return NT_STATUS_OK;
+}
+
+/*
+ generate a CONNECT level verifier
+*/
+static NTSTATUS dcesrv_check_connect_verifier(DATA_BLOB *blob)
+{
+ if (blob->length != 16 ||
+ IVAL(blob->data, 0) != 1) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ return NT_STATUS_OK;
+}
+
+
/*
check credentials on a request
*/
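Review bot: The comment above dcesrv_check_connect_verifier is a copy of the one on dcesrv_connect_verifier and says "generate" where the function validates; it should read `check a CONNECT level verifier`. The check accepts any 16-byte blob whose first word is 1 and never looks at the 12 bytes that the generator zero-fills, so if the format is meant to be as fixed as the commit message describes, bytes 4 to 15 should be compared against zero as well. The literals 16, 1 and 12 are repeated across both functions and would be safer as shared named constants. Either comment should also state that the verifier is a constant pattern, not a checksum over the PDU, so that nobody later relies on it for integrity.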
@@ -260,6 +289,10 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
&auth.credentials);
break;
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ status = dcesrv_check_connect_verifier(&auth.credentials);
+ break;
+
default:
status = NT_STATUS_INVALID_LEVEL;
break;
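Review bot: The new `case DCERPC_AUTH_LEVEL_CONNECT:` in dcesrv_auth_request hands only `auth.credentials` to the check, so nothing derived from the request body is verified on this path. The switch expression is outside the hunk; it is worth confirming that it is keyed on the level fixed at bind time and not on a level field taken from the incoming auth trailer, since otherwise a connection bound at INTEGRITY or PRIVACY could have a request accepted on the fixed verifier alone. If the bound level is what is switched on, a comment such as `/* CONNECT: no per-PDU protection, verifier is a fixed pattern */` on the new case would make that explicit.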
@@ -340,7 +373,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
payload_length,
blob->data,
blob->length - dce_conn->auth_state.auth_info->credentials.length,
- &dce_conn->auth_state.auth_info->credentials);
+ &dce_conn->auth_state.auth_info->credentials);
break;
case DCERPC_AUTH_LEVEL_INTEGRITY:
@@ -353,6 +386,12 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
&dce_conn->auth_state.auth_info->credentials);
break;
+
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ status = dcesrv_connect_verifier(call->mem_ctx,
+ &dce_conn->auth_state.auth_info->credentials);
+ break;
+
default:
status = NT_STATUS_INVALID_LEVEL;
break;
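Review bot: In the CONNECT branch of dcesrv_auth_response the verifier is allocated on `call->mem_ctx` (dcesrv_connect_verifier calls `data_blob_talloc(mem_ctx, NULL, 16)`) but the resulting blob is stored in `dce_conn->auth_state.auth_info->credentials`, which belongs to the connection. If the call context is released before the connection, as the names suggest, the connection state keeps a pointer to freed memory until the next response overwrites it. Either reset the blob once the response has been built or add a comment stating that `credentials` is only valid for the duration of the call. The code after the switch is outside the hunk, so this may already be handled there.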