author | Andrew Tridgell <tridge@samba.org> | 2004-09-25 07:25:51 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:59:12 -0500 |
commit | 642ba4bfeee9951957287647628fa82269a318b1 (patch) | |
tree | b235192d584c043bb592a499c167d4906b6b1cdb /source4/rpc_server | |
parent | 4fa2904290e2c345eae76ad66fc284b76eccd5f8 (diff) | |
r2614: support CONNECT level DCE/RPC security in both client and
server. CONNECT security uses NTLMSSP, but does not do any signing or
sealing (or equivalently, it's like signing, but with a zero-filled
checksum).
(This used to be commit f4660857bc708db7f5aa7487bf7ab04bffe68928)
Diffstat (limited to 'source4/rpc_server')
-rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 43 |
1 files changed, 41 insertions, 2 deletions
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index e2a798c1ae..bfdf557bdf 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -31,7 +31,8 @@ NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn,
 {
 NTSTATUS status;
 if (auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY &&
- auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+ auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY &&
+ auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_CONNECT) {
 DEBUG(2,("auth_level %d not supported in dcesrv auth\n", auth->auth_info->auth_level));
 return NT_STATUS_INVALID_PARAMETER;
@@ -191,6 +192,34 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call)
 return True;
 }
+
+/*
+ generate a CONNECT level verifier
+*/
+static NTSTATUS dcesrv_connect_verifier(TALLOC_CTX *mem_ctx, DATA_BLOB *blob)
+{
+ *blob = data_blob_talloc(mem_ctx, NULL, 16);
+ if (blob->data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ SIVAL(blob->data, 0, 1);
+ memset(blob->data+4, 0, 12);
+ return NT_STATUS_OK;
+}
+
+/*
+ generate a CONNECT level verifier
+*/
+static NTSTATUS dcesrv_check_connect_verifier(DATA_BLOB *blob)
+{
+ if (blob->length != 16 ||
+ IVAL(blob->data, 0) != 1) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ return NT_STATUS_OK;
+}
+
+
 /* check credentials on a request */
@@ -260,6 +289,10 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
 &auth.credentials);
 break;
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ status = dcesrv_check_connect_verifier(&auth.credentials);
+ break;
+
 default:
 status = NT_STATUS_INVALID_LEVEL;
 break;
@@ -340,7 +373,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
 payload_length, blob->data, blob->length - dce_conn->auth_state.auth_info->credentials.length,
- &dce_conn->auth_state.auth_info->credentials);
+ &dce_conn->auth_state.auth_info->credentials);
 break;
 case DCERPC_AUTH_LEVEL_INTEGRITY:
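Review bot: The widened condition in dcesrv_crypto_select_type accepts DCERPC_AUTH_LEVEL_CONNECT for every caller, and nothing in the hunk lets a deployment that requires signed or sealed traffic refuse it. As the commit message says, CONNECT authenticates with NTLMSSP but does no signing or sealing, so PDUs after the bind carry no integrity protection. I would at least record that on the condition, e.g. `/* CONNECT: bind is authenticated, later PDUs are neither signed nor sealed */`, and consider gating the new level on server policy if such a setting exists elsewhere in the tree. The function body continues outside the hunk.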
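Review bot: dcesrv_check_connect_verifier accepts any 16-byte blob whose first 32-bit word is 1, so it validates the shape of the trailer and gives no assurance about who sent the PDU; the comment above it is also a copy of the one on dcesrv_connect_verifier and still reads "generate". Suggested replacement: `/* check a CONNECT level verifier: format check only, no integrity or origin assurance */`. The generator zero-fills bytes 4..15 but the checker never looks at them; if peers are expected to send zeros there, comparing those 12 bytes as well would make the two functions symmetric, though whether other implementations always zero-fill is not visible from this page.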
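Review bot: The new `case DCERPC_AUTH_LEVEL_CONNECT:` in dcesrv_auth_request makes the weakest check selectable per request, and the switch expression lies outside the hunk, so it is not visible whether the level comes from the state negotiated at bind or from the auth trailer of the incoming PDU. If it is the trailer, a connection bound at INTEGRITY or PRIVACY could be handed a request marked CONNECT and pass with the constant verifier. Worth confirming that the request's level is compared with the bound level before the switch, along the lines of `if (auth.auth_level != dce_conn->auth_state.auth_info->auth_level) return False;` — the field names are inferred from the other hunks and the return value from the BOOL signature, so adjust to the real code.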
@@ -353,6 +386,12 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
 &dce_conn->auth_state.auth_info->credentials);
 break;
+
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ status = dcesrv_connect_verifier(call->mem_ctx,
+ &dce_conn->auth_state.auth_info->credentials);
+ break;
+
 default:
 status = NT_STATUS_INVALID_LEVEL;
 break; |
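Review bot: In the new CONNECT case of dcesrv_auth_response the verifier is allocated on `call->mem_ctx` but stored through `&dce_conn->auth_state.auth_info->credentials`, which is connection-scoped state. If the call's context is freed when the call completes, the connection is left pointing at freed memory until the next response overwrites it, and the context of the preceding hunk (-340) shows `credentials.length` being read from that same field. The neighbouring cases pass the same destination, so this may be an existing convention, but a comment such as `/* credentials is only valid until call->mem_ctx is freed */`, or allocating on a connection-lifetime context, would make the lifetime explicit. The switch starts and ends outside the hunk.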