summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2004-06-04 09:46:46 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:56:25 -0500
commit5165fec02e0e489ac63c3cb71bed31dea9fde644 (patch)
treef253af775d6151ef9e3eb5d01973f2f177febd19 /source4
parentb0d4ed741f9fcb31ef124c1375db13cd6874131e (diff)
downloadsamba-5165fec02e0e489ac63c3cb71bed31dea9fde644.tar.gz
samba-5165fec02e0e489ac63c3cb71bed31dea9fde644.tar.bz2
samba-5165fec02e0e489ac63c3cb71bed31dea9fde644.zip
r1004: continue tridge's work on dcerpc server auth/crypto code
I made it much more generic, and we should be able to add a module interface to this code, so that other DCERPC_AUTH types can be added via modules... metze (This used to be commit d09abeb686c43c62322205689273d1b417113004)
Diffstat (limited to 'source4')
-rw-r--r--source4/rpc_server/config.mk1
-rw-r--r--source4/rpc_server/dcerpc_server.c9
-rw-r--r--source4/rpc_server/dcerpc_server.h23
-rw-r--r--source4/rpc_server/dcesrv_auth.c17
-rw-r--r--source4/rpc_server/dcesrv_crypto.c83
-rw-r--r--source4/rpc_server/dcesrv_crypto_ntlmssp.c139
6 files changed, 231 insertions, 41 deletions
diff --git a/source4/rpc_server/config.mk b/source4/rpc_server/config.mk
index 4f8b4796fd..d532256c10 100644
--- a/source4/rpc_server/config.mk
+++ b/source4/rpc_server/config.mk
@@ -123,6 +123,7 @@ ADD_OBJ_FILES = \
rpc_server/dcerpc_tcp.o \
rpc_server/dcesrv_auth.o \
rpc_server/dcesrv_crypto.o \
+ rpc_server/dcesrv_crypto_ntlmssp.o \
rpc_server/handles.o
#
# End SUBSYSTEM DCERPC
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index fd806c5289..2c0db15081 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -268,8 +268,9 @@ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
(*p)->cli_max_recv_frag = 0;
(*p)->handles = NULL;
(*p)->partial_input = data_blob(NULL, 0);
- (*p)->auth_state.crypto_state = NULL;
(*p)->auth_state.auth_info = NULL;
+ (*p)->auth_state.crypto_ctx.private_data = NULL;
+ (*p)->auth_state.crypto_ctx.ops = NULL;
(*p)->session_key = data_blob(NULL, 0);
return NT_STATUS_OK;
@@ -326,7 +327,11 @@ void dcesrv_endpoint_disconnect(struct dcesrv_connection *p)
while (p->handles) {
dcesrv_handle_destroy(p, p->handles);
}
-
+
+ if (p->auth_state.crypto_ctx.ops) {
+ p->auth_state.crypto_ctx.ops->end(&p->auth_state);
+ }
+
talloc_destroy(p->mem_ctx);
}
diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index bdda8f252f..44726b5828 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -45,6 +45,7 @@ struct dcesrv_ep_description {
struct dcesrv_connection;
struct dcesrv_call_state;
+struct dcesrv_auth;
/* the dispatch functions for an interface take this form */
typedef NTSTATUS (*dcesrv_dispatch_fn_t)(struct dcesrv_call_state *, TALLOC_CTX *, void *);
@@ -93,10 +94,30 @@ struct dcesrv_handle {
void (*destroy)(struct dcesrv_connection *, struct dcesrv_handle *);
};
+struct dcesrv_cyrpto_ops {
+ const char *name;
+ uint8 auth_type;
+ NTSTATUS (*start)(struct dcesrv_auth *auth);
+ NTSTATUS (*update)(struct dcesrv_auth *auth, TALLOC_CTX *out_mem_ctx,
+ const DATA_BLOB in, DATA_BLOB *out);
+ NTSTATUS (*seal)(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx,
+ uint8_t *data, size_t length, DATA_BLOB *sig);
+ NTSTATUS (*sign)(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx,
+ const uint8_t *data, size_t length, DATA_BLOB *sig);
+ NTSTATUS (*check_sig)(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx,
+ const uint8_t *data, size_t length, const DATA_BLOB *sig);
+ NTSTATUS (*unseal)(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx,
+ uint8_t *data, size_t length, DATA_BLOB *sig);
+ void (*end)(struct dcesrv_auth *auth);
+};
+
/* hold the authentication state information */
struct dcesrv_auth {
- void *crypto_state;
struct dcerpc_auth *auth_info;
+ struct {
+ void *private_data;
+ const struct dcesrv_cyrpto_ops *ops;
+ } crypto_ctx;
};
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 7aa296c245..df1a820039 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -51,11 +51,16 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call)
return False;
}
- status = dcesrv_crypto_startup(dce_conn, &dce_conn->auth_state);
+ status = dcesrv_crypto_select_type(dce_conn, &dce_conn->auth_state);
if (!NT_STATUS_IS_OK(status)) {
return False;
}
-
+
+ status = dcesrv_crypto_start(&dce_conn->auth_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ return False;
+ }
+
return True;
}
@@ -67,7 +72,7 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet *
struct dcesrv_connection *dce_conn = call->conn;
NTSTATUS status;
- if (!call->conn->auth_state.crypto_state) {
+ if (!call->conn->auth_state.crypto_ctx.ops) {
return True;
}
@@ -98,7 +103,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call)
NTSTATUS status;
if (!dce_conn->auth_state.auth_info ||
- !dce_conn->auth_state.crypto_state ||
+ !dce_conn->auth_state.crypto_ctx.ops ||
pkt->u.auth.auth_info.length == 0) {
return False;
}
@@ -138,7 +143,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call)
NTSTATUS status;
if (!dce_conn->auth_state.auth_info ||
- !dce_conn->auth_state.crypto_state) {
+ !dce_conn->auth_state.crypto_ctx.ops) {
return True;
}
@@ -213,7 +218,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
struct ndr_push *ndr;
/* non-signed packets are simple */
- if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.crypto_state) {
+ if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.crypto_ctx.ops) {
status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL);
return NT_STATUS_IS_OK(status);
}
diff --git a/source4/rpc_server/dcesrv_crypto.c b/source4/rpc_server/dcesrv_crypto.c
index f9e109abd2..11956fe3be 100644
--- a/source4/rpc_server/dcesrv_crypto.c
+++ b/source4/rpc_server/dcesrv_crypto.c
@@ -4,6 +4,7 @@
server side dcerpc authentication code - crypto support
Copyright (C) Andrew Tridgell 2004
+ Copyright (C) Stefan (metze) Metzmacher 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -30,10 +31,9 @@
/*
startup the cryptographic side of an authenticated dcerpc server
*/
-NTSTATUS dcesrv_crypto_startup(struct dcesrv_connection *dce_conn,
+NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn,
struct dcesrv_auth *auth)
{
- struct auth_ntlmssp_state *ntlmssp = NULL;
NTSTATUS status;
if (auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY &&
@@ -43,20 +43,34 @@ NTSTATUS dcesrv_crypto_startup(struct dcesrv_connection *dce_conn,
return NT_STATUS_INVALID_PARAMETER;
}
+ if (auth->crypto_ctx.ops != NULL) {
+ /* TODO:
+ * this this function should not be called
+ * twice per dcesrv_connection!
+ *
+ * so we need to find out the right
+ * dcerpc error to return
+ */
+ }
+
+ /*
+ * TODO:
+ * maybe a dcesrv_crypto_find_backend_by_type() whould be better here
+ * to make thinks more generic
+ */
switch (auth->auth_info->auth_type) {
-/*
- case DCERPC_AUTH_TYPE_SCHANNEL:
- return auth_schannel_start();
-*/
+/* case DCERPC_AUTH_TYPE_SCHANNEL:
+ status = dcesrv_crypto_schannel_get_ops(dce_conn, auth);
+ break;
+*/
case DCERPC_AUTH_TYPE_NTLMSSP:
- status = auth_ntlmssp_start(&ntlmssp);
- auth->crypto_state = ntlmssp;
+ status = dcesrv_crypto_ntlmssp_get_ops(dce_conn, auth);
break;
default:
DEBUG(2,("dcesrv auth_type %d not supported\n", auth->auth_info->auth_type));
- status = NT_STATUS_INVALID_PARAMETER;
+ return NT_STATUS_INVALID_PARAMETER;
}
DEBUG(4,("dcesrv_crypto_startup: %s\n", nt_errstr(status)));
@@ -65,58 +79,63 @@ NTSTATUS dcesrv_crypto_startup(struct dcesrv_connection *dce_conn,
}
/*
+ start crypto state
+*/
+NTSTATUS dcesrv_crypto_start(struct dcesrv_auth *auth)
+{
+ return auth->crypto_ctx.ops->start(auth);
+}
+
+/*
update crypto state
*/
NTSTATUS dcesrv_crypto_update(struct dcesrv_auth *auth,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
{
- struct auth_ntlmssp_state *ntlmssp = auth->crypto_state;
-
- return ntlmssp_update(ntlmssp->ntlmssp_state, out_mem_ctx, in, out);
+ return auth->crypto_ctx.ops->update(auth, out_mem_ctx, in, out);
}
-
/*
seal a packet
*/
-NTSTATUS dcesrv_crypto_seal(struct dcesrv_auth *auth,
- TALLOC_CTX *sig_mem_ctx, uint8_t *data, size_t length, DATA_BLOB *sig)
+NTSTATUS dcesrv_crypto_seal(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx,
+ uint8_t *data, size_t length, DATA_BLOB *sig)
{
- struct auth_ntlmssp_state *ntlmssp = auth->crypto_state;
-
- return ntlmssp_seal_packet(ntlmssp->ntlmssp_state, sig_mem_ctx, data, length, sig);
+ return auth->crypto_ctx.ops->seal(auth, sig_mem_ctx, data, length, sig);
}
/*
sign a packet
*/
-NTSTATUS dcesrv_crypto_sign(struct dcesrv_auth *auth,
- TALLOC_CTX *sig_mem_ctx, const uint8_t *data, size_t length, DATA_BLOB *sig)
+NTSTATUS dcesrv_crypto_sign(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx,
+ const uint8_t *data, size_t length, DATA_BLOB *sig)
{
- struct auth_ntlmssp_state *ntlmssp = auth->crypto_state;
-
- return ntlmssp_sign_packet(ntlmssp->ntlmssp_state, sig_mem_ctx, data, length, sig);
+ return auth->crypto_ctx.ops->sign(auth, sig_mem_ctx, data, length, sig);
}
/*
check a packet signature
*/
-NTSTATUS dcesrv_crypto_check_sig(struct dcesrv_auth *auth,
- TALLOC_CTX *sig_mem_ctx, const uint8_t *data, size_t length, const DATA_BLOB *sig)
+NTSTATUS dcesrv_crypto_check_sig(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx,
+ const uint8_t *data, size_t length, const DATA_BLOB *sig)
{
- struct auth_ntlmssp_state *ntlmssp = auth->crypto_state;
-
- return ntlmssp_check_packet(ntlmssp->ntlmssp_state, sig_mem_ctx, data, length, sig);
+ return auth->crypto_ctx.ops->check_sig(auth, sig_mem_ctx, data, length, sig);
}
/*
unseal a packet
*/
-NTSTATUS dcesrv_crypto_unseal(struct dcesrv_auth *auth,
- TALLOC_CTX *sig_mem_ctx, uint8_t *data, size_t length, DATA_BLOB *sig)
+NTSTATUS dcesrv_crypto_unseal(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx,
+ uint8_t *data, size_t length, DATA_BLOB *sig)
{
- struct auth_ntlmssp_state *ntlmssp = auth->crypto_state;
+ return auth->crypto_ctx.ops->unseal(auth, sig_mem_ctx, data, length, sig);
+}
- return ntlmssp_unseal_packet(ntlmssp->ntlmssp_state, sig_mem_ctx, data, length, sig);
+/*
+ end crypto state
+*/
+void dcesrv_crypto_end(struct dcesrv_auth *auth)
+{
+ auth->crypto_ctx.ops->end(auth);
}
diff --git a/source4/rpc_server/dcesrv_crypto_ntlmssp.c b/source4/rpc_server/dcesrv_crypto_ntlmssp.c
new file mode 100644
index 0000000000..b894f0f25d
--- /dev/null
+++ b/source4/rpc_server/dcesrv_crypto_ntlmssp.c
@@ -0,0 +1,139 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ server side dcerpc authentication code - NTLMSSP auth/crypto code
+
+ Copyright (C) Andrew Tridgell 2004
+ Copyright (C) Stefan (metze) Metzmacher 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+/*
+ this provides a crypto interface to the various backends (such as
+ NTLMSSP and SCHANNEL) for the rpc server code
+*/
+
+#include "includes.h"
+
+
+/*
+ start crypto state
+*/
+static NTSTATUS dcesrv_crypto_ntlmssp_start(struct dcesrv_auth *auth)
+{
+ struct auth_ntlmssp_state *ntlmssp = NULL;
+ NTSTATUS status;
+
+ status = auth_ntlmssp_start(&ntlmssp);
+
+ auth->crypto_ctx.private_data = ntlmssp;
+
+ return status;
+}
+
+/*
+ update crypto state
+*/
+static NTSTATUS dcesrv_crypto_ntlmssp_update(struct dcesrv_auth *auth, TALLOC_CTX *out_mem_ctx,
+ const DATA_BLOB in, DATA_BLOB *out)
+{
+ struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data;
+
+ return ntlmssp_update(auth_ntlmssp_state->ntlmssp_state, out_mem_ctx, in, out);
+}
+
+/*
+ seal a packet
+*/
+static NTSTATUS dcesrv_crypto_ntlmssp_seal(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx,
+ uint8_t *data, size_t length, DATA_BLOB *sig)
+{
+ struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data;
+
+ return ntlmssp_seal_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, sig);
+}
+
+/*
+ sign a packet
+*/
+static NTSTATUS dcesrv_crypto_ntlmssp_sign(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx,
+ const uint8_t *data, size_t length, DATA_BLOB *sig)
+{
+ struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data;
+
+ return ntlmssp_sign_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, sig);
+}
+
+/*
+ check a packet signature
+*/
+static NTSTATUS dcesrv_crypto_ntlmssp_check_sig(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx,
+ const uint8_t *data, size_t length, const DATA_BLOB *sig)
+{
+ struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data;
+
+ return ntlmssp_check_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, sig);
+}
+
+/*
+ unseal a packet
+*/
+static NTSTATUS dcesrv_crypto_ntlmssp_unseal(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx,
+ uint8_t *data, size_t length, DATA_BLOB *sig)
+{
+ struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data;
+
+ return ntlmssp_unseal_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, sig);
+}
+
+/*
+ end crypto state
+*/
+static void dcesrv_crypto_ntlmssp_end(struct dcesrv_auth *auth)
+{
+ struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data;
+
+ auth->crypto_ctx.private_data = NULL;
+
+ auth_ntlmssp_end(&auth_ntlmssp_state);
+
+ return;
+}
+
+static const struct dcesrv_cyrpto_ops dcesrv_crypto_ntlmssp_ops = {
+ .name = "ntlmssp",
+ .auth_type = DCERPC_AUTH_TYPE_NTLMSSP,
+ .start = dcesrv_crypto_ntlmssp_start,
+ .update = dcesrv_crypto_ntlmssp_update,
+ .seal = dcesrv_crypto_ntlmssp_seal,
+ .sign = dcesrv_crypto_ntlmssp_sign,
+ .check_sig = dcesrv_crypto_ntlmssp_check_sig,
+ .unseal = dcesrv_crypto_ntlmssp_unseal,
+ .end = dcesrv_crypto_ntlmssp_end
+};
+
+/*
+ startup the cryptographic side of an authenticated dcerpc server
+*/
+NTSTATUS dcesrv_crypto_ntlmssp_get_ops(struct dcesrv_connection *dce_conn,
+ struct dcesrv_auth *auth)
+{
+ NTSTATUS status = NT_STATUS_OK;
+
+ auth->crypto_ctx.ops = &dcesrv_crypto_ntlmssp_ops;
+
+ return status;
+}