summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2005-01-10 07:14:12 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:08:35 -0500
commit5da3f75a5975c09dc1db0b1ad146acf1d5f3ae41 (patch)
treeae73c01bdac2e45686eb381f9c1d16fd401f12e4 /source4
parentf6596e4ae77c0125a1362e483aa1aedb8cf489c1 (diff)
downloadsamba-5da3f75a5975c09dc1db0b1ad146acf1d5f3ae41.tar.gz
samba-5da3f75a5975c09dc1db0b1ad146acf1d5f3ae41.tar.bz2
samba-5da3f75a5975c09dc1db0b1ad146acf1d5f3ae41.zip
r4627: - simplified the dcerpc auth code using a common function
- added support for "spnego" in binding strings. This enables SPNEGO auth in the dcerpc client code, using as many allter_context calls as are needed To try SPNEGO do this: smbtorture ncacn_ip_tcp:SERVER[spnego,seal] -Uadministrator%password RPC-SAMR (This used to be commit 9c0a3423f03111c110d21c0d3910e16aa1a8bf87)
Diffstat (limited to 'source4')
-rw-r--r--source4/librpc/rpc/dcerpc.h8
-rw-r--r--source4/librpc/rpc/dcerpc_auth.c61
-rw-r--r--source4/librpc/rpc/dcerpc_ntlm.c6
-rw-r--r--source4/librpc/rpc/dcerpc_schannel.c4
-rw-r--r--source4/librpc/rpc/dcerpc_spnego.c25
-rw-r--r--source4/librpc/rpc/dcerpc_util.c107
6 files changed, 93 insertions, 118 deletions
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 40ac18d13c..289e17fb81 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -119,17 +119,21 @@ struct dcerpc_pipe {
#define DCERPC_SCHANNEL_ANY (DCERPC_SCHANNEL_BDC| \
DCERPC_SCHANNEL_DOMAIN| \
DCERPC_SCHANNEL_WORKSTATION)
-/* use a 128 bit session key */
-#define DCERPC_SCHANNEL_128 (1<<12)
#define DCERPC_AUTH_OPTIONS (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL_ANY)
+/* use a 128 bit session key */
+#define DCERPC_SCHANNEL_128 (1<<12)
+
/* check incoming pad bytes */
#define DCERPC_DEBUG_PAD_CHECK (1<<13)
/* set LIBNDR_FLAG_REF_ALLOC flag when decoding NDR */
#define DCERPC_NDR_REF_ALLOC (1<<14)
+/* enable spnego auth */
+#define DCERPC_AUTH_SPNEGO (1<<15)
+
/*
this is used to find pointers to calls
*/
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index 4ff8fe549e..228a99d5c5 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
@@ -30,45 +30,33 @@
NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
const char *uuid, uint_t version)
{
- TALLOC_CTX *mem_ctx;
+ TALLOC_CTX *tmp_ctx = talloc_new(p);
NTSTATUS status;
- mem_ctx = talloc_init("dcerpc_bind_auth_ntlm");
- if (!mem_ctx) {
- return NT_STATUS_NO_MEMORY;
- }
-
- status = dcerpc_bind_byuuid(p, mem_ctx, uuid, version);
- talloc_destroy(mem_ctx);
+ status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
+ talloc_free(tmp_ctx);
return status;
}
-NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
+/*
+ perform a multi-part authenticated bind
+*/
+NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
const char *uuid, uint_t version)
{
NTSTATUS status;
- TALLOC_CTX *mem_ctx;
+ TALLOC_CTX *tmp_ctx = talloc_new(p);
DATA_BLOB credentials;
DATA_BLOB null_data_blob = data_blob(NULL, 0);
- mem_ctx = talloc_init("dcerpc_bind_auth");
- if (!mem_ctx) {
- return NT_STATUS_NO_MEMORY;
- }
-
if (!p->conn->security_state.generic_state) {
status = gensec_client_start(p, &p->conn->security_state.generic_state);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ if (!NT_STATUS_IS_OK(status)) goto done;
status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
auth_type, auth_level);
-
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ if (!NT_STATUS_IS_OK(status)) goto done;
}
p->conn->security_state.auth_info = talloc(p, struct dcerpc_auth);
@@ -84,34 +72,44 @@ NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t aut
p->conn->security_state.auth_info->auth_context_id = random();
p->conn->security_state.auth_info->credentials = null_data_blob;
- status = gensec_update(p->conn->security_state.generic_state, mem_ctx,
+ status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
null_data_blob,
&credentials);
-
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
goto done;
}
p->conn->security_state.auth_info->credentials = credentials;
- status = dcerpc_bind_byuuid(p, mem_ctx, uuid, version);
+ status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
- status = gensec_update(p->conn->security_state.generic_state, mem_ctx,
+ status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
p->conn->security_state.auth_info->credentials,
&credentials);
-
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
goto done;
}
- p->conn->security_state.auth_info->credentials = credentials;
-
- status = dcerpc_auth3(p->conn, mem_ctx);
+ do {
+ p->conn->security_state.auth_info->credentials = credentials;
+
+ if (auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
+ status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax);
+ if (NT_STATUS_IS_OK(status)) {
+ status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
+ p->conn->security_state.auth_info->credentials,
+ &credentials);
+ }
+ } else {
+ status = dcerpc_auth3(p->conn, tmp_ctx);
+ }
+ } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
+
done:
- talloc_destroy(mem_ctx);
+ talloc_free(tmp_ctx);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(p->conn->security_state.generic_state);
@@ -123,3 +121,4 @@ done:
return status;
}
+
diff --git a/source4/librpc/rpc/dcerpc_ntlm.c b/source4/librpc/rpc/dcerpc_ntlm.c
index 8a83cea144..39b5e1c28c 100644
--- a/source4/librpc/rpc/dcerpc_ntlm.c
+++ b/source4/librpc/rpc/dcerpc_ntlm.c
@@ -72,9 +72,9 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
return status;
}
- status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_NTLMSSP,
- dcerpc_auth_level(p->conn),
- uuid, version);
+ status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_NTLMSSP,
+ dcerpc_auth_level(p->conn),
+ uuid, version);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("Failed to bind to pipe with NTLMSSP: %s\n", nt_errstr(status)));
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 10852159a8..0e218c478f 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -448,8 +448,8 @@ NTSTATUS dcerpc_bind_auth_schannel_withkey(struct dcerpc_pipe *p,
dce_schan_state = p->conn->security_state.generic_state->private_data;
dce_schan_state->creds = talloc_reference(dce_schan_state, creds);
- status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p->conn),
- uuid, version);
+ status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p->conn),
+ uuid, version);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to bind to pipe with SCHANNEL: %s\n", nt_errstr(status)));
diff --git a/source4/librpc/rpc/dcerpc_spnego.c b/source4/librpc/rpc/dcerpc_spnego.c
index f67dd2c7cb..7290139f6e 100644
--- a/source4/librpc/rpc/dcerpc_spnego.c
+++ b/source4/librpc/rpc/dcerpc_spnego.c
@@ -24,22 +24,21 @@
#include "includes.h"
-#if 0
-/*
- metze, can you tell me what you're trying to do with this?
-*/
-
/*
do spnego style authentication on a gensec pipe
*/
NTSTATUS dcerpc_bind_auth_spnego(struct dcerpc_pipe *p,
- const char *uuid, uint_t version,
- const char *domain,
- const char *username,
- const char *password)
+ const char *uuid, uint_t version,
+ const char *domain,
+ const char *username,
+ const char *password)
{
NTSTATUS status;
+ if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
+ p->conn->flags |= DCERPC_CONNECT;
+ }
+
status = gensec_client_start(p, &p->conn->security_state.generic_state);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
@@ -84,10 +83,9 @@ NTSTATUS dcerpc_bind_auth_spnego(struct dcerpc_pipe *p,
return status;
}
- status = dcerpc_bind_alter(p, DCERPC_AUTH_TYPE_SPNEGO,
- dcerpc_auth_level(p->conn),
- uuid, version);
-
+ status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_SPNEGO,
+ dcerpc_auth_level(p->conn),
+ uuid, version);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("Failed to bind to pipe with SPNEGO: %s\n", nt_errstr(status)));
return status;
@@ -95,4 +93,3 @@ NTSTATUS dcerpc_bind_auth_spnego(struct dcerpc_pipe *p,
return status;
}
-#endif
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index 305c1c7725..534c17678d 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -176,6 +176,7 @@ static const struct {
{"sign", DCERPC_SIGN},
{"seal", DCERPC_SEAL},
{"connect", DCERPC_CONNECT},
+ {"spnego", DCERPC_AUTH_SPNEGO},
{"validate", DCERPC_DEBUG_VALIDATE_BOTH},
{"print", DCERPC_DEBUG_PRINT_BOTH},
{"padcheck", DCERPC_DEBUG_PAD_CHECK},
@@ -772,6 +773,42 @@ NTSTATUS dcerpc_epm_map_binding(TALLOC_CTX *mem_ctx, struct dcerpc_binding *bind
}
+/*
+ perform an authenticated bind if needed
+*/
+static NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
+ struct dcerpc_binding *binding,
+ const char *pipe_uuid,
+ uint32_t pipe_version,
+ const char *domain,
+ const char *username,
+ const char *password)
+{
+ NTSTATUS status;
+
+ p->conn->flags = binding->flags;
+
+ /* remember the binding string for possible secondary connections */
+ p->conn->binding_string = dcerpc_binding_string(p, binding);
+
+ if (username && username[0] && (binding->flags & DCERPC_SCHANNEL_ANY)) {
+ status = dcerpc_bind_auth_schannel(p, pipe_uuid, pipe_version,
+ domain, username, password);
+ } else if (username && username[0] && (binding->flags & DCERPC_AUTH_SPNEGO)) {
+ status = dcerpc_bind_auth_spnego(p, pipe_uuid, pipe_version, domain, username, password);
+ } else if (username && username[0]) {
+ status = dcerpc_bind_auth_ntlm(p, pipe_uuid, pipe_version, domain, username, password);
+ } else {
+ status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version);
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("Failed to bind to uuid %s - %s\n", pipe_uuid, nt_errstr(status)));
+ }
+ return status;
+}
+
+
/* open a rpc connection to a rpc pipe on SMB using the binding
structure to determine the endpoint and options */
static NTSTATUS dcerpc_pipe_connect_ncacn_np(struct dcerpc_pipe **pp,
@@ -846,24 +883,8 @@ static NTSTATUS dcerpc_pipe_connect_ncacn_np(struct dcerpc_pipe **pp,
return status;
}
- p->conn->flags = binding->flags;
-
- /* remember the binding string for possible secondary connections */
- p->conn->binding_string = dcerpc_binding_string(p, binding);
-
- if (username && username[0] && (binding->flags & DCERPC_SCHANNEL_ANY)) {
- status = dcerpc_bind_auth_schannel(p, pipe_uuid, pipe_version,
- domain, username, password);
- } else if (username && username[0] &&
- (binding->flags & (DCERPC_CONNECT|DCERPC_SIGN|DCERPC_SEAL))) {
- status = dcerpc_bind_auth_ntlm(p, pipe_uuid, pipe_version, domain, username, password);
- } else {
- status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version);
-
- }
-
+ status = dcerpc_pipe_auth(p, binding, pipe_uuid, pipe_version, domain, username, password);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("Failed to bind to uuid %s - %s\n", pipe_uuid, nt_errstr(status)));
talloc_free(p);
return status;
}
@@ -916,22 +937,8 @@ static NTSTATUS dcerpc_pipe_connect_ncalrpc(struct dcerpc_pipe **pp,
return status;
}
- p->conn->flags = binding->flags;
-
- /* remember the binding string for possible secondary connections */
- p->conn->binding_string = dcerpc_binding_string(p, binding);
-
- if (username && username[0] && (binding->flags & DCERPC_SCHANNEL_ANY)) {
- status = dcerpc_bind_auth_schannel(p, pipe_uuid, pipe_version,
- domain, username, password);
- } else if (username && username[0]) {
- status = dcerpc_bind_auth_ntlm(p, pipe_uuid, pipe_version, domain, username, password);
- } else {
- status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version);
- }
-
+ status = dcerpc_pipe_auth(p, binding, pipe_uuid, pipe_version, domain, username, password);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("Failed to bind to uuid %s - %s\n", pipe_uuid, nt_errstr(status)));
talloc_free(p);
return status;
}
@@ -977,22 +984,8 @@ static NTSTATUS dcerpc_pipe_connect_ncacn_unix_stream(struct dcerpc_pipe **pp,
return status;
}
- p->conn->flags = binding->flags;
-
- /* remember the binding string for possible secondary connections */
- p->conn->binding_string = dcerpc_binding_string(p, binding);
-
- if (username && username[0] && (binding->flags & DCERPC_SCHANNEL_ANY)) {
- status = dcerpc_bind_auth_schannel(p, pipe_uuid, pipe_version,
- domain, username, password);
- } else if (username && username[0]) {
- status = dcerpc_bind_auth_ntlm(p, pipe_uuid, pipe_version, domain, username, password);
- } else {
- status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version);
- }
-
+ status = dcerpc_pipe_auth(p, binding, pipe_uuid, pipe_version, domain, username, password);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("Failed to bind to uuid %s - %s\n", pipe_uuid, nt_errstr(status)));
talloc_free(p);
return status;
}
@@ -1047,23 +1040,8 @@ static NTSTATUS dcerpc_pipe_connect_ncacn_ip_tcp(struct dcerpc_pipe **pp,
return status;
}
- p->conn->flags = binding->flags;
-
- /* remember the binding string for possible secondary connections */
- p->conn->binding_string = dcerpc_binding_string(p, binding);
-
- if (username && username[0] && (binding->flags & DCERPC_SCHANNEL_ANY)) {
- status = dcerpc_bind_auth_schannel(p, pipe_uuid, pipe_version,
- domain, username, password);
- } else if (username && username[0]) {
- status = dcerpc_bind_auth_ntlm(p, pipe_uuid, pipe_version, domain, username, password);
- } else {
- status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version);
- }
-
+ status = dcerpc_pipe_auth(p, binding, pipe_uuid, pipe_version, domain, username, password);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("Failed to bind to uuid %s - %s\n",
- pipe_uuid, nt_errstr(status)));
talloc_free(p);
return status;
}
@@ -1171,7 +1149,6 @@ NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p, struct dcerpc_pipe *
if (!tree) {
return NT_STATUS_INVALID_PARAMETER;
}
-
status = dcerpc_pipe_open_smb((*p2)->conn, tree, pipe_name);
break;
@@ -1180,7 +1157,6 @@ NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p, struct dcerpc_pipe *
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- b.flags &= ~DCERPC_AUTH_OPTIONS;
status = dcerpc_pipe_open_tcp((*p2)->conn, b.host, atoi(b.endpoint));
break;
@@ -1189,7 +1165,6 @@ NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p, struct dcerpc_pipe *
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- b.flags &= ~DCERPC_AUTH_OPTIONS;
status = dcerpc_pipe_open_pipe((*p2)->conn, b.endpoint);
break;