diff options
-rw-r--r-- | source4/librpc/rpc/dcerpc.c | 9 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_auth.c | 332 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_schannel.c | 6 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_util.c | 6 | ||||
-rw-r--r-- | source4/torture/rpc/schannel.c | 20 | ||||
-rw-r--r-- | source4/winbind/wb_connect_lsa.c | 11 | ||||
-rw-r--r-- | source4/winbind/wb_connect_sam.c | 11 | ||||
-rw-r--r-- | source4/winbind/wb_init_domain.c | 12 |
8 files changed, 229 insertions, 178 deletions
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c index c7f337de99..ee06d6e2be 100644 --- a/source4/librpc/rpc/dcerpc.c +++ b/source4/librpc/rpc/dcerpc.c @@ -743,10 +743,9 @@ NTSTATUS dcerpc_auth3(struct dcerpc_connection *c, } -NTSTATUS dcerpc_init_syntaxes(const char *uuid, +NTSTATUS dcerpc_init_syntaxes(const char *uuid, uint_t version, struct dcerpc_syntax_id *syntax, - struct dcerpc_syntax_id *transfer_syntax, - uint_t version) + struct dcerpc_syntax_id *transfer_syntax) { NTSTATUS status; @@ -772,8 +771,8 @@ NTSTATUS dcerpc_bind_byuuid(struct dcerpc_pipe *p, struct dcerpc_syntax_id transfer_syntax; NTSTATUS status; - status = dcerpc_init_syntaxes(uuid, &syntax, &transfer_syntax, - version); + status = dcerpc_init_syntaxes(uuid, version, + &syntax, &transfer_syntax); if (!NT_STATUS_IS_OK(status)) { DEBUG(2,("Invalid uuid string in dcerpc_bind_byuuid\n")); return status; diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c index 117112c197..29ab80da7a 100644 --- a/source4/librpc/rpc/dcerpc_auth.c +++ b/source4/librpc/rpc/dcerpc_auth.c @@ -42,8 +42,8 @@ struct composite_context *dcerpc_bind_auth_none_send(TALLOC_CTX *mem_ctx, c = talloc_zero(mem_ctx, struct composite_context); if (c == NULL) return NULL; - c->status = dcerpc_init_syntaxes(uuid, &syntax, &transfer_syntax, - version); + c->status = dcerpc_init_syntaxes(uuid, version, + &syntax, &transfer_syntax); if (!NT_STATUS_IS_OK(c->status)) { DEBUG(2,("Invalid uuid string in " "dcerpc_bind_auth_none_send\n")); @@ -70,173 +70,227 @@ NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p, return dcerpc_bind_auth_none_recv(ctx); } -/* - perform a multi-part authenticated bind -*/ -static NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level, - const char *uuid, uint_t version) -{ - NTSTATUS status; - TALLOC_CTX *tmp_ctx = talloc_new(p); +struct bind_auth_state { + struct dcerpc_pipe *pipe; DATA_BLOB credentials; - DATA_BLOB null_data_blob = data_blob(NULL, 0); + BOOL more_processing; +}; - int num_passes = 0; +static void bind_auth_recv_alter(struct composite_context *creq); - if (!p->conn->security_state.generic_state) { - status = gensec_client_start(p, &p->conn->security_state.generic_state, - p->conn->event_ctx); - if (!NT_STATUS_IS_OK(status)) goto done; +static void bind_auth_next_step(struct composite_context *c) +{ + struct bind_auth_state *state = + talloc_get_type(c->private_data, struct bind_auth_state); + struct dcerpc_security *sec = &state->pipe->conn->security_state; + struct composite_context *creq; + BOOL more_processing = False; + + c->status = gensec_update(sec->generic_state, state, + sec->auth_info->credentials, + &state->credentials); + + if (NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + more_processing = True; + c->status = NT_STATUS_OK; + } + + if (!composite_is_ok(c)) return; - status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state, - auth_type, auth_level); - if (!NT_STATUS_IS_OK(status)) goto done; + if (state->credentials.length == 0) { + composite_done(c); + return; } - p->conn->security_state.auth_info = talloc(p, struct dcerpc_auth); - if (!p->conn->security_state.auth_info) { - status = NT_STATUS_NO_MEMORY; - goto done; + sec->auth_info->credentials = state->credentials; + + if (!more_processing) { + /* NO reply expected, so just send it */ + c->status = dcerpc_auth3(state->pipe->conn, state); + if (!composite_is_ok(c)) return; + composite_done(c); + return; } - p->conn->security_state.auth_info->auth_type = auth_type; - p->conn->security_state.auth_info->auth_level = auth_level; - p->conn->security_state.auth_info->auth_pad_length = 0; - p->conn->security_state.auth_info->auth_reserved = 0; - p->conn->security_state.auth_info->auth_context_id = random(); - p->conn->security_state.auth_info->credentials = null_data_blob; - - while (1) { - num_passes++; - status = gensec_update(p->conn->security_state.generic_state, tmp_ctx, - p->conn->security_state.auth_info->credentials, - &credentials); - - /* The status value here, from GENSEC is vital to the security - * of the system. Even if the other end accepts, if GENSEC - * claims 'MORE_PROCESSING_REQUIRED' then you must keep - * feeding it blobs, or else the remote host/attacker might - * avoid mutal authentication requirements. - * - * Likewise, you must not feed GENSEC too much (after the OK), - * it doesn't like that either - */ - - if (!NT_STATUS_IS_OK(status) - && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DEBUG(1, ("Failed DCERPC client gensec_update with mechanism %s: %s\n", - gensec_get_name_by_authtype(auth_type), nt_errstr(status))); - - break; - } + creq = dcerpc_alter_context_send(state->pipe, state, + &state->pipe->syntax, + &state->pipe->transfer_syntax); + composite_continue(c, creq, bind_auth_recv_alter, c); +} - if (!credentials.length) { - break; - } +static void bind_auth_recv_alter(struct composite_context *creq) +{ + struct composite_context *c = + talloc_get_type(creq->async.private_data, + struct composite_context); - p->conn->security_state.auth_info->credentials = credentials; - - if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - if (num_passes == 1) { - status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version); - } else { - /* We are demanding a reply, so use a request that will get us one */ - status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax); - } - if (!NT_STATUS_IS_OK(status)) { - break; - } - } else if (NT_STATUS_IS_OK(status)) { - /* NO reply expected, so just send it */ - if (num_passes == 1) { - status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version); - } else { - status = dcerpc_auth3(p->conn, tmp_ctx); - } - break; - } else { - break; - } - }; + c->status = dcerpc_alter_context_recv(creq); + if (!composite_is_ok(c)) return; -done: - talloc_free(tmp_ctx); + bind_auth_next_step(c); +} - if (!NT_STATUS_IS_OK(status)) { - talloc_free(p->conn->security_state.generic_state); - ZERO_STRUCT(p->conn->security_state); - } else { - /* Authenticated connections use the generic session key */ - p->conn->security_state.session_key = dcerpc_generic_session_key; +static void bind_auth_recv_bindreply(struct composite_context *creq) +{ + struct composite_context *c = + talloc_get_type(creq->async.private_data, + struct composite_context); + struct bind_auth_state *state = + talloc_get_type(c->private_data, struct bind_auth_state); + + c->status = dcerpc_bind_recv(creq); + if (!composite_is_ok(c)) return; + + if (!state->more_processing) { + composite_done(c); + return; } - return status; + bind_auth_next_step(c); } -/* - setup GENSEC on a DCE-RPC pipe -*/ -NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p, - const char *uuid, uint_t version, - struct cli_credentials *credentials, - uint8_t auth_type, - const char *service) +static struct composite_context *dcerpc_bind_auth_send(struct dcerpc_pipe *p, + TALLOC_CTX *mem_ctx, + const char *uuid, uint_t version, + struct cli_credentials *credentials, + uint8_t auth_type, + const char *service) { - NTSTATUS status; + struct composite_context *c, *creq; + struct bind_auth_state *state; + struct dcerpc_security *sec; + + struct dcerpc_syntax_id syntax, transfer_syntax; + + c = talloc_zero(mem_ctx, struct composite_context); + if (c == NULL) return NULL; - if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) { - p->conn->flags |= DCERPC_CONNECT; + state = talloc(c, struct bind_auth_state); + if (state == NULL) { + c->status = NT_STATUS_NO_MEMORY; + goto failed; } - status = gensec_client_start(p, &p->conn->security_state.generic_state, - p->conn->event_ctx); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status))); - return status; + c->state = COMPOSITE_STATE_IN_PROGRESS; + c->private_data = state; + c->event_ctx = p->conn->event_ctx; + + state->pipe = p; + + c->status = dcerpc_init_syntaxes(uuid, version, + &syntax, + &transfer_syntax); + if (!NT_STATUS_IS_OK(c->status)) goto failed; + + sec = &p->conn->security_state; + + c->status = gensec_client_start(p, &sec->generic_state, + p->conn->event_ctx); + if (!NT_STATUS_IS_OK(c->status)) { + DEBUG(1, ("Failed to start GENSEC client mode: %s\n", + nt_errstr(c->status))); + goto failed; } - status = gensec_set_credentials(p->conn->security_state.generic_state, - credentials); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client credentails: %s\n", - nt_errstr(status))); - return status; + c->status = gensec_set_credentials(sec->generic_state, credentials); + if (!NT_STATUS_IS_OK(c->status)) { + DEBUG(1, ("Failed to set GENSEC client credentails: %s\n", + nt_errstr(c->status))); + goto failed; } - status = gensec_set_target_hostname(p->conn->security_state.generic_state, - p->conn->transport.peer_name(p->conn)); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n", - nt_errstr(status))); - return status; + c->status = gensec_set_target_hostname( + sec->generic_state, p->conn->transport.peer_name(p->conn)); + if (!NT_STATUS_IS_OK(c->status)) { + DEBUG(1, ("Failed to set GENSEC target hostname: %s\n", + nt_errstr(c->status))); + goto failed; } - if (service) { - status = gensec_set_target_service(p->conn->security_state.generic_state, service); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC target service: %s\n", - nt_errstr(status))); - return status; + if (service != NULL) { + c->status = gensec_set_target_service(sec->generic_state, + service); + if (!NT_STATUS_IS_OK(c->status)) { + DEBUG(1, ("Failed to set GENSEC target service: %s\n", + nt_errstr(c->status))); + goto failed; } } - status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state, - auth_type, - dcerpc_auth_level(p->conn)); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n", - gensec_get_name_by_authtype(auth_type), nt_errstr(status))); - return status; + c->status = gensec_start_mech_by_authtype(sec->generic_state, + auth_type, + dcerpc_auth_level(p->conn)); + if (!NT_STATUS_IS_OK(c->status)) { + DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n", + gensec_get_name_by_authtype(auth_type), + nt_errstr(c->status))); + goto failed; + } + + sec->auth_info = talloc(p, struct dcerpc_auth); + if (sec->auth_info == NULL) { + c->status = NT_STATUS_NO_MEMORY; + goto failed; + } + + sec->auth_info->auth_type = auth_type; + sec->auth_info->auth_level = dcerpc_auth_level(p->conn); + sec->auth_info->auth_pad_length = 0; + sec->auth_info->auth_reserved = 0; + sec->auth_info->auth_context_id = random(); + sec->auth_info->credentials = data_blob(NULL, 0); + + c->status = gensec_update(sec->generic_state, state, + sec->auth_info->credentials, + &state->credentials); + if (!NT_STATUS_IS_OK(c->status) && + !NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + goto failed; + } + + state->more_processing = + NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED); + + if (state->credentials.length == 0) { + composite_trigger_done(c); + return c; } - - status = dcerpc_bind_auth(p, auth_type, - dcerpc_auth_level(p->conn), - uuid, version); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(2, ("Failed to bind to pipe with %s: %s\n", - gensec_get_name_by_authtype(auth_type), nt_errstr(status))); - return status; + + sec->auth_info->credentials = state->credentials; + + creq = dcerpc_bind_send(p, state, &syntax, &transfer_syntax); + if (creq == NULL) { + c->status = NT_STATUS_NO_MEMORY; + goto failed; } - return status; + creq->async.fn = bind_auth_recv_bindreply; + creq->async.private_data = c; + return c; + + failed: + composite_trigger_error(c); + return c; +} + +static NTSTATUS dcerpc_bind_auth_recv(struct composite_context *creq) +{ + NTSTATUS result = composite_wait(creq); + talloc_free(creq); + return result; +} + +/* + setup GENSEC on a DCE-RPC pipe +*/ +NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, + const char *uuid, uint_t version, + struct cli_credentials *credentials, + uint8_t auth_type, + const char *service) +{ + struct composite_context *creq; + creq = dcerpc_bind_auth_send(p, p, uuid, version, credentials, + auth_type, service); + return dcerpc_bind_auth_recv(creq); } diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c index ae4ce94269..e9e31f294f 100644 --- a/source4/librpc/rpc/dcerpc_schannel.c +++ b/source4/librpc/rpc/dcerpc_schannel.c @@ -158,8 +158,8 @@ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx, return status; } - return dcerpc_bind_auth_password(p, uuid, version, - credentials, DCERPC_AUTH_TYPE_SCHANNEL, - NULL); + return dcerpc_bind_auth(p, uuid, version, + credentials, DCERPC_AUTH_TYPE_SCHANNEL, + NULL); } diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index ef510f4afc..400a8b5e21 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -985,9 +985,9 @@ NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p, auth_type = DCERPC_AUTH_TYPE_NTLMSSP; } - status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version, - credentials, auth_type, - binding->authservice); + status = dcerpc_bind_auth(p, pipe_uuid, pipe_version, + credentials, auth_type, + binding->authservice); } else { status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version); } diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index 4b9c4a8235..338a71d27b 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -214,11 +214,11 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx, goto failed; } - status = dcerpc_bind_auth_password(p_netlogon, - DCERPC_NETLOGON_UUID, - DCERPC_NETLOGON_VERSION, - credentials, DCERPC_AUTH_TYPE_SCHANNEL, - NULL); + status = dcerpc_bind_auth(p_netlogon, + DCERPC_NETLOGON_UUID, + DCERPC_NETLOGON_VERSION, + credentials, DCERPC_AUTH_TYPE_SCHANNEL, + NULL); if (!NT_STATUS_IS_OK(status)) { goto failed; @@ -249,11 +249,11 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx, goto failed; } - status = dcerpc_bind_auth_password(p_lsa, - DCERPC_LSARPC_UUID, - DCERPC_LSARPC_VERSION, - credentials, DCERPC_AUTH_TYPE_SCHANNEL, - NULL); + status = dcerpc_bind_auth(p_lsa, + DCERPC_LSARPC_UUID, + DCERPC_LSARPC_VERSION, + credentials, DCERPC_AUTH_TYPE_SCHANNEL, + NULL); if (!NT_STATUS_IS_OK(status)) { goto failed; diff --git a/source4/winbind/wb_connect_lsa.c b/source4/winbind/wb_connect_lsa.c index 779bcb60a2..d5222a6854 100644 --- a/source4/winbind/wb_connect_lsa.c +++ b/source4/winbind/wb_connect_lsa.c @@ -106,12 +106,11 @@ static void init_lsa_recv_pipe(struct composite_context *ctx) } state->lsa_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); state->ctx->status = - dcerpc_bind_auth_password(state->lsa_pipe, - DCERPC_LSARPC_UUID, - DCERPC_LSARPC_VERSION, - state->creds, - state->auth_type, - NULL); + dcerpc_bind_auth(state->lsa_pipe, + DCERPC_LSARPC_UUID, + DCERPC_LSARPC_VERSION, + state->creds, state->auth_type, + NULL); break; default: state->ctx->status = NT_STATUS_INTERNAL_ERROR; diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 2ce189a5c7..c806a6688b 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -113,12 +113,11 @@ static void connect_samr_recv_pipe(struct composite_context *ctx) } state->samr_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); state->ctx->status = - dcerpc_bind_auth_password(state->samr_pipe, - DCERPC_SAMR_UUID, - DCERPC_SAMR_VERSION, - state->creds, - state->auth_type, - NULL); + dcerpc_bind_auth(state->samr_pipe, + DCERPC_SAMR_UUID, + DCERPC_SAMR_VERSION, + state->creds, state->auth_type, + NULL); break; default: state->ctx->status = NT_STATUS_INTERNAL_ERROR; diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c index 21ea668043..fff3212cd9 100644 --- a/source4/winbind/wb_init_domain.c +++ b/source4/winbind/wb_init_domain.c @@ -215,12 +215,12 @@ static void init_domain_recv_netlogonpipe(struct composite_context *ctx) state->domain->netlogon_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); state->ctx->status = - dcerpc_bind_auth_password(state->domain->netlogon_pipe, - DCERPC_NETLOGON_UUID, - DCERPC_NETLOGON_VERSION, - state->domain->schannel_creds, - DCERPC_AUTH_TYPE_SCHANNEL, - NULL); + dcerpc_bind_auth(state->domain->netlogon_pipe, + DCERPC_NETLOGON_UUID, + DCERPC_NETLOGON_VERSION, + state->domain->schannel_creds, + DCERPC_AUTH_TYPE_SCHANNEL, + NULL); if (!composite_is_ok(state->ctx)) return; ctx = wb_connect_lsa_send(state, state->conn.out.tree, |