Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/rpc_handles.c3
-rw-r--r--source3/rpc_server/srv_lsa_nt.c4
-rw-r--r--source3/rpc_server/srv_netlog_nt.c6
-rw-r--r--source3/rpc_server/srv_pipe.c47
-rw-r--r--source3/rpc_server/srv_samr_nt.c4
5 files changed, 35 insertions, 29 deletions
diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
index 57a3cd44eb..481bb56ee7 100644
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -321,7 +321,8 @@ bool pipe_access_check(struct pipes_struct *p)
if (lp_restrict_anonymous() > 0) {
/* schannel, so we must be ok */
- if (p->pipe_bound && (p->auth.auth_type == PIPE_AUTH_TYPE_SCHANNEL)) {
+ if (p->pipe_bound &&
+ (p->auth.auth_type == DCERPC_AUTH_TYPE_SCHANNEL)) {
return True;
}
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 0dc3cbc5a5..10ea1e3b97 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -1040,7 +1040,7 @@ NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
struct lsa_LookupSids2 q;
/* No policy handle on this call. Restrict to crypto connections. */
- if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;
@@ -1323,7 +1323,7 @@ NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
struct lsa_LookupNames3 q;
/* No policy handle on this call. Restrict to crypto connections. */
- if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index e7b4718f01..56b5027958 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -961,7 +961,7 @@ static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
const char *computer_name,
bool integrity, bool privacy)
{
- if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) {
+ if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
if (!privacy && !integrity) {
return NT_STATUS_OK;
}
@@ -1419,7 +1419,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
memcpy(pipe_session_key, creds->session_key, 16);
} else {
/* Get the pipe session key from the schannel. */
- if ((p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL)
+ if ((p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL)
|| (p->auth.a_u.schannel_auth == NULL)) {
return NT_STATUS_INVALID_HANDLE;
}
@@ -1535,7 +1535,7 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
}
/* Only allow this if the pipe is protected. */
- if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index ae6c12710e..6f79d3c815 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -112,8 +112,6 @@ static DATA_BLOB generic_session_key(void)
********************************************************************/
static bool create_next_packet(struct pipes_struct *p,
- enum dcerpc_AuthType auth_type,
- enum dcerpc_AuthLevel auth_level,
size_t auth_length,
size_t *_pad_len)
{
@@ -225,8 +223,6 @@ static bool create_next_packet(struct pipes_struct *p,
bool create_next_pdu(struct pipes_struct *p)
{
- enum dcerpc_AuthType auth_type =
- map_pipe_auth_type_to_rpc_auth_type(p->auth.auth_type);
size_t auth_len = 0;
size_t pad_len = 0;
NTSTATUS status;
@@ -255,12 +251,18 @@ bool create_next_pdu(struct pipes_struct *p)
case DCERPC_AUTH_LEVEL_PRIVACY:
switch(p->auth.auth_type) {
- case PIPE_AUTH_TYPE_NTLMSSP:
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ auth_len = NTLMSSP_SIG_SIZE;
+ break;
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ if (p->auth.spnego_type !=
+ PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ goto err_out;
+ }
auth_len = NTLMSSP_SIG_SIZE;
break;
- case PIPE_AUTH_TYPE_SCHANNEL:
+ case DCERPC_AUTH_TYPE_SCHANNEL:
auth_len = NL_AUTH_SIGNATURE_SIZE;
break;
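Review bot: The new `DCERPC_AUTH_TYPE_SPNEGO` case jumps to `err_out` for any `spnego_type` other than `PIPE_AUTH_TYPE_SPNEGO_NTLMSSP` without logging anything, so a failure here cannot be told apart in the logs from the other paths that reach `err_out`. A line such as `DEBUG(0, ("create_next_pdu: unsupported SPNEGO type %u\n", (unsigned int)p->auth.spnego_type));` before the `goto` would make it diagnosable. The two NTLMSSP cases now repeat `auth_len = NTLMSSP_SIG_SIZE;`, and a one-line comment saying that SPNEGO is only handled when it wraps NTLMSSP would explain why. The switch continues outside this hunk.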
@@ -274,9 +276,7 @@ bool create_next_pdu(struct pipes_struct *p)
goto err_out;
}
- ret = create_next_packet(p, auth_type,
- p->auth.auth_level,
- auth_len, &pad_len);
+ ret = create_next_packet(p, auth_len, &pad_len);
if (!ret) {
return false;
}
@@ -506,7 +506,8 @@ static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
free_pipe_auth_data(&p->auth);
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
- p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
+ p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
+ p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
p->pipe_bound = False;
return True;
@@ -709,10 +710,8 @@ static bool pipe_spnego_auth_bind_negotiate(struct pipes_struct *p,
return ret;
}
- if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
- /* Free any previous auth type. */
- free_pipe_auth_data(&p->auth);
- }
+ /* Free any previous auth type. */
+ free_pipe_auth_data(&p->auth);
if (!got_kerberos_mechanism) {
/* Initialize the NTLM engine. */
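Review bot: Making `free_pipe_auth_data(&p->auth)` unconditional leaves `p->auth.auth_type` and `p->auth.spnego_type` untouched in the visible lines, so until the NTLMSSP branch reassigns them (or if negotiation fails, or the Kerberos branch is taken) they may still describe state that has just been freed. setup_bind_nak in this same file resets both fields right after the same call, which suggests the free does not do so itself; its body is not shown here, so this needs confirming. Consider adding `p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;` and `p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;` directly after the free, since later checks such as the one in api_pipe_request key off these fields. pipe_spnego_auth_bind_negotiate starts and ends outside this hunk.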
@@ -770,7 +769,8 @@ static bool pipe_spnego_auth_bind_negotiate(struct pipes_struct *p,
p->auth.a_u.auth_ntlmssp_state = a;
p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
- p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
+ p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+ p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
data_blob_free(&secblob);
data_blob_free(&chal);
@@ -808,7 +808,8 @@ static bool pipe_spnego_auth_bind_continue(struct pipes_struct *p,
* NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
* fail here as 'a' == NULL.
*/
- if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SPNEGO ||
+ p->auth.spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
goto err;
}
@@ -965,7 +966,7 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
/* We're finished with this bind - no more packets. */
p->auth.auth_data_free_func = &free_pipe_schannel_auth_data;
- p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
+ p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
p->pipe_bound = True;
@@ -1026,7 +1027,7 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
p->auth.a_u.auth_ntlmssp_state = a;
p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
- p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
+ p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
@@ -1223,7 +1224,8 @@ bool api_pipe_bind_req(struct pipes_struct *p, struct ncacn_packet *pkt)
if (auth_type == DCERPC_AUTH_TYPE_NONE) {
/* Unauthenticated bind request. */
/* We're finished - no more packets. */
- p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
+ p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
+ p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
/* We must set the pipe auth_level here also. */
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
p->pipe_bound = True;
@@ -1571,8 +1573,9 @@ bool api_pipe_request(struct pipes_struct *p, struct ncacn_packet *pkt)
PIPE_RPC_FNS *pipe_fns;
if (p->pipe_bound &&
- ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
- (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
+ ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) ||
+ ((p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO) &&
+ (p->auth.spnego_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)))) {
if(!become_authenticated_pipe_user(p)) {
data_blob_free(&p->out_data.rdata);
return False;
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 0f5aad8607..95f69a3bba 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2770,7 +2770,9 @@ static NTSTATUS get_user_info_18(struct pipes_struct *p,
goto query;
}
- if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ if ((p->auth.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) ||
+ ((p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO) &&
+ (p->auth.spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
return NT_STATUS_ACCESS_DENIED;
}
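Review bot: The first operand `p->auth.auth_type != DCERPC_AUTH_TYPE_NTLMSSP` is already true for every SPNEGO bind, so the added SPNEGO clause can never change the result and the test reduces to "deny unless plain NTLMSSP"; a SPNEGO/NTLMSSP client is still refused. The removed line was a tautology that denied every caller reaching it, so this conversion also changes who passes the gate, which deserves an explicit decision rather than being a side effect of the rename. If the intent is to accept both NTLMSSP forms, mirror the predicate used in api_pipe_request in srv_pipe.c: `if (!((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) || ((p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO) && (p->auth.spnego_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)))) {`. The rest of get_user_info_18 lies outside the hunk, so any later auth-level check should be confirmed there.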