diff options
Diffstat (limited to 'source4/rpc_server')
| -rw-r--r-- | source4/rpc_server/config.m4 | 1 | ||||
| -rw-r--r-- | source4/rpc_server/config.mk | 20 | ||||
| -rw-r--r-- | source4/rpc_server/dcerpc_server.c | 20 | ||||
| -rw-r--r-- | source4/rpc_server/dcerpc_server.h | 23 | ||||
| -rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 130 | ||||
| -rw-r--r-- | source4/rpc_server/dcesrv_crypto.c | 148 | ||||
| -rw-r--r-- | source4/rpc_server/dcesrv_crypto_ntlmssp.c | 159 | ||||
| -rw-r--r-- | source4/rpc_server/dcesrv_crypto_schannel.c | 239 | ||||
| -rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 14 | ||||
| -rw-r--r-- | source4/rpc_server/samr/samr_password.c | 11 |
10 files changed, 132 insertions, 633 deletions
diff --git a/source4/rpc_server/config.m4 b/source4/rpc_server/config.m4 index 3f64cdcf4b..73cae66456 100644 --- a/source4/rpc_server/config.m4 +++ b/source4/rpc_server/config.m4 @@ -3,6 +3,7 @@ dnl # DCERPC Server subsystem SMB_SUBSYSTEM_MK(DCERPC_COMMON,rpc_server/config.mk) SMB_SUBSYSTEM_MK(SAMDB,rpc_server/config.mk) +SMB_SUBSYSTEM_MK(SCHANNELDB,rpc_server/config.mk) SMB_MODULE_MK(dcerpc_rpcecho,DCERPC,STATIC,rpc_server/config.mk) SMB_MODULE_MK(dcerpc_epmapper,DCERPC,STATIC,rpc_server/config.mk) diff --git a/source4/rpc_server/config.mk b/source4/rpc_server/config.mk index 9d9f12d9aa..dbe8b8344e 100644 --- a/source4/rpc_server/config.mk +++ b/source4/rpc_server/config.mk @@ -19,12 +19,22 @@ INIT_OBJ_FILES = \ ADD_OBJ_FILES = \ rpc_server/samr/samr_utils.o REQUIRED_SUBSYSTEMS = \ + DCERPC_COMMON \ LIBLDB # # End SUBSYSTEM SAMDB ################################################ ################################################ +# Start SUBSYSTEM SCHANNELDB +[SUBSYSTEM::SCHANNELDB] +INIT_OBJ_FILES = \ + rpc_server/netlogon/schannel_state.o +# +# End SUBSYSTEM SCHANNELDB +################################################ + +################################################ # Start MODULE dcerpc_rpcecho [MODULE::dcerpc_rpcecho] INIT_OBJ_FILES = \ @@ -98,10 +108,9 @@ REQUIRED_SUBSYSTEMS = \ [MODULE::dcerpc_netlogon] INIT_OBJ_FILES = \ rpc_server/netlogon/dcerpc_netlogon.o -ADD_OBJ_FILES = \ - rpc_server/netlogon/schannel_state.o REQUIRED_SUBSYSTEMS = \ - DCERPC_COMMON + DCERPC_COMMON \ + SCHANNELDB # End MODULE dcerpc_netlogon ################################################ @@ -135,10 +144,9 @@ INIT_OBJ_FILES = \ ADD_OBJ_FILES = \ rpc_server/dcerpc_tcp.o \ rpc_server/dcesrv_auth.o \ - rpc_server/dcesrv_crypto.o \ - rpc_server/dcesrv_crypto_ntlmssp.o \ - rpc_server/dcesrv_crypto_schannel.o \ rpc_server/handles.o +REQUIRED_SUBSYSTEMS = \ + LIBCLI_AUTH # # End SUBSYSTEM DCERPC ################################################ diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index 90ebaf285c..e5c4c120a5 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c @@ -146,9 +146,9 @@ static struct dcesrv_call_state *dcesrv_find_call(struct dcesrv_connection *dce_ register an interface on an endpoint */ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx, - const char *ep_name, - const struct dcesrv_interface *iface, - const struct security_descriptor *sd) + const char *ep_name, + const struct dcesrv_interface *iface, + const struct security_descriptor *sd) { struct dcesrv_ep_description ep_description; struct dcesrv_endpoint *ep; @@ -269,8 +269,7 @@ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx, (*p)->handles = NULL; (*p)->partial_input = data_blob(NULL, 0); (*p)->auth_state.auth_info = NULL; - (*p)->auth_state.crypto_ctx.private_data = NULL; - (*p)->auth_state.crypto_ctx.ops = NULL; + (*p)->auth_state.gensec_security = NULL; (*p)->auth_state.session_info = NULL; return NT_STATUS_OK; @@ -298,6 +297,7 @@ NTSTATUS dcesrv_endpoint_search_connect(struct dcesrv_context *dce_ctx, return status; } + session_info->refcount++; (*dce_conn_p)->auth_state.session_info = session_info; /* TODO: check security descriptor of the endpoint here @@ -323,8 +323,12 @@ void dcesrv_endpoint_disconnect(struct dcesrv_connection *p) dcesrv_handle_destroy(p, p->handles); } - if (p->auth_state.crypto_ctx.ops) { - p->auth_state.crypto_ctx.ops->end(&p->auth_state); + if (p->auth_state.gensec_security) { + gensec_end(&p->auth_state.gensec_security); + } + + if (p->auth_state.session_info) { + free_session_info(&p->auth_state.session_info); } talloc_destroy(p->mem_ctx); @@ -1027,7 +1031,7 @@ static int num_ep_servers; The 'type' is used to specify whether this is for a disk, printer or IPC$ share */ -static NTSTATUS dcerpc_register_ep_server(void *_ep_server) +static NTSTATUS dcerpc_register_ep_server(const void *_ep_server) { const struct dcesrv_endpoint_server *ep_server = _ep_server; diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h index 3ad768b32e..b1754dd4a3 100644 --- a/source4/rpc_server/dcerpc_server.h +++ b/source4/rpc_server/dcerpc_server.h @@ -94,31 +94,10 @@ struct dcesrv_handle { void (*destroy)(struct dcesrv_connection *, struct dcesrv_handle *); }; -struct dcesrv_crypto_ops { - const char *name; - uint8 auth_type; - NTSTATUS (*start)(struct dcesrv_auth *auth, DATA_BLOB *auth_blob); - NTSTATUS (*update)(struct dcesrv_auth *auth, TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out); - NTSTATUS (*seal)(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, DATA_BLOB *sig); - NTSTATUS (*sign)(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, DATA_BLOB *sig); - NTSTATUS (*check_sig)(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, const DATA_BLOB *sig); - NTSTATUS (*unseal)(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, DATA_BLOB *sig); - NTSTATUS (*session_key)(struct dcesrv_auth *auth, uint8_t session_key[16]); - void (*end)(struct dcesrv_auth *auth); -}; - /* hold the authentication state information */ struct dcesrv_auth { struct dcerpc_auth *auth_info; - struct { - void *private_data; - const struct dcesrv_crypto_ops *ops; - } crypto_ctx; + struct gensec_security *gensec_security; struct auth_session_info *session_info; }; diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 26053b47b9..84a5460d68 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -4,6 +4,7 @@ server side dcerpc authentication code Copyright (C) Andrew Tridgell 2003 + Copyright (C) Stefan (metze) Metzmacher 2004 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -23,6 +24,48 @@ #include "includes.h" /* + startup the cryptographic side of an authenticated dcerpc server +*/ +NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn, + struct dcesrv_auth *auth) +{ + NTSTATUS status; + if (auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && + auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { + DEBUG(2,("auth_level %d not supported in dcesrv auth\n", + auth->auth_info->auth_level)); + return NT_STATUS_INVALID_PARAMETER; + } + + if (auth->gensec_security != NULL) { + /* TODO: + * this this function should not be called + * twice per dcesrv_connection! + * + * so we need to find out the right + * dcerpc error to return + */ + } + + status = gensec_server_start(&auth->gensec_security); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); + return status; + } + + status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC mech-specific server code (%d): %s\n", + (int)auth->auth_info->auth_type, + nt_errstr(status))); + return status; + } + + return status; +} + +/* parse any auth information from a dcerpc bind request return False if we can't handle the auth request for some reason (in which case we send a bind_nak) @@ -56,40 +99,43 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return False; } - status = dcesrv_crypto_start(&dce_conn->auth_state, &dce_conn->auth_state.auth_info->credentials); - if (!NT_STATUS_IS_OK(status)) { - return False; - } - return True; } /* - add any auth information needed in a bind ack + add any auth information needed in a bind ack, and process the authentication + information found in the bind. */ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet *pkt) { struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; - if (!call->conn->auth_state.crypto_ctx.ops) { + if (!call->conn->auth_state.gensec_security) { return True; } - status = dcesrv_crypto_update(&dce_conn->auth_state, - call->mem_ctx, - dce_conn->auth_state.auth_info->credentials, - &dce_conn->auth_state.auth_info->credentials); - if (!NT_STATUS_IS_OK(status) && - !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + status = gensec_update(dce_conn->auth_state.gensec_security, + call->mem_ctx, + dce_conn->auth_state.auth_info->credentials, + &dce_conn->auth_state.auth_info->credentials); + + if (NT_STATUS_IS_OK(status)) { + status = gensec_session_info(dce_conn->auth_state.gensec_security, + &dce_conn->auth_state.session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); + return False; + } + return True; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + dce_conn->auth_state.auth_info->auth_pad_length = 0; + dce_conn->auth_state.auth_info->auth_reserved = 0; + return True; + } else { DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status))); return False; } - - dce_conn->auth_state.auth_info->auth_pad_length = 0; - dce_conn->auth_state.auth_info->auth_reserved = 0; - - return True; } @@ -103,7 +149,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) NTSTATUS status; if (!dce_conn->auth_state.auth_info || - !dce_conn->auth_state.crypto_ctx.ops || + !dce_conn->auth_state.gensec_security || pkt->u.auth.auth_info.length == 0) { return False; } @@ -116,11 +162,19 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) return False; } - status = dcesrv_crypto_update(&dce_conn->auth_state, - call->mem_ctx, - dce_conn->auth_state.auth_info->credentials, - &dce_conn->auth_state.auth_info->credentials); - if (!NT_STATUS_IS_OK(status)) { + status = gensec_update(dce_conn->auth_state.gensec_security, + call->mem_ctx, + dce_conn->auth_state.auth_info->credentials, + &dce_conn->auth_state.auth_info->credentials); + if (NT_STATUS_IS_OK(status)) { + status = gensec_session_info(dce_conn->auth_state.gensec_security, + &dce_conn->auth_state.session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); + return False; + } + return True; + } else { DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n", nt_errstr(status))); return False; @@ -143,7 +197,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) NTSTATUS status; if (!dce_conn->auth_state.auth_info || - !dce_conn->auth_state.crypto_ctx.ops) { + !dce_conn->auth_state.gensec_security) { return True; } @@ -177,7 +231,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) /* check signature or unseal the packet */ switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: - status = dcesrv_crypto_unseal(&dce_conn->auth_state, + status = gensec_unseal_packet(dce_conn->auth_state.gensec_security, call->mem_ctx, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, @@ -185,11 +239,11 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) break; case DCERPC_AUTH_LEVEL_INTEGRITY: - status = dcesrv_crypto_check_sig(&dce_conn->auth_state, - call->mem_ctx, - pkt->u.request.stub_and_verifier.data, - pkt->u.request.stub_and_verifier.length, - &auth.credentials); + status = gensec_check_packet(dce_conn->auth_state.gensec_security, + call->mem_ctx, + pkt->u.request.stub_and_verifier.data, + pkt->u.request.stub_and_verifier.length, + &auth.credentials); break; default: @@ -218,7 +272,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, struct ndr_push *ndr; /* non-signed packets are simple */ - if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.crypto_ctx.ops) { + if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) { status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL); return NT_STATUS_IS_OK(status); } @@ -244,15 +298,15 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, /* sign or seal the packet */ switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: - status = dcesrv_crypto_seal(&dce_conn->auth_state, - call->mem_ctx, - ndr->data + DCERPC_REQUEST_LENGTH, - ndr->offset - DCERPC_REQUEST_LENGTH, - &dce_conn->auth_state.auth_info->credentials); + status = gensec_seal_packet(dce_conn->auth_state.gensec_security, + call->mem_ctx, + ndr->data + DCERPC_REQUEST_LENGTH, + ndr->offset - DCERPC_REQUEST_LENGTH, + &dce_conn->auth_state.auth_info->credentials); break; case DCERPC_AUTH_LEVEL_INTEGRITY: - status = dcesrv_crypto_sign(&dce_conn->auth_state, + status = gensec_sign_packet(dce_conn->auth_state.gensec_security, call->mem_ctx, ndr->data + DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH, diff --git a/source4/rpc_server/dcesrv_crypto.c b/source4/rpc_server/dcesrv_crypto.c deleted file mode 100644 index 7765815f3b..0000000000 --- a/source4/rpc_server/dcesrv_crypto.c +++ /dev/null @@ -1,148 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - server side dcerpc authentication code - crypto support - - Copyright (C) Andrew Tridgell 2004 - Copyright (C) Stefan (metze) Metzmacher 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -/* - this provides a crypto interface to the various backends (such as - NTLMSSP and SCHANNEL) for the rpc server code -*/ - -#include "includes.h" - -/* - startup the cryptographic side of an authenticated dcerpc server -*/ -NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn, - struct dcesrv_auth *auth) -{ - if (auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && - auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { - DEBUG(2,("auth_level %d not supported in dcesrv auth\n", - auth->auth_info->auth_level)); - return NT_STATUS_INVALID_PARAMETER; - } - - if (auth->crypto_ctx.ops != NULL) { - /* TODO: - * this this function should not be called - * twice per dcesrv_connection! - * - * so we need to find out the right - * dcerpc error to return - */ - } - - /* - * TODO: - * maybe a dcesrv_crypto_find_backend_by_type() whould be better here - * to make thinks more generic - */ - auth->crypto_ctx.ops = dcesrv_crypto_backend_bytype(auth->auth_info->auth_type); - if (auth->crypto_ctx.ops == NULL) { - DEBUG(2,("dcesrv auth_type %d not supported\n", auth->auth_info->auth_type)); - return NT_STATUS_INVALID_PARAMETER; - } - - return NT_STATUS_OK; -} - -/* - start crypto state -*/ -NTSTATUS dcesrv_crypto_start(struct dcesrv_auth *auth, DATA_BLOB *auth_blob) -{ - return auth->crypto_ctx.ops->start(auth, auth_blob); -} - -/* - update crypto state -*/ -NTSTATUS dcesrv_crypto_update(struct dcesrv_auth *auth, - TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out) -{ - return auth->crypto_ctx.ops->update(auth, out_mem_ctx, in, out); -} - -/* - seal a packet -*/ -NTSTATUS dcesrv_crypto_seal(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, DATA_BLOB *sig) -{ - return auth->crypto_ctx.ops->seal(auth, sig_mem_ctx, data, length, sig); -} - -/* - sign a packet -*/ -NTSTATUS dcesrv_crypto_sign(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, DATA_BLOB *sig) -{ - return auth->crypto_ctx.ops->sign(auth, sig_mem_ctx, data, length, sig); -} - -/* - check a packet signature -*/ -NTSTATUS dcesrv_crypto_check_sig(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, const DATA_BLOB *sig) -{ - return auth->crypto_ctx.ops->check_sig(auth, sig_mem_ctx, data, length, sig); -} - -/* - unseal a packet -*/ -NTSTATUS dcesrv_crypto_unseal(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, DATA_BLOB *sig) -{ - return auth->crypto_ctx.ops->unseal(auth, sig_mem_ctx, data, length, sig); -} - -/* - get the negotiated session key -*/ -NTSTATUS dcesrv_crypto_session_key(struct dcesrv_auth *auth, uint8_t session_key[16]) -{ - return auth->crypto_ctx.ops->session_key(auth, session_key); -} - -/* - end crypto state -*/ -void dcesrv_crypto_end(struct dcesrv_auth *auth) -{ - auth->crypto_ctx.ops->end(auth); -} - -const struct dcesrv_crypto_ops *dcesrv_crypto_backend_bytype(uint8_t auth_type) -{ - switch (auth_type) { - case DCERPC_AUTH_TYPE_SCHANNEL: - return dcesrv_crypto_schannel_get_ops(); - case DCERPC_AUTH_TYPE_NTLMSSP: - return dcesrv_crypto_ntlmssp_get_ops(); - } - - return NULL; -} diff --git a/source4/rpc_server/dcesrv_crypto_ntlmssp.c b/source4/rpc_server/dcesrv_crypto_ntlmssp.c deleted file mode 100644 index 35029a0fee..0000000000 --- a/source4/rpc_server/dcesrv_crypto_ntlmssp.c +++ /dev/null @@ -1,159 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - server side dcerpc authentication code - NTLMSSP auth/crypto code - - Copyright (C) Andrew Tridgell 2004 - Copyright (C) Stefan (metze) Metzmacher 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -/* - this provides the NTLMSSP backend for server side rpc -*/ - -#include "includes.h" - - -/* - start crypto state -*/ -static NTSTATUS dcesrv_crypto_ntlmssp_start(struct dcesrv_auth *auth, DATA_BLOB *auth_blob) -{ - struct auth_ntlmssp_state *ntlmssp = NULL; - NTSTATUS status; - - /* the auth_blob is ignored here, and is handled in the call - to auth_ntlmssp_update() */ - - status = auth_ntlmssp_start(&ntlmssp); - - auth->crypto_ctx.private_data = ntlmssp; - - return status; -} - -/* - update crypto state -*/ -static NTSTATUS dcesrv_crypto_ntlmssp_update(struct dcesrv_auth *auth, TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out) -{ - struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data; - NTSTATUS status; - - status = auth_ntlmssp_update(auth_ntlmssp_state, out_mem_ctx, in, out); - if (NT_STATUS_IS_OK(status)) { - /* TODO: what is when the session_info is already set */ - return auth_ntlmssp_get_session_info(auth_ntlmssp_state, &auth->session_info); - } - - return status; -} - -/* - seal a packet -*/ -static NTSTATUS dcesrv_crypto_ntlmssp_seal(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, DATA_BLOB *sig) -{ - struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data; - - return ntlmssp_seal_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, sig); -} - -/* - sign a packet -*/ -static NTSTATUS dcesrv_crypto_ntlmssp_sign(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, DATA_BLOB *sig) -{ - struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data; - - return ntlmssp_sign_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, sig); -} - -/* - check a packet signature -*/ -static NTSTATUS dcesrv_crypto_ntlmssp_check_sig(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, const DATA_BLOB *sig) -{ - struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data; - - return ntlmssp_check_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, sig); -} - -/* - unseal a packet -*/ -static NTSTATUS dcesrv_crypto_ntlmssp_unseal(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, DATA_BLOB *sig) -{ - struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data; - - return ntlmssp_unseal_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, sig); -} - -/* - get the session key -*/ -static NTSTATUS dcesrv_crypto_ntlmssp_session_key(struct dcesrv_auth *auth, uint8_t session_key[16]) -{ - struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data; - - if (auth_ntlmssp_state->ntlmssp_state->session_key.length != 16) { - return NT_STATUS_NO_USER_SESSION_KEY; - } - memcpy(session_key, auth_ntlmssp_state->ntlmssp_state->session_key.data, 16); - - return NT_STATUS_OK; -} - -/* - end crypto state -*/ -static void dcesrv_crypto_ntlmssp_end(struct dcesrv_auth *auth) -{ - struct auth_ntlmssp_state *auth_ntlmssp_state = auth->crypto_ctx.private_data; - - auth->crypto_ctx.private_data = NULL; - - auth_ntlmssp_end(&auth_ntlmssp_state); - - return; -} - -static const struct dcesrv_crypto_ops dcesrv_crypto_ntlmssp_ops = { - .name = "ntlmssp", - .auth_type = DCERPC_AUTH_TYPE_NTLMSSP, - .start = dcesrv_crypto_ntlmssp_start, - .update = dcesrv_crypto_ntlmssp_update, - .seal = dcesrv_crypto_ntlmssp_seal, - .sign = dcesrv_crypto_ntlmssp_sign, - .check_sig = dcesrv_crypto_ntlmssp_check_sig, - .unseal = dcesrv_crypto_ntlmssp_unseal, - .session_key = dcesrv_crypto_ntlmssp_session_key, - .end = dcesrv_crypto_ntlmssp_end -}; - -/* - startup the cryptographic side of an authenticated dcerpc server -*/ -const struct dcesrv_crypto_ops *dcesrv_crypto_ntlmssp_get_ops(void) -{ - return &dcesrv_crypto_ntlmssp_ops; -} diff --git a/source4/rpc_server/dcesrv_crypto_schannel.c b/source4/rpc_server/dcesrv_crypto_schannel.c deleted file mode 100644 index 5da1a171f9..0000000000 --- a/source4/rpc_server/dcesrv_crypto_schannel.c +++ /dev/null @@ -1,239 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - server side dcerpc authentication code - schannel auth/crypto code - - Copyright (C) Andrew Tridgell 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -struct srv_schannel_state { - TALLOC_CTX *mem_ctx; - struct schannel_bind bind_info; - struct schannel_state *state; -}; - -static NTSTATUS schannel_setup_session_info(struct srv_schannel_state *schannel, - const char *account_name, - struct auth_session_info **session_info) -{ - TALLOC_CTX *mem_ctx; - - mem_ctx = talloc_init("schannel_setup"); - if (mem_ctx == NULL) { - return NT_STATUS_NO_MEMORY; - } - - (*session_info) = talloc_p(mem_ctx, struct auth_session_info); - if (*session_info == NULL) { - talloc_destroy(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - ZERO_STRUCTP(*session_info); - - (*session_info)->workstation = talloc_strdup(mem_ctx, account_name); - if ((*session_info)->workstation == NULL) { - return NT_STATUS_NO_MEMORY; - } - - /* TODO: fill in the rest of the session_info structure */ - - return NT_STATUS_OK; -} - - -/* - start crypto state -*/ -static NTSTATUS dcesrv_crypto_schannel_start(struct dcesrv_auth *auth, DATA_BLOB *auth_blob) -{ - struct srv_schannel_state *schannel = NULL; - NTSTATUS status; - TALLOC_CTX *mem_ctx; - const char *account_name; - struct schannel_bind_ack ack; - struct creds_CredentialState creds; - - mem_ctx = talloc_init("schannel_start"); - if (!mem_ctx) { - return NT_STATUS_NO_MEMORY; - } - - schannel = talloc_p(mem_ctx, struct srv_schannel_state); - if (!schannel) { - talloc_destroy(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - schannel->mem_ctx = mem_ctx; - - /* parse the schannel startup blob */ - status = ndr_pull_struct_blob(auth_blob, mem_ctx, &schannel->bind_info, - (ndr_pull_flags_fn_t)ndr_pull_schannel_bind); - if (!NT_STATUS_IS_OK(status)) { - talloc_destroy(mem_ctx); - return status; - } - - if (schannel->bind_info.bind_type == 23) { - account_name = schannel->bind_info.u.info23.account_name; - } else { - account_name = schannel->bind_info.u.info3.account_name; - } - - /* pull the session key for this client */ - status = schannel_fetch_session_key(mem_ctx, account_name, &creds); - if (!NT_STATUS_IS_OK(status)) { - talloc_destroy(mem_ctx); - return status; - } - - /* start up the schannel server code */ - status = schannel_start(&schannel->state, creds.session_key, False); - if (!NT_STATUS_IS_OK(status)) { - talloc_destroy(mem_ctx); - return status; - } - - status = schannel_setup_session_info(schannel, account_name, - &auth->session_info); - if (!NT_STATUS_IS_OK(status)) { - talloc_destroy(mem_ctx); - return status; - } - - auth->crypto_ctx.private_data = schannel; - - ack.unknown1 = 1; - ack.unknown2 = 0; - ack.unknown3 = 0x6c0000; - - status = ndr_push_struct_blob(auth_blob, mem_ctx, &ack, - (ndr_push_flags_fn_t)ndr_push_schannel_bind_ack); - if (!NT_STATUS_IS_OK(status)) { - talloc_destroy(mem_ctx); - return NT_STATUS_INVALID_PARAMETER; - } - - return status; -} - -/* - update crypto state -*/ -static NTSTATUS dcesrv_crypto_schannel_update(struct dcesrv_auth *auth, TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out) -{ - return NT_STATUS_OK; -} - -/* - seal a packet -*/ -static NTSTATUS dcesrv_crypto_schannel_seal(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, DATA_BLOB *sig) -{ - struct srv_schannel_state *srv_schannel_state = auth->crypto_ctx.private_data; - - return schannel_seal_packet(srv_schannel_state->state, sig_mem_ctx, data, length, sig); -} - -/* - sign a packet -*/ -static NTSTATUS dcesrv_crypto_schannel_sign(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, DATA_BLOB *sig) -{ - struct srv_schannel_state *srv_schannel_state = auth->crypto_ctx.private_data; - - return schannel_sign_packet(srv_schannel_state->state, sig_mem_ctx, data, length, sig); -} - -/* - check a packet signature -*/ -static NTSTATUS dcesrv_crypto_schannel_check_sig(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, const DATA_BLOB *sig) -{ - struct srv_schannel_state *srv_schannel_state = auth->crypto_ctx.private_data; - - return schannel_check_packet(srv_schannel_state->state, data, length, sig); -} - -/* - unseal a packet -*/ -static NTSTATUS dcesrv_crypto_schannel_unseal(struct dcesrv_auth *auth, TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, DATA_BLOB *sig) -{ - struct srv_schannel_state *srv_schannel_state = auth->crypto_ctx.private_data; - - return schannel_unseal_packet(srv_schannel_state->state, sig_mem_ctx, data, length, sig); -} - -/* - get the session key -*/ -static NTSTATUS dcesrv_crypto_schannel_session_key(struct dcesrv_auth *auth, uint8_t session_key[16]) -{ - struct srv_schannel_state *srv_schannel_state = auth->crypto_ctx.private_data; - - memcpy(session_key, srv_schannel_state->state->session_key, 16); - - return NT_STATUS_OK; -} - -/* - end crypto state -*/ -static void dcesrv_crypto_schannel_end(struct dcesrv_auth *auth) -{ - struct srv_schannel_state *srv_schannel_state = auth->crypto_ctx.private_data; - - if (srv_schannel_state == NULL) { - return; - } - - schannel_end(&srv_schannel_state->state); - - talloc_destroy(srv_schannel_state->mem_ctx); - - auth->crypto_ctx.private_data = NULL; -} - -static const struct dcesrv_crypto_ops dcesrv_crypto_schannel_ops = { - .name = "schannel", - .auth_type = DCERPC_AUTH_TYPE_SCHANNEL, - .start = dcesrv_crypto_schannel_start, - .update = dcesrv_crypto_schannel_update, - .seal = dcesrv_crypto_schannel_seal, - .sign = dcesrv_crypto_schannel_sign, - .check_sig = dcesrv_crypto_schannel_check_sig, - .unseal = dcesrv_crypto_schannel_unseal, - .session_key = dcesrv_crypto_schannel_session_key, - .end = dcesrv_crypto_schannel_end -}; - -/* - startup the cryptographic side of an authenticated dcerpc server -*/ -const struct dcesrv_crypto_ops *dcesrv_crypto_schannel_get_ops(void) -{ - return &dcesrv_crypto_schannel_ops; -} diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 80bbb6b583..7eb4c0e815 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -58,21 +58,15 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) state->mem_ctx = mem_ctx; state->authenticated = True; - state->creds = talloc_p(mem_ctx, struct creds_CredentialState); - if (state->creds == NULL) { - talloc_destroy(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - ZERO_STRUCTP(state->creds); - if (dce_call->conn->auth_state.session_info == NULL) { talloc_destroy(mem_ctx); return NT_STATUS_NO_USER_SESSION_KEY; } - status = schannel_fetch_session_key(mem_ctx, - dce_call->conn->auth_state.session_info->workstation, - state->creds); + status = dcerpc_schannel_creds(dce_call->conn->auth_state.gensec_security, + mem_ctx, + &state->creds); + if (!NT_STATUS_IS_OK(status)) { talloc_destroy(mem_ctx); return status; diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 988c52e4ee..f1947022a2 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -693,7 +693,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, { char new_pass[512]; uint32_t new_pass_len; - DATA_BLOB session_key; + DATA_BLOB session_key = data_blob(NULL, 0); session_key = data_blob(NULL,0); @@ -703,7 +703,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, if (session_key.length == 0) { DEBUG(3,("Bad session key in samr_set_password\n")); - return NT_STATUS_WRONG_PASSWORD; + return NT_STATUS_NO_USER_SESSION_KEY; } arcfour_crypt_blob(pwbuf->data, 516, &session_key); @@ -740,7 +740,7 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, char new_pass[512]; uint32_t new_pass_len; DATA_BLOB co_session_key; - DATA_BLOB session_key; + DATA_BLOB session_key = data_blob(NULL, 0); struct MD5Context ctx; session_key = data_blob(NULL,0); @@ -749,6 +749,11 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, session_key = dce_call->conn->auth_state.session_info->session_key; } + if (session_key.length == 0) { + DEBUG(3,("Bad session key in samr_set_password\n")); + return NT_STATUS_NO_USER_SESSION_KEY; + } + co_session_key = data_blob_talloc(mem_ctx, NULL, 16); if (!co_session_key.data) { return NT_STATUS_NO_MEMORY; |