From 2463a871776bb4de8653d6a44469d2adb3ec9418 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 20 Jul 2010 13:26:36 -0400 Subject: s3-dcerpc: Use dcerpc_AuthType in pipe_auth_data --- source3/rpc_server/rpc_handles.c | 3 ++- source3/rpc_server/srv_lsa_nt.c | 4 ++-- source3/rpc_server/srv_netlog_nt.c | 6 ++--- source3/rpc_server/srv_pipe.c | 47 ++++++++++++++++++++------------------ source3/rpc_server/srv_samr_nt.c | 4 +++- 5 files changed, 35 insertions(+), 29 deletions(-) (limited to 'source3/rpc_server') diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c index 57a3cd44eb..481bb56ee7 100644 --- a/source3/rpc_server/rpc_handles.c +++ b/source3/rpc_server/rpc_handles.c @@ -321,7 +321,8 @@ bool pipe_access_check(struct pipes_struct *p) if (lp_restrict_anonymous() > 0) { /* schannel, so we must be ok */ - if (p->pipe_bound && (p->auth.auth_type == PIPE_AUTH_TYPE_SCHANNEL)) { + if (p->pipe_bound && + (p->auth.auth_type == DCERPC_AUTH_TYPE_SCHANNEL)) { return True; } diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index 0dc3cbc5a5..10ea1e3b97 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -1040,7 +1040,7 @@ NTSTATUS _lsa_LookupSids3(struct pipes_struct *p, struct lsa_LookupSids2 q; /* No policy handle on this call. Restrict to crypto connections. */ - if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { + if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n", get_remote_machine_name() )); return NT_STATUS_INVALID_PARAMETER; 
@@ -1323,7 +1323,7 @@ NTSTATUS _lsa_LookupNames4(struct pipes_struct *p, struct lsa_LookupNames3 q; /* No policy handle on this call. Restrict to crypto connections. */ - if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { + if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n", get_remote_machine_name() )); return NT_STATUS_INVALID_PARAMETER; diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index e7b4718f01..56b5027958 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -961,7 +961,7 @@ static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info, const char *computer_name, bool integrity, bool privacy) { - if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) { + if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { if (!privacy && !integrity) { return NT_STATUS_OK; } @@ -1419,7 +1419,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, memcpy(pipe_session_key, creds->session_key, 16); } else { /* Get the pipe session key from the schannel. */ - if ((p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) + if ((p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) || (p->auth.a_u.schannel_auth == NULL)) { return NT_STATUS_INVALID_HANDLE; } @@ -1535,7 +1535,7 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, } /* Only allow this if the pipe is protected. */ - if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { + if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n", get_remote_machine_name() )); return NT_STATUS_INVALID_PARAMETER; diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index ae6c12710e..6f79d3c815 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c 
@@ -112,8 +112,6 @@ static DATA_BLOB generic_session_key(void) ********************************************************************/ static bool create_next_packet(struct pipes_struct *p, - enum dcerpc_AuthType auth_type, - enum dcerpc_AuthLevel auth_level, size_t auth_length, size_t *_pad_len) { @@ -225,8 +223,6 @@ static bool create_next_packet(struct pipes_struct *p, bool create_next_pdu(struct pipes_struct *p) { - enum dcerpc_AuthType auth_type = - map_pipe_auth_type_to_rpc_auth_type(p->auth.auth_type); size_t auth_len = 0; size_t pad_len = 0; NTSTATUS status; @@ -255,12 +251,18 @@ bool create_next_pdu(struct pipes_struct *p) case DCERPC_AUTH_LEVEL_PRIVACY: switch(p->auth.auth_type) { - case PIPE_AUTH_TYPE_NTLMSSP: - case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP: + case DCERPC_AUTH_TYPE_NTLMSSP: + auth_len = NTLMSSP_SIG_SIZE; + break; + case DCERPC_AUTH_TYPE_SPNEGO: + if (p->auth.spnego_type != + PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) { + goto err_out; + } auth_len = NTLMSSP_SIG_SIZE; break; - case PIPE_AUTH_TYPE_SCHANNEL: + case DCERPC_AUTH_TYPE_SCHANNEL: auth_len = NL_AUTH_SIGNATURE_SIZE; break; @@ -274,9 +276,7 @@ bool create_next_pdu(struct pipes_struct *p) goto err_out; } - ret = create_next_packet(p, auth_type, - p->auth.auth_level, - auth_len, &pad_len); + ret = create_next_packet(p, auth_len, &pad_len); if (!ret) { return false; } @@ -506,7 +506,8 @@ static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt) free_pipe_auth_data(&p->auth); p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE; - p->auth.auth_type = PIPE_AUTH_TYPE_NONE; + p->auth.auth_type = DCERPC_AUTH_TYPE_NONE; + p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE; p->pipe_bound = False; return True; 
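Review bot: In create_next_pdu, the new `case DCERPC_AUTH_TYPE_SPNEGO:` jumps to `err_out` for any `spnego_type` other than `PIPE_AUTH_TYPE_SPNEGO_NTLMSSP`, with no comment saying that the rejection is deliberate. A one-line comment above the test, such as `/* only SPNEGO-wrapped NTLMSSP has a signature size here; reject other mechanisms */`, would show the next reader where to extend the switch when another mechanism is added. The NTLMSSP and SPNEGO arms also both end in `auth_len = NTLMSSP_SIG_SIZE; break;`. The default arm and the `err_out` label are outside the hunk, so whether the failure is already logged there cannot be seen from here.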
@@ -709,10 +710,8 @@ static bool pipe_spnego_auth_bind_negotiate(struct pipes_struct *p, return ret; } - if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) { - /* Free any previous auth type. */ - free_pipe_auth_data(&p->auth); - } + /* Free any previous auth type. */ + free_pipe_auth_data(&p->auth); if (!got_kerberos_mechanism) { /* Initialize the NTLM engine. */ @@ -770,7 +769,8 @@ static bool pipe_spnego_auth_bind_negotiate(struct pipes_struct *p, p->auth.a_u.auth_ntlmssp_state = a; p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data; - p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP; + p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO; + p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP; data_blob_free(&secblob); data_blob_free(&chal); @@ -808,7 +808,8 @@ static bool pipe_spnego_auth_bind_continue(struct pipes_struct *p, * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently * fail here as 'a' == NULL. */ - if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) { + if (p->auth.auth_type != DCERPC_AUTH_TYPE_SPNEGO || + p->auth.spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) { DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n")); goto err; } @@ -965,7 +966,7 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p, /* We're finished with this bind - no more packets. */ p->auth.auth_data_free_func = &free_pipe_schannel_auth_data; - p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL; + p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL; p->pipe_bound = True; @@ -1026,7 +1027,7 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p, p->auth.a_u.auth_ntlmssp_state = a; p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data; - p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP; + p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP; DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n")); 
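Review bot: In pipe_spnego_auth_bind_negotiate, `free_pipe_auth_data(&p->auth)` now runs unconditionally, but `auth_type` and `spnego_type` are only rewritten further down, on the NTLMSSP success path. setup_bind_nak in this same commit resets both fields right after the same free call, which suggests free_pipe_auth_data does not reset them itself; its body is not shown, so this is an inference. If that holds, a bind that takes the kerberos branch or bails out early leaves type fields describing state that has just been freed. Resetting them next to the free, with `p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;` and `p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;`, would keep type and state in step. The function body continues outside the hunk.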
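Review bot: pipe_schannel_auth_bind sets `auth_type` to `DCERPC_AUTH_TYPE_SCHANNEL` but leaves the new `spnego_type` field untouched, and the pipe_ntlmssp_auth_bind hunk after it does the same for `DCERPC_AUTH_TYPE_NTLMSSP`. The other assignments of `auth_type` in this commit (setup_bind_nak, api_pipe_bind_req, the SPNEGO negotiate path) write both fields. Every visible check reads `spnego_type` only together with `auth_type == DCERPC_AUTH_TYPE_SPNEGO`, so a stale value is not consulted today. Adding `p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;` after each of the two assignments would keep the pair consistent for any later check that reads it alone.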
@@ -1223,7 +1224,8 @@ bool api_pipe_bind_req(struct pipes_struct *p, struct ncacn_packet *pkt) if (auth_type == DCERPC_AUTH_TYPE_NONE) { /* Unauthenticated bind request. */ /* We're finished - no more packets. */ - p->auth.auth_type = PIPE_AUTH_TYPE_NONE; + p->auth.auth_type = DCERPC_AUTH_TYPE_NONE; + p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE; /* We must set the pipe auth_level here also. */ p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE; p->pipe_bound = True; @@ -1571,8 +1573,9 @@ bool api_pipe_request(struct pipes_struct *p, struct ncacn_packet *pkt) PIPE_RPC_FNS *pipe_fns; if (p->pipe_bound && - ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) || - (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) { + ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) || + ((p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO) && + (p->auth.spnego_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)))) { if(!become_authenticated_pipe_user(p)) { data_blob_free(&p->out_data.rdata); return False; diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 0f5aad8607..95f69a3bba 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2770,7 +2770,9 @@ static NTSTATUS get_user_info_18(struct pipes_struct *p, goto query; } - if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) { + if ((p->auth.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) || + ((p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO) && + (p->auth.spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) { return NT_STATUS_ACCESS_DENIED; } -- cgit
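Review bot: The rewritten test in get_user_info_18 reduces to `auth_type != DCERPC_AUTH_TYPE_NTLMSSP`: whenever `auth_type` is `DCERPC_AUTH_TYPE_SPNEGO` the first operand is already true, so the `spnego_type` clause never changes the result and SPNEGO-wrapped NTLMSSP is denied. It fails closed, so nothing is exposed, but it does not match the test in api_pipe_request, which accepts both forms. If the intent is to allow both, negate the accept condition: `if (!((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) || ((p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO) && (p->auth.spnego_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)))) {`. A small predicate shared by the call sites would keep the copies of this test in srv_pipe.c and here from drifting apart. The rest of the function, including any auth-level check, is outside the hunk.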