From 8087d844ef59a82617be51f7c887b9bafe362f80 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 3 Jun 2004 23:15:16 +0000 Subject: r995: - renamed many of our crypto routines to use the industry standard names rather than our crazy naming scheme. So DES is now called des_crypt() rather than smbhash() - added the code from the solution of the ADS crypto challenge that allows Samba to correctly handle a 128 bit session key in all of the netr_ServerAuthenticateX() varients. A huge thanks to Luke Howard from PADL for solving this one! - restructured the server side rpc authentication to allow for other than NTLMSSP sign and seal. This commit just adds the structure, the next commit will add schannel server side support. - added 128 bit session key support to our client side code, and testing against w2k3 with smbtorture. Works well. (This used to be commit 729b2f41c924a0b435d44a14209e6dacc2304cee) --- source4/rpc_server/dcesrv_auth.c | 95 ++++++++++++++++------------------------ 1 file changed, 37 insertions(+), 58 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 48792180c6..7aa296c245 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -22,7 +22,6 @@ #include "includes.h" - /* parse any auth information from a dcerpc bind request return False if we can't handle the auth request for some @@ -52,24 +51,11 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return False; } - if (dce_conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { - /* only do NTLMSSP for now */ - DEBUG(2,("auth_type %d not supported\n", dce_conn->auth_state.auth_info->auth_type)); - return False; - } - - if (dce_conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && - dce_conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { - DEBUG(2,("auth_level %d not supported\n", dce_conn->auth_state.auth_info->auth_level)); - return False; - } - - status = auth_ntlmssp_start(&dce_conn->auth_state.ntlmssp_state); + status = dcesrv_crypto_startup(dce_conn, &dce_conn->auth_state); if (!NT_STATUS_IS_OK(status)) { - DEBUG(2, ("Failed to start NTLMSSP subsystem!\n")); return False; } - + return True; } @@ -81,17 +67,17 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; - if (!call->conn->auth_state.ntlmssp_state) { + if (!call->conn->auth_state.crypto_state) { return True; } - status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, - call->mem_ctx, - dce_conn->auth_state.auth_info->credentials, - &dce_conn->auth_state.auth_info->credentials); + status = dcesrv_crypto_update(&dce_conn->auth_state, + call->mem_ctx, + dce_conn->auth_state.auth_info->credentials, + &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DEBUG(2, ("Failed to start NTLMSSP process NTLMSSP negotiate: %s\n", nt_errstr(status))); + DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status))); return False; } @@ -103,7 +89,7 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * /* - process the final stage of a NTLMSSP auth request + process the final stage of a auth request */ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) { @@ -112,7 +98,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) NTSTATUS status; if (!dce_conn->auth_state.auth_info || - !dce_conn->auth_state.ntlmssp_state || + !dce_conn->auth_state.crypto_state || pkt->u.auth.auth_info.length == 0) { return False; } @@ -125,20 +111,13 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) return False; } - if (dce_conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { - return False; - } - if (dce_conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && - dce_conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { - return False; - } - - status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, - call->mem_ctx, - dce_conn->auth_state.auth_info->credentials, - &dce_conn->auth_state.auth_info->credentials); + status = dcesrv_crypto_update(&dce_conn->auth_state, + call->mem_ctx, + dce_conn->auth_state.auth_info->credentials, + &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status)) { - DEBUG(4, ("User failed to authenticated with NTLMSSP: %s\n", nt_errstr(status))); + DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n", + nt_errstr(status))); return False; } @@ -159,7 +138,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) NTSTATUS status; if (!dce_conn->auth_state.auth_info || - !dce_conn->auth_state.ntlmssp_state) { + !dce_conn->auth_state.crypto_state) { return True; } @@ -193,21 +172,21 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) /* check signature or unseal the packet */ switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: - status = ntlmssp_unseal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, - call->mem_ctx, - pkt->u.request.stub_and_verifier.data, - pkt->u.request.stub_and_verifier.length, - &auth.credentials); - break; - - case DCERPC_AUTH_LEVEL_INTEGRITY: - status = ntlmssp_check_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + status = dcesrv_crypto_unseal(&dce_conn->auth_state, call->mem_ctx, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, &auth.credentials); break; + case DCERPC_AUTH_LEVEL_INTEGRITY: + status = dcesrv_crypto_check_sig(&dce_conn->auth_state, + call->mem_ctx, + pkt->u.request.stub_and_verifier.data, + pkt->u.request.stub_and_verifier.length, + &auth.credentials); + break; + default: status = NT_STATUS_INVALID_LEVEL; break; @@ -234,7 +213,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, struct ndr_push *ndr; /* non-signed packets are simple */ - if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.ntlmssp_state) { + if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.crypto_state) { status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL); return NT_STATUS_IS_OK(status); } @@ -260,19 +239,19 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, /* sign or seal the packet */ switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: - status = ntlmssp_seal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, - call->mem_ctx, - ndr->data + DCERPC_REQUEST_LENGTH, - ndr->offset - DCERPC_REQUEST_LENGTH, - &dce_conn->auth_state.auth_info->credentials); + status = dcesrv_crypto_seal(&dce_conn->auth_state, + call->mem_ctx, + ndr->data + DCERPC_REQUEST_LENGTH, + ndr->offset - DCERPC_REQUEST_LENGTH, + &dce_conn->auth_state.auth_info->credentials); break; case DCERPC_AUTH_LEVEL_INTEGRITY: - status = ntlmssp_sign_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, - call->mem_ctx, - ndr->data + DCERPC_REQUEST_LENGTH, - ndr->offset - DCERPC_REQUEST_LENGTH, - &dce_conn->auth_state.auth_info->credentials); + status = dcesrv_crypto_sign(&dce_conn->auth_state, + call->mem_ctx, + ndr->data + DCERPC_REQUEST_LENGTH, + ndr->offset - DCERPC_REQUEST_LENGTH, + &dce_conn->auth_state.auth_info->credentials); break; default: status = NT_STATUS_INVALID_LEVEL; -- cgit