From 8f6b3eb1a9c1e996330b0edfb312b2345e292819 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Sun, 14 Dec 2003 01:09:10 +0000
Subject: fixed a bug handling multiple PDUs being read from a socket at one time in the rpc server. started on the framework for the dcerpc authentication server code (This used to be commit 74041b6a0a60d792e1b220496d66ec27b9ee6c25)
---
source4/rpc_server/dcesrv_auth.c | 42 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 source4/rpc_server/dcesrv_auth.c
(limited to 'source4/rpc_server/dcesrv_auth.c')
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
new file mode 100644
index 0000000000..aea79f2927
--- /dev/null
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -0,0 +1,42 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ server side dcerpc authentication code
+
+ Copyright (C) Andrew Tridgell 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+
+/*
+ parse any auth information from a dcerpc bind request
+*/
+BOOL dcesrv_auth_bind(struct dcesrv_call_state *call)
+{
+ struct dcerpc_packet *pkt = &call->pkt;
+
+ return True;
+}
+
+/*
+ add any auth information needed in a bind ack
+*/
+BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet *pkt)
+{
+ return True;
+}
-- cgit
From d009dc61f90e45b695fb9eaaf11899c7572dc9a7 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Sun, 14 Dec 2003 10:45:50 +0000
Subject: ntlmssp over rpc over tcp now fully works I needed to hack the ntlmssp code a little, as the auth code in samba4 is out of date relative to the samba3 auth code. I need to do a merge :) (This used to be commit 6ee0935afe9444bf9bb24eed4e02e8377dc746b7)
---
source4/rpc_server/dcesrv_auth.c | 253 +++++++++++++++++++++++++++++++++++++++
1 file changed, 253 insertions(+)
(limited to 'source4/rpc_server/dcesrv_auth.c')
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index aea79f2927..f290c741cb 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -25,10 +25,49 @@ /* parse any auth information from a dcerpc bind request + return False if we can't handle the auth request for some + reason (in which case we send a bind_nak) */ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) { struct dcerpc_packet *pkt = &call->pkt; + struct dcesrv_state *dce = call->dce; + NTSTATUS status; + + if (pkt->u.bind.auth_info.length == 0) { + dce->auth_state.auth_info = NULL; + return True; + } + + dce->auth_state.auth_info = talloc_p(dce->mem_ctx, struct dcerpc_auth); + if (!dce->auth_state.auth_info) { + return False; + } + + status = ndr_pull_struct_blob(&pkt->u.bind.auth_info, + call->mem_ctx, + dce->auth_state.auth_info, + (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + + if (dce->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { + /* only do NTLMSSP for now */ + DEBUG(2,("auth_type %d not supported\n", dce->auth_state.auth_info->auth_type)); + return False; + } + + if (dce->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && + dce->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { + DEBUG(2,("auth_level %d not supported\n", dce->auth_state.auth_info->auth_level)); + return False; + } + + status = auth_ntlmssp_start(&dce->auth_state.ntlmssp_state); + if (!NT_STATUS_IS_OK(status)) { + return False; + } return True; } 
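Review bot: The zero-length branch at the top of dcesrv_auth_bind resets `dce->auth_state.auth_info` to NULL but leaves `dce->auth_state.ntlmssp_state` as it was, while dcesrv_auth_bind_ack in the next hunk tests only `ntlmssp_state` before dereferencing `auth_info->credentials`. If a connection can receive a bind without auth data after an earlier NTLMSSP bind (not visible here, so to be confirmed), that is a NULL dereference reachable before authentication completes. Making bind_ack use the same guard as the request and response paths, `if (!dce->auth_state.auth_info || !dce->auth_state.ntlmssp_state) return True;`, closes it. The failure returns after `talloc_p()` also leave a half-initialised `auth_info` on the connection; resetting it to NULL before `return False` would keep the state consistent.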
@@ -38,5 +77,219 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) */ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet *pkt) { + struct dcesrv_state *dce = call->dce; + NTSTATUS status; + + if (!call->dce->auth_state.ntlmssp_state) { + return True; + } + + status = auth_ntlmssp_update(dce->auth_state.ntlmssp_state, + dce->auth_state.auth_info->credentials, + &dce->auth_state.auth_info->credentials); + if (!NT_STATUS_IS_OK(status) && + !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + return False; + } + + dce->auth_state.auth_info->auth_pad_length = 0; + dce->auth_state.auth_info->auth_reserved = 0; + + return True; +} + + +/* + process the final stage of a NTLMSSP auth request +*/ +BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) +{ + struct dcerpc_packet *pkt = &call->pkt; + struct dcesrv_state *dce = call->dce; + NTSTATUS status; + + if (!dce->auth_state.auth_info || + !dce->auth_state.ntlmssp_state || + pkt->u.auth.auth_info.length == 0) { + return False; + } + + status = ndr_pull_struct_blob(&pkt->u.auth.auth_info, + call->mem_ctx, + dce->auth_state.auth_info, + (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + + if (dce->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { + return False; + } + if (dce->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && + dce->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { + return False; + } + + status = auth_ntlmssp_update(dce->auth_state.ntlmssp_state, + dce->auth_state.auth_info->credentials, + &dce->auth_state.auth_info->credentials); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + + switch (dce->auth_state.auth_info->auth_level) { + case DCERPC_AUTH_LEVEL_PRIVACY: + case DCERPC_AUTH_LEVEL_INTEGRITY: + /* setup for signing */ + status = ntlmssp_sign_init(dce->auth_state.ntlmssp_state->ntlmssp_state); + break; + } + + return True; +} + + +/* + check credentials on 
a request +*/ +BOOL dcesrv_auth_request(struct dcesrv_call_state *call) +{ + struct dcerpc_packet *pkt = &call->pkt; + struct dcesrv_state *dce = call->dce; + DATA_BLOB auth_blob; + struct dcerpc_auth auth; + struct ndr_pull *ndr; + NTSTATUS status; + + if (!dce->auth_state.auth_info || + !dce->auth_state.ntlmssp_state) { + return True; + } + + auth_blob.length = 8 + pkt->auth_length; + + /* check for a valid length */ + if (pkt->u.request.stub_and_verifier.length < auth_blob.length) { + return False; + } + + auth_blob.data = + pkt->u.request.stub_and_verifier.data + + pkt->u.request.stub_and_verifier.length - auth_blob.length; + pkt->u.request.stub_and_verifier.length -= auth_blob.length; + + /* pull the auth structure */ + ndr = ndr_pull_init_blob(&auth_blob, call->mem_ctx); + if (!ndr) { + return False; + } + + status = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + + /* check signature or unseal the packet */ + switch (dce->auth_state.auth_info->auth_level) { + case DCERPC_AUTH_LEVEL_PRIVACY: + status = ntlmssp_unseal_packet(dce->auth_state.ntlmssp_state->ntlmssp_state, + pkt->u.request.stub_and_verifier.data, + pkt->u.request.stub_and_verifier.length, + &auth.credentials); + break; + + case DCERPC_AUTH_LEVEL_INTEGRITY: + status = ntlmssp_check_packet(dce->auth_state.ntlmssp_state->ntlmssp_state, + pkt->u.request.stub_and_verifier.data, + pkt->u.request.stub_and_verifier.length, + &auth.credentials); + break; + + default: + status = NT_STATUS_INVALID_LEVEL; + break; + } + + /* remove the indicated amount of paddiing */ + if (pkt->u.request.stub_and_verifier.length < auth.auth_pad_length) { + return False; + } + pkt->u.request.stub_and_verifier.length -= auth.auth_pad_length; + + return NT_STATUS_IS_OK(status); +} + + +/* + push a signed or sealed dcerpc request packet into a blob +*/ +BOOL dcesrv_auth_response(struct dcesrv_call_state *call, + DATA_BLOB *blob, struct dcerpc_packet *pkt) +{ + 
struct dcesrv_state *dce = call->dce; + NTSTATUS status; + struct ndr_push *ndr; + + /* non-signed packets are simple */ + if (!dce->auth_state.auth_info || !dce->auth_state.ntlmssp_state) { + status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL); + return NT_STATUS_IS_OK(status); + } + + ndr = ndr_push_init_ctx(call->mem_ctx); + if (!ndr) { + return False; + } + + status = ndr_push_dcerpc_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + + /* pad to 8 byte multiple */ + dce->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 8); + ndr_push_zero(ndr, dce->auth_state.auth_info->auth_pad_length); + + /* sign or seal the packet */ + switch (dce->auth_state.auth_info->auth_level) { + case DCERPC_AUTH_LEVEL_PRIVACY: + status = ntlmssp_seal_packet(dce->auth_state.ntlmssp_state->ntlmssp_state, + ndr->data + DCERPC_REQUEST_LENGTH, + ndr->offset - DCERPC_REQUEST_LENGTH, + &dce->auth_state.auth_info->credentials); + break; + + case DCERPC_AUTH_LEVEL_INTEGRITY: + status = ntlmssp_sign_packet(dce->auth_state.ntlmssp_state->ntlmssp_state, + ndr->data + DCERPC_REQUEST_LENGTH, + ndr->offset - DCERPC_REQUEST_LENGTH, + &dce->auth_state.auth_info->credentials); + break; + default: + status = NT_STATUS_INVALID_LEVEL; + break; + } + + if (!NT_STATUS_IS_OK(status)) { + return False; + } + + /* add the auth verifier */ + status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce->auth_state.auth_info); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + + /* extract the whole packet as a blob */ + *blob = ndr_push_blob(ndr); + + /* fill in the fragment length and auth_length, we can't fill + in these earlier as we don't know the signature length (it + could be variable length) */ + SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, blob->length); + SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, dce->auth_state.auth_info->credentials.length); + + data_blob_free(&dce->auth_state.auth_info->credentials); + return True; } -- cgit 
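Review bot: In dcesrv_auth_auth3 the status of `ntlmssp_sign_init()` is assigned inside the final switch and then discarded, so the function returns True even when signing could not be initialised; add `if (!NT_STATUS_IS_OK(status)) return False;` after the switch. In dcesrv_auth_request the `auth_type` and `auth_level` fields of the per-request verifier are parsed into `auth` but never compared with the values accepted at bind time; a mismatch should be rejected before the signature check. The header comment on dcesrv_auth_response says "request packet" although the function pushes the reply, so it should read `push a signed or sealed dcerpc response packet into a blob`.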
From 24c22aef90d8534ee2d016b37b2b302f1367d106 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 16 Dec 2003 09:02:58 +0000 Subject: a fairly large commit! This adds support for bigendian rpc in the client. I have installed SUN pcnetlink locally and am using it to test the samba4 rpc code. This allows us to easily find places where we have stuffed up the types (such as 2 uint16 versus a uint32), as testing both big-endian and little-endian easily shows which is correct. I have now used this to fix several bugs like that in the samba4 IDL. In order to make this work I also had to redefine a GUID as a true structure, not a blob. From the pcnetlink wire it is clear that it is indeed defined as a structure (the byte order changes). This required changing lots of Samba code to use a GUID as a structure. I also had to fix the if_version code in dcerpc syntax IDs, as it turns out they are a single uint32 not two uint16s. The big-endian support is a bit ugly at the moment, and breaks the layering in some places. More work is needed, especially on the server side. (This used to be commit bb1af644a5a7b188290ce36232f255da0e5d66d2) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index f290c741cb..0f4b22ee3d 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -232,7 +232,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, /* non-signed packets are simple */ if (!dce->auth_state.auth_info || !dce->auth_state.ntlmssp_state) { - status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL); + status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL, 0); return NT_STATUS_IS_OK(status); } -- cgit From 7efa19cd2285617dcb39d67a81a821b5119c3748 Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Wed, 17 Dec 2003 02:06:44 +0000 Subject: added a smb.conf flag "rpc big endian" that tells our rpc server to send packets in bigendian format. (This used to be commit 44df662960e662a55a9f27627f838771503a7a59) --- source4/rpc_server/dcesrv_auth.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 0f4b22ee3d..776d394e99 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -184,6 +184,10 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) return False; } + if (!(pkt->drep[0] & DCERPC_DREP_LE)) { + ndr->flags |= LIBNDR_FLAG_BIGENDIAN; + } + status = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth); if (!NT_STATUS_IS_OK(status)) { return False; @@ -232,7 +236,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, /* non-signed packets are simple */ if (!dce->auth_state.auth_info || !dce->auth_state.ntlmssp_state) { - status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL, 0); + status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL); return NT_STATUS_IS_OK(status); } @@ -241,6 +245,10 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, return False; } + if (pkt->drep[0] & DCERPC_DREP_LE) { + ndr->flags |= LIBNDR_FLAG_BIGENDIAN; + } + status = ndr_push_dcerpc_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt); if (!NT_STATUS_IS_OK(status)) { return False; 
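Review bot: The byte-order test added to dcesrv_auth_response (hunk at -241,6) is the inverse of the one added to dcesrv_auth_request in the first hunk: it sets `LIBNDR_FLAG_BIGENDIAN` when `DCERPC_DREP_LE` is set, so on the signed or sealed path a little-endian packet would be pushed big-endian. Unless the reply's `drep` is deliberately encoded the other way round (not visible here), the condition should read `if (!(pkt->drep[0] & DCERPC_DREP_LE)) {`. Because the signature is computed over the pushed bytes, a mismatch would surface only as verification failures on authenticated connections, which unauthenticated tests will not catch. Both functions continue outside their hunks.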
@@ -286,8 +294,8 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, /* fill in the fragment length and auth_length, we can't fill in these earlier as we don't know the signature length (it could be variable length) */ - SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, blob->length); - SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, dce->auth_state.auth_info->credentials.length); + dcerpc_set_frag_length(blob, blob->length); + dcerpc_set_auth_length(blob, dce->auth_state.auth_info->credentials.length); data_blob_free(&dce->auth_state.auth_info->credentials); -- cgit From 7e6cf43756b7643e2f0ee7ada5076f36f3a24bb7 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Thu, 8 Jan 2004 22:55:27 +0000 Subject: This patch adds a better dcerpc server infastructure. 1.) We now register endpoint servers add startup via register_backend() and later use the smb.conf 'dcerpc endpoint servers' parameter to setup the dcesrv_context 2.) each endpoint server can register at context creation time as much interfaces as it wants (multiple interfaces on one endpoint are supported!) (NOTE: there's a difference between 'endpoint server' and 'endpoint'! for details look at rpc_server/dcesrv_server.h) 3.) one endpoint can have a security descriptor registered to it self this will be checked in the future when a client wants to connect to an smb pipe endpoint. 4.) we now have a 'remote' endpoint server, which works like the ntvfs_cifs module it takes this options in the [globals] section: dcerpc remote:interfaces = srvsvc, winreg, w32time, epmapper dcerpc remote:binding = ... dcerpc remote:user = ... dcerpc remote:password = ... 5.) we currently have tree endpoint servers: epmapper, rpcecho and remote the default for the 'dcerpc endpiont servers = epmapper, rpcecho' for testing you can also do dcerpc endpoint servers = rpcecho, remote, epmapper dcerpc remote:interfaces = srvsvc, samr, netlogon 6,) please notice the the epmapper now only returns NO_ENTRIES (but I think we'll find a solution for this too:-) 7.) also there're some other stuff left, but step by step :-) This patch also includes updates for the register_subsystem() , ntvfs_init(), and some other funtions to check for duplicate subsystem registration metze (hmmm, my first large commit...I hope it works as supposed :-) (This used to be commit 917e45dafd5be4c2cd90ff425b8d6f8403122349) --- source4/rpc_server/dcesrv_auth.c | 98 ++++++++++++++++++++-------------------- 1 file changed, 49 insertions(+), 49 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') 
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 776d394e99..a117f08445 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -4,7 +4,7 @@ server side dcerpc authentication code Copyright (C) Andrew Tridgell 2003 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or 
@@ -31,40 +31,40 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) { struct dcerpc_packet *pkt = &call->pkt; - struct dcesrv_state *dce = call->dce; + struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; if (pkt->u.bind.auth_info.length == 0) { - dce->auth_state.auth_info = NULL; + dce_conn->auth_state.auth_info = NULL; return True; } - dce->auth_state.auth_info = talloc_p(dce->mem_ctx, struct dcerpc_auth); - if (!dce->auth_state.auth_info) { + dce_conn->auth_state.auth_info = talloc_p(dce_conn->mem_ctx, struct dcerpc_auth); + if (!dce_conn->auth_state.auth_info) { return False; } status = ndr_pull_struct_blob(&pkt->u.bind.auth_info, call->mem_ctx, - dce->auth_state.auth_info, + dce_conn->auth_state.auth_info, (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); if (!NT_STATUS_IS_OK(status)) { return False; } - if (dce->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { + if (dce_conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { /* only do NTLMSSP for now */ - DEBUG(2,("auth_type %d not supported\n", dce->auth_state.auth_info->auth_type)); + DEBUG(2,("auth_type %d not supported\n", dce_conn->auth_state.auth_info->auth_type)); return False; } - if (dce->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && - dce->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { - DEBUG(2,("auth_level %d not supported\n", dce->auth_state.auth_info->auth_level)); + if (dce_conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && + dce_conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { + DEBUG(2,("auth_level %d not supported\n", dce_conn->auth_state.auth_info->auth_level)); return False; } - status = auth_ntlmssp_start(&dce->auth_state.ntlmssp_state); + status = auth_ntlmssp_start(&dce_conn->auth_state.ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { return False; } 
@@ -77,23 +77,23 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) */ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet *pkt) { - struct dcesrv_state *dce = call->dce; + struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; - if (!call->dce->auth_state.ntlmssp_state) { + if (!call->conn->auth_state.ntlmssp_state) { return True; } - status = auth_ntlmssp_update(dce->auth_state.ntlmssp_state, - dce->auth_state.auth_info->credentials, - &dce->auth_state.auth_info->credentials); + status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, + dce_conn->auth_state.auth_info->credentials, + &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { return False; } - dce->auth_state.auth_info->auth_pad_length = 0; - dce->auth_state.auth_info->auth_reserved = 0; + dce_conn->auth_state.auth_info->auth_pad_length = 0; + dce_conn->auth_state.auth_info->auth_reserved = 0; return True; } 
@@ -105,43 +105,43 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) { struct dcerpc_packet *pkt = &call->pkt; - struct dcesrv_state *dce = call->dce; + struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; - if (!dce->auth_state.auth_info || - !dce->auth_state.ntlmssp_state || + if (!dce_conn->auth_state.auth_info || + !dce_conn->auth_state.ntlmssp_state || pkt->u.auth.auth_info.length == 0) { return False; } status = ndr_pull_struct_blob(&pkt->u.auth.auth_info, call->mem_ctx, - dce->auth_state.auth_info, + dce_conn->auth_state.auth_info, (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); if (!NT_STATUS_IS_OK(status)) { return False; } - if (dce->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { + if (dce_conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { return False; } - if (dce->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && - dce->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { + if (dce_conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && + dce_conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { return False; } - status = auth_ntlmssp_update(dce->auth_state.ntlmssp_state, - dce->auth_state.auth_info->credentials, - &dce->auth_state.auth_info->credentials); + status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, + dce_conn->auth_state.auth_info->credentials, + &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status)) { return False; } - switch (dce->auth_state.auth_info->auth_level) { + switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: case DCERPC_AUTH_LEVEL_INTEGRITY: /* setup for signing */ - status = ntlmssp_sign_init(dce->auth_state.ntlmssp_state->ntlmssp_state); + status = ntlmssp_sign_init(dce_conn->auth_state.ntlmssp_state->ntlmssp_state); break; } 
@@ -155,14 +155,14 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) BOOL dcesrv_auth_request(struct dcesrv_call_state *call) { struct dcerpc_packet *pkt = &call->pkt; - struct dcesrv_state *dce = call->dce; + struct dcesrv_connection *dce_conn = call->conn; DATA_BLOB auth_blob; struct dcerpc_auth auth; struct ndr_pull *ndr; NTSTATUS status; - if (!dce->auth_state.auth_info || - !dce->auth_state.ntlmssp_state) { + if (!dce_conn->auth_state.auth_info || + !dce_conn->auth_state.ntlmssp_state) { return True; } @@ -194,16 +194,16 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) } /* check signature or unseal the packet */ - switch (dce->auth_state.auth_info->auth_level) { + switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: - status = ntlmssp_unseal_packet(dce->auth_state.ntlmssp_state->ntlmssp_state, + status = ntlmssp_unseal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, &auth.credentials); break; case DCERPC_AUTH_LEVEL_INTEGRITY: - status = ntlmssp_check_packet(dce->auth_state.ntlmssp_state->ntlmssp_state, + status = ntlmssp_check_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, &auth.credentials); @@ -230,12 +230,12 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) BOOL dcesrv_auth_response(struct dcesrv_call_state *call, DATA_BLOB *blob, struct dcerpc_packet *pkt) { - struct dcesrv_state *dce = call->dce; + struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; struct ndr_push *ndr; /* non-signed packets are simple */ - if (!dce->auth_state.auth_info || !dce->auth_state.ntlmssp_state) { + if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.ntlmssp_state) { status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL); return NT_STATUS_IS_OK(status); } 
@@ -255,23 +255,23 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, } /* pad to 8 byte multiple */ - dce->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 8); - ndr_push_zero(ndr, dce->auth_state.auth_info->auth_pad_length); + dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 8); + ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length); /* sign or seal the packet */ - switch (dce->auth_state.auth_info->auth_level) { + switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: - status = ntlmssp_seal_packet(dce->auth_state.ntlmssp_state->ntlmssp_state, + status = ntlmssp_seal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, ndr->data + DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH, - &dce->auth_state.auth_info->credentials); + &dce_conn->auth_state.auth_info->credentials); break; case DCERPC_AUTH_LEVEL_INTEGRITY: - status = ntlmssp_sign_packet(dce->auth_state.ntlmssp_state->ntlmssp_state, + status = ntlmssp_sign_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, ndr->data + DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH, - &dce->auth_state.auth_info->credentials); + &dce_conn->auth_state.auth_info->credentials); break; default: status = NT_STATUS_INVALID_LEVEL; @@ -283,7 +283,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, } /* add the auth verifier */ - status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce->auth_state.auth_info); + status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info); if (!NT_STATUS_IS_OK(status)) { return False; } 
@@ -295,9 +295,9 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, in these earlier as we don't know the signature length (it could be variable length) */ dcerpc_set_frag_length(blob, blob->length); - dcerpc_set_auth_length(blob, dce->auth_state.auth_info->credentials.length); + dcerpc_set_auth_length(blob, dce_conn->auth_state.auth_info->credentials.length); - data_blob_free(&dce->auth_state.auth_info->credentials); + data_blob_free(&dce_conn->auth_state.auth_info->credentials); return True; } -- cgit From 5b0ab386cb0fb74d78e6c68abe1b047ab515b7b3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 25 May 2004 14:06:28 +0000 Subject: r874: This patch is a pile of work on NTLMSSP: Samba's NTLMSSP code is now fully talloc based, which should go a long way to cleaning up the memory leaks in this code. This also avoids a lot of extra copies of data, as we now allocate the 'return' blobs on a caller-supplied context. I have also been doing a lot of work towards NTLM2 signing and sealing. I have this working for sealing, but not for the verifier (MD5 integrity check on the stream) which is still incorrect. (I can aim a rpcecho sinkdata from a Win2k3 box to my server, and the data arrives intact, but the signature check fails. It does however match the test values I have...). The new torture test is cludged in - when we get a unit test suite back, I'll happliy put it in the 'right' place.... Andrew Bartlett (This used to be commit 399e2e2b1149b8d1c070aa7f0d5131c0b577d2b9) --- source4/rpc_server/dcesrv_auth.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index a117f08445..48792180c6 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
@@ -66,6 +66,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) status = auth_ntlmssp_start(&dce_conn->auth_state.ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { + DEBUG(2, ("Failed to start NTLMSSP subsystem!\n")); return False; } @@ -85,10 +86,12 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * } status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, + call->mem_ctx, dce_conn->auth_state.auth_info->credentials, &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + DEBUG(2, ("Failed to start NTLMSSP process NTLMSSP negotiate: %s\n", nt_errstr(status))); return False; } @@ -131,20 +134,14 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) } status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, + call->mem_ctx, dce_conn->auth_state.auth_info->credentials, &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status)) { + DEBUG(4, ("User failed to authenticated with NTLMSSP: %s\n", nt_errstr(status))); return False; } - switch (dce_conn->auth_state.auth_info->auth_level) { - case DCERPC_AUTH_LEVEL_PRIVACY: - case DCERPC_AUTH_LEVEL_INTEGRITY: - /* setup for signing */ - status = ntlmssp_sign_init(dce_conn->auth_state.ntlmssp_state->ntlmssp_state); - break; - } - return True; } @@ -197,6 +194,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = ntlmssp_unseal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + call->mem_ctx, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, &auth.credentials); 
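Review bot: In the dcesrv_auth_bind_ack and dcesrv_auth_auth3 hunks (both functions start outside them), `auth_ntlmssp_update()` is now given `call->mem_ctx` while its output is still written to `dce_conn->auth_state.auth_info->credentials`, a struct allocated on `dce_conn->mem_ctx`. If the reply blob is allocated on the supplied context, as the commit message suggests, the connection-level struct holds a pointer that dies with the call. Either clear the blob once the reply has been pushed or document the lifetime at the call site, e.g. `/* credentials is only valid until call->mem_ctx is freed */`. The new auth3 failure message is logged at level 4 while the other failures in this file use level 2; an authentication failure is worth recording at the lower level.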
@@ -204,6 +202,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) case DCERPC_AUTH_LEVEL_INTEGRITY: status = ntlmssp_check_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + call->mem_ctx, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, &auth.credentials); @@ -262,6 +261,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = ntlmssp_seal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + call->mem_ctx, ndr->data + DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH, &dce_conn->auth_state.auth_info->credentials); @@ -269,6 +269,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, case DCERPC_AUTH_LEVEL_INTEGRITY: status = ntlmssp_sign_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + call->mem_ctx, ndr->data + DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH, &dce_conn->auth_state.auth_info->credentials); -- cgit From 8087d844ef59a82617be51f7c887b9bafe362f80 Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Thu, 3 Jun 2004 23:15:16 +0000 Subject: r995: - renamed many of our crypto routines to use the industry standard names rather than our crazy naming scheme. So DES is now called des_crypt() rather than smbhash() - added the code from the solution of the ADS crypto challenge that allows Samba to correctly handle a 128 bit session key in all of the netr_ServerAuthenticateX() varients. A huge thanks to Luke Howard from PADL for solving this one! - restructured the server side rpc authentication to allow for other than NTLMSSP sign and seal. This commit just adds the structure, the next commit will add schannel server side support. - added 128 bit session key support to our client side code, and testing against w2k3 with smbtorture. Works well. (This used to be commit 729b2f41c924a0b435d44a14209e6dacc2304cee) --- source4/rpc_server/dcesrv_auth.c | 95 ++++++++++++++++------------------------ 1 file changed, 37 insertions(+), 58 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 48792180c6..7aa296c245 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -22,7 +22,6 @@ #include "includes.h" - /* parse any auth information from a dcerpc bind request return False if we can't handle the auth request for some 
@@ -52,24 +51,11 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return False; } - if (dce_conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { - /* only do NTLMSSP for now */ - DEBUG(2,("auth_type %d not supported\n", dce_conn->auth_state.auth_info->auth_type)); - return False; - } - - if (dce_conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && - dce_conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { - DEBUG(2,("auth_level %d not supported\n", dce_conn->auth_state.auth_info->auth_level)); - return False; - } - - status = auth_ntlmssp_start(&dce_conn->auth_state.ntlmssp_state); + status = dcesrv_crypto_startup(dce_conn, &dce_conn->auth_state); if (!NT_STATUS_IS_OK(status)) { - DEBUG(2, ("Failed to start NTLMSSP subsystem!\n")); return False; } - + return True; } @@ -81,17 +67,17 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; - if (!call->conn->auth_state.ntlmssp_state) { + if (!call->conn->auth_state.crypto_state) { return True; } - status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, - call->mem_ctx, - dce_conn->auth_state.auth_info->credentials, - &dce_conn->auth_state.auth_info->credentials); + status = dcesrv_crypto_update(&dce_conn->auth_state, + call->mem_ctx, + dce_conn->auth_state.auth_info->credentials, + &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DEBUG(2, ("Failed to start NTLMSSP process NTLMSSP negotiate: %s\n", nt_errstr(status))); + DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status))); return False; } 
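Review bot: dcesrv_auth_bind no longer rejects unsupported `auth_type` or `auth_level` values itself and relies entirely on `dcesrv_crypto_startup()`, whose body is not part of this diff; confirm that it refuses unknown types and any level other than integrity or privacy, otherwise an unsupported bind is only caught later by the `default:` branch in dcesrv_auth_request. The two `DEBUG(2, ...)` messages that named the rejected value were removed with the checks, so a refused bind now leaves no trace at this layer; a line such as `DEBUG(2,("dcesrv_auth_bind: crypto startup failed: %s\n", nt_errstr(status)));` before `return False` would keep that visibility. dcesrv_auth_bind_ack in the next hunk still tests only `crypto_state` before dereferencing `auth_info`. The function starts outside the hunk.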
@@ -103,7 +89,7 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * /* - process the final stage of a NTLMSSP auth request + process the final stage of a auth request */ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) { @@ -112,7 +98,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) NTSTATUS status; if (!dce_conn->auth_state.auth_info || - !dce_conn->auth_state.ntlmssp_state || + !dce_conn->auth_state.crypto_state || pkt->u.auth.auth_info.length == 0) { return False; } @@ -125,20 +111,13 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) return False; } - if (dce_conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_NTLMSSP) { - return False; - } - if (dce_conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && - dce_conn->auth_state.auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { - return False; - } - - status = auth_ntlmssp_update(dce_conn->auth_state.ntlmssp_state, - call->mem_ctx, - dce_conn->auth_state.auth_info->credentials, - &dce_conn->auth_state.auth_info->credentials); + status = dcesrv_crypto_update(&dce_conn->auth_state, + call->mem_ctx, + dce_conn->auth_state.auth_info->credentials, + &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status)) { - DEBUG(4, ("User failed to authenticated with NTLMSSP: %s\n", nt_errstr(status))); + DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n", + nt_errstr(status))); return False; } @@ -159,7 +138,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) NTSTATUS status; if (!dce_conn->auth_state.auth_info || - !dce_conn->auth_state.ntlmssp_state) { + !dce_conn->auth_state.crypto_state) { return True; } 
@@ -193,21 +172,21 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) /* check signature or unseal the packet */ switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: - status = ntlmssp_unseal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, - call->mem_ctx, - pkt->u.request.stub_and_verifier.data, - pkt->u.request.stub_and_verifier.length, - &auth.credentials); - break; - - case DCERPC_AUTH_LEVEL_INTEGRITY: - status = ntlmssp_check_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, + status = dcesrv_crypto_unseal(&dce_conn->auth_state, call->mem_ctx, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, &auth.credentials); break; + case DCERPC_AUTH_LEVEL_INTEGRITY: + status = dcesrv_crypto_check_sig(&dce_conn->auth_state, + call->mem_ctx, + pkt->u.request.stub_and_verifier.data, + pkt->u.request.stub_and_verifier.length, + &auth.credentials); + break; + default: status = NT_STATUS_INVALID_LEVEL; break; @@ -234,7 +213,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, struct ndr_push *ndr; /* non-signed packets are simple */ - if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.ntlmssp_state) { + if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.crypto_state) { status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL); return NT_STATUS_IS_OK(status); } 
@@ -260,19 +239,19 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, /* sign or seal the packet */ switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: - status = ntlmssp_seal_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, - call->mem_ctx, - ndr->data + DCERPC_REQUEST_LENGTH, - ndr->offset - DCERPC_REQUEST_LENGTH, - &dce_conn->auth_state.auth_info->credentials); + status = dcesrv_crypto_seal(&dce_conn->auth_state, + call->mem_ctx, + ndr->data + DCERPC_REQUEST_LENGTH, + ndr->offset - DCERPC_REQUEST_LENGTH, + &dce_conn->auth_state.auth_info->credentials); break; case DCERPC_AUTH_LEVEL_INTEGRITY: - status = ntlmssp_sign_packet(dce_conn->auth_state.ntlmssp_state->ntlmssp_state, - call->mem_ctx, - ndr->data + DCERPC_REQUEST_LENGTH, - ndr->offset - DCERPC_REQUEST_LENGTH, - &dce_conn->auth_state.auth_info->credentials); + status = dcesrv_crypto_sign(&dce_conn->auth_state, + call->mem_ctx, + ndr->data + DCERPC_REQUEST_LENGTH, + ndr->offset - DCERPC_REQUEST_LENGTH, + &dce_conn->auth_state.auth_info->credentials); break; default: status = NT_STATUS_INVALID_LEVEL; -- cgit From 5165fec02e0e489ac63c3cb71bed31dea9fde644 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 4 Jun 2004 09:46:46 +0000 Subject: r1004: continue tridge's work on dcerpc server auth/crypto code I made it much more generic, and we should be able to add a module interface to this code, so that other DCERPC_AUTH types can be added via modules... metze (This used to be commit d09abeb686c43c62322205689273d1b417113004) --- source4/rpc_server/dcesrv_auth.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 7aa296c245..df1a820039 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
@@ -51,11 +51,16 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return False; } - status = dcesrv_crypto_startup(dce_conn, &dce_conn->auth_state); + status = dcesrv_crypto_select_type(dce_conn, &dce_conn->auth_state); if (!NT_STATUS_IS_OK(status)) { return False; } - + + status = dcesrv_crypto_start(&dce_conn->auth_state); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + return True; } @@ -67,7 +72,7 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; - if (!call->conn->auth_state.crypto_state) { + if (!call->conn->auth_state.crypto_ctx.ops) { return True; } @@ -98,7 +103,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) NTSTATUS status; if (!dce_conn->auth_state.auth_info || - !dce_conn->auth_state.crypto_state || + !dce_conn->auth_state.crypto_ctx.ops || pkt->u.auth.auth_info.length == 0) { return False; } @@ -138,7 +143,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) NTSTATUS status; if (!dce_conn->auth_state.auth_info || - !dce_conn->auth_state.crypto_state) { + !dce_conn->auth_state.crypto_ctx.ops) { return True; } @@ -213,7 +218,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, struct ndr_push *ndr; /* non-signed packets are simple */ - if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.crypto_state) { + if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.crypto_ctx.ops) { status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL); return NT_STATUS_IS_OK(status); } -- cgit From 5341ad20e1b8953c9256cd8e04a7e55ba9ef84b5 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 5 Jun 2004 05:01:38 +0000 Subject: r1030: added server side schannel support (This used to be commit 2ac79dfba0e64056a680f21d7dd0c007f79d4a70) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') 
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index df1a820039..6d08cca5fc 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -56,7 +56,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return False; } - status = dcesrv_crypto_start(&dce_conn->auth_state); + status = dcesrv_crypto_start(&dce_conn->auth_state, &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status)) { return False; } -- cgit From 2130a1bbe713f4377aa67361fe38deb9227367a9 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 16 Jun 2004 12:44:15 +0000 Subject: r1168: fixed a little-endian/big-endian mixup in the rpc server code (This used to be commit 9b397356ae1daa7bc1984e196020ea62725f542c) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 6d08cca5fc..26053b47b9 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -228,7 +228,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, return False; } - if (pkt->drep[0] & DCERPC_DREP_LE) { + if (!(pkt->drep[0] & DCERPC_DREP_LE)) { ndr->flags |= LIBNDR_FLAG_BIGENDIAN; } -- cgit From dc9f55dbec5f892b39d924d5fd033b5eec1e14e4 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Tue, 29 Jun 2004 09:40:10 +0000 Subject: r1294: A nice, large, commit... This implements gensec for Samba's server side, and brings gensec up to the standards of a full subsystem. This means that use of the subsystem is by gensec_* functions, not function pointers in structures (this is internal). This causes changes in all the existing gensec users. Our RPC server no longer contains it's own generalised security scheme, and now calls gensec directly. Gensec has also taken over the role of auth/auth_ntlmssp.c An important part of gensec, is the output of the 'session_info' struct. This is now reference counted, so that we can correctly free it when a pipe is closed, no matter if it was inherited, or created by per-pipe authentication. The schannel code is reworked, to be in the same file for client and server. ntlm_auth is reworked to use gensec. The major problem with this code is the way it relies on subsystem auto-initialisation. The primary reason for this commit now.is to allow these problems to be looked at, and fixed. There are problems with the new code: - I've tested it with smbtorture, but currently don't have VMware and valgrind working (this I'll fix soon). - The SPNEGO code is client-only at this point. - We still do not do kerberos. Andrew Bartlett (This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec) --- source4/rpc_server/dcesrv_auth.c | 130 +++++++++++++++++++++++++++------------ 1 file changed, 92 insertions(+), 38 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 26053b47b9..84a5460d68 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
@@ -4,6 +4,7 @@ server side dcerpc authentication code Copyright (C) Andrew Tridgell 2003 + Copyright (C) Stefan (metze) Metzmacher 2004 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -22,6 +23,48 @@ #include "includes.h" +/* + startup the cryptographic side of an authenticated dcerpc server +*/ +NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn, + struct dcesrv_auth *auth) +{ + NTSTATUS status; + if (auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && + auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { + DEBUG(2,("auth_level %d not supported in dcesrv auth\n", + auth->auth_info->auth_level)); + return NT_STATUS_INVALID_PARAMETER; + } + + if (auth->gensec_security != NULL) { + /* TODO: + * this this function should not be called + * twice per dcesrv_connection! + * + * so we need to find out the right + * dcerpc error to return + */ + } + + status = gensec_server_start(&auth->gensec_security); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); + return status; + } + + status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC mech-specific server code (%d): %s\n", + (int)auth->auth_info->auth_type, + nt_errstr(status))); + return status; + } + + return status; +} + /* parse any auth information from a dcerpc bind request return False if we can't handle the auth request for some 
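Review bot: A second bind on the same connection falls through the empty `if (auth->gensec_security != NULL)` block in dcesrv_crypto_select_type and reaches gensec_server_start(), which is handed the address of the pointer that already holds a context. Unless gensec_server_start releases what it is given (not visible here), the first context is lost and the connection's authentication state is replaced mid-session. Until the right DCERPC fault is chosen, returning an error from that block would close the gap, for example `return NT_STATUS_INVALID_PARAMETER;`.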
@@ -56,40 +99,43 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return False; } - status = dcesrv_crypto_start(&dce_conn->auth_state, &dce_conn->auth_state.auth_info->credentials); - if (!NT_STATUS_IS_OK(status)) { - return False; - } - return True; } /* - add any auth information needed in a bind ack + add any auth information needed in a bind ack, and process the authentication + information found in the bind. */ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet *pkt) { struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; - if (!call->conn->auth_state.crypto_ctx.ops) { + if (!call->conn->auth_state.gensec_security) { return True; } - status = dcesrv_crypto_update(&dce_conn->auth_state, - call->mem_ctx, - dce_conn->auth_state.auth_info->credentials, - &dce_conn->auth_state.auth_info->credentials); - if (!NT_STATUS_IS_OK(status) && - !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + status = gensec_update(dce_conn->auth_state.gensec_security, + call->mem_ctx, + dce_conn->auth_state.auth_info->credentials, + &dce_conn->auth_state.auth_info->credentials); + + if (NT_STATUS_IS_OK(status)) { + status = gensec_session_info(dce_conn->auth_state.gensec_security, + &dce_conn->auth_state.session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); + return False; + } + return True; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + dce_conn->auth_state.auth_info->auth_pad_length = 0; + dce_conn->auth_state.auth_info->auth_reserved = 0; + return True; + } else { DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status))); return False; } - - dce_conn->auth_state.auth_info->auth_pad_length = 0; - dce_conn->auth_state.auth_info->auth_reserved = 0; - - return True; } 
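Review bot: When gensec_update() returns NT_STATUS_OK in dcesrv_auth_bind_ack, auth_pad_length and auth_reserved are no longer zeroed; only the NT_STATUS_MORE_PROCESSING_REQUIRED branch does that now, whereas the removed code zeroed them on both success paths. If the bind ack is built from auth_info afterwards (that code is outside the hunk), a mechanism that completes in a single leg would send back whatever the client put in those fields. Moving `dce_conn->auth_state.auth_info->auth_pad_length = 0;` and `dce_conn->auth_state.auth_info->auth_reserved = 0;` ahead of the `if` restores the old behaviour for both branches.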
@@ -103,7 +149,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) NTSTATUS status; if (!dce_conn->auth_state.auth_info || - !dce_conn->auth_state.crypto_ctx.ops || + !dce_conn->auth_state.gensec_security || pkt->u.auth.auth_info.length == 0) { return False; } @@ -116,11 +162,19 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) return False; } - status = dcesrv_crypto_update(&dce_conn->auth_state, - call->mem_ctx, - dce_conn->auth_state.auth_info->credentials, - &dce_conn->auth_state.auth_info->credentials); - if (!NT_STATUS_IS_OK(status)) { + status = gensec_update(dce_conn->auth_state.gensec_security, + call->mem_ctx, + dce_conn->auth_state.auth_info->credentials, + &dce_conn->auth_state.auth_info->credentials); + if (NT_STATUS_IS_OK(status)) { + status = gensec_session_info(dce_conn->auth_state.gensec_security, + &dce_conn->auth_state.session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); + return False; + } + return True; + } else { DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n", nt_errstr(status))); return False; @@ -143,7 +197,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) NTSTATUS status; if (!dce_conn->auth_state.auth_info || - !dce_conn->auth_state.crypto_ctx.ops) { + !dce_conn->auth_state.gensec_security) { return True; } @@ -177,7 +231,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) /* check signature or unseal the packet */ switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: - status = dcesrv_crypto_unseal(&dce_conn->auth_state, + status = gensec_unseal_packet(dce_conn->auth_state.gensec_security, call->mem_ctx, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, 
@@ -185,11 +239,11 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) break; case DCERPC_AUTH_LEVEL_INTEGRITY: - status = dcesrv_crypto_check_sig(&dce_conn->auth_state, - call->mem_ctx, - pkt->u.request.stub_and_verifier.data, - pkt->u.request.stub_and_verifier.length, - &auth.credentials); + status = gensec_check_packet(dce_conn->auth_state.gensec_security, + call->mem_ctx, + pkt->u.request.stub_and_verifier.data, + pkt->u.request.stub_and_verifier.length, + &auth.credentials); break; default: @@ -218,7 +272,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, struct ndr_push *ndr; /* non-signed packets are simple */ - if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.crypto_ctx.ops) { + if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) { status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL); return NT_STATUS_IS_OK(status); } @@ -244,15 +298,15 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, /* sign or seal the packet */ switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: - status = dcesrv_crypto_seal(&dce_conn->auth_state, - call->mem_ctx, - ndr->data + DCERPC_REQUEST_LENGTH, - ndr->offset - DCERPC_REQUEST_LENGTH, - &dce_conn->auth_state.auth_info->credentials); + status = gensec_seal_packet(dce_conn->auth_state.gensec_security, + call->mem_ctx, + ndr->data + DCERPC_REQUEST_LENGTH, + ndr->offset - DCERPC_REQUEST_LENGTH, + &dce_conn->auth_state.auth_info->credentials); break; case DCERPC_AUTH_LEVEL_INTEGRITY: - status = dcesrv_crypto_sign(&dce_conn->auth_state, + status = gensec_sign_packet(dce_conn->auth_state.gensec_security, call->mem_ctx, ndr->data + DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH, -- cgit From fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Wed, 25 Aug 2004 02:25:20 +0000 Subject: r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server. The bug (found by tridge) is that Win2k3 is being tighter about the NTLMSSP flags. If we don't negotiate sealing, we can't use it. We now have a way to indicate to the GENSEC implementation mechanisms what things we want for a connection. Andrew Bartlett (This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c) --- source4/rpc_server/dcesrv_auth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 84a5460d68..85c7916df7 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -53,7 +53,8 @@ NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn, return status; } - status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type); + status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type, + auth->auth_info->auth_level); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC mech-specific server code (%d): %s\n", -- cgit From 30ea54c4ba99bd38198d86d4b28ad6a5c16b7fa3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 11 Sep 2004 12:48:27 +0000 Subject: r2281: Add a few comments. (This used to be commit 7be16e503616d9b339390a253357114c510729d0) --- source4/rpc_server/dcesrv_auth.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 85c7916df7..1197329753 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
@@ -149,6 +149,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; + /* We can't work without an existing gensec state, and an new blob to feed it */ if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security || pkt->u.auth.auth_info.length == 0) { @@ -163,6 +164,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) return False; } + /* Pass the extra data we got from the client down to gensec for processing */ status = gensec_update(dce_conn->auth_state.gensec_security, call->mem_ctx, dce_conn->auth_state.auth_info->credentials, -- cgit From 909c9b681a0718b8701e05addbad08c0aec87113 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 11 Sep 2004 15:11:36 +0000 Subject: r2284: Thanks to some great detective work by tridge, NTLM2 signing now works. This means that 'require NTLMv2 session security' now works for RPC pipe signing. We don't yet have sealing, but it can't be much further. This is almost all tridge's code, munged into a form that can work with the GENSEC API. This commit also includes more lsakey fixes - that key is used for all DCE-RPC level authenticated connections, even over CIFS/ncacn_np. No doubt I missed something, but I'm going to get some sleep :-) Andrew Bartlett (This used to be commit a1fe175eec884280fb7e9ca8f528134cf4600beb) --- source4/rpc_server/dcesrv_auth.c | 58 +++++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 21 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 1197329753..ea029d4d7d 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
@@ -186,11 +186,10 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) return True; } - /* check credentials on a request */ -BOOL dcesrv_auth_request(struct dcesrv_call_state *call) +BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) { struct dcerpc_packet *pkt = &call->pkt; struct dcesrv_connection *dce_conn = call->conn; @@ -238,6 +237,8 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) call->mem_ctx, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, + full_packet->data, + full_packet->length-auth.credentials.length, &auth.credentials); break; @@ -246,6 +247,8 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) call->mem_ctx, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, + full_packet->data, + full_packet->length-auth.credentials.length, &auth.credentials); break; @@ -254,7 +257,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call) break; } - /* remove the indicated amount of paddiing */ + /* remove the indicated amount of padding */ if (pkt->u.request.stub_and_verifier.length < auth.auth_pad_length) { return False; } 
@@ -298,13 +301,35 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 8); ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length); + + dce_conn->auth_state.auth_info->credentials + = data_blob_talloc(call->mem_ctx, NULL, + gensec_sig_size(dce_conn->auth_state.gensec_security)); + + /* add the auth verifier */ + status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + + /* extract the whole packet as a blob */ + *blob = ndr_push_blob(ndr); + + /* fill in the fragment length and auth_length, we can't fill + in these earlier as we don't know the signature length (it + could be variable length) */ + dcerpc_set_frag_length(blob, blob->length); + dcerpc_set_auth_length(blob, dce_conn->auth_state.auth_info->credentials.length); + /* sign or seal the packet */ switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = gensec_seal_packet(dce_conn->auth_state.gensec_security, - call->mem_ctx, - ndr->data + DCERPC_REQUEST_LENGTH, - ndr->offset - DCERPC_REQUEST_LENGTH, + call->mem_ctx, + ndr->data + DCERPC_REQUEST_LENGTH, + ndr->offset - DCERPC_REQUEST_LENGTH, + blob->data, + blob->length - dce_conn->auth_state.auth_info->credentials.length, &dce_conn->auth_state.auth_info->credentials); break; @@ -313,7 +338,10 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, call->mem_ctx, ndr->data + DCERPC_REQUEST_LENGTH, ndr->offset - DCERPC_REQUEST_LENGTH, + blob->data, + blob->length - dce_conn->auth_state.auth_info->credentials.length, &dce_conn->auth_state.auth_info->credentials); + break; default: status = NT_STATUS_INVALID_LEVEL; 
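Review bot: The result of `data_blob_talloc(call->mem_ctx, NULL, gensec_sig_size(...))` is used without a check in dcesrv_auth_response, so an allocation failure would presumably carry on into ndr_push_dcerpc_auth() with an empty credentials blob and an auth_length of 0. A guard right after the assignment would stop that: `if (dce_conn->auth_state.auth_info->credentials.data == NULL) return False;`. If a mechanism can legitimately report a signature size of 0, the test needs to allow for it. The function starts and ends outside this hunk.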
@@ -324,21 +352,9 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, return False; } - /* add the auth verifier */ - status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info); - if (!NT_STATUS_IS_OK(status)) { - return False; - } - - /* extract the whole packet as a blob */ - *blob = ndr_push_blob(ndr); - - /* fill in the fragment length and auth_length, we can't fill - in these earlier as we don't know the signature length (it - could be variable length) */ - dcerpc_set_frag_length(blob, blob->length); - dcerpc_set_auth_length(blob, dce_conn->auth_state.auth_info->credentials.length); - + memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length, + dce_conn->auth_state.auth_info->credentials.data, dce_conn->auth_state.auth_info->credentials.length); + data_blob_free(&dce_conn->auth_state.auth_info->credentials); return True; -- cgit From 15a96c42985c9bb4778a16160290220a935d99bd Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 12 Sep 2004 03:18:24 +0000 Subject: r2290: Fix 'lsakey' for the server-side, it is static for 'authenticated' connections. Fix kerberos session key issues - we need to call the routine for extracting the session key, not just read the cache. Andrew Bartlett (This used to be commit b80d849b6b586869fc7d3d4153db1a316f2867a9) --- source4/rpc_server/dcesrv_auth.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index ea029d4d7d..ace5da992d 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
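Review bot: The memcpy at the end of dcesrv_auth_response positions the signature using the length that gensec_seal_packet() or gensec_sign_packet() left in credentials, while the space in blob and the auth_length field were fixed earlier from gensec_sig_size(). If a mechanism returns a signature of a different length, the copy lands at the wrong offset and the header no longer matches the trailer. Saving the reserved size in a local before the switch and returning False when `credentials.length` differs from it afterwards would make that assumption explicit. Whether any current mechanism can differ is not visible from this page.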
@@ -128,6 +128,9 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); return False; } + + /* Now that we are authenticated, got back to the generic session key... */ + dce_conn->auth_state.session_key = dcesrv_generic_session_key; return True; } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { dce_conn->auth_state.auth_info->auth_pad_length = 0; @@ -176,6 +179,8 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); return False; } + /* Now that we are authenticated, got back to the generic session key... */ + dce_conn->auth_state.session_key = dcesrv_generic_session_key; return True; } else { DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n", -- cgit From 350c12e5c98e13426710c16a2787dd1580e0a060 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 12 Sep 2004 06:04:03 +0000 Subject: r2293: fixed older NTLM sign/seal in the server (This used to be commit d8825b69aca5f4d0edf70945d64b4d1780e121c4) --- source4/rpc_server/dcesrv_auth.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index ace5da992d..20ed496d32 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -281,6 +281,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; struct ndr_push *ndr; + uint32_t payload_length; /* non-signed packets are simple */ if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) { 
@@ -306,6 +307,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 8); ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length); + payload_length = ndr->offset - DCERPC_REQUEST_LENGTH; dce_conn->auth_state.auth_info->credentials = data_blob_talloc(call->mem_ctx, NULL, @@ -332,7 +334,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, status = gensec_seal_packet(dce_conn->auth_state.gensec_security, call->mem_ctx, ndr->data + DCERPC_REQUEST_LENGTH, - ndr->offset - DCERPC_REQUEST_LENGTH, + payload_length, blob->data, blob->length - dce_conn->auth_state.auth_info->credentials.length, &dce_conn->auth_state.auth_info->credentials); @@ -342,7 +344,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, status = gensec_sign_packet(dce_conn->auth_state.gensec_security, call->mem_ctx, ndr->data + DCERPC_REQUEST_LENGTH, - ndr->offset - DCERPC_REQUEST_LENGTH, + payload_length, blob->data, blob->length - dce_conn->auth_state.auth_info->credentials.length, &dce_conn->auth_state.auth_info->credentials); -- cgit From f8f2630c0d65460435598f3b1db5672091df99e7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 12 Sep 2004 06:38:00 +0000 Subject: r2294: this fixes the NTLM2 sign+seal combination. I have now tested: NTLM sign NTLM sign+seal NTLM2 sign NTLM2 sign+seal and all of the above both with and without key exchange the NTLM2 seal case is ugly and involves an extra data copy, which some API changes in gensec or the ndr layer might avoid in future. (This used to be commit fce7a4218b3136d880dd1a123e8525e3091bbed8) --- source4/rpc_server/dcesrv_auth.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 20ed496d32..e2a798c1ae 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
@@ -240,11 +240,14 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) case DCERPC_AUTH_LEVEL_PRIVACY: status = gensec_unseal_packet(dce_conn->auth_state.gensec_security, call->mem_ctx, - pkt->u.request.stub_and_verifier.data, + full_packet->data + DCERPC_REQUEST_LENGTH, pkt->u.request.stub_and_verifier.length, full_packet->data, full_packet->length-auth.credentials.length, &auth.credentials); + memcpy(pkt->u.request.stub_and_verifier.data, + full_packet->data + DCERPC_REQUEST_LENGTH, + pkt->u.request.stub_and_verifier.length); break; case DCERPC_AUTH_LEVEL_INTEGRITY: -- cgit From 642ba4bfeee9951957287647628fa82269a318b1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 25 Sep 2004 07:25:51 +0000 Subject: r2614: support CONNECT level DCE/RPC security in both client and server. CONNECT security uses NTLMSSP, but does not do any signing or sealing (or equivalently, its like signing, but with a zero filled checksum). (This used to be commit f4660857bc708db7f5aa7487bf7ab04bffe68928) --- source4/rpc_server/dcesrv_auth.c | 43 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index e2a798c1ae..bfdf557bdf 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -31,7 +31,8 @@ NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn, { NTSTATUS status; if (auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && - auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { + auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY && + auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_CONNECT) { DEBUG(2,("auth_level %d not supported in dcesrv auth\n", auth->auth_info->auth_level)); return NT_STATUS_INVALID_PARAMETER; 
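Review bot: The memcpy added after gensec_unseal_packet() in the DCERPC_AUTH_LEVEL_PRIVACY arm runs before status is examined, so pkt->u.request.stub_and_verifier is overwritten from full_packet even when unsealing failed. Guarding the copy with `if (NT_STATUS_IS_OK(status))` keeps unverified bytes out of the parsed packet. The arm also assumes the stub starts exactly DCERPC_REQUEST_LENGTH bytes into full_packet and that full_packet holds at least that many bytes plus stub_and_verifier.length; neither is checked in this hunk, so it is worth confirming in the caller. dcesrv_auth_request begins and ends outside the hunk.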
@@ -191,6 +192,34 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) return True; } + +/* + generate a CONNECT level verifier +*/ +static NTSTATUS dcesrv_connect_verifier(TALLOC_CTX *mem_ctx, DATA_BLOB *blob) +{ + *blob = data_blob_talloc(mem_ctx, NULL, 16); + if (blob->data == NULL) { + return NT_STATUS_NO_MEMORY; + } + SIVAL(blob->data, 0, 1); + memset(blob->data+4, 0, 12); + return NT_STATUS_OK; +} + +/* + generate a CONNECT level verifier +*/ +static NTSTATUS dcesrv_check_connect_verifier(DATA_BLOB *blob) +{ + if (blob->length != 16 || + IVAL(blob->data, 0) != 1) { + return NT_STATUS_ACCESS_DENIED; + } + return NT_STATUS_OK; +} + + /* check credentials on a request */ @@ -260,6 +289,10 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) &auth.credentials); break; + case DCERPC_AUTH_LEVEL_CONNECT: + status = dcesrv_check_connect_verifier(&auth.credentials); + break; + default: status = NT_STATUS_INVALID_LEVEL; break; @@ -340,7 +373,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, payload_length, blob->data, blob->length - dce_conn->auth_state.auth_info->credentials.length, - &dce_conn->auth_state.auth_info->credentials); + &dce_conn->auth_state.auth_info->credentials); break; case DCERPC_AUTH_LEVEL_INTEGRITY: @@ -353,6 +386,12 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, &dce_conn->auth_state.auth_info->credentials); break; + + case DCERPC_AUTH_LEVEL_CONNECT: + status = dcesrv_connect_verifier(call->mem_ctx, + &dce_conn->auth_state.auth_info->credentials); + break; + default: status = NT_STATUS_INVALID_LEVEL; break; -- cgit From e3e3e4577bf7d4c8570c23ed994c3f4e49c2b0c3 Mon Sep 17 00:00:00 2001 
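Review bot: The comment above `dcesrv_check_connect_verifier` is a copy of the one on `dcesrv_connect_verifier` and still says "generate"; it should read `/* check a CONNECT level verifier */`. The check compares only the blob length and the first 32-bit word, while the generator also writes twelve zero bytes. Either compare those bytes as well or add a comment that they are deliberately ignored. Both helpers should also document that this verifier is a fixed value and gives no per-packet integrity, so CONNECT level must not be treated as equivalent to INTEGRITY by callers.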
From: Andrew Tridgell Date: Sat, 25 Sep 2004 08:04:54 +0000 Subject: r2615: fixed a bug in the server side support for CONNECT level security (This used to be commit fee98137ad6358195b80c97cd6cc8f82ac53f870) --- source4/rpc_server/dcesrv_auth.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index bfdf557bdf..08af686eff 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -344,10 +344,18 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length); payload_length = ndr->offset - DCERPC_REQUEST_LENGTH; - - dce_conn->auth_state.auth_info->credentials - = data_blob_talloc(call->mem_ctx, NULL, - gensec_sig_size(dce_conn->auth_state.gensec_security)); + + if (dce_conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_CONNECT) { + status = dcesrv_connect_verifier(call->mem_ctx, + &dce_conn->auth_state.auth_info->credentials); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + } else { + dce_conn->auth_state.auth_info->credentials + = data_blob_talloc(call->mem_ctx, NULL, + gensec_sig_size(dce_conn->auth_state.gensec_security)); + } /* add the auth verifier */ status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info); @@ -388,8 +396,6 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, break; case DCERPC_AUTH_LEVEL_CONNECT: - status = dcesrv_connect_verifier(call->mem_ctx, - &dce_conn->auth_state.auth_info->credentials); break; default: -- cgit From d79c7d41da373dea7f95506c178b18f0dd896043 Mon Sep 17 00:00:00 2001 
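Review bot: In the new `else` branch of dcesrv_auth_response the result of `data_blob_talloc()` is used without a check, while the CONNECT branch beside it returns False when its allocation fails. For a non-zero signature size the same handling is appropriate here, for example `if (dce_conn->auth_state.auth_info->credentials.data == NULL) return False;` directly after the assignment. The function body starts and ends outside the hunk, so any later check on `credentials` is not visible and should be ruled out first.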
From: Andrew Tridgell Date: Sat, 25 Sep 2004 11:24:10 +0000 Subject: r2627: use the new talloc capabilities in a bunch more places in the rpc server code. This fixes a number of memory leaks I found when testing with valgrind and smbtorture, as the cascading effect of a talloc_free() ensures that anything derived from the top level object is destroyed on disconnect. (This used to be commit 76d0b8206ce64d6ff4a192979c43dddbec726d6e) --- source4/rpc_server/dcesrv_auth.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 08af686eff..7065b3f259 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -83,13 +83,13 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return True; } - dce_conn->auth_state.auth_info = talloc_p(dce_conn->mem_ctx, struct dcerpc_auth); + dce_conn->auth_state.auth_info = talloc_p(dce_conn, struct dcerpc_auth); if (!dce_conn->auth_state.auth_info) { return False; } status = ndr_pull_struct_blob(&pkt->u.bind.auth_info, - call->mem_ctx, + call, dce_conn->auth_state.auth_info, (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); if (!NT_STATUS_IS_OK(status)) { @@ -118,7 +118,7 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * } status = gensec_update(dce_conn->auth_state.gensec_security, - call->mem_ctx, + call, dce_conn->auth_state.auth_info->credentials, &dce_conn->auth_state.auth_info->credentials); @@ -161,7 +161,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) } status = ndr_pull_struct_blob(&pkt->u.auth.auth_info, - call->mem_ctx, + call, dce_conn->auth_state.auth_info, (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); if (!NT_STATUS_IS_OK(status)) { 
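Review bot: In dcesrv_auth_bind the `auth_info` structure is now a talloc child of `dce_conn`, but the `ndr_pull_struct_blob()` call that fills it passes `call` as the memory context, so the pulled members (presumably including `credentials`) appear to live only as long as the call. If that reading is right, `dce_conn->auth_state.auth_info->credentials` can point at freed memory once the call is destroyed, which matters for any later code path that reads it before overwriting it. Either pull onto `dce_conn->auth_state.auth_info` as the context, or add a comment such as `/* credentials are only valid for the lifetime of this call */` next to the pull. The same pattern is in the dcesrv_auth_auth3 hunk of this commit; both function bodies continue outside their hunks.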
@@ -170,7 +170,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) /* Pass the extra data we got from the client down to gensec for processing */ status = gensec_update(dce_conn->auth_state.gensec_security, - call->mem_ctx, + call, dce_conn->auth_state.auth_info->credentials, &dce_conn->auth_state.auth_info->credentials); if (NT_STATUS_IS_OK(status)) { @@ -250,7 +250,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) pkt->u.request.stub_and_verifier.length -= auth_blob.length; /* pull the auth structure */ - ndr = ndr_pull_init_blob(&auth_blob, call->mem_ctx); + ndr = ndr_pull_init_blob(&auth_blob, call); if (!ndr) { return False; } @@ -261,6 +261,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) status = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth); if (!NT_STATUS_IS_OK(status)) { + talloc_free(ndr); return False; } @@ -268,7 +269,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = gensec_unseal_packet(dce_conn->auth_state.gensec_security, - call->mem_ctx, + call, full_packet->data + DCERPC_REQUEST_LENGTH, pkt->u.request.stub_and_verifier.length, full_packet->data, @@ -281,7 +282,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) case DCERPC_AUTH_LEVEL_INTEGRITY: status = gensec_check_packet(dce_conn->auth_state.gensec_security, - call->mem_ctx, + call, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, full_packet->data, 
@@ -300,9 +301,11 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) /* remove the indicated amount of padding */ if (pkt->u.request.stub_and_verifier.length < auth.auth_pad_length) { + talloc_free(ndr); return False; } pkt->u.request.stub_and_verifier.length -= auth.auth_pad_length; + talloc_free(ndr); return NT_STATUS_IS_OK(status); } @@ -321,11 +324,11 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, /* non-signed packets are simple */ if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) { - status = dcerpc_push_auth(blob, call->mem_ctx, pkt, NULL); + status = dcerpc_push_auth(blob, call, pkt, NULL); return NT_STATUS_IS_OK(status); } - ndr = ndr_push_init_ctx(call->mem_ctx); + ndr = ndr_push_init_ctx(call); if (!ndr) { return False; } @@ -346,14 +349,14 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, payload_length = ndr->offset - DCERPC_REQUEST_LENGTH; if (dce_conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_CONNECT) { - status = dcesrv_connect_verifier(call->mem_ctx, + status = dcesrv_connect_verifier(call, &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status)) { return False; } } else { dce_conn->auth_state.auth_info->credentials - = data_blob_talloc(call->mem_ctx, NULL, + = data_blob_talloc(call, NULL, gensec_sig_size(dce_conn->auth_state.gensec_security)); } @@ -376,7 +379,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = gensec_seal_packet(dce_conn->auth_state.gensec_security, - call->mem_ctx, + call, ndr->data + DCERPC_REQUEST_LENGTH, payload_length, blob->data, @@ -386,7 +389,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, case DCERPC_AUTH_LEVEL_INTEGRITY: status = gensec_sign_packet(dce_conn->auth_state.gensec_security, - call->mem_ctx, + call, ndr->data + DCERPC_REQUEST_LENGTH, payload_length, blob->data, -- cgit 
From c5f4378361b9671e39fa83b043f28c972ab30b70 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 25 Sep 2004 12:08:57 +0000 Subject: r2629: convert gensec to the new talloc model by making our gensec structures a talloc child of the open connection we can be sure that it will be destroyed when the connection is dropped. (This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 7065b3f259..bcf55d221d 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -48,7 +48,7 @@ NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn, */ } - status = gensec_server_start(&auth->gensec_security); + status = gensec_server_start(dce_conn, &auth->gensec_security); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); return status; -- cgit From c051779a0a34a9c40a5425fb1eb821983b8dc852 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 2 Nov 2004 07:42:47 +0000 Subject: r3468: split out dcerpc_server.h (This used to be commit 729e0026e4408f74f140375537d4fe48c1fc3242) --- source4/rpc_server/dcesrv_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index bcf55d221d..a753a7d519 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -22,6 +22,7 @@ */ #include "includes.h" +#include "rpc_server/dcerpc_server.h" /* startup the cryptographic side of an authenticated dcerpc server -- cgit From 37e2570632cd26dc087772254ccd1270b8f82610 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Mon, 6 Dec 2004 17:44:33 +0000 Subject: r4081: use clearer names metze (This used to be commit 5d7d6f02cf1aa731d371c97054480d83d85102cb) --- source4/rpc_server/dcesrv_auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index a753a7d519..f546e8d6e1 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -157,11 +157,11 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) /* We can't work without an existing gensec state, and an new blob to feed it */ if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security || - pkt->u.auth.auth_info.length == 0) { + pkt->u.auth3.auth_info.length == 0) { return False; } - status = ndr_pull_struct_blob(&pkt->u.auth.auth_info, + status = ndr_pull_struct_blob(&pkt->u.auth3.auth_info, call, dce_conn->auth_state.auth_info, (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); -- cgit From 10918b7b707eb922cb2641d4e9416fb334b1f7cb Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 6 Dec 2004 17:48:51 +0000 Subject: r4082: support alter_context requests metze (This used to be commit ab6ec6b5f4e04322eb151b7bf9c530a0dc16bf89) --- source4/rpc_server/dcesrv_auth.c | 71 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index f546e8d6e1..71332b557d 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
@@ -193,6 +193,77 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) return True; } +/* + parse any auth information from a dcerpc alter request + return False if we can't handle the auth request for some + reason (in which case we send a bind_nak (is this true for here?)) +*/ +BOOL dcesrv_auth_alter(struct dcesrv_call_state *call) +{ + struct dcerpc_packet *pkt = &call->pkt; + struct dcesrv_connection *dce_conn = call->conn; + NTSTATUS status; + + /* We can't work without an existing gensec state, and an new blob to feed it */ + if (!dce_conn->auth_state.gensec_security || + pkt->u.alter.auth_info.length == 0) { + return False; + } + + dce_conn->auth_state.auth_info = talloc_p(dce_conn, struct dcerpc_auth); + if (!dce_conn->auth_state.auth_info) { + return False; + } + + status = ndr_pull_struct_blob(&pkt->u.alter.auth_info, + call, + dce_conn->auth_state.auth_info, + (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + + return True; +} + +/* + add any auth information needed in a alter ack, and process the authentication + information found in the alter. +*/ +BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct dcerpc_packet *pkt) +{ + struct dcesrv_connection *dce_conn = call->conn; + NTSTATUS status; + + if (!call->conn->auth_state.gensec_security) { + return False; + } + + status = gensec_update(dce_conn->auth_state.gensec_security, + call, + dce_conn->auth_state.auth_info->credentials, + &dce_conn->auth_state.auth_info->credentials); + + if (NT_STATUS_IS_OK(status)) { + status = gensec_session_info(dce_conn->auth_state.gensec_security, + &dce_conn->auth_state.session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); + return False; + } + + /* Now that we are authenticated, got back to the generic session key... 
*/ + dce_conn->auth_state.session_key = dcesrv_generic_session_key; + return True; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + dce_conn->auth_state.auth_info->auth_pad_length = 0; + dce_conn->auth_state.auth_info->auth_reserved = 0; + return True; + } else { + DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status))); + return True; + } +} /* generate a CONNECT level verifier -- cgit From 34f6485dda4a48e7a70f11e7975c589981d27ca1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 10 Jan 2005 12:39:42 +0000 Subject: r4642: added support for alter_context in the server for adding new interfaces to an existing pipe (This used to be commit b6af57c86829aadc261cd7b79091cef17c15b967) --- source4/rpc_server/dcesrv_auth.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 71332b557d..91b579b9e4 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -204,9 +204,13 @@ BOOL dcesrv_auth_alter(struct dcesrv_call_state *call) struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; - /* We can't work without an existing gensec state, and an new blob to feed it */ - if (!dce_conn->auth_state.gensec_security || - pkt->u.alter.auth_info.length == 0) { + /* on a pure interface change there is no auth blob */ + if (pkt->u.alter.auth_info.length == 0) { + return True; + } + + /* We can't work without an existing gensec state */ + if (!dce_conn->auth_state.gensec_security) { return False; } 
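Review bot: The final `else` branch of the new dcesrv_auth_alter_ack logs "Failed to finish dcesrv auth alter_ack" and then returns True, so a gensec_update() failure is reported to the caller as success; that line should be `return False;`. Separately, dcesrv_auth_alter replaces `dce_conn->auth_state.auth_info` with a structure pulled from the client's alter request without comparing its `auth_type` and `auth_level` to what was negotiated at bind. Other hunks on this page show dcesrv_auth_request and dcesrv_auth_response switching on that `auth_level`, so it looks as if a client could change the protection level of an established connection. Rejecting an alter whose type or level differs from the bound values would close that, and the previous `auth_info` allocation should be freed or reused rather than left on `dce_conn`.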
@@ -235,6 +239,11 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct dcerpc_packet struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; + /* on a pure interface change there is no auth blob */ + if (pkt->u.alter.auth_info.length == 0) { + return True; + } + if (!call->conn->auth_state.gensec_security) { return False; } -- cgit From 5423fd3b354398be5f031cbefb8d0c01f33e0a6a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 11 Jan 2005 01:53:14 +0000 Subject: r4663: fixed SPNEGO auth in the rpc server (This used to be commit 439cbb9ead2443513ecc84f5638924e056ebdc73) --- source4/rpc_server/dcesrv_auth.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 91b579b9e4..62c879408f 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -239,8 +239,9 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct dcerpc_packet struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; - /* on a pure interface change there is no auth blob */ - if (pkt->u.alter.auth_info.length == 0) { + /* on a pure interface change there is no auth_info structure + setup */ + if (!call->conn->auth_state.auth_info) { return True; } @@ -252,7 +253,7 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct dcerpc_packet call, dce_conn->auth_state.auth_info->credentials, &dce_conn->auth_state.auth_info->credentials); - + if (NT_STATUS_IS_OK(status)) { status = gensec_session_info(dce_conn->auth_state.gensec_security, &dce_conn->auth_state.session_info); -- cgit From 759da3b915e2006d4c87b5ace47f399accd9ce91 Mon Sep 17 00:00:00 2001 
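Review bot: The new early return in dcesrv_auth_alter_ack, `if (!call->conn->auth_state.auth_info)`, does not separate "this alter carried no auth blob" from "the connection was authenticated at bind". On an authenticated connection `auth_info` stays set after bind, so a pure interface-change alter appears to fall through to gensec_update() with the `credentials` left over from an earlier call. Recording in dcesrv_auth_alter whether an auth blob was present for this call and testing that here would avoid feeding stale data to gensec. The rest of the function is outside the hunk, so this needs checking against the full body.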
From: Andrew Tridgell Date: Thu, 27 Jan 2005 07:08:20 +0000 Subject: r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for the large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0) --- source4/rpc_server/dcesrv_auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 62c879408f..f1cd916dcb 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -84,7 +84,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return True; } - dce_conn->auth_state.auth_info = talloc_p(dce_conn, struct dcerpc_auth); + dce_conn->auth_state.auth_info = talloc(dce_conn, struct dcerpc_auth); if (!dce_conn->auth_state.auth_info) { return False; } @@ -214,7 +214,7 @@ BOOL dcesrv_auth_alter(struct dcesrv_call_state *call) return False; } - dce_conn->auth_state.auth_info = talloc_p(dce_conn, struct dcerpc_auth); + dce_conn->auth_state.auth_info = talloc(dce_conn, struct dcerpc_auth); if (!dce_conn->auth_state.auth_info) { return False; } -- cgit From 7fe68b16e6ca90d0b10fd9258c5443a23d798415 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 25 Apr 2005 04:06:59 +0000 Subject: r6457: Simply the RPC server code for the choice of GENSEC mech - it's just one function call now, so no need for a wrapper function. Andrew Bartlett (This used to be commit c023f5c5e8c0aec6317e49105b92bc9d186ce11e) --- source4/rpc_server/dcesrv_auth.c | 60 ++++++++++------------------------------ 1 file changed, 14 insertions(+), 46 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index f1cd916dcb..5c098a0b60 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
@@ -24,50 +24,6 @@ #include "includes.h" #include "rpc_server/dcerpc_server.h" -/* - startup the cryptographic side of an authenticated dcerpc server -*/ -NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn, - struct dcesrv_auth *auth) -{ - NTSTATUS status; - if (auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY && - auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY && - auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_CONNECT) { - DEBUG(2,("auth_level %d not supported in dcesrv auth\n", - auth->auth_info->auth_level)); - return NT_STATUS_INVALID_PARAMETER; - } - - if (auth->gensec_security != NULL) { - /* TODO: - * this this function should not be called - * twice per dcesrv_connection! - * - * so we need to find out the right - * dcerpc error to return - */ - } - - status = gensec_server_start(dce_conn, &auth->gensec_security); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); - return status; - } - - status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type, - auth->auth_info->auth_level); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start GENSEC mech-specific server code (%d): %s\n", - (int)auth->auth_info->auth_type, - nt_errstr(status))); - return status; - } - - return status; -} - /* parse any auth information from a dcerpc bind request return False if we can't handle the auth request for some @@ -77,6 +33,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) { struct dcerpc_packet *pkt = &call->pkt; struct dcesrv_connection *dce_conn = call->conn; + struct dcesrv_auth *auth = &dce_conn->auth_state; NTSTATUS status; if (pkt->u.bind.auth_info.length == 0) { 
@@ -97,8 +54,19 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return False; } - status = dcesrv_crypto_select_type(dce_conn, &dce_conn->auth_state); + status = gensec_server_start(dce_conn, &auth->gensec_security); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); + return False; + } + + status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type, + auth->auth_info->auth_level); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC mech-specific server code (%d): %s\n", + (int)auth->auth_info->auth_type, + nt_errstr(status))); return False; } @@ -131,7 +99,7 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * return False; } - /* Now that we are authenticated, got back to the generic session key... */ + /* Now that we are authenticated, go back to the generic session key... */ dce_conn->auth_state.session_key = dcesrv_generic_session_key; return True; } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { -- cgit From 430dc36c1a456607826cedb9610d2a39cb923bd5 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 5 Jun 2005 23:05:37 +0000 Subject: r7312: Add IDL for ncadg packets. (This used to be commit 2009a430b03c685dd65bd573e70d3618f2e0dd0f) --- source4/rpc_server/dcesrv_auth.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 5c098a0b60..e12cccd770 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -31,7 +31,7 @@ */ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) { - struct dcerpc_packet *pkt = &call->pkt; + struct ncacn_packet *pkt = &call->pkt; struct dcesrv_connection *dce_conn = call->conn; struct dcesrv_auth *auth = &dce_conn->auth_state; NTSTATUS status; 
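Review bot: The code inlined into dcesrv_auth_bind drops the explicit `auth_level` allow-list (INTEGRITY, PRIVACY, CONNECT) that the removed dcesrv_crypto_select_type applied before starting gensec. Rejection of other client-supplied levels now depends entirely on `gensec_start_mech_by_authtype()`, whose behaviour is not visible here. Keeping the three-way check ahead of `gensec_server_start()` and returning False for anything else would preserve the earlier fail-closed behaviour. The removed TODO about a second call also still applies: nothing in the hunk tests `auth->gensec_security != NULL` before it is overwritten.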
@@ -77,7 +77,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) add any auth information needed in a bind ack, and process the authentication information found in the bind. */ -BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet *pkt) +BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt) { struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; @@ -118,7 +118,7 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet * */ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) { - struct dcerpc_packet *pkt = &call->pkt; + struct ncacn_packet *pkt = &call->pkt; struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; @@ -168,7 +168,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) */ BOOL dcesrv_auth_alter(struct dcesrv_call_state *call) { - struct dcerpc_packet *pkt = &call->pkt; + struct ncacn_packet *pkt = &call->pkt; struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; @@ -202,7 +202,7 @@ BOOL dcesrv_auth_alter(struct dcesrv_call_state *call) add any auth information needed in a alter ack, and process the authentication information found in the alter. */ -BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct dcerpc_packet *pkt) +BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt) { struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; @@ -275,7 +275,7 @@ static NTSTATUS dcesrv_check_connect_verifier(DATA_BLOB *blob) */ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) { - struct dcerpc_packet *pkt = &call->pkt; + struct ncacn_packet *pkt = &call->pkt; struct dcesrv_connection *dce_conn = call->conn; DATA_BLOB auth_blob; struct dcerpc_auth auth; 
@@ -365,7 +365,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) push a signed or sealed dcerpc request packet into a blob */ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, - DATA_BLOB *blob, struct dcerpc_packet *pkt) + DATA_BLOB *blob, struct ncacn_packet *pkt) { struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; @@ -387,7 +387,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, ndr->flags |= LIBNDR_FLAG_BIGENDIAN; } - status = ndr_push_dcerpc_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt); + status = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt); if (!NT_STATUS_IS_OK(status)) { return False; } -- cgit From fcc74fc060ff6e721c78cde0ace517c3d91325f3 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 5 Jun 2005 23:39:00 +0000 Subject: r7313: Prefix a few functions with ncacn_ rather then dcerpc_ because they are ncacn_ specific (This used to be commit 875cce126878172eedb43b4ecab3970ea9d82e4a) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index e12cccd770..67eda312fd 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -374,7 +374,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, /* non-signed packets are simple */ if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) { - status = dcerpc_push_auth(blob, call, pkt, NULL); + status = ncacn_push_auth(blob, call, pkt, NULL); return NT_STATUS_IS_OK(status); } -- cgit From af237084ecd4f9928c6c282b9c5c73598d5c73d6 Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Thu, 16 Jun 2005 11:36:09 +0000 Subject: r7633: this patch started as an attempt to make the dcerpc code use a given event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch. There were 3 places where I punted: - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that its done, we could go back and use gensec_set_event_context() - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing. - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a callers event context. Jelmer, can you think of a clean way to do that? I also cleaned up a couple of things: - libnet_context_destroy() makes no sense. I removed it. - removed some unused vars in various places (This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 67eda312fd..f8b17701de 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
@@ -54,7 +54,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return False; } - status = gensec_server_start(dce_conn, &auth->gensec_security); + status = gensec_server_start(dce_conn, &auth->gensec_security, call->event_ctx); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); return False; -- cgit From 06348629b921adb6262e0f3d9a9c244568e2a78f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Jul 2005 02:27:18 +0000 Subject: r8109: Try to print out more helpful debug messages on DCERPC server-side gensec failure to start. Andrew Bartlett (This used to be commit bc8f8d2dcfbcf06bb9c49981bc3811b252a4b9b0) --- source4/rpc_server/dcesrv_auth.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index f8b17701de..b8f86fb6df 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -56,7 +56,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) status = gensec_server_start(dce_conn, &auth->gensec_security, call->event_ctx); if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); + DEBUG(1, ("Failed to start GENSEC for DCERPC server: %s\n", nt_errstr(status))); return False; } @@ -64,8 +64,9 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) auth->auth_info->auth_level); if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start GENSEC mech-specific server code (%d): %s\n", + DEBUG(1, ("Failed to start GENSEC mechanism for DCERPC server: auth_type=%d, auth_level=%d: %s\n", (int)auth->auth_info->auth_type, + (int)auth->auth_info->auth_level, nt_errstr(status))); return False; } -- cgit From 6553dd0c60e922f42de347a02c8f792f087c393c Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Thu, 28 Jul 2005 00:27:28 +0000 Subject: r8811: Fix the build.. (This used to be commit fac77f5fa267da57a55e88cad8993897e80741a0) --- source4/rpc_server/dcesrv_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index b8f86fb6df..a48b93a893 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -23,6 +23,7 @@ #include "includes.h" #include "rpc_server/dcerpc_server.h" +#include "librpc/gen_ndr/ndr_dcerpc.h" /* parse any auth information from a dcerpc bind request -- cgit From 115945facab217f0744413c65ae485c07ffb52dc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 22 Aug 2005 22:33:58 +0000 Subject: r9490: Fix typo Andrew Bartlett (This used to be commit 093b98b5b51d21cce9b2fdeab3d4113bfd96da41) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index a48b93a893..c8feec11bd 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -151,7 +151,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); return False; } - /* Now that we are authenticated, got back to the generic session key... */ + /* Now that we are authenticated, go back to the generic session key... */ dce_conn->auth_state.session_key = dcesrv_generic_session_key; return True; } else { -- cgit From 5edbeca14108a9b2c3badafce0b0b3447a8280f6 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sun, 11 Sep 2005 11:19:02 +0000 Subject: r10153: This patch adds a new parameter to gensec_sig_size(), the size of the data to be signed/sealed. We can use this to split the data from the signature portion of the resultant wrapped packet. This required merging the gsskrb5_wrap_size patch from lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no longer use a static 45 byte value). This fixes one of the krb5 issues in my list. Andrew Bartlett (This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104) --- source4/rpc_server/dcesrv_auth.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index c8feec11bd..a2ba709f56 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -394,8 +394,8 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, return False; } - /* pad to 8 byte multiple */ - dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 8); + /* pad to 16 byte multiple, match win2k3 */ + dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 16); ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length); payload_length = ndr->offset - DCERPC_REQUEST_LENGTH; @@ -409,7 +409,8 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, } else { dce_conn->auth_state.auth_info->credentials = data_blob_talloc(call, NULL, - gensec_sig_size(dce_conn->auth_state.gensec_security)); + gensec_sig_size(dce_conn->auth_state.gensec_security, + payload_length)); } /* add the auth verifier */ -- cgit From 372ca26b2052e267711a45c8bf341f55505f3f8f Mon Sep 17 00:00:00 2001 
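Review bot: In the @@ -409,7 +409,8 hunk the blob returned by `data_blob_talloc(call, NULL, gensec_sig_size(..., payload_length))` is stored in `auth_info->credentials` without checking that the allocation produced the requested size. With a NULL source pointer its contents are presumably whatever the allocator returned, and this placeholder is what the following "add the auth verifier" step serialises. Now that the size depends on `payload_length`, I would compare `credentials.length` with the requested size and return False on mismatch. Zeroing the buffer before it is pushed would also help, so that stale heap bytes cannot end up in a packet if the later signing step does not overwrite all of it. dcesrv_auth_response starts and ends outside this hunk, so the overwrite behaviour needs confirming there.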
From: Andrew Bartlett Date: Thu, 20 Oct 2005 03:47:55 +0000 Subject: r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5 authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b) --- source4/rpc_server/dcesrv_auth.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index a2ba709f56..6caef7424d 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -32,6 +32,7 @@ */ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) { + struct cli_credentials *server_credentials; struct ncacn_packet *pkt = &call->pkt; struct dcesrv_connection *dce_conn = call->conn; struct dcesrv_auth *auth = &dce_conn->auth_state; 
@@ -61,6 +62,23 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return False; } + server_credentials + = cli_credentials_init(call); + if (!server_credentials) { + DEBUG(1, ("Failed to init server credentials\n")); + return False; + } + + cli_credentials_set_conf(server_credentials); + status = cli_credentials_set_machine_account(server_credentials); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status))); + talloc_free(server_credentials); + server_credentials = NULL; + } + + gensec_set_credentials(auth->gensec_security, server_credentials); + status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type, auth->auth_info->auth_level); -- cgit From 2cd5ca7d25f12aa9198bf8c2deb6aea282f573ee Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 28 Dec 2005 15:38:36 +0000 Subject: r12542: Move some more prototypes out to seperate headers (This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2) --- source4/rpc_server/dcesrv_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 6caef7424d..d33b123f22 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -24,6 +24,7 @@ #include "includes.h" #include "rpc_server/dcerpc_server.h" #include "librpc/gen_ndr/ndr_dcerpc.h" +#include "auth/gensec/gensec.h" /* parse any auth information from a dcerpc bind request -- cgit From 302cab75c33c1fb3127161a930e63df18c05159c Mon Sep 17 00:00:00 2001 
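Review bot: The result of `gensec_set_credentials(auth->gensec_security, server_credentials);` in the @@ -61,6 +62,23 hunk is ignored, and on the machine-account failure path it is called with `server_credentials` set to NULL, so the bind carries on without server credentials and the only trace is a `DEBUG(10, ...)` message. Checking the call (`status = gensec_set_credentials(...); if (!NT_STATUS_IS_OK(status)) return False;`, assuming it returns NTSTATUS, which is not visible here) and logging the fallback at a level operators normally run would make a misconfigured domain member visible. Separately, `server_credentials` is allocated on `call` while `auth->gensec_security` is created under `dce_conn`. Unless gensec takes its own talloc reference, the credentials are freed with the call while the longer-lived security context still points at them, so a comment stating who owns them, or an explicit parent, is worth adding. dcesrv_auth_bind begins and ends outside the hunk.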
From: Andrew Tridgell Date: Wed, 28 Dec 2005 22:47:22 +0000 Subject: r12554: get rid of the pesky NTLMSSP warnings about being called after processing is finished (This used to be commit ca6ae1afa0a8a105ab09199425f308c9ae85902f) --- source4/rpc_server/dcesrv_auth.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index d33b123f22..a054c5fad9 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -230,7 +230,8 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet * /* on a pure interface change there is no auth_info structure setup */ - if (!call->conn->auth_state.auth_info) { + if (!call->conn->auth_state.auth_info || + dce_conn->auth_state.auth_info->credentials.length == 0) { return True; } @@ -258,10 +259,10 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet * dce_conn->auth_state.auth_info->auth_pad_length = 0; dce_conn->auth_state.auth_info->auth_reserved = 0; return True; - } else { - DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status))); - return True; } + + DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status))); + return False; } /* -- cgit From 7a845bcb0141a895d5685afcef1ffe7f93428d0f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 31 Jul 2006 14:05:08 +0000 Subject: r17341: pass a messaging context to auth_context_create() and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index a054c5fad9..3f848ca381 100644 
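Review bot: The new condition in the @@ -230,7 +230,8 hunk refers to the same state through two spellings, `call->conn->auth_state` and `dce_conn->auth_state`, and the comment above it still describes only the pure-interface-change case. Using one spelling reads more clearly: `if (!dce_conn->auth_state.auth_info || dce_conn->auth_state.auth_info->credentials.length == 0) {`. The comment should also say why an empty credentials field is reported as success rather than as a failed alter, for example `/* ... or there is no auth blob left to process, so gensec must not be called again */`. That reading is inferred from the commit subject and should be confirmed. dcesrv_auth_alter_ack starts before this hunk.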
--- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -57,7 +57,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return False; } - status = gensec_server_start(dce_conn, &auth->gensec_security, call->event_ctx); + status = gensec_server_start(dce_conn, call->event_ctx, call->msg_ctx, &auth->gensec_security); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC for DCERPC server: %s\n", nt_errstr(status))); return False; -- cgit From 3c203ab927b0ec793ec431199526bb218cc6e2bc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 23 Oct 2006 06:08:25 +0000 Subject: r19465: Rather than use the non-standard API for determining the signature length, use the amount the wapped message expanded by. This works, because GSSAPI doesn't do AEAD (signing of headers), and so changing the signature length after the fact is valid. Andrew Bartlett (This used to be commit bd1e0f679c8f2b9755051b8d34114fa127a7cf26) --- source4/rpc_server/dcesrv_auth.c | 54 ++++++++++++++++++++++++++++++++++------ 1 file changed, 46 insertions(+), 8 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 3f848ca381..e6e9bb7fc5 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -393,6 +393,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, NTSTATUS status; struct ndr_push *ndr; uint32_t payload_length; + DATA_BLOB creds2; /* non-signed packets are simple */ if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) { 
@@ -427,14 +428,20 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, return False; } } else { + + /* We hope this length is accruate. If must be if the + * GENSEC mech does AEAD signing of the packet + * headers */ dce_conn->auth_state.auth_info->credentials = data_blob_talloc(call, NULL, gensec_sig_size(dce_conn->auth_state.gensec_security, payload_length)); + data_blob_clear(&dce_conn->auth_state.auth_info->credentials); } /* add the auth verifier */ - status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info); + status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, + dce_conn->auth_state.auth_info); if (!NT_STATUS_IS_OK(status)) { return False; } @@ -446,6 +453,9 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, in these earlier as we don't know the signature length (it could be variable length) */ dcerpc_set_frag_length(blob, blob->length); + + /* We hope this value is accruate. If must be if the GENSEC + * mech does AEAD signing of the packet headers */ dcerpc_set_auth_length(blob, dce_conn->auth_state.auth_info->credentials.length); /* sign or seal the packet */ @@ -457,7 +467,23 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, payload_length, blob->data, blob->length - dce_conn->auth_state.auth_info->credentials.length, - &dce_conn->auth_state.auth_info->credentials); + &creds2); + + if (NT_STATUS_IS_OK(status)) { + status = data_blob_realloc(call, blob, + blob->length - dce_conn->auth_state.auth_info->credentials.length + + creds2.length); + } + + if (NT_STATUS_IS_OK(status)) { + memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length, + creds2.data, creds2.length); + } + + /* If we did AEAD signing of the packet headers, then we hope + * this value didn't change... */ + dcerpc_set_auth_length(blob, creds2.length); + data_blob_free(&creds2); break; case DCERPC_AUTH_LEVEL_INTEGRITY: 
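Review bot: `creds2` is read after the gensec call whether or not that call succeeded: in the @@ -457,7 +467,23 hunk `dcerpc_set_auth_length(blob, creds2.length);` and `data_blob_free(&creds2);` sit outside the `NT_STATUS_IS_OK(status)` checks, and the variable is declared without an initialiser (`DATA_BLOB creds2;` in the @@ -393,6 +393,7 hunk). If the callee fails without writing its output argument, the length written into the header and the pointer handed to the free are indeterminate. Initialising at the declaration, `DATA_BLOB creds2 = data_blob(NULL, 0);`, or moving both calls under the success check, removes the dependency on callee behaviour. The integrity case in the @@ -467,8 +493,23 hunk has the same pattern. dcesrv_auth_response continues outside these hunks.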
@@ -467,8 +493,23 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, payload_length, blob->data, blob->length - dce_conn->auth_state.auth_info->credentials.length, - &dce_conn->auth_state.auth_info->credentials); + &creds2); + if (NT_STATUS_IS_OK(status)) { + status = data_blob_realloc(call, blob, + blob->length - dce_conn->auth_state.auth_info->credentials.length + + creds2.length); + } + if (NT_STATUS_IS_OK(status)) { + memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length, + creds2.data, creds2.length); + } + + /* If we did AEAD signing of the packet headers, then we hope + * this value didn't change... */ + dcerpc_set_auth_length(blob, creds2.length); + + data_blob_free(&creds2); break; case DCERPC_AUTH_LEVEL_CONNECT: @@ -479,14 +520,11 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, break; } + data_blob_free(&dce_conn->auth_state.auth_info->credentials); + if (!NT_STATUS_IS_OK(status)) { return False; } - memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length, - dce_conn->auth_state.auth_info->credentials.data, dce_conn->auth_state.auth_info->credentials.length); - - data_blob_free(&dce_conn->auth_state.auth_info->credentials); - return True; } -- cgit From bb435cbd0313ec0ec6889181223929578603d73d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 28 Oct 2006 04:17:43 +0000 Subject: r19502: fixed the RPC-SECRETS test with kerberos. Andrew, can you look at this as well? The server side change is needed to fix a valgrind error, which was possibly exploitable if the client sent deliberately bad data (This used to be commit e3c04cf165fe15739197b2713e78046399aa7653) --- source4/rpc_server/dcesrv_auth.c | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index e6e9bb7fc5..b73143ce34 100644 
--- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -470,19 +470,14 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, &creds2); if (NT_STATUS_IS_OK(status)) { - status = data_blob_realloc(call, blob, - blob->length - dce_conn->auth_state.auth_info->credentials.length + - creds2.length); - } - - if (NT_STATUS_IS_OK(status)) { - memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length, - creds2.data, creds2.length); + blob->length -= dce_conn->auth_state.auth_info->credentials.length; + status = data_blob_append(call, blob, creds2.data, creds2.length); } /* If we did AEAD signing of the packet headers, then we hope * this value didn't change... */ dcerpc_set_auth_length(blob, creds2.length); + dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length); data_blob_free(&creds2); break; @@ -495,20 +490,14 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, blob->length - dce_conn->auth_state.auth_info->credentials.length, &creds2); if (NT_STATUS_IS_OK(status)) { - status = data_blob_realloc(call, blob, - blob->length - dce_conn->auth_state.auth_info->credentials.length + - creds2.length); - } - - if (NT_STATUS_IS_OK(status)) { - memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length, - creds2.data, creds2.length); + blob->length -= dce_conn->auth_state.auth_info->credentials.length; + status = data_blob_append(call, blob, creds2.data, creds2.length); } /* If we did AEAD signing of the packet headers, then we hope * this value didn't change... */ dcerpc_set_auth_length(blob, creds2.length); - + dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length); data_blob_free(&creds2); break; -- cgit From 13dbee3ffea6065a826f010e50c9b4eb2c6ad109 Mon Sep 17 00:00:00 2001 
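Review bot: The added `dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length);` in both hunks looks as if it counts the signature twice. Judging from the unchanged context of the previous commit, `dcerpc_set_frag_length(blob, blob->length)` has already run on a blob that includes the placeholder credentials, so adding `creds2.length` gives a header that is larger than the real blob by `credentials.length`. Since `blob->length` is correct once `data_blob_append` has succeeded, `dcerpc_set_frag_length(blob, blob->length);` inside the success branch would state the actual size without depending on the earlier value. Both header updates also run when `status` is a failure, using `creds2` that may not have been filled in. The lines between the hunks are not visible here, so the double count should be confirmed against the full function.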
From: Andrew Bartlett Date: Tue, 7 Nov 2006 00:48:36 +0000 Subject: r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9) --- source4/rpc_server/dcesrv_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index b73143ce34..6be90f2ea0 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -24,6 +24,7 @@ #include "includes.h" #include "rpc_server/dcerpc_server.h" #include "librpc/gen_ndr/ndr_dcerpc.h" +#include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" /* -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/rpc_server/dcesrv_auth.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 6be90f2ea0..10405bb56f 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -8,7 +8,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, 
@@ -17,8 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From 85555742b109387f32ecc0e17c6b47681bdf8936 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 17 Aug 2007 05:28:39 +0000 Subject: r24504: Try to return more useful error information on why a bind failed. Note that the correct return for a failed alter_context is a fault, not a bind_nak. Andrew Bartlett (This used to be commit 52cce94532edf1dd7f26e39bf3377f0077ea6792) --- source4/rpc_server/dcesrv_auth.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 10405bb56f..627da844aa 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -98,13 +98,13 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) add any auth information needed in a bind ack, and process the authentication information found in the bind. */ -BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt) +NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt) { struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; if (!call->conn->auth_state.gensec_security) { - return True; + return NT_STATUS_OK; } status = gensec_update(dce_conn->auth_state.gensec_security, 
@@ -117,19 +117,19 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *p &dce_conn->auth_state.session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); - return False; + return status; } /* Now that we are authenticated, go back to the generic session key... */ dce_conn->auth_state.session_key = dcesrv_generic_session_key; - return True; + return NT_STATUS_OK; } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { dce_conn->auth_state.auth_info->auth_pad_length = 0; dce_conn->auth_state.auth_info->auth_reserved = 0; - return True; + return NT_STATUS_OK; } else { DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status))); - return False; + return status; } } @@ -223,7 +223,7 @@ BOOL dcesrv_auth_alter(struct dcesrv_call_state *call) add any auth information needed in a alter ack, and process the authentication information found in the alter. */ -BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt) +NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt) { struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; @@ -232,11 +232,11 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet * setup */ if (!call->conn->auth_state.auth_info || dce_conn->auth_state.auth_info->credentials.length == 0) { - return True; + return NT_STATUS_OK; } if (!call->conn->auth_state.gensec_security) { - return False; + return NT_STATUS_INVALID_PARAMETER; } status = gensec_update(dce_conn->auth_state.gensec_security, 
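Review bot: The failure paths in the @@ -117,19 +117,19 hunk now hand the raw gensec and session-info status back to the caller (`return status;`), and nothing in this file shows how much of that value ends up in the bind_nak or fault sent to a peer that has not authenticated yet. If it is relayed unchanged, different codes for different failure causes let a remote client tell them apart, which is more than a failed bind needs to disclose. A contract comment on dcesrv_auth_bind_ack and dcesrv_auth_alter_ack, such as `/* the returned status is for logging and coarse mapping; do not relay it verbatim to the client */`, would record the intent. The header comments above both functions also still describe only what the functions do and say nothing about the new NTSTATUS return. The callers are outside this diff, so the mapping has to be checked there.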
@@ -249,20 +249,20 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet * &dce_conn->auth_state.session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); - return False; + return status; } /* Now that we are authenticated, got back to the generic session key... */ dce_conn->auth_state.session_key = dcesrv_generic_session_key; - return True; + return NT_STATUS_OK; } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { dce_conn->auth_state.auth_info->auth_pad_length = 0; dce_conn->auth_state.auth_info->auth_reserved = 0; - return True; + return NT_STATUS_OK; } DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status))); - return False; + return status; } /* -- cgit From 0b91f3916430d0271eab867675d44c5439de40c2 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 29 Aug 2007 13:07:03 +0000 Subject: r24780: More work allowing libutil to be used by external users. (This used to be commit 31993cf67b816a184a4a4e92ef8ca2532c797190) --- source4/rpc_server/dcesrv_auth.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 627da844aa..49a4c3de13 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -471,7 +471,10 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, if (NT_STATUS_IS_OK(status)) { blob->length -= dce_conn->auth_state.auth_info->credentials.length; - status = data_blob_append(call, blob, creds2.data, creds2.length); + if (!data_blob_append(call, blob, creds2.data, creds2.length)) + status = NT_STATUS_NO_MEMORY; + else + status = NT_STATUS_OK; } /* If we did AEAD signing of the packet headers, then we hope 
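Review bot: The new `if (!data_blob_append(...)) status = NT_STATUS_NO_MEMORY; else status = NT_STATUS_OK;` in the @@ -471,7 +471,10 hunk is unbraced, unlike the braced conditionals around it, and the `else` arm is redundant because the enclosing block is only entered when `status` is already OK. `if (!data_blob_append(call, blob, creds2.data, creds2.length)) { status = NT_STATUS_NO_MEMORY; }` says the same thing in the surrounding style. `blob->length` has already been reduced on the line above, so after an allocation failure the blob is left truncated. That is only safe if the function returns false without the blob being used, which happens outside the hunk. The @@ -491,7 +494,10 hunk repeats the pattern.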
@@ -491,7 +494,10 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, &creds2); if (NT_STATUS_IS_OK(status)) { blob->length -= dce_conn->auth_state.auth_info->credentials.length; - status = data_blob_append(call, blob, creds2.data, creds2.length); + if (!data_blob_append(call, blob, creds2.data, creds2.length)) + status = NT_STATUS_NO_MEMORY; + else + status = NT_STATUS_OK; } /* If we did AEAD signing of the packet headers, then we hope -- cgit From 37d53832a4623653f706e77985a79d84bd7c6694 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 28 Sep 2007 01:17:46 +0000 Subject: r25398: Parse loadparm context to all lp_*() functions. (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238) --- source4/rpc_server/dcesrv_auth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 49a4c3de13..0843a43761 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -25,6 +25,7 @@ #include "librpc/gen_ndr/ndr_dcerpc.h" #include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" +#include "param/param.h" /* parse any auth information from a dcerpc bind request @@ -70,7 +71,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) return False; } - cli_credentials_set_conf(server_credentials); + cli_credentials_set_conf(server_credentials, global_loadparm); status = cli_credentials_set_machine_account(server_credentials); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status))); -- cgit From 05e7c481465e3065effaf21b43636d6605d7c313 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Sat, 6 Oct 2007 22:25:41 +0000 Subject: r25553: Convert to standard bool type. (This used to be commit b7371f1a191fb86834c0d586d094f39f0b04544b) --- source4/rpc_server/dcesrv_auth.c | 72 ++++++++++++++++++++-------------------- 1 file changed, 36 insertions(+), 36 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 0843a43761..911cfe4799 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -29,10 +29,10 @@ /* parse any auth information from a dcerpc bind request - return False if we can't handle the auth request for some + return false if we can't handle the auth request for some reason (in which case we send a bind_nak) */ -BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) +bool dcesrv_auth_bind(struct dcesrv_call_state *call) { struct cli_credentials *server_credentials; struct ncacn_packet *pkt = &call->pkt; @@ -42,12 +42,12 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) if (pkt->u.bind.auth_info.length == 0) { dce_conn->auth_state.auth_info = NULL; - return True; + return true; } dce_conn->auth_state.auth_info = talloc(dce_conn, struct dcerpc_auth); if (!dce_conn->auth_state.auth_info) { - return False; + return false; } status = ndr_pull_struct_blob(&pkt->u.bind.auth_info, 
@@ -55,20 +55,20 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) dce_conn->auth_state.auth_info, (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); if (!NT_STATUS_IS_OK(status)) { - return False; + return false; } status = gensec_server_start(dce_conn, call->event_ctx, call->msg_ctx, &auth->gensec_security); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC for DCERPC server: %s\n", nt_errstr(status))); - return False; + return false; } server_credentials = cli_credentials_init(call); if (!server_credentials) { DEBUG(1, ("Failed to init server credentials\n")); - return False; + return false; } cli_credentials_set_conf(server_credentials, global_loadparm); @@ -89,10 +89,10 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) (int)auth->auth_info->auth_type, (int)auth->auth_info->auth_level, nt_errstr(status))); - return False; + return false; } - return True; + return true; } /* @@ -138,7 +138,7 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe /* process the final stage of a auth request */ -BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) +bool dcesrv_auth_auth3(struct dcesrv_call_state *call) { struct ncacn_packet *pkt = &call->pkt; struct dcesrv_connection *dce_conn = call->conn; @@ -148,7 +148,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security || pkt->u.auth3.auth_info.length == 0) { - return False; + return false; } status = ndr_pull_struct_blob(&pkt->u.auth3.auth_info, @@ -156,7 +156,7 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) dce_conn->auth_state.auth_info, (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); if (!NT_STATUS_IS_OK(status)) { - return False; + return false; } /* Pass the extra data we got from the client down to gensec for processing */ 
@@ -169,26 +169,26 @@ BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call) &dce_conn->auth_state.session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); - return False; + return false; } /* Now that we are authenticated, go back to the generic session key... */ dce_conn->auth_state.session_key = dcesrv_generic_session_key; - return True; + return true; } else { DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n", nt_errstr(status))); - return False; + return false; } - return True; + return true; } /* parse any auth information from a dcerpc alter request - return False if we can't handle the auth request for some + return false if we can't handle the auth request for some reason (in which case we send a bind_nak (is this true for here?)) */ -BOOL dcesrv_auth_alter(struct dcesrv_call_state *call) +bool dcesrv_auth_alter(struct dcesrv_call_state *call) { struct ncacn_packet *pkt = &call->pkt; struct dcesrv_connection *dce_conn = call->conn; @@ -196,17 +196,17 @@ BOOL dcesrv_auth_alter(struct dcesrv_call_state *call) /* on a pure interface change there is no auth blob */ if (pkt->u.alter.auth_info.length == 0) { - return True; + return true; } /* We can't work without an existing gensec state */ if (!dce_conn->auth_state.gensec_security) { - return False; + return false; } dce_conn->auth_state.auth_info = talloc(dce_conn, struct dcerpc_auth); if (!dce_conn->auth_state.auth_info) { - return False; + return false; } status = ndr_pull_struct_blob(&pkt->u.alter.auth_info, @@ -214,10 +214,10 @@ BOOL dcesrv_auth_alter(struct dcesrv_call_state *call) dce_conn->auth_state.auth_info, (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); if (!NT_STATUS_IS_OK(status)) { - return False; + return false; } - return True; + return true; } /* 
@@ -296,7 +296,7 @@ static NTSTATUS dcesrv_check_connect_verifier(DATA_BLOB *blob) /* check credentials on a request */ -BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) +bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) { struct ncacn_packet *pkt = &call->pkt; struct dcesrv_connection *dce_conn = call->conn; @@ -307,14 +307,14 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) { - return True; + return true; } auth_blob.length = 8 + pkt->auth_length; /* check for a valid length */ if (pkt->u.request.stub_and_verifier.length < auth_blob.length) { - return False; + return false; } auth_blob.data = @@ -325,7 +325,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) /* pull the auth structure */ ndr = ndr_pull_init_blob(&auth_blob, call); if (!ndr) { - return False; + return false; } if (!(pkt->drep[0] & DCERPC_DREP_LE)) { @@ -335,7 +335,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) status = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth); if (!NT_STATUS_IS_OK(status)) { talloc_free(ndr); - return False; + return false; } /* check signature or unseal the packet */ @@ -375,7 +375,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) /* remove the indicated amount of padding */ if (pkt->u.request.stub_and_verifier.length < auth.auth_pad_length) { talloc_free(ndr); - return False; + return false; } pkt->u.request.stub_and_verifier.length -= auth.auth_pad_length; talloc_free(ndr); 
@@ -387,7 +387,7 @@ BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) /* push a signed or sealed dcerpc request packet into a blob */ -BOOL dcesrv_auth_response(struct dcesrv_call_state *call, +bool dcesrv_auth_response(struct dcesrv_call_state *call, DATA_BLOB *blob, struct ncacn_packet *pkt) { struct dcesrv_connection *dce_conn = call->conn; @@ -404,7 +404,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, ndr = ndr_push_init_ctx(call); if (!ndr) { - return False; + return false; } if (!(pkt->drep[0] & DCERPC_DREP_LE)) { @@ -413,7 +413,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, status = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt); if (!NT_STATUS_IS_OK(status)) { - return False; + return false; } /* pad to 16 byte multiple, match win2k3 */ @@ -426,7 +426,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, status = dcesrv_connect_verifier(call, &dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status)) { - return False; + return false; } } else { @@ -444,7 +444,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info); if (!NT_STATUS_IS_OK(status)) { - return False; + return false; } /* extract the whole packet as a blob */ @@ -519,8 +519,8 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call, data_blob_free(&dce_conn->auth_state.auth_info->credentials); if (!NT_STATUS_IS_OK(status)) { - return False; + return false; } - return True; + return true; } -- cgit From 529763a9aa192a6785ba878aceeb1683c2510913 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Fri, 9 Nov 2007 19:24:51 +0100 Subject: r25920: ndr: change NTSTAUS into enum ndr_err_code (samba4 callers) lib/messaging/ lib/registry/ lib/ldb-samba/ librpc/rpc/ auth/auth_winbind.c auth/gensec/ auth/kerberos/ dsdb/repl/ dsdb/samdb/ dsdb/schema/ torture/ cluster/ctdb/ kdc/ ntvfs/ipc/ torture/rap/ ntvfs/ utils/getntacl.c ntptr/ smb_server/ libcli/wrepl/ wrepl_server/ libcli/cldap/ libcli/dgram/ libcli/ldap/ libcli/raw/ libcli/nbt/ libnet/ winbind/ rpc_server/ metze (This used to be commit 6223c7fddc972687eb577e04fc1c8e0604c35435) --- source4/rpc_server/dcesrv_auth.c | 48 ++++++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 22 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 911cfe4799..0ce55dd069 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -39,6 +39,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) struct dcesrv_connection *dce_conn = call->conn; struct dcesrv_auth *auth = &dce_conn->auth_state; NTSTATUS status; + enum ndr_err_code ndr_err; if (pkt->u.bind.auth_info.length == 0) { dce_conn->auth_state.auth_info = NULL; @@ -50,11 +51,11 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) return false; } - status = ndr_pull_struct_blob(&pkt->u.bind.auth_info, - call, - dce_conn->auth_state.auth_info, - (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); - if (!NT_STATUS_IS_OK(status)) { + ndr_err = ndr_pull_struct_blob(&pkt->u.bind.auth_info, + call, + dce_conn->auth_state.auth_info, + (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return false; } 
@@ -143,6 +144,7 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call) struct ncacn_packet *pkt = &call->pkt; struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; + enum ndr_err_code ndr_err; /* We can't work without an existing gensec state, and an new blob to feed it */ if (!dce_conn->auth_state.auth_info || @@ -151,11 +153,11 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call) return false; } - status = ndr_pull_struct_blob(&pkt->u.auth3.auth_info, - call, - dce_conn->auth_state.auth_info, - (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); - if (!NT_STATUS_IS_OK(status)) { + ndr_err = ndr_pull_struct_blob(&pkt->u.auth3.auth_info, + call, + dce_conn->auth_state.auth_info, + (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return false; } @@ -192,7 +194,7 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call) { struct ncacn_packet *pkt = &call->pkt; struct dcesrv_connection *dce_conn = call->conn; - NTSTATUS status; + enum ndr_err_code ndr_err; /* on a pure interface change there is no auth blob */ if (pkt->u.alter.auth_info.length == 0) { @@ -209,11 +211,11 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call) return false; } - status = ndr_pull_struct_blob(&pkt->u.alter.auth_info, - call, - dce_conn->auth_state.auth_info, - (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); - if (!NT_STATUS_IS_OK(status)) { + ndr_err = ndr_pull_struct_blob(&pkt->u.alter.auth_info, + call, + dce_conn->auth_state.auth_info, + (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return false; } @@ -304,6 +306,7 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) struct dcerpc_auth auth; struct ndr_pull *ndr; NTSTATUS status; + enum ndr_err_code ndr_err; if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) { 
@@ -332,8 +335,8 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) ndr->flags |= LIBNDR_FLAG_BIGENDIAN; } - status = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth); - if (!NT_STATUS_IS_OK(status)) { + ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { talloc_free(ndr); return false; } @@ -392,6 +395,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, { struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; + enum ndr_err_code ndr_err; struct ndr_push *ndr; uint32_t payload_length; DATA_BLOB creds2; @@ -411,8 +415,8 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, ndr->flags |= LIBNDR_FLAG_BIGENDIAN; } - status = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt); - if (!NT_STATUS_IS_OK(status)) { + ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return false; } @@ -441,9 +445,9 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, } /* add the auth verifier */ - status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, + ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info); - if (!NT_STATUS_IS_OK(status)) { + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return false; } -- cgit From ecea5ce24553989103d4a06296b24f4d29f30a36 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 3 Dec 2007 17:41:50 +0100 Subject: r26260: Store loadparm context in gensec context. (This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 0ce55dd069..4656b1d49c 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
@@ -59,7 +59,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) return false; } - status = gensec_server_start(dce_conn, call->event_ctx, call->msg_ctx, &auth->gensec_security); + status = gensec_server_start(dce_conn, call->event_ctx, global_loadparm, call->msg_ctx, &auth->gensec_security); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC for DCERPC server: %s\n", nt_errstr(status))); return false; -- cgit From 57f20ccd242e45ff91850341594aa040d113c19e Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 4 Dec 2007 20:05:00 +0100 Subject: r26296: Store loadparm context in DCE/RPC server context. (This used to be commit fc1f4d2d65d4c983cba5421e7ffb64dd75482860) --- source4/rpc_server/dcesrv_auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 4656b1d49c..fa724a0726 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -59,7 +59,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) return false; } - status = gensec_server_start(dce_conn, call->event_ctx, global_loadparm, call->msg_ctx, &auth->gensec_security); + status = gensec_server_start(dce_conn, call->event_ctx, call->conn->dce_ctx->lp_ctx, call->msg_ctx, &auth->gensec_security); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC for DCERPC server: %s\n", nt_errstr(status))); return false; @@ -72,7 +72,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) return false; } - cli_credentials_set_conf(server_credentials, global_loadparm); + cli_credentials_set_conf(server_credentials, call->conn->dce_ctx->lp_ctx); status = cli_credentials_set_machine_account(server_credentials); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status))); -- cgit 
From a2cea02584256e2cf59da5420e8e080e70c66939 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 13 Dec 2007 22:46:17 +0100 Subject: r26430: require explicit specification of loadparm context. (This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index fa724a0726..319dc0788a 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -73,7 +73,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) } cli_credentials_set_conf(server_credentials, call->conn->dce_ctx->lp_ctx); - status = cli_credentials_set_machine_account(server_credentials); + status = cli_credentials_set_machine_account(server_credentials, call->conn->dce_ctx->lp_ctx); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status))); talloc_free(server_credentials); -- cgit From 61873ce94c172c801a4831de5550a8e0fe54c5f5 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 13 Dec 2007 22:46:23 +0100 Subject: r26431: Require ndr_push creators to specify a iconv_convenience context. (This used to be commit 7352206f4450fdf881b95bda064cedd9d2477e4c) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 319dc0788a..b7c0e2a833 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -406,7 +406,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, return NT_STATUS_IS_OK(status); } - ndr = ndr_push_init_ctx(call); + ndr = ndr_push_init_ctx(call, lp_iconv_convenience(global_loadparm)); if (!ndr) { return false; } -- cgit 
From d1e716cf4331bf09cfe15a6634bc5887aff81d20 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 13 Dec 2007 22:46:27 +0100 Subject: r26432: Require ndr_pull users to specify iconv_convenience. (This used to be commit 28b1d36551b75241c1cf9fca5d74f45a6dc884ab) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index b7c0e2a833..b32481a1b7 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -326,7 +326,7 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) pkt->u.request.stub_and_verifier.length -= auth_blob.length; /* pull the auth structure */ - ndr = ndr_pull_init_blob(&auth_blob, call); + ndr = ndr_pull_init_blob(&auth_blob, call, lp_iconv_convenience(call->conn->dce_ctx->lp_ctx)); if (!ndr) { return false; } -- cgit From e31abef15f7696cf39e9e81307f153da93568e02 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 13 Dec 2007 22:46:55 +0100 Subject: r26440: Remove more uses of global_loadparm. (This used to be commit 8858cf39722f192865e531164c72039fd18d7a8d) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index b32481a1b7..aa37de2826 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -406,7 +406,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, return NT_STATUS_IS_OK(status); } - ndr = ndr_push_init_ctx(call, lp_iconv_convenience(global_loadparm)); + ndr = ndr_push_init_ctx(call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx)); if (!ndr) { return false; } -- cgit From 7d5f0e0893d42b56145a3ffa34e3b4b9906cbd91 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Tue, 1 Jan 2008 22:05:13 -0600 Subject: r26639: librpc: Pass iconv convenience on from RPC connection to NDR library, so it can be overridden by OpenChange. (This used to be commit 2f29f80e07adef1f020173f2cd6d947d0ef505ce) --- source4/rpc_server/dcesrv_auth.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index aa37de2826..dce775591b 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -52,7 +52,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) } ndr_err = ndr_pull_struct_blob(&pkt->u.bind.auth_info, - call, + call, NULL, dce_conn->auth_state.auth_info, (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { @@ -154,7 +154,7 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call) } ndr_err = ndr_pull_struct_blob(&pkt->u.auth3.auth_info, - call, + call, NULL, dce_conn->auth_state.auth_info, (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { @@ -212,7 +212,7 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call) } ndr_err = ndr_pull_struct_blob(&pkt->u.alter.auth_info, - call, + call, NULL, dce_conn->auth_state.auth_info, (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- cgit From 10169a203019445e6d325a5c1559de3c73782237 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 21 Feb 2008 17:54:24 +0100 Subject: Remove more global_loadparm instance.s (This used to be commit a1280252ce924df69d911e597b7f65d8038abef9) --- source4/rpc_server/dcesrv_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index dce775591b..75b13bb824 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
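Review bot: The `ndr_pull_struct_blob` calls in dcesrv_auth_bind, dcesrv_auth_auth3 and dcesrv_auth_alter pass a bare `NULL` for the new argument, although the commit subject says the iconv convenience is passed on from the RPC connection. If that is deliberate because the dcerpc_auth trailer is presumed to hold no character data, say so at each call with `/* dcerpc_auth carries no strings, no iconv context needed */`. Otherwise pass `lp_iconv_convenience(call->conn->dce_ctx->lp_ctx)`, as the `ndr_pull_init_blob` call in dcesrv_auth_request already does. All three functions start and end outside their hunks.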
@@ -402,7 +402,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, /* non-signed packets are simple */ if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) { - status = ncacn_push_auth(blob, call, pkt, NULL); + status = ncacn_push_auth(blob, call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx), pkt, NULL); return NT_STATUS_IS_OK(status); } -- cgit From afe3e8172ddaa5e4aa811faceecda4f943d6e2ef Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 2 Apr 2008 04:53:27 +0200 Subject: Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343) --- source4/rpc_server/dcesrv_auth.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 75b13bb824..1d89441170 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -22,6 +22,8 @@ #include "includes.h" #include "rpc_server/dcerpc_server.h" +#include "rpc_server/dcerpc_server_proto.h" +#include "librpc/rpc/dcerpc_proto.h" #include "librpc/gen_ndr/ndr_dcerpc.h" #include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" -- cgit From 746d3c8ff9ce9b1ff55fa7953d29802714866c72 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 6 Aug 2008 22:28:04 +0200 Subject: rpc_server: add support for DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN you need "dcesrv:header signing=yes" to enable it. metze (This used to be commit bde2496e6b7034c99243b22434a97aebeb8f75b9) --- source4/rpc_server/dcesrv_auth.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 1d89441170..64f42eea25 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c 
@@ -124,6 +124,11 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe return status; } + if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) { + gensec_want_feature(dce_conn->auth_state.gensec_security, + GENSEC_FEATURE_SIGN_PKT_HEADER); + } + /* Now that we are authenticated, go back to the generic session key... */ dce_conn->auth_state.session_key = dcesrv_generic_session_key; return NT_STATUS_OK; -- cgit From 97f59cb1902eec0fba610da6c13d7089ea7d7576 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 11 Aug 2008 18:12:54 +0200 Subject: rpc_server: correct the chunk_size depending on the signature size metze (This used to be commit 20fc0d7bfdaa60d6a8ac939dc64733a91652587e) --- source4/rpc_server/dcesrv_auth.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 64f42eea25..0aad3775d0 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -398,7 +398,8 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) push a signed or sealed dcerpc request packet into a blob */ bool dcesrv_auth_response(struct dcesrv_call_state *call, - DATA_BLOB *blob, struct ncacn_packet *pkt) + DATA_BLOB *blob, size_t sig_size, + struct ncacn_packet *pkt) { struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; @@ -445,9 +446,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, * GENSEC mech does AEAD signing of the packet * headers */ dce_conn->auth_state.auth_info->credentials - = data_blob_talloc(call, NULL, - gensec_sig_size(dce_conn->auth_state.gensec_security, - payload_length)); + = data_blob_talloc(call, NULL, sig_size); data_blob_clear(&dce_conn->auth_state.auth_info->credentials); } -- cgit From de53ddee89a5068db3083e922b3e9652f261b239 Mon Sep 17 00:00:00 2001 
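Review bot: The new `sig_size` parameter of dcesrv_auth_response is undocumented, and the comment above the signature still only says it pushes a signed or sealed "request" packet into a blob. In the @@ -445 hunk the placeholder credentials are now sized by this caller-supplied value instead of by `gensec_sig_size()` on the locally computed `payload_length`. The function comment should therefore state the contract, for example `sig_size: signature length the caller reserved for this fragment; must equal what the GENSEC mechanism produces for it`. The surviving comment already warns that this length must be accurate when the mechanism signs the packet headers, and that caveat now applies to the caller's value. The function body continues outside both hunks.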
From: Stefan Metzmacher Date: Sat, 13 Sep 2008 10:22:39 +0200 Subject: rpc_server: correctly calculate the auth padding metze (This used to be commit e82468a8f538aa0cf6d477fb54cc0178c0d64574) --- source4/rpc_server/dcesrv_auth.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 0aad3775d0..3a7f2420b3 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -429,10 +429,15 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, } /* pad to 16 byte multiple, match win2k3 */ - dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 16); - ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length); + dce_conn->auth_state.auth_info->auth_pad_length = + (16 - (pkt->u.response.stub_and_verifier.length & 15)) & 15; + ndr_err = ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return false; + } - payload_length = ndr->offset - DCERPC_REQUEST_LENGTH; + payload_length = pkt->u.response.stub_and_verifier.length + + dce_conn->auth_state.auth_info->auth_pad_length; if (dce_conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_CONNECT) { status = dcesrv_connect_verifier(call, -- cgit From 9a222474bb891e0b1839ecad009e5d0420d4b308 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 12 Sep 2008 15:47:02 +0200 Subject: rpc_server: don't send auth trailers in level connect Also ignore auth trailers in level connect on receive. This fixes [krb5,connect] against windows. TODO: maybe the gensec mech need to decide if signatures are needed in level connect. metze (This used to be commit 2e3629719790e7631d9de383b565dc8a0997bcfb) --- source4/rpc_server/dcesrv_auth.c | 158 ++++++++++++++++++--------------------- 1 file changed, 73 insertions(+), 85 deletions(-) (limited to 'source4/rpc_server/dcesrv_auth.c') 
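Review bot: The padding and `payload_length` are now derived from `pkt->u.response.stub_and_verifier.length`, which is only meaningful when `pkt` is a response PDU, yet the function takes a generic `struct ncacn_packet *` and nothing in the hunk checks the packet type. The old `ndr->offset - DCERPC_REQUEST_LENGTH` was computed from the bytes actually pushed, so it could not disagree with the buffer that is signed later. Either guard the computation with `if (pkt->ptype != DCERPC_PKT_RESPONSE) { return false; }` or document the restriction in the function comment. dcesrv_auth_response starts and ends outside this hunk, so confirm that its callers only pass responses.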
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 3a7f2420b3..16bf4eb7ed 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -275,33 +275,6 @@ NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_pack return status; } -/* - generate a CONNECT level verifier -*/ -static NTSTATUS dcesrv_connect_verifier(TALLOC_CTX *mem_ctx, DATA_BLOB *blob) -{ - *blob = data_blob_talloc(mem_ctx, NULL, 16); - if (blob->data == NULL) { - return NT_STATUS_NO_MEMORY; - } - SIVAL(blob->data, 0, 1); - memset(blob->data+4, 0, 12); - return NT_STATUS_OK; -} - -/* - generate a CONNECT level verifier -*/ -static NTSTATUS dcesrv_check_connect_verifier(DATA_BLOB *blob) -{ - if (blob->length != 16 || - IVAL(blob->data, 0) != 1) { - return NT_STATUS_ACCESS_DENIED; - } - return NT_STATUS_OK; -} - - /* check credentials on a request */ @@ -320,6 +293,26 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) return true; } + switch (dce_conn->auth_state.auth_info->auth_level) { + case DCERPC_AUTH_LEVEL_PRIVACY: + case DCERPC_AUTH_LEVEL_INTEGRITY: + break; + + case DCERPC_AUTH_LEVEL_CONNECT: + if (pkt->auth_length != 0) { + break; + } + return true; + case DCERPC_AUTH_LEVEL_NONE: + if (pkt->auth_length != 0) { + return false; + } + return true; + + default: + return false; + } + auth_blob.length = 8 + pkt->auth_length; /* check for a valid length */ @@ -374,7 +367,8 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) break; case DCERPC_AUTH_LEVEL_CONNECT: - status = dcesrv_check_connect_verifier(&auth.credentials); + /* for now we ignore possible signatures here */ + status = NT_STATUS_OK; break; default: 
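Review bot: At DCERPC_AUTH_LEVEL_CONNECT a request that carries an auth trailer is parsed and then accepted unconditionally (`status = NT_STATUS_OK` in the @@ -374 hunk), so at that level the trailer gives no integrity guarantee for the PDU. The one-line "for now we ignore possible signatures here" comment should say that explicitly. In addition, nothing in the visible hunks compares the pulled `auth.auth_level` with the level stored at bind time. A check after the pull such as `if (auth.auth_level != dce_conn->auth_state.auth_info->auth_level) { talloc_free(ndr); return false; }` would reject a trailer that claims a different level. The pull itself and the rest of dcesrv_auth_request lie outside these hunks, so confirm that no such comparison already exists there.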
@@ -409,9 +403,30 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, DATA_BLOB creds2; /* non-signed packets are simple */ - if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) { + if (sig_size == 0) { + status = ncacn_push_auth(blob, call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx), pkt, NULL); + return NT_STATUS_IS_OK(status); + } + + switch (dce_conn->auth_state.auth_info->auth_level) { + case DCERPC_AUTH_LEVEL_PRIVACY: + case DCERPC_AUTH_LEVEL_INTEGRITY: + break; + + case DCERPC_AUTH_LEVEL_CONNECT: + /* + * TODO: let the gensec mech decide if it wants to generate a signature + * that might be needed for schannel... + */ status = ncacn_push_auth(blob, call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx), pkt, NULL); return NT_STATUS_IS_OK(status); + + case DCERPC_AUTH_LEVEL_NONE: + status = ncacn_push_auth(blob, call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx), pkt, NULL); + return NT_STATUS_IS_OK(status); + + default: + return false; } ndr = ndr_push_init_ctx(call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx)); 
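Review bot: Replacing the `!auth_info || !gensec_security` test with `sig_size == 0` leaves the new `switch (dce_conn->auth_state.auth_info->auth_level)` dereferencing `auth_info` with no NULL check. The function then depends on every caller passing 0 whenever the connection has no auth state. Keep the pointer guard after the `sig_size == 0` branch, `if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) { return false; }`, so a mismatch fails the response instead of crashing the RPC server. The CONNECT and NONE cases also repeat the same `ncacn_push_auth` call and could share one case body, with the TODO kept as a comment. The function starts and ends outside this hunk.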
@@ -439,21 +454,8 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, payload_length = pkt->u.response.stub_and_verifier.length + dce_conn->auth_state.auth_info->auth_pad_length; - if (dce_conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_CONNECT) { - status = dcesrv_connect_verifier(call, - &dce_conn->auth_state.auth_info->credentials); - if (!NT_STATUS_IS_OK(status)) { - return false; - } - } else { - - /* We hope this length is accruate. If must be if the - * GENSEC mech does AEAD signing of the packet - * headers */ - dce_conn->auth_state.auth_info->credentials - = data_blob_talloc(call, NULL, sig_size); - data_blob_clear(&dce_conn->auth_state.auth_info->credentials); - } + /* we start without signature, it will appended later */ + dce_conn->auth_state.auth_info->credentials = data_blob(NULL, 0); /* add the auth verifier */ ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, @@ -465,14 +467,14 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, /* extract the whole packet as a blob */ *blob = ndr_push_blob(ndr); - /* fill in the fragment length and auth_length, we can't fill - in these earlier as we don't know the signature length (it - could be variable length) */ - dcerpc_set_frag_length(blob, blob->length); - - /* We hope this value is accruate. If must be if the GENSEC - * mech does AEAD signing of the packet headers */ - dcerpc_set_auth_length(blob, dce_conn->auth_state.auth_info->credentials.length); + /* + * Setup the frag and auth length in the packet buffer. + * This is needed if the GENSEC mech does AEAD signing + * of the packet headers. The signature itself will be + * appended later. + */ + dcerpc_set_frag_length(blob, blob->length + sig_size); + dcerpc_set_auth_length(blob, sig_size); /* sign or seal the packet */ switch (dce_conn->auth_state.auth_info->auth_level) { 
@@ -482,22 +484,8 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, ndr->data + DCERPC_REQUEST_LENGTH, payload_length, blob->data, - blob->length - dce_conn->auth_state.auth_info->credentials.length, + blob->length, &creds2); - - if (NT_STATUS_IS_OK(status)) { - blob->length -= dce_conn->auth_state.auth_info->credentials.length; - if (!data_blob_append(call, blob, creds2.data, creds2.length)) - status = NT_STATUS_NO_MEMORY; - else - status = NT_STATUS_OK; - } - - /* If we did AEAD signing of the packet headers, then we hope - * this value didn't change... */ - dcerpc_set_auth_length(blob, creds2.length); - dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length); - data_blob_free(&creds2); break; case DCERPC_AUTH_LEVEL_INTEGRITY: @@ -506,24 +494,8 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, ndr->data + DCERPC_REQUEST_LENGTH, payload_length, blob->data, - blob->length - dce_conn->auth_state.auth_info->credentials.length, + blob->length, &creds2); - if (NT_STATUS_IS_OK(status)) { - blob->length -= dce_conn->auth_state.auth_info->credentials.length; - if (!data_blob_append(call, blob, creds2.data, creds2.length)) - status = NT_STATUS_NO_MEMORY; - else - status = NT_STATUS_OK; - } - - /* If we did AEAD signing of the packet headers, then we hope - * this value didn't change... */ - dcerpc_set_auth_length(blob, creds2.length); - dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length); - data_blob_free(&creds2); - break; - - case DCERPC_AUTH_LEVEL_CONNECT: break; default: 
@@ -531,7 +503,23 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, break; } - data_blob_free(&dce_conn->auth_state.auth_info->credentials); + if (NT_STATUS_IS_OK(status)) { + if (creds2.length != sig_size) { + DEBUG(0,("dcesrv_auth_response: creds2.length[%u] != sig_size[%u] pad[%u] stub[%u]\n", + creds2.length, (uint32_t)sig_size, + dce_conn->auth_state.auth_info->auth_pad_length, + pkt->u.response.stub_and_verifier.length)); + data_blob_free(&creds2); + status = NT_STATUS_INTERNAL_ERROR; + } + } + + if (NT_STATUS_IS_OK(status)) { + if (!data_blob_append(call, blob, creds2.data, creds2.length)) { + status = NT_STATUS_NO_MEMORY; + } + data_blob_free(&creds2); + } if (!NT_STATUS_IS_OK(status)) { return false; -- cgit
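Review bot: The new DEBUG line passes `creds2.length` and `pkt->u.response.stub_and_verifier.length` to `%u` without a cast, while `sig_size` beside them is cast to `uint32_t`. If DATA_BLOB lengths are `size_t` like `sig_size` (not visible here, so confirm), the arguments do not match the format on 64-bit builds. The message meant to diagnose a signature-size mismatch could then print wrong values. Cast them the same way, `(uint32_t)creds2.length` and `(uint32_t)pkt->u.response.stub_and_verifier.length`. The function body starts outside this hunk.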