sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-09 17:49:29 +03:00
Code Activity

s3-dcerpc: Use dcerpc_AuthType in pipe_auth_data

Browse Source
This commit is contained in:
Simo Sorce
2010-07-20 13:26:36 -04:00
parent 1e915d231d
commit 2463a87177
11 changed files with 264 additions and 217 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
source3/include/ntdomain.h
View File

@ -93,8 +93,11 @@ typedef struct pipe_rpc_fns {
* Can't keep in sync with wire values as spnego wraps different auth methods.
*/
enum pipe_auth_type { PIPE_AUTH_TYPE_NONE = 0, PIPE_AUTH_TYPE_NTLMSSP, PIPE_AUTH_TYPE_SCHANNEL,
PIPE_AUTH_TYPE_SPNEGO_NTLMSSP, PIPE_AUTH_TYPE_KRB5, PIPE_AUTH_TYPE_SPNEGO_KRB5 };
enum pipe_auth_type_spnego {
PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
PIPE_AUTH_TYPE_SPNEGO_NTLMSSP,
PIPE_AUTH_TYPE_SPNEGO_KRB5
};
/* auth state for krb5. */
struct kerberos_auth_struct {
@ -105,7 +108,8 @@ struct kerberos_auth_struct {
/* auth state for all bind types. */
struct pipe_auth_data {
enum pipe_auth_type auth_type; /* switch for union below. */
enum dcerpc_AuthType auth_type;
enum pipe_auth_type_spnego spnego_type;
enum dcerpc_AuthLevel auth_level;
union {

1
source3/include/proto.h
View File

@ -4752,7 +4752,6 @@ const struct ndr_interface_table *get_iface_from_syntax(
const struct ndr_syntax_id *syntax);
const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
const struct ndr_syntax_id *syntax);
enum dcerpc_AuthType map_pipe_auth_type_to_rpc_auth_type(enum pipe_auth_type auth_type);
struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
struct event_context *ev,

33
source3/librpc/rpc/dcerpc_helpers.c
View File

@ -383,13 +383,12 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
size_t pad_len, DATA_BLOB *rpc_out)
{
enum dcerpc_AuthType auth_type;
char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
DATA_BLOB auth_info;
DATA_BLOB auth_blob;
NTSTATUS status;
if (auth->auth_type == PIPE_AUTH_TYPE_NONE) {
if (auth->auth_type == DCERPC_AUTH_TYPE_NONE) {
return NT_STATUS_OK;
}
@ -400,14 +399,12 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
}
}
auth_type = map_pipe_auth_type_to_rpc_auth_type(auth->auth_type);
/* marshall the dcerpc_auth with an actually empty auth_blob.
* This is needed because the ntmlssp signature includes the
* auth header. We will append the actual blob later. */
auth_blob = data_blob_null;
status = dcerpc_push_dcerpc_auth(rpc_out->data,
auth_type,
auth->auth_type,
auth->auth_level,
pad_len,
1 /* context id. */,
@ -428,16 +425,20 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
/* Generate any auth sign/seal and add the auth footer. */
switch (auth->auth_type) {
case PIPE_AUTH_TYPE_NONE:
case DCERPC_AUTH_TYPE_NONE:
status = NT_STATUS_OK;
break;
case PIPE_AUTH_TYPE_NTLMSSP:
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
case DCERPC_AUTH_TYPE_SPNEGO:
if (auth->spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
return NT_STATUS_INVALID_PARAMETER;
}
/* fall thorugh */
case DCERPC_AUTH_TYPE_NTLMSSP:
status = add_ntlmssp_auth_footer(auth->a_u.auth_ntlmssp_state,
auth->auth_level,
rpc_out);
break;
case PIPE_AUTH_TYPE_SCHANNEL:
case DCERPC_AUTH_TYPE_SCHANNEL:
status = add_schannel_auth_footer(auth->a_u.schannel_auth,
auth->auth_level,
rpc_out);
@ -530,11 +531,17 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
raw_pkt->length - auth_info.credentials.length);
switch (auth->auth_type) {
case PIPE_AUTH_TYPE_NONE:
case DCERPC_AUTH_TYPE_NONE:
return NT_STATUS_OK;
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
case PIPE_AUTH_TYPE_NTLMSSP:
case DCERPC_AUTH_TYPE_SPNEGO:
if (auth->spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
DEBUG(0, ("Currently only NTLMSSP is supported "
"with SPNEGO\n"));
return NT_STATUS_INVALID_PARAMETER;
}
/* fall through */
case DCERPC_AUTH_TYPE_NTLMSSP:
DEBUG(10, ("NTLMSSP auth\n"));
@ -575,7 +582,7 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
}
break;
case PIPE_AUTH_TYPE_SCHANNEL:
case DCERPC_AUTH_TYPE_SCHANNEL:
DEBUG(10, ("SCHANNEL auth\n"));

33
source3/librpc/rpc/rpc_common.c
View File

@ -203,36 +203,3 @@ const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
return result;
}
/********************************************************************
Map internal value to wire value.
********************************************************************/
enum dcerpc_AuthType map_pipe_auth_type_to_rpc_auth_type(enum pipe_auth_type auth_type)
{
switch (auth_type) {
case PIPE_AUTH_TYPE_NONE:
return DCERPC_AUTH_TYPE_NONE;
case PIPE_AUTH_TYPE_NTLMSSP:
return DCERPC_AUTH_TYPE_NTLMSSP;
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
case PIPE_AUTH_TYPE_SPNEGO_KRB5:
return DCERPC_AUTH_TYPE_SPNEGO;
case PIPE_AUTH_TYPE_SCHANNEL:
return DCERPC_AUTH_TYPE_SCHANNEL;
case PIPE_AUTH_TYPE_KRB5:
return DCERPC_AUTH_TYPE_KRB5;
default:
DEBUG(0,("map_pipe_auth_type_to_rpc_type: unknown pipe "
"auth type %u\n",
(unsigned int)auth_type ));
break;
}
return -1;
}

210
source3/rpc_client/cli_pipe.c
View File

@ -1208,7 +1208,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
NTSTATUS ret = NT_STATUS_OK;
switch (auth->auth_type) {
case PIPE_AUTH_TYPE_SCHANNEL:
case DCERPC_AUTH_TYPE_SCHANNEL:
ret = create_schannel_auth_rpc_bind_req(cli,
auth->auth_level,
&auth_info);
@ -1217,7 +1217,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
}
break;
case PIPE_AUTH_TYPE_NTLMSSP:
case DCERPC_AUTH_TYPE_NTLMSSP:
ret = create_ntlmssp_auth_rpc_bind_req(cli,
auth->auth_level,
&auth_info);
@ -1226,7 +1226,11 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
}
break;
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
case DCERPC_AUTH_TYPE_SPNEGO:
if (auth->spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
/* "Can't" happen. */
return NT_STATUS_INVALID_INFO_CLASS;
}
ret = create_spnego_ntlmssp_auth_rpc_bind_req(cli,
auth->auth_level,
&auth_info);
@ -1235,7 +1239,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
}
break;
case PIPE_AUTH_TYPE_KRB5:
case DCERPC_AUTH_TYPE_KRB5:
ret = create_krb5_auth_bind_req(cli,
auth->auth_level,
&auth_info);
@ -1244,7 +1248,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
}
break;
case PIPE_AUTH_TYPE_NONE:
case DCERPC_AUTH_TYPE_NONE:
break;
default:
@ -1282,51 +1286,59 @@ static uint32 calculate_data_len_tosend(struct rpc_pipe_client *cli,
#endif
switch (cli->auth->auth_level) {
case DCERPC_AUTH_LEVEL_NONE:
case DCERPC_AUTH_LEVEL_CONNECT:
data_space = cli->max_xmit_frag - DCERPC_REQUEST_LENGTH;
data_len = MIN(data_space, data_left);
*p_ss_padding = 0;
*p_auth_len = 0;
*p_frag_len = DCERPC_REQUEST_LENGTH + data_len;
return data_len;
case DCERPC_AUTH_LEVEL_NONE:
case DCERPC_AUTH_LEVEL_CONNECT:
data_space = cli->max_xmit_frag - DCERPC_REQUEST_LENGTH;
data_len = MIN(data_space, data_left);
*p_ss_padding = 0;
*p_auth_len = 0;
*p_frag_len = DCERPC_REQUEST_LENGTH + data_len;
return data_len;
case DCERPC_AUTH_LEVEL_INTEGRITY:
case DCERPC_AUTH_LEVEL_PRIVACY:
/* Treat the same for all authenticated rpc requests. */
switch(cli->auth->auth_type) {
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
case PIPE_AUTH_TYPE_NTLMSSP:
*p_auth_len = NTLMSSP_SIG_SIZE;
break;
case PIPE_AUTH_TYPE_SCHANNEL:
*p_auth_len = NL_AUTH_SIGNATURE_SIZE;
break;
default:
smb_panic("bad auth type");
break;
case DCERPC_AUTH_LEVEL_INTEGRITY:
case DCERPC_AUTH_LEVEL_PRIVACY:
/* Treat the same for all authenticated rpc requests. */
switch(cli->auth->auth_type) {
case DCERPC_AUTH_TYPE_SPNEGO:
switch (cli->auth->spnego_type) {
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
*p_auth_len = NTLMSSP_SIG_SIZE;
break;
default:
smb_panic("bad auth type");
break;
}
data_space = cli->max_xmit_frag
- DCERPC_REQUEST_LENGTH
- DCERPC_AUTH_TRAILER_LENGTH
- *p_auth_len;
data_len = MIN(data_space, data_left);
*p_ss_padding = 0;
if (data_len % CLIENT_NDR_PADDING_SIZE) {
*p_ss_padding = CLIENT_NDR_PADDING_SIZE - (data_len % CLIENT_NDR_PADDING_SIZE);
}
*p_frag_len = DCERPC_REQUEST_LENGTH
+ data_len + *p_ss_padding
+ DCERPC_AUTH_TRAILER_LENGTH
+ *p_auth_len;
return data_len;
case DCERPC_AUTH_TYPE_NTLMSSP:
*p_auth_len = NTLMSSP_SIG_SIZE;
break;
case DCERPC_AUTH_TYPE_SCHANNEL:
*p_auth_len = NL_AUTH_SIGNATURE_SIZE;
break;
default:
smb_panic("bad auth level");
/* Notreached. */
return 0;
smb_panic("bad auth type");
break;
}
data_space = cli->max_xmit_frag
- DCERPC_REQUEST_LENGTH
- DCERPC_AUTH_TRAILER_LENGTH
- *p_auth_len;
data_len = MIN(data_space, data_left);
*p_ss_padding = 0;
if (data_len % CLIENT_NDR_PADDING_SIZE) {
*p_ss_padding = CLIENT_NDR_PADDING_SIZE - (data_len % CLIENT_NDR_PADDING_SIZE);
}
*p_frag_len = DCERPC_REQUEST_LENGTH
+ data_len + *p_ss_padding
+ DCERPC_AUTH_TRAILER_LENGTH
+ *p_auth_len;
return data_len;
default:
smb_panic("bad auth level");
/* Notreached. */
return 0;
}
}
@ -1662,7 +1674,7 @@ static bool check_bind_response(const struct dcerpc_bind_ack *r,
static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
struct rpc_pipe_client *cli,
uint32 rpc_call_id,
enum pipe_auth_type auth_type,
enum dcerpc_AuthType auth_type,
enum dcerpc_AuthLevel auth_level,
DATA_BLOB *pauth_blob,
DATA_BLOB *rpc_out)
@ -1673,7 +1685,7 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
u.auth3._pad = 0;
status = dcerpc_push_dcerpc_auth(mem_ctx,
map_pipe_auth_type_to_rpc_auth_type(auth_type),
auth_type,
auth_level,
0, /* auth_pad_length */
1, /* auth_context_id */
@ -1774,9 +1786,10 @@ struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
return NULL;
}
DEBUG(5,("Bind RPC Pipe: %s auth_type %u, auth_level %u\n",
DEBUG(5,("Bind RPC Pipe: %s auth_type %u(%u), auth_level %u\n",
rpccli_pipe_txt(talloc_tos(), cli),
(unsigned int)auth->auth_type,
(unsigned int)auth->spnego_type,
(unsigned int)auth->auth_level ));
state->ev = ev;
@ -1788,7 +1801,7 @@ struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
/* Marshall the outgoing data. */
status = create_rpc_bind_req(state, cli,
&cli->auth,
cli->auth,
state->rpc_call_id,
&cli->abstract_syntax,
&cli->transfer_syntax,
@ -1849,37 +1862,45 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
switch(state->cli->auth->auth_type) {
case PIPE_AUTH_TYPE_NONE:
case PIPE_AUTH_TYPE_SCHANNEL:
case DCERPC_AUTH_TYPE_NONE:
case DCERPC_AUTH_TYPE_SCHANNEL:
/* Bind complete. */
tevent_req_done(req);
break;
return;
case PIPE_AUTH_TYPE_NTLMSSP:
case DCERPC_AUTH_TYPE_NTLMSSP:
/* Need to send AUTH3 packet - no reply. */
status = rpc_finish_auth3_bind_send(req, state, pkt);
if (!NT_STATUS_IS_OK(status)) {
tevent_req_nterror(req, status);
}
break;
return;
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
case DCERPC_AUTH_TYPE_SPNEGO:
if (state->cli->auth->spnego_type !=
PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
break;
}
/* Need to send alter context request and reply. */
status = rpc_finish_spnego_ntlmssp_bind_send(req, state, pkt,
&reply_pdu);
if (!NT_STATUS_IS_OK(status)) {
tevent_req_nterror(req, status);
}
return;
case DCERPC_AUTH_TYPE_KRB5:
/* */
break;
case PIPE_AUTH_TYPE_KRB5:
/* */
default:
DEBUG(0,("cli_finish_bind_auth: unknown auth type %u\n",
(unsigned int)state->cli->auth->auth_type));
tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
break;
}
DEBUG(0,("cli_finish_bind_auth: unknown auth type %u(%u)\n",
(unsigned int)state->cli->auth->auth_type,
(unsigned int)state->cli->auth->spnego_type));
tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
}
static NTSTATUS rpc_finish_auth3_bind_send(struct tevent_req *req,
@ -2163,8 +2184,9 @@ bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16])
{
struct cli_state *cli;
if ((rpc_cli->auth->auth_type == PIPE_AUTH_TYPE_NTLMSSP)
|| (rpc_cli->auth->auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)) {
if ((rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_NTLMSSP)
|| ((rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_SPNEGO
&& rpc_cli->auth->spnego_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
memcpy(nt_hash, auth_ntlmssp_get_nt_hash(rpc_cli->auth->a_u.auth_ntlmssp_state), 16);
return true;
}
@ -2187,7 +2209,8 @@ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
result->auth_type = PIPE_AUTH_TYPE_NONE;
result->auth_type = DCERPC_AUTH_TYPE_NONE;
result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
result->auth_level = DCERPC_AUTH_LEVEL_NONE;
result->user_name = talloc_strdup(result, "");
@ -2208,7 +2231,8 @@ static int cli_auth_ntlmssp_data_destructor(struct pipe_auth_data *auth)
}
static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
enum pipe_auth_type auth_type,
enum dcerpc_AuthType auth_type,
enum pipe_auth_type_spnego spnego_type,
enum dcerpc_AuthLevel auth_level,
const char *domain,
const char *username,
@ -2224,6 +2248,7 @@ static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
}
result->auth_type = auth_type;
result->spnego_type = spnego_type;
result->auth_level = auth_level;
result->user_name = talloc_strdup(result, username);
@ -2298,7 +2323,8 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
return NT_STATUS_NO_MEMORY;
}
result->auth_type = PIPE_AUTH_TYPE_SCHANNEL;
result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
result->auth_level = auth_level;
result->user_name = talloc_strdup(result, "");
@ -2355,7 +2381,8 @@ static NTSTATUS rpccli_kerberos_bind_data(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
result->auth_type = PIPE_AUTH_TYPE_KRB5;
result->auth_type = DCERPC_AUTH_TYPE_KRB5;
result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
result->auth_level = auth_level;
/*
@ -2924,7 +2951,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
const struct ndr_syntax_id *interface,
enum dcerpc_transport_t transport,
enum pipe_auth_type auth_type,
bool use_spnego,
enum dcerpc_AuthLevel auth_level,
const char *domain,
const char *username,
@ -2933,6 +2960,8 @@ static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
{
struct rpc_pipe_client *result;
struct pipe_auth_data *auth;
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
enum pipe_auth_type_spnego spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
NTSTATUS status;
status = cli_rpc_pipe_open(cli, transport, interface, &result);
@ -2940,9 +2969,15 @@ static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
return status;
}
status = rpccli_ntlmssp_bind_data(
result, auth_type, auth_level, domain, username,
password, &auth);
if (use_spnego) {
auth_type = DCERPC_AUTH_TYPE_SPNEGO;
spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
}
status = rpccli_ntlmssp_bind_data(result,
auth_type, spnego_type, auth_level,
domain, username, password,
&auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("rpccli_ntlmssp_bind_data returned %s\n",
nt_errstr(status)));
@ -2987,7 +3022,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
return cli_rpc_pipe_open_ntlmssp_internal(cli,
interface,
transport,
PIPE_AUTH_TYPE_NTLMSSP,
false,
auth_level,
domain,
username,
@ -3012,7 +3047,7 @@ NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
return cli_rpc_pipe_open_ntlmssp_internal(cli,
interface,
transport,
PIPE_AUTH_TYPE_SPNEGO_NTLMSSP,
true,
auth_level,
domain,
username,
@ -3341,20 +3376,33 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
}
switch (cli->auth->auth_type) {
case PIPE_AUTH_TYPE_SCHANNEL:
case DCERPC_AUTH_TYPE_SCHANNEL:
sk = data_blob_const(a->a_u.schannel_auth->creds->session_key,
16);
break;
case PIPE_AUTH_TYPE_NTLMSSP:
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
case DCERPC_AUTH_TYPE_SPNEGO:
switch (cli->auth->spnego_type) {
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
sk = auth_ntlmssp_get_session_key(
a->a_u.auth_ntlmssp_state);
break;
case PIPE_AUTH_TYPE_SPNEGO_KRB5:
sk = data_blob_const(
a->a_u.kerberos_auth->session_key.data,
a->a_u.kerberos_auth->session_key.length);
break;
default:
return NT_STATUS_NO_USER_SESSION_KEY;
}
break;
case DCERPC_AUTH_TYPE_NTLMSSP:
sk = auth_ntlmssp_get_session_key(a->a_u.auth_ntlmssp_state);
break;
case PIPE_AUTH_TYPE_KRB5:
case PIPE_AUTH_TYPE_SPNEGO_KRB5:
case DCERPC_AUTH_TYPE_KRB5:
sk = data_blob_const(a->a_u.kerberos_auth->session_key.data,
a->a_u.kerberos_auth->session_key.length);
break;
case PIPE_AUTH_TYPE_NONE:
case DCERPC_AUTH_TYPE_NONE:
sk = data_blob_const(a->user_session_key.data,
a->user_session_key.length);
break;

3
source3/rpc_server/rpc_handles.c
View File

@ -321,7 +321,8 @@ bool pipe_access_check(struct pipes_struct *p)
if (lp_restrict_anonymous() > 0) {
/* schannel, so we must be ok */
if (p->pipe_bound && (p->auth.auth_type == PIPE_AUTH_TYPE_SCHANNEL)) {
if (p->pipe_bound &&
(p->auth.auth_type == DCERPC_AUTH_TYPE_SCHANNEL)) {
return True;
}

4
source3/rpc_server/srv_lsa_nt.c
View File

@ -1040,7 +1040,7 @@ NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
struct lsa_LookupSids2 q;
/* No policy handle on this call. Restrict to crypto connections. */
if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;
@ -1323,7 +1323,7 @@ NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
struct lsa_LookupNames3 q;
/* No policy handle on this call. Restrict to crypto connections. */
if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;

6
source3/rpc_server/srv_netlog_nt.c
View File

@ -961,7 +961,7 @@ static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
const char *computer_name,
bool integrity, bool privacy)
{
if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) {
if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
if (!privacy && !integrity) {
return NT_STATUS_OK;
}
@ -1419,7 +1419,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
memcpy(pipe_session_key, creds->session_key, 16);
} else {
/* Get the pipe session key from the schannel. */
if ((p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL)
if ((p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL)
|| (p->auth.a_u.schannel_auth == NULL)) {
return NT_STATUS_INVALID_HANDLE;
}
@ -1535,7 +1535,7 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
}
/* Only allow this if the pipe is protected. */
if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;

47
source3/rpc_server/srv_pipe.c
View File

@ -112,8 +112,6 @@ static DATA_BLOB generic_session_key(void)
********************************************************************/
static bool create_next_packet(struct pipes_struct *p,
enum dcerpc_AuthType auth_type,
enum dcerpc_AuthLevel auth_level,
size_t auth_length,
size_t *_pad_len)
{
@ -225,8 +223,6 @@ static bool create_next_packet(struct pipes_struct *p,
bool create_next_pdu(struct pipes_struct *p)
{
enum dcerpc_AuthType auth_type =
map_pipe_auth_type_to_rpc_auth_type(p->auth.auth_type);
size_t auth_len = 0;
size_t pad_len = 0;
NTSTATUS status;
@ -255,12 +251,18 @@ bool create_next_pdu(struct pipes_struct *p)
case DCERPC_AUTH_LEVEL_PRIVACY:
switch(p->auth.auth_type) {
case PIPE_AUTH_TYPE_NTLMSSP:
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
case DCERPC_AUTH_TYPE_NTLMSSP:
auth_len = NTLMSSP_SIG_SIZE;
break;
case DCERPC_AUTH_TYPE_SPNEGO:
if (p->auth.spnego_type !=
PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
goto err_out;
}
auth_len = NTLMSSP_SIG_SIZE;
break;
case PIPE_AUTH_TYPE_SCHANNEL:
case DCERPC_AUTH_TYPE_SCHANNEL:
auth_len = NL_AUTH_SIGNATURE_SIZE;
break;
@ -274,9 +276,7 @@ bool create_next_pdu(struct pipes_struct *p)
goto err_out;
}
ret = create_next_packet(p, auth_type,
p->auth.auth_level,
auth_len, &pad_len);
ret = create_next_packet(p, auth_len, &pad_len);
if (!ret) {
return false;
}
@ -506,7 +506,8 @@ static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
free_pipe_auth_data(&p->auth);
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
p->pipe_bound = False;
return True;
@ -709,10 +710,8 @@ static bool pipe_spnego_auth_bind_negotiate(struct pipes_struct *p,
return ret;
}
if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
/* Free any previous auth type. */
free_pipe_auth_data(&p->auth);
}
/* Free any previous auth type. */
free_pipe_auth_data(&p->auth);
if (!got_kerberos_mechanism) {
/* Initialize the NTLM engine. */
@ -770,7 +769,8 @@ static bool pipe_spnego_auth_bind_negotiate(struct pipes_struct *p,
p->auth.a_u.auth_ntlmssp_state = a;
p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
data_blob_free(&secblob);
data_blob_free(&chal);
@ -808,7 +808,8 @@ static bool pipe_spnego_auth_bind_continue(struct pipes_struct *p,
* NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
* fail here as 'a' == NULL.
*/
if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
if (p->auth.auth_type != DCERPC_AUTH_TYPE_SPNEGO ||
p->auth.spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
goto err;
}
@ -965,7 +966,7 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
/* We're finished with this bind - no more packets. */
p->auth.auth_data_free_func = &free_pipe_schannel_auth_data;
p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
p->pipe_bound = True;
@ -1026,7 +1027,7 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
p->auth.a_u.auth_ntlmssp_state = a;
p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
@ -1223,7 +1224,8 @@ bool api_pipe_bind_req(struct pipes_struct *p, struct ncacn_packet *pkt)
if (auth_type == DCERPC_AUTH_TYPE_NONE) {
/* Unauthenticated bind request. */
/* We're finished - no more packets. */
p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
/* We must set the pipe auth_level here also. */
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
p->pipe_bound = True;
@ -1571,8 +1573,9 @@ bool api_pipe_request(struct pipes_struct *p, struct ncacn_packet *pkt)
PIPE_RPC_FNS *pipe_fns;
if (p->pipe_bound &&
((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
(p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) ||
((p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO) &&
(p->auth.spnego_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)))) {
if(!become_authenticated_pipe_user(p)) {
data_blob_free(&p->out_data.rdata);
return False;

4
source3/rpc_server/srv_samr_nt.c
View File

@ -2770,7 +2770,9 @@ static NTSTATUS get_user_info_18(struct pipes_struct *p,
goto query;
}
if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
if ((p->auth.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) ||
((p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO) &&
(p->auth.spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
return NT_STATUS_ACCESS_DENIED;
}

130
source3/rpcclient/rpcclient.c
View File

@ -29,7 +29,8 @@
struct dom_sid domain_sid;
static enum pipe_auth_type pipe_default_auth_type = PIPE_AUTH_TYPE_NONE;
static enum dcerpc_AuthType pipe_default_auth_type = DCERPC_AUTH_TYPE_NONE;
static enum pipe_auth_type_spnego pipe_default_auth_spnego_type = 0;
static enum dcerpc_AuthLevel pipe_default_auth_level = DCERPC_AUTH_LEVEL_NONE;
static unsigned int timeout = 0;
static enum dcerpc_transport_t default_transport = NCACN_NP;
@ -385,7 +386,7 @@ static NTSTATUS cmd_sign(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
const char *type = "NTLMSSP";
pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
if (argc > 2) {
printf("Usage: %s [NTLMSSP|NTLMSSP_SPNEGO|SCHANNEL]\n", argv[0]);
@ -395,11 +396,12 @@ static NTSTATUS cmd_sign(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
if (argc == 2) {
type = argv[1];
if (strequal(type, "NTLMSSP")) {
pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
} else if (strequal(type, "NTLMSSP_SPNEGO")) {
pipe_default_auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
pipe_default_auth_type = DCERPC_AUTH_TYPE_SPNEGO;
pipe_default_auth_spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
} else if (strequal(type, "SCHANNEL")) {
pipe_default_auth_type = PIPE_AUTH_TYPE_SCHANNEL;
pipe_default_auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
} else {
printf("unknown type %s\n", type);
printf("Usage: %s [NTLMSSP|NTLMSSP_SPNEGO|SCHANNEL]\n", argv[0]);
@ -418,7 +420,7 @@ static NTSTATUS cmd_seal(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
const char *type = "NTLMSSP";
pipe_default_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
if (argc > 2) {
printf("Usage: %s [NTLMSSP|NTLMSSP_SPNEGO|SCHANNEL]\n", argv[0]);
@ -428,11 +430,12 @@ static NTSTATUS cmd_seal(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
if (argc == 2) {
type = argv[1];
if (strequal(type, "NTLMSSP")) {
pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
} else if (strequal(type, "NTLMSSP_SPNEGO")) {
pipe_default_auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
pipe_default_auth_type = DCERPC_AUTH_TYPE_SPNEGO;
pipe_default_auth_spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
} else if (strequal(type, "SCHANNEL")) {
pipe_default_auth_type = PIPE_AUTH_TYPE_SCHANNEL;
pipe_default_auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
} else {
printf("unknown type %s\n", type);
printf("Usage: %s [NTLMSSP|NTLMSSP_SPNEGO|SCHANNEL]\n", argv[0]);
@ -482,7 +485,8 @@ static NTSTATUS cmd_none(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
int argc, const char **argv)
{
pipe_default_auth_level = DCERPC_AUTH_LEVEL_NONE;
pipe_default_auth_type = PIPE_AUTH_TYPE_NONE;
pipe_default_auth_type = DCERPC_AUTH_TYPE_NONE;
pipe_default_auth_spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
return cmd_set_ss_level();
}
@ -492,7 +496,7 @@ static NTSTATUS cmd_schannel(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
{
d_printf("Setting schannel - sign and seal\n");
pipe_default_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
pipe_default_auth_type = PIPE_AUTH_TYPE_SCHANNEL;
pipe_default_auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
return cmd_set_ss_level();
}
@ -502,7 +506,7 @@ static NTSTATUS cmd_schannel_sign(struct rpc_pipe_client *cli, TALLOC_CTX *mem_c
{
d_printf("Setting schannel - sign only\n");
pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
pipe_default_auth_type = PIPE_AUTH_TYPE_SCHANNEL;
pipe_default_auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
return cmd_set_ss_level();
}
@ -647,48 +651,58 @@ static NTSTATUS do_cmd(struct cli_state *cli,
if ((cmd_entry->interface != NULL) && (cmd_entry->rpc_pipe == NULL)) {
switch (pipe_default_auth_type) {
case PIPE_AUTH_TYPE_NONE:
ntresult = cli_rpc_pipe_open_noauth_transport(
cli, default_transport,
cmd_entry->interface,
&cmd_entry->rpc_pipe);
break;
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
ntresult = cli_rpc_pipe_open_spnego_ntlmssp(
cli, cmd_entry->interface,
default_transport,
pipe_default_auth_level,
get_cmdline_auth_info_domain(auth_info),
get_cmdline_auth_info_username(auth_info),
get_cmdline_auth_info_password(auth_info),
&cmd_entry->rpc_pipe);
break;
case PIPE_AUTH_TYPE_NTLMSSP:
ntresult = cli_rpc_pipe_open_ntlmssp(
cli, cmd_entry->interface,
default_transport,
pipe_default_auth_level,
get_cmdline_auth_info_domain(auth_info),
get_cmdline_auth_info_username(auth_info),
get_cmdline_auth_info_password(auth_info),
&cmd_entry->rpc_pipe);
break;
case PIPE_AUTH_TYPE_SCHANNEL:
ntresult = cli_rpc_pipe_open_schannel(
cli, cmd_entry->interface,
default_transport,
pipe_default_auth_level,
get_cmdline_auth_info_domain(auth_info),
&cmd_entry->rpc_pipe);
break;
default:
DEBUG(0, ("Could not initialise %s. Invalid "
"auth type %u\n",
case DCERPC_AUTH_TYPE_NONE:
ntresult = cli_rpc_pipe_open_noauth_transport(
cli, default_transport,
cmd_entry->interface,
&cmd_entry->rpc_pipe);
break;
case DCERPC_AUTH_TYPE_SPNEGO:
if (pipe_default_auth_spnego_type !=
PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
DEBUG(0, ("Could not initialise %s. "
"Currently only NTLMSSP is "
"supported for SPNEGO\n",
get_pipe_name_from_syntax(
talloc_tos(),
cmd_entry->interface),
pipe_default_auth_type ));
talloc_tos(),
cmd_entry->interface)));
return NT_STATUS_UNSUCCESSFUL;
}
ntresult = cli_rpc_pipe_open_spnego_ntlmssp(
cli, cmd_entry->interface,
default_transport,
pipe_default_auth_level,
get_cmdline_auth_info_domain(auth_info),
get_cmdline_auth_info_username(auth_info),
get_cmdline_auth_info_password(auth_info),
&cmd_entry->rpc_pipe);
break;
case DCERPC_AUTH_TYPE_NTLMSSP:
ntresult = cli_rpc_pipe_open_ntlmssp(
cli, cmd_entry->interface,
default_transport,
pipe_default_auth_level,
get_cmdline_auth_info_domain(auth_info),
get_cmdline_auth_info_username(auth_info),
get_cmdline_auth_info_password(auth_info),
&cmd_entry->rpc_pipe);
break;
case DCERPC_AUTH_TYPE_SCHANNEL:
ntresult = cli_rpc_pipe_open_schannel(
cli, cmd_entry->interface,
default_transport,
pipe_default_auth_level,
get_cmdline_auth_info_domain(auth_info),
&cmd_entry->rpc_pipe);
break;
default:
DEBUG(0, ("Could not initialise %s. Invalid "
"auth type %u\n",
get_pipe_name_from_syntax(
talloc_tos(),
cmd_entry->interface),
pipe_default_auth_type ));
return NT_STATUS_UNSUCCESSFUL;
}
if (!NT_STATUS_IS_OK(ntresult)) {
DEBUG(0, ("Could not initialise %s. Error was %s\n",
@ -973,20 +987,22 @@ out_free:
if (binding->flags & DCERPC_SIGN) {
pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
}
if (binding->flags & DCERPC_SEAL) {
pipe_default_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
}
if (binding->flags & DCERPC_AUTH_SPNEGO) {
pipe_default_auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
pipe_default_auth_type = DCERPC_AUTH_TYPE_SPNEGO;
pipe_default_auth_spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
}
if (binding->flags & DCERPC_AUTH_NTLM) {
pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
}
if (binding->flags & DCERPC_AUTH_KRB5) {
pipe_default_auth_type = PIPE_AUTH_TYPE_SPNEGO_KRB5;
pipe_default_auth_type = DCERPC_AUTH_TYPE_SPNEGO;
pipe_default_auth_spnego_type = PIPE_AUTH_TYPE_SPNEGO_KRB5;
}
if (get_cmdline_auth_info_use_kerberos(rpcclient_auth_info)) {