From 58f657baf0989ed7057a983feaa240d3eeddfd69 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 2 Oct 2024 18:54:05 +0200 Subject: [PATCH] libcli/auth: split out netlogon_creds_CredentialState_extra_info As server we are free to change the netlogon_creds_CredentialState database record format at will as it uses CLEAR_IF_FIRST. For now that format doesn't really changes, because we only move dom_sid into a wrapper structure. In order to avoid changing all callers in this commit, we maintain creds->sid as in memory pointer. In the following patches we'll also use it in order to store client related information... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher Reviewed-by: Douglas Bagnall (cherry picked from commit 518f57b93bdb84900d3b58cd94bdf1046f82a5a6) --- libcli/auth/credentials.c | 22 +++++++++++++++++----- libcli/auth/schannel_state_tdb.c | 15 +++++++++++++++ librpc/idl/schannel.idl | 14 +++++++++++++- 3 files changed, 45 insertions(+), 6 deletions(-) diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c index 236cb6fc180..342dcd95154 100644 --- a/libcli/auth/credentials.c +++ b/libcli/auth/credentials.c @@ -701,11 +701,15 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me return NULL; } - creds->sid = dom_sid_dup(creds, client_sid); - if (creds->sid == NULL) { + creds->ex = talloc_zero(creds, + struct netlogon_creds_CredentialState_extra_info); + if (creds->ex == NULL) { talloc_free(creds); return NULL; } + creds->ex->client_sid = *client_sid; + + creds->sid = &creds->ex->client_sid; if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { status = netlogon_creds_init_hmac_sha256(creds, @@ -1193,12 +1197,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_copy( return NULL; } - if (creds_in->sid) { - creds->sid = dom_sid_dup(creds, creds_in->sid); - if (!creds->sid) { + if (creds_in->ex != NULL) { + creds->ex = talloc_zero(creds, + struct netlogon_creds_CredentialState_extra_info); + if (creds->ex == NULL) { talloc_free(creds); return NULL; } + *creds->ex = *creds_in->ex; + } + + if (creds->ex != NULL) { + creds->sid = &creds->ex->client_sid; + } else { + creds->sid = NULL; } memcpy(creds->session_key, creds_in->session_key, sizeof(creds->session_key)); diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c index 2454a433819..ee7ee546baf 100644 --- a/libcli/auth/schannel_state_tdb.c +++ b/libcli/auth/schannel_state_tdb.c @@ -88,6 +88,14 @@ NTSTATUS schannel_store_session_key_tdb(struct db_context *db_sc, char *name_upper; NTSTATUS status; + if (creds->ex == NULL) { + return NT_STATUS_INTERNAL_ERROR; + } + + if (creds->sid == NULL) { + return NT_STATUS_INTERNAL_ERROR; + } + if (strlen(creds->computer_name) > 15) { /* * We may want to check for a completely @@ -195,6 +203,13 @@ NTSTATUS schannel_fetch_session_key_tdb(struct db_context *db_sc, NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds); } + if (creds->ex == NULL) { + status = NT_STATUS_INTERNAL_ERROR; + goto done; + } + + creds->sid = &creds->ex->client_sid; + DEBUG(3,("schannel_fetch_session_key_tdb: restored schannel info key %s\n", keystr)); diff --git a/librpc/idl/schannel.idl b/librpc/idl/schannel.idl index 3bc8a92c92f..76b0dfd4c55 100644 --- a/librpc/idl/schannel.idl +++ b/librpc/idl/schannel.idl @@ -14,6 +14,17 @@ interface schannel { /* this structure is used internally in the NETLOGON server */ + typedef [flag(NDR_PAHEX)] struct { + /* + * These were only used on the server part + * with a single dom_sid for the client_sid. + * + * On the server we use CLEAR_IF_FIRST, + * so db layout changes don't matter there. + */ + dom_sid client_sid; + } netlogon_creds_CredentialState_extra_info; + typedef [public,flag(NDR_PAHEX)] struct { netr_NegotiateFlags negotiate_flags; uint8 session_key[16]; @@ -24,7 +35,8 @@ interface schannel netr_SchannelType secure_channel_type; [string,charset(UTF8)] uint8 computer_name[]; [string,charset(UTF8)] uint8 account_name[]; - dom_sid *sid; + [skip] dom_sid *sid; + netlogon_creds_CredentialState_extra_info *ex; } netlogon_creds_CredentialState; /* This is used in the schannel_store.tdb */