mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
r4635: Fix NTLMSSP to return NT_STATUS_OK when it has constructed the auth
token in the client (the final token in the negotiation).
Consequential fixes in the SPNEGO code, which now uses the out.length
as the indicator of 'I need to send something to the other side'.
Merge the NTLM and SPNEGO DCE-RPC authentication routines in the client.
Fix the RPC-MULTIBIND test consequent to this merge.
Andrew Bartlett
(This used to be commit 43e3516fc0
)
This commit is contained in:
parent
047d41cc49
commit
7db9de3ea9
@ -1257,13 +1257,14 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
|
||||
|
||||
ntlmssp_state->expected_state = NTLMSSP_DONE;
|
||||
|
||||
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) {
|
||||
nt_status = ntlmssp_sign_init(ntlmssp_state);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",
|
||||
nt_errstr(nt_status)));
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
return NT_STATUS_MORE_PROCESSING_REQUIRED;
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx, struct ntlmssp_state **ntlmssp_state)
|
||||
|
@ -685,24 +685,34 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
|
||||
}
|
||||
|
||||
if (spnego_state->no_response_expected) {
|
||||
nt_status = NT_STATUS_OK;
|
||||
if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
|
||||
DEBUG(1,("gensec_update ok but not accepted\n"));
|
||||
nt_status = NT_STATUS_INVALID_PARAMETER;
|
||||
} else {
|
||||
nt_status = NT_STATUS_OK;
|
||||
}
|
||||
} else {
|
||||
nt_status = gensec_update(spnego_state->sub_sec_security,
|
||||
out_mem_ctx,
|
||||
spnego.negTokenTarg.responseToken,
|
||||
&unwrapped_out);
|
||||
}
|
||||
|
||||
|
||||
if (NT_STATUS_IS_OK(nt_status)
|
||||
&& (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) {
|
||||
DEBUG(1,("gensec_update ok but not accepted\n"));
|
||||
nt_status = NT_STATUS_INVALID_PARAMETER;
|
||||
if (NT_STATUS_IS_OK(nt_status)) {
|
||||
spnego_state->no_response_expected = True;
|
||||
}
|
||||
}
|
||||
|
||||
spnego_free_data(&spnego);
|
||||
|
||||
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
|
||||
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
|
||||
&& !NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
|
||||
spnego_state->sub_sec_security->ops->name,
|
||||
nt_errstr(nt_status)));
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
if (unwrapped_out.length) {
|
||||
/* compose reply */
|
||||
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
|
||||
spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
|
||||
@ -716,30 +726,21 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
|
||||
}
|
||||
|
||||
spnego_state->state_position = SPNEGO_CLIENT_TARG;
|
||||
} else if (NT_STATUS_IS_OK(nt_status)) {
|
||||
/* all done - server has accepted, and we agree */
|
||||
|
||||
if (unwrapped_out.length) {
|
||||
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
|
||||
spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
|
||||
spnego_out.negTokenTarg.supportedMech = NULL;
|
||||
spnego_out.negTokenTarg.responseToken = unwrapped_out;
|
||||
spnego_out.negTokenTarg.mechListMIC = null_data_blob;
|
||||
|
||||
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
|
||||
DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
} else {
|
||||
*out = null_data_blob;
|
||||
}
|
||||
|
||||
spnego_state->state_position = SPNEGO_DONE;
|
||||
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
|
||||
} else {
|
||||
DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
|
||||
spnego_state->sub_sec_security->ops->name,
|
||||
nt_errstr(nt_status)));
|
||||
|
||||
/* all done - server has accepted, and we agree */
|
||||
*out = null_data_blob;
|
||||
|
||||
if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
|
||||
/* unless of course it did not accept */
|
||||
DEBUG(1,("gensec_update ok but not accepted\n"));
|
||||
nt_status = NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
}
|
||||
|
||||
spnego_state->state_position = SPNEGO_DONE;
|
||||
|
||||
return nt_status;
|
||||
}
|
||||
case SPNEGO_DONE:
|
||||
|
@ -23,8 +23,6 @@ ADD_OBJ_FILES = \
|
||||
librpc/rpc/dcerpc_util.o \
|
||||
librpc/rpc/dcerpc_error.o \
|
||||
librpc/rpc/dcerpc_schannel.o \
|
||||
librpc/rpc/dcerpc_ntlm.o \
|
||||
librpc/rpc/dcerpc_spnego.o \
|
||||
librpc/rpc/dcerpc_smb.o \
|
||||
librpc/rpc/dcerpc_sock.o
|
||||
REQUIRED_SUBSYSTEMS = SOCKET
|
||||
|
@ -5,7 +5,7 @@
|
||||
|
||||
Copyright (C) Andrew Tridgell 2003
|
||||
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
|
||||
|
||||
Copyright (C) Stefan Metzmacher 2004
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
@ -86,27 +86,33 @@ NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth
|
||||
goto done;
|
||||
}
|
||||
|
||||
status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
|
||||
p->conn->security_state.auth_info->credentials,
|
||||
&credentials);
|
||||
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
|
||||
goto done;
|
||||
}
|
||||
while (1) {
|
||||
status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
|
||||
p->conn->security_state.auth_info->credentials,
|
||||
&credentials);
|
||||
if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
|
||||
break;
|
||||
}
|
||||
|
||||
if (!credentials.length) {
|
||||
break;
|
||||
}
|
||||
|
||||
do {
|
||||
p->conn->security_state.auth_info->credentials = credentials;
|
||||
|
||||
if (auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
|
||||
status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax);
|
||||
if (NT_STATUS_IS_OK(status)) {
|
||||
status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
|
||||
p->conn->security_state.auth_info->credentials,
|
||||
&credentials);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
break;
|
||||
}
|
||||
} else {
|
||||
status = dcerpc_auth3(p->conn, tmp_ctx);
|
||||
credentials = data_blob(NULL, 0);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
} while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
|
||||
};
|
||||
|
||||
done:
|
||||
talloc_free(tmp_ctx);
|
||||
@ -122,3 +128,74 @@ done:
|
||||
return status;
|
||||
}
|
||||
|
||||
/*
|
||||
setup GENSEC on a DCE-RPC pipe
|
||||
*/
|
||||
NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p,
|
||||
const char *uuid, uint_t version,
|
||||
const char *domain,
|
||||
const char *username,
|
||||
const char *password,
|
||||
uint8_t auth_type)
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
|
||||
p->conn->flags |= DCERPC_CONNECT;
|
||||
}
|
||||
|
||||
status = gensec_client_start(p, &p->conn->security_state.generic_state);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_set_domain(p->conn->security_state.generic_state, domain);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
|
||||
domain, nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_set_username(p->conn->security_state.generic_state, username);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
|
||||
username, nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_set_password(p->conn->security_state.generic_state, password);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
|
||||
nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_set_target_hostname(p->conn->security_state.generic_state,
|
||||
p->conn->transport.peer_name(p->conn));
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
|
||||
nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
|
||||
auth_type,
|
||||
dcerpc_auth_level(p->conn));
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
|
||||
gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = dcerpc_bind_auth(p, auth_type,
|
||||
dcerpc_auth_level(p->conn),
|
||||
uuid, version);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(2, ("Failed to bind to pipe with %s: %s\n",
|
||||
gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
@ -1,85 +0,0 @@
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
|
||||
dcerpc authentication operations
|
||||
|
||||
Copyright (C) Andrew Tridgell 2003
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
/*
|
||||
do ntlm style authentication on a gensec pipe
|
||||
*/
|
||||
NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
|
||||
const char *uuid, uint_t version,
|
||||
const char *domain,
|
||||
const char *username,
|
||||
const char *password)
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
|
||||
p->conn->flags |= DCERPC_CONNECT;
|
||||
}
|
||||
|
||||
status = gensec_client_start(p, &p->conn->security_state.generic_state);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_set_domain(p->conn->security_state.generic_state, domain);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
|
||||
domain, nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_set_username(p->conn->security_state.generic_state, username);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
|
||||
username, nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_set_password(p->conn->security_state.generic_state, password);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
|
||||
nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
|
||||
DCERPC_AUTH_TYPE_NTLMSSP, dcerpc_auth_level(p->conn));
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC client NTLMSSP mechanism: %s\n",
|
||||
nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_NTLMSSP,
|
||||
dcerpc_auth_level(p->conn),
|
||||
uuid, version);
|
||||
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(2, ("Failed to bind to pipe with NTLMSSP: %s\n", nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
@ -1,95 +0,0 @@
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
|
||||
dcerpc authentication operations
|
||||
|
||||
Copyright (C) Stefan Metzmacher 2004
|
||||
Copyright (C) Andrew Tridgell 2003-2005
|
||||
Copyright (C) Andrew Bartlett 2004
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
/*
|
||||
do spnego style authentication on a gensec pipe
|
||||
*/
|
||||
NTSTATUS dcerpc_bind_auth_spnego(struct dcerpc_pipe *p,
|
||||
const char *uuid, uint_t version,
|
||||
const char *domain,
|
||||
const char *username,
|
||||
const char *password)
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
|
||||
p->conn->flags |= DCERPC_CONNECT;
|
||||
}
|
||||
|
||||
status = gensec_client_start(p, &p->conn->security_state.generic_state);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_set_domain(p->conn->security_state.generic_state, domain);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
|
||||
domain, nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_set_username(p->conn->security_state.generic_state, username);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
|
||||
username, nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_set_password(p->conn->security_state.generic_state, password);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
|
||||
nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_set_target_hostname(p->conn->security_state.generic_state,
|
||||
p->conn->transport.peer_name(p->conn));
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
|
||||
nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
|
||||
DCERPC_AUTH_TYPE_SPNEGO,
|
||||
dcerpc_auth_level(p->conn));
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n",
|
||||
nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_SPNEGO,
|
||||
dcerpc_auth_level(p->conn),
|
||||
uuid, version);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(2, ("Failed to bind to pipe with SPNEGO: %s\n", nt_errstr(status)));
|
||||
return status;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
@ -785,7 +785,6 @@ static NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
|
||||
const char *password)
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
p->conn->flags = binding->flags;
|
||||
|
||||
/* remember the binding string for possible secondary connections */
|
||||
@ -794,10 +793,17 @@ static NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
|
||||
if (username && username[0] && (binding->flags & DCERPC_SCHANNEL_ANY)) {
|
||||
status = dcerpc_bind_auth_schannel(p, pipe_uuid, pipe_version,
|
||||
domain, username, password);
|
||||
} else if (username && username[0] && (binding->flags & DCERPC_AUTH_SPNEGO)) {
|
||||
status = dcerpc_bind_auth_spnego(p, pipe_uuid, pipe_version, domain, username, password);
|
||||
} else if (username && username[0]) {
|
||||
status = dcerpc_bind_auth_ntlm(p, pipe_uuid, pipe_version, domain, username, password);
|
||||
uint8_t auth_type;
|
||||
if (binding->flags & DCERPC_AUTH_SPNEGO) {
|
||||
auth_type = DCERPC_AUTH_TYPE_SPNEGO;
|
||||
} else {
|
||||
auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
|
||||
}
|
||||
|
||||
status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version,
|
||||
domain, username, password,
|
||||
auth_type);
|
||||
} else {
|
||||
status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version);
|
||||
}
|
||||
|
@ -72,8 +72,17 @@ BOOL torture_multi_bind(void)
|
||||
if (username && username[0] && (binding->flags & DCERPC_SCHANNEL_ANY)) {
|
||||
status = dcerpc_bind_auth_schannel(p, pipe_uuid, pipe_version,
|
||||
domain, username, password);
|
||||
} else if (username && username[0] && (binding->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
|
||||
status = dcerpc_bind_auth_ntlm(p, pipe_uuid, pipe_version, domain, username, password);
|
||||
} else if (username && username[0]) {
|
||||
uint8_t auth_type;
|
||||
if (binding->flags & DCERPC_AUTH_SPNEGO) {
|
||||
auth_type = DCERPC_AUTH_TYPE_SPNEGO;
|
||||
} else {
|
||||
auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
|
||||
}
|
||||
|
||||
status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version,
|
||||
domain, username, password,
|
||||
auth_type);
|
||||
} else {
|
||||
status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user