1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

r4635: Fix NTLMSSP to return NT_STATUS_OK when it has constructed the auth

token in the client (the final token in the negotiation).

Consequential fixes in the SPNEGO code, which now uses the out.length
as the indicator of 'I need to send something to the other side'.

Merge the NTLM and SPNEGO DCE-RPC authentication routines in the client.

Fix the RPC-MULTIBIND test consequent to this merge.

Andrew Bartlett
(This used to be commit 43e3516fc0)
This commit is contained in:
Andrew Bartlett 2005-01-10 10:48:19 +00:00 committed by Gerald (Jerry) Carter
parent 047d41cc49
commit 7db9de3ea9
8 changed files with 147 additions and 235 deletions

View File

@ -1257,13 +1257,14 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
ntlmssp_state->expected_state = NTLMSSP_DONE;
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) {
nt_status = ntlmssp_sign_init(ntlmssp_state);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",
nt_errstr(nt_status)));
return nt_status;
}
return NT_STATUS_MORE_PROCESSING_REQUIRED;
return nt_status;
}
NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx, struct ntlmssp_state **ntlmssp_state)

View File

@ -685,24 +685,34 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
if (spnego_state->no_response_expected) {
nt_status = NT_STATUS_OK;
if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
DEBUG(1,("gensec_update ok but not accepted\n"));
nt_status = NT_STATUS_INVALID_PARAMETER;
} else {
nt_status = NT_STATUS_OK;
}
} else {
nt_status = gensec_update(spnego_state->sub_sec_security,
out_mem_ctx,
spnego.negTokenTarg.responseToken,
&unwrapped_out);
}
if (NT_STATUS_IS_OK(nt_status)
&& (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) {
DEBUG(1,("gensec_update ok but not accepted\n"));
nt_status = NT_STATUS_INVALID_PARAMETER;
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->no_response_expected = True;
}
}
spnego_free_data(&spnego);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
&& !NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(nt_status)));
return nt_status;
}
if (unwrapped_out.length) {
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
@ -716,30 +726,21 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
spnego_state->state_position = SPNEGO_CLIENT_TARG;
} else if (NT_STATUS_IS_OK(nt_status)) {
/* all done - server has accepted, and we agree */
if (unwrapped_out.length) {
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
spnego_out.negTokenTarg.supportedMech = NULL;
spnego_out.negTokenTarg.responseToken = unwrapped_out;
spnego_out.negTokenTarg.mechListMIC = null_data_blob;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
return NT_STATUS_INVALID_PARAMETER;
}
} else {
*out = null_data_blob;
}
spnego_state->state_position = SPNEGO_DONE;
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(nt_status)));
/* all done - server has accepted, and we agree */
*out = null_data_blob;
if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
/* unless of course it did not accept */
DEBUG(1,("gensec_update ok but not accepted\n"));
nt_status = NT_STATUS_INVALID_PARAMETER;
}
}
spnego_state->state_position = SPNEGO_DONE;
return nt_status;
}
case SPNEGO_DONE:

View File

@ -23,8 +23,6 @@ ADD_OBJ_FILES = \
librpc/rpc/dcerpc_util.o \
librpc/rpc/dcerpc_error.o \
librpc/rpc/dcerpc_schannel.o \
librpc/rpc/dcerpc_ntlm.o \
librpc/rpc/dcerpc_spnego.o \
librpc/rpc/dcerpc_smb.o \
librpc/rpc/dcerpc_sock.o
REQUIRED_SUBSYSTEMS = SOCKET

View File

@ -5,7 +5,7 @@
Copyright (C) Andrew Tridgell 2003
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
Copyright (C) Stefan Metzmacher 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -86,27 +86,33 @@ NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth
goto done;
}
status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
p->conn->security_state.auth_info->credentials,
&credentials);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
goto done;
}
while (1) {
status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
p->conn->security_state.auth_info->credentials,
&credentials);
if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
break;
}
if (!credentials.length) {
break;
}
do {
p->conn->security_state.auth_info->credentials = credentials;
if (auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax);
if (NT_STATUS_IS_OK(status)) {
status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
p->conn->security_state.auth_info->credentials,
&credentials);
if (!NT_STATUS_IS_OK(status)) {
break;
}
} else {
status = dcerpc_auth3(p->conn, tmp_ctx);
credentials = data_blob(NULL, 0);
if (!NT_STATUS_IS_OK(status)) {
break;
}
}
} while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
};
done:
talloc_free(tmp_ctx);
@ -122,3 +128,74 @@ done:
return status;
}
/*
setup GENSEC on a DCE-RPC pipe
*/
NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p,
const char *uuid, uint_t version,
const char *domain,
const char *username,
const char *password,
uint8_t auth_type)
{
NTSTATUS status;
if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
p->conn->flags |= DCERPC_CONNECT;
}
status = gensec_client_start(p, &p->conn->security_state.generic_state);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
return status;
}
status = gensec_set_domain(p->conn->security_state.generic_state, domain);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
domain, nt_errstr(status)));
return status;
}
status = gensec_set_username(p->conn->security_state.generic_state, username);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
username, nt_errstr(status)));
return status;
}
status = gensec_set_password(p->conn->security_state.generic_state, password);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
nt_errstr(status)));
return status;
}
status = gensec_set_target_hostname(p->conn->security_state.generic_state,
p->conn->transport.peer_name(p->conn));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
nt_errstr(status)));
return status;
}
status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
auth_type,
dcerpc_auth_level(p->conn));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
return status;
}
status = dcerpc_bind_auth(p, auth_type,
dcerpc_auth_level(p->conn),
uuid, version);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("Failed to bind to pipe with %s: %s\n",
gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
return status;
}
return status;
}

View File

@ -1,85 +0,0 @@
/*
Unix SMB/CIFS implementation.
dcerpc authentication operations
Copyright (C) Andrew Tridgell 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
/*
do ntlm style authentication on a gensec pipe
*/
NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
const char *uuid, uint_t version,
const char *domain,
const char *username,
const char *password)
{
NTSTATUS status;
if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
p->conn->flags |= DCERPC_CONNECT;
}
status = gensec_client_start(p, &p->conn->security_state.generic_state);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
return status;
}
status = gensec_set_domain(p->conn->security_state.generic_state, domain);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
domain, nt_errstr(status)));
return status;
}
status = gensec_set_username(p->conn->security_state.generic_state, username);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
username, nt_errstr(status)));
return status;
}
status = gensec_set_password(p->conn->security_state.generic_state, password);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
nt_errstr(status)));
return status;
}
status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
DCERPC_AUTH_TYPE_NTLMSSP, dcerpc_auth_level(p->conn));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client NTLMSSP mechanism: %s\n",
nt_errstr(status)));
return status;
}
status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_NTLMSSP,
dcerpc_auth_level(p->conn),
uuid, version);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("Failed to bind to pipe with NTLMSSP: %s\n", nt_errstr(status)));
return status;
}
return status;
}

View File

@ -1,95 +0,0 @@
/*
Unix SMB/CIFS implementation.
dcerpc authentication operations
Copyright (C) Stefan Metzmacher 2004
Copyright (C) Andrew Tridgell 2003-2005
Copyright (C) Andrew Bartlett 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
/*
do spnego style authentication on a gensec pipe
*/
NTSTATUS dcerpc_bind_auth_spnego(struct dcerpc_pipe *p,
const char *uuid, uint_t version,
const char *domain,
const char *username,
const char *password)
{
NTSTATUS status;
if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
p->conn->flags |= DCERPC_CONNECT;
}
status = gensec_client_start(p, &p->conn->security_state.generic_state);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
return status;
}
status = gensec_set_domain(p->conn->security_state.generic_state, domain);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
domain, nt_errstr(status)));
return status;
}
status = gensec_set_username(p->conn->security_state.generic_state, username);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
username, nt_errstr(status)));
return status;
}
status = gensec_set_password(p->conn->security_state.generic_state, password);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
nt_errstr(status)));
return status;
}
status = gensec_set_target_hostname(p->conn->security_state.generic_state,
p->conn->transport.peer_name(p->conn));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
nt_errstr(status)));
return status;
}
status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
DCERPC_AUTH_TYPE_SPNEGO,
dcerpc_auth_level(p->conn));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n",
nt_errstr(status)));
return status;
}
status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_SPNEGO,
dcerpc_auth_level(p->conn),
uuid, version);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("Failed to bind to pipe with SPNEGO: %s\n", nt_errstr(status)));
return status;
}
return status;
}

View File

@ -785,7 +785,6 @@ static NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
const char *password)
{
NTSTATUS status;
p->conn->flags = binding->flags;
/* remember the binding string for possible secondary connections */
@ -794,10 +793,17 @@ static NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
if (username && username[0] && (binding->flags & DCERPC_SCHANNEL_ANY)) {
status = dcerpc_bind_auth_schannel(p, pipe_uuid, pipe_version,
domain, username, password);
} else if (username && username[0] && (binding->flags & DCERPC_AUTH_SPNEGO)) {
status = dcerpc_bind_auth_spnego(p, pipe_uuid, pipe_version, domain, username, password);
} else if (username && username[0]) {
status = dcerpc_bind_auth_ntlm(p, pipe_uuid, pipe_version, domain, username, password);
uint8_t auth_type;
if (binding->flags & DCERPC_AUTH_SPNEGO) {
auth_type = DCERPC_AUTH_TYPE_SPNEGO;
} else {
auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
}
status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version,
domain, username, password,
auth_type);
} else {
status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version);
}

View File

@ -72,8 +72,17 @@ BOOL torture_multi_bind(void)
if (username && username[0] && (binding->flags & DCERPC_SCHANNEL_ANY)) {
status = dcerpc_bind_auth_schannel(p, pipe_uuid, pipe_version,
domain, username, password);
} else if (username && username[0] && (binding->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
status = dcerpc_bind_auth_ntlm(p, pipe_uuid, pipe_version, domain, username, password);
} else if (username && username[0]) {
uint8_t auth_type;
if (binding->flags & DCERPC_AUTH_SPNEGO) {
auth_type = DCERPC_AUTH_TYPE_SPNEGO;
} else {
auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
}
status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version,
domain, username, password,
auth_type);
} else {
status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version);
}