1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-22 22:04:08 +03:00

87 Commits

Author SHA1 Message Date
Stefan Metzmacher
353af4b705 s4:librpc: make all but dcerpc_pipe->binding_handle internal struct members
We could use a dcerpc_internal.h for struct dcecli_security and
struct dcecli_connection, but in struct dcerpc_pipe we still
expose binding_handle and changing that would require way too
much work for now...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-09-26 15:22:46 +00:00
Joseph Sutton
9c880e868d s4:librpc: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Samuel Cabrero
83def9a945 s4:rpc_server: Split dcerpc_generic_session_key for server and client
Split the common bits of dcerpc_generic_session_key to librpc and rename
client the specific part to dcecli_generic_session_key.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-10-18 16:07:36 +00:00
Stefan Metzmacher
50c7112b00 s4:librpc: restore inhibit_timeout_processing = true during gensec_update_send/recv()
As not all gensec backends are fully async yet, we need the
inhibit_timeout_processing workarround in order to protect
against nested event loops.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Stefan Metzmacher
2c4e21cd6e s4:librpc: make use of gensec_update_send() in bind_auth_next_step()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:13 +02:00
Stefan Metzmacher
65655f2484 s4:librpc: use gensec_update_send() in dcerpc_bind_auth_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:13 +02:00
Stefan Metzmacher
278f220c7e s4:librpc: ask for GENSEC_FEATURE_SIGN_PKT_HEADER after the gensec_update() dance
Most features should be added before the update() dance, while
GENSEC_FEATURE_SIGN_PKT_HEADER needs to be after the dance on the client
side.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:09 +02:00
Stefan Metzmacher
b5abc7cadc s4:librpc/rpc: pass the object guid to the binding handle if required
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:18 +02:00
Günther Deschner
36f90c8f13 s4:librpc/rpc: add support for DCERPC_AUTH_LEVEL_PACKET
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:16 +02:00
Stefan Metzmacher
cdba091867 CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:29 +02:00
Stefan Metzmacher
ace23643d1 CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
We now avoid reusing the same auth_info structure for incoming and outgoing
values. We need to make sure that the remote server doesn't overwrite our own
values.

This will trigger some failures with our currently broken server,
which will be fixed in the next commits.

The broken server requires an dcerpc_auth structure with no credentials
in order to do an alter_context request that just creates a presentation
context without doing authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:28 +02:00
Stefan Metzmacher
8f6cffcb3c CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
In future we want to verify that the auth_context_id from the server
is what we expect.

As Samba (<= 4.2.3) use a hardcoded value of 1 in responses, we
need to use that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:28 +02:00
Stefan Metzmacher
27da35f8df CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
This will simplify the following commits and avoids dereferencing
dcecli_security->auth_info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:28 +02:00
Stefan Metzmacher
0153c013fc s4:librpc: make use of gensec_update_ev()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:31 +01:00
Stefan Metzmacher
4afe367c08 s4:librpc/rpc: use dcerpc_binding_get_string_option("target_principal")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:18 +01:00
Stefan Metzmacher
2e093cc0cc s4:librpc/rpc: only propose header signing if we use sign or seal
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-11 16:02:14 +01:00
Gregor Beck
3193c27256 s4:librpc: remove server_name from transport
Signed-off-by: Gregor Beck <gbeck@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-01-07 08:37:45 +01:00
Stefan Metzmacher
7db1dc13b0 s4:librpc: always try to negotiate DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
If the gensec backend supports it there's no reason not sign the header.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 00:27:11 +01:00
Andrew Bartlett
02a356ea77 s4-librpc: Ensure we do not call call the decrpc timeout handler during gensec_update()
This avoids a situation where we could destroy pointers on the stack due to
a nested event loop.

This is certainly not a final, generic solution, but it is a minimal change
while we work to make gensec and gensec_gssapi async.

Andrew Bartlett
2012-07-18 09:32:53 +02:00
Jelmer Vernooij
95ca5fbadd libndr: Rename ndr64_transfer_syntax and null_ndr_syntax_id so they have a ndr_ prefix.
This makes the NDR namespace a bit clearer, in preparation of ABI checking.
2012-03-20 13:54:07 +01:00
Stefan Metzmacher
198c5ace6f s4:librpc/rpc: convert dcerpc_alter_context_send/recv to tevent_req
Many thanks to Andrew Bartlett <abartlet@samba.org> for the
debugging, which lead to the following line:

       talloc_steal(state, raw_packet->data);

metze
2012-03-15 07:35:28 +01:00
Stefan Metzmacher
6b81d71f3e s4:librpc/rpc: convert dcerpc_bind_send/recv to tevent_req
Many thanks to Andrew Bartlett <abartlet@samba.org> for the
debugging, which lead to the following line:

       talloc_steal(state, raw_packet->data);

metze
2012-03-15 07:35:28 +01:00
Andrew Bartlett
e7d5f0a357 gensec: move event context from gensec_*_init() to gensec_update()
This avoids keeping the event context around on a the gensec_security
context structure long term.

In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:33 +11:00
Stefan Metzmacher
b0d54da746 s4:librpc/rpc: s/dcerpc_security/dcecli_security
We'll use 'dcerpc_security' for the generic dcerpc
client and server code.

metze
2011-03-13 16:33:06 +01:00
Andrew Tridgell
9bae4cd3d9 s4-rpc: added target_principal binding handle option
this allows you to specify a target SPN for a connection

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-01 22:31:57 -07:00
Andrew Tridgell
c9b0b89cc0 s4-rpc: added NDR64 support
This adds support for the nd464 binding string option
2009-09-17 15:19:27 -07:00
Jelmer Vernooij
b45caa44e1 Fix the build. 2008-11-02 23:58:49 +01:00
Jelmer Vernooij
b034c519f5 Add gensec_settings structure. This wraps loadparm_context for now, but
should in the future only contain some settings required for gensec.
2008-11-02 02:05:48 +01:00
Stefan Metzmacher
73ebb58f2d client free credentials when not needed anymore
(This used to be commit d982b69df638f17da6af398e2613986240031064)
2008-09-13 20:37:11 +02:00
Stefan Metzmacher
50f82609b5 librpc/rpc: add support DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
You can trigger it like this:

ncacn_ip_tcp:172.31.9.234[sign,hdrsign]

or

ncacn_ip_tcp:172.31.9.234[seal,hdrsign]

metze
(This used to be commit 54f1fca582b1474693b5ee11b7b847086d27f75f)
2008-08-07 15:40:20 +02:00
Stefan Metzmacher
b3573ce76e librpc/rpc: pass struct dcerpc_pipe to dcerpc_auth3()
metze
(This used to be commit 60b3523da485d845b1d930d990688d8434d39ef3)
2008-08-07 15:40:20 +02:00
Jelmer Vernooij
afe3e8172d Install public header files again and include required prototypes.
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 04:53:27 +02:00
Jelmer Vernooij
4c4323009f r26327: Explicit loadparm_context for RPC client functions.
(This used to be commit eeb2251d22b3d6e0379444a73af69d1014692b07)
2007-12-21 05:48:41 +01:00
Jelmer Vernooij
ecea5ce245 r26260: Store loadparm context in gensec context.
(This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)
2007-12-21 05:47:34 +01:00
Jelmer Vernooij
fface33dd7 r26231: Spell check: credentails -> credentials.
(This used to be commit 4b46888bd0195ab12190f76868719fc018baafd6)
2007-12-21 05:47:09 +01:00
Jelmer Vernooij
7c30312c17 r25316: Remove last few instances of old BOOL type in librpc/.
(This used to be commit 80d1dd41d4b224c46ad545f0afd97a847b99860b)
2007-10-10 15:07:13 -05:00
Stefan Metzmacher
b8cdadced4 r24551: rename dcerpc_interface_table -> ndr_interface_table
rename dcerpc_interface_list  -> ndr_interface_list

and move them to libndr.h

metze
(This used to be commit 4adbebef5df2f833d2d4bfcdda72a34179d52f5c)
2007-10-10 15:02:12 -05:00
Stefan Metzmacher
ce84ab9a83 r24532: rename struct dcerpc_syntax_id into struct ndr_syntax_id
and move it into misc.idl

The goal is to get rid a all dcerpc specific stuff in the
generated ndr layer.

metze
(This used to be commit 2ed014cfb894cccab1654e3f7d5876393e2b52d7)
2007-10-10 15:02:11 -05:00
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10 14:59:12 -05:00
Andrew Bartlett
2da96ebd7a r19479: Remove more unused functions. These are handled via authentication
abstractions now.

Andrew Bartlett
(This used to be commit df31237c0cac0213c4f32fc491bcec2ea9f885c3)
2007-10-10 14:21:40 -05:00
Stefan Metzmacher
daff55d64e r17324: make better usage of the composite api
metze
(This used to be commit 0fa97777107f5f65f8b48976b90f1ae52f1fe2a5)
2007-10-10 14:15:14 -05:00
Rafal Szczesniak
0240d4a875 r15021: Couple more comments and fixes in spirit of utility functions
for composite interface.

rafal
(This used to be commit 905ca5a3ecd1c4ed5b9f206cdc855d0ddb92a07a)
2007-10-10 14:04:01 -05:00
Andrew Bartlett
57589e3b67 r14714: On DCE/RPC, we need the name of the remote server used on the socket,
for Kerberos.  It must be the full name contacted, not the 'called
name' we might want to use for \\server things, so add another function.

Andrew Bartlett
(This used to be commit 6d57d1dbb76e7d1ca2fd4f1a6c0bacfa7a189e2b)
2007-10-10 13:59:12 -05:00
Jelmer Vernooij
35349a58df r14542: Remove librpc, libndr and libnbt from includes.h
(This used to be commit 51b4270513752d2eafbe77f9de598de16ef84a1f)
2007-10-10 13:58:42 -05:00
Andrew Bartlett
f2d76bddd5 r13334: Add comments describing what these functions do.
We still need many more, but it is a start...

Andrew Bartlett
(This used to be commit b2bda127f681dc1e2003c86159a85fa613373f16)
2007-10-10 13:51:45 -05:00
Andrew Bartlett
a5a79e8b8c r12865: Upgrade the librpc and libnet code.
In librpc, always try SMB level authentication, even if trying
schannel, but allow fallback to anonymous.  This should better
function with servers that set restrict anonymous.

There are too many parts of Samba that get, parse and modify the
binding parameters.  Avoid the extra work, and add a binding element
to the struct dcerpc_pipe

The libnet vampire code has been refactored, to reduce extra layers
and to better conform with the standard argument pattern.  Also, take
advantage of the new libnet_Lookup code, so we don't require the silly
'password server' smb.conf parameter.

To better support forcing traffic to be sealed for the vampire
operation, the dcerpc_bind_auth() function now takes an auth level
parameter.

Andrew Bartlett
(This used to be commit d65b354959842326fdd4bd7eb7fbeea0390f4afa)
2007-10-10 13:50:55 -05:00
Jelmer Vernooij
2cd5ca7d25 r12542: Move some more prototypes out to seperate headers
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10 13:47:55 -05:00
Jelmer Vernooij
acd6a086b3 r12510: Change the DCE/RPC interfaces to take a pointer to a
dcerpc_interface_table struct rather then a tuple of interface
name, UUID and version.

This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).

This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.

I will now modify some of these functions to take a dcerpc_syntax_id
structure rather then a full dcerpc_interface_table.
(This used to be commit 8aae0f168e54c01d0866ad6e0da141dbd828574f)
2007-10-10 13:47:48 -05:00
Andrew Tridgell
111a920fdb r12116: got rid of composite_trigger_done() and composite_trigger_error(), and
instead make the normal composite_done() and composite_error()
functions automatically trigger a delayed callback if the caller has
had no opportunity to setup a async callback

this removes one of the common mistakes in writing a composite function
(This used to be commit f9413ce792ded682e05134b66d433eeec293e6f1)
2007-10-10 13:47:11 -05:00
Volker Lendecke
35741ad8b1 r11835: Restore comments
(This used to be commit 94591bdb6542d4a3096074b672e19142c9236211)
2007-10-10 13:46:36 -05:00