[SCM] Samba Shared Repository - branch master updated
Simo Sorce
idra at samba.org
Fri Jul 30 13:10:48 MDT 2010
The branch, master has been updated
via 57bd974... s3-dcerpc: Use dcerpc_guess_sizes in the server code too.
via 4c64e4d... s3-dceprc: Improve dcerpc_guess_sizes() interface
via 3469fbc... s3-dcerpc: rationalize packet creation in the server code
via a9d3a59... s3-dcerpc: Make function to guess pdu sizes common.
via 9329a9f... s3-dceprc: consolidate use of dcerpc_push_dcerpc_auth()
via da6c246... s3-dcerpc: Remove unused functions
via 186f936... s3-dcerpc: use common spengo wrapper code for client SPNEGO/NTLMSSP
via 984438c... s3-dcerpc: add sign/seal support when using SPNEGO/KRB5
via 0b24e8e... s3-dcerpc: Add SPNEGO incapsulation for KRB5 auth
via e286b9c... rpcclient: Use DCERPC_AUTH_LEVEL_CONNECT if no sign/seal is set for ntlmssp
from fcdda8f... s3: Remove "cli" from "struct finfo"
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 57bd974e5865212641f6941dd875bc1bc4967ed9
Author: Simo Sorce <idra at samba.org>
Date: Fri Jul 30 14:01:01 2010 -0400
s3-dcerpc: Use dcerpc_guess_sizes in the server code too.
commit 4c64e4d4af3403559b370381d7f14a83a39adfa7
Author: Simo Sorce <idra at samba.org>
Date: Fri Jul 30 13:12:35 2010 -0400
s3-dceprc: Improve dcerpc_guess_sizes() interface
Make it possible to pass in the NDR padding size so that theoretically
client and server code can decide to use a different alignment.
Pass in the header length as a parameter so that this function can be used for
different type of packets.
Make sure padding size will not make the fragment exceed the maximum length.
Calculate padding taking in account the header length.
commit 3469fbc5e4098e798a03d14fece24fde2b60d9b9
Author: Simo Sorce <idra at samba.org>
Date: Fri Jul 30 12:19:20 2010 -0400
s3-dcerpc: rationalize packet creation in the server code
Move all related functions into create_next_packet, but make it transport
neutral (not pass in pipse_struct)
commit a9d3a596a7c4d7e5775751cbce74e2fb07ce2192
Author: Simo Sorce <idra at samba.org>
Date: Fri Jul 30 11:27:40 2010 -0400
s3-dcerpc: Make function to guess pdu sizes common.
commit 9329a9fe848761e2835ff58123d8f64d8bab35b2
Author: Simo Sorce <idra at samba.org>
Date: Thu Jul 29 20:20:49 2010 -0400
s3-dceprc: consolidate use of dcerpc_push_dcerpc_auth()
commit da6c246aacc298ec0c7536289afbd9e0d99ea130
Author: Simo Sorce <idra at samba.org>
Date: Thu Jul 29 20:21:53 2010 -0400
s3-dcerpc: Remove unused functions
commit 186f93633b4890c444115ac4eed109aa24f20b44
Author: Simo Sorce <idra at samba.org>
Date: Thu Jul 29 19:55:44 2010 -0400
s3-dcerpc: use common spengo wrapper code for client SPNEGO/NTLMSSP
commit 984438ca1522bfc2d882b2e3e7e8db187577e05a
Author: Simo Sorce <idra at samba.org>
Date: Thu Jul 29 16:34:39 2010 -0400
s3-dcerpc: add sign/seal support when using SPNEGO/KRB5
commit 0b24e8e869207dcb567b61272794daef48ee492a
Author: Simo Sorce <idra at samba.org>
Date: Wed Jul 28 17:06:51 2010 -0400
s3-dcerpc: Add SPNEGO incapsulation for KRB5 auth
commit e286b9c0bd7bf553f216d7c8288bb75a6b3dde95
Author: Simo Sorce <idra at samba.org>
Date: Thu Jul 29 20:07:19 2010 -0400
rpcclient: Use DCERPC_AUTH_LEVEL_CONNECT if no sign/seal is set for ntlmssp
-----------------------------------------------------------------------
Summary of changes:
source3/Makefile.in | 5 +-
source3/include/ntdomain.h | 5 +-
source3/include/proto.h | 8 +
source3/librpc/rpc/dcerpc.h | 5 +
source3/librpc/rpc/dcerpc_helpers.c | 476 +++++++++++++++++++++-----
source3/librpc/rpc/dcerpc_spnego.c | 354 +++++++++++++++++++
source3/librpc/rpc/dcerpc_spnego.h | 53 +++
source3/rpc_client/cli_pipe.c | 638 +++++++++++++----------------------
source3/rpc_server/srv_pipe.c | 179 ++++-------
source3/rpcclient/rpcclient.c | 45 ++-
10 files changed, 1132 insertions(+), 636 deletions(-)
create mode 100644 source3/librpc/rpc/dcerpc_spnego.c
create mode 100644 source3/librpc/rpc/dcerpc_spnego.h
Changeset truncated at 500 lines:
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 91856c2..bf2646d 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -676,7 +676,9 @@ RPC_SERVER_OBJ = @RPC_STATIC@ $(RPC_PIPE_OBJ) $(NPA_TSTREAM_OBJ)
RPC_PARSE_OBJ = $(RPC_PARSE_OBJ2)
-RPC_CLIENT_OBJ = rpc_client/cli_pipe.o librpc/rpc/dcerpc_gssapi.o \
+RPC_CLIENT_OBJ = rpc_client/cli_pipe.o \
+ librpc/rpc/dcerpc_gssapi.o \
+ librpc/rpc/dcerpc_spnego.o \
librpc/rpc/rpc_common.o \
rpc_client/rpc_transport_np.o \
rpc_client/rpc_transport_sock.o \
@@ -1355,6 +1357,7 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.o \
librpc/rpc/rpc_common.o \
rpc_client/cli_pipe.o \
librpc/rpc/dcerpc_gssapi.o \
+ librpc/rpc/dcerpc_spnego.o \
../librpc/rpc/binding.o \
$(LIBMSRPC_GEN_OBJ)
diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
index 0651381..f42ff58 100644
--- a/source3/include/ntdomain.h
+++ b/source3/include/ntdomain.h
@@ -105,13 +105,14 @@ struct gse_context;
struct pipe_auth_data {
enum dcerpc_AuthType auth_type;
- enum pipe_auth_type_spnego spnego_type;
+ enum pipe_auth_type_spnego spnego_type; /* used by server only */
enum dcerpc_AuthLevel auth_level;
union {
struct schannel_state *schannel_auth;
struct auth_ntlmssp_state *auth_ntlmssp_state;
- struct gse_context *gssapi_state; /* Client only for now */
+ struct gse_context *gssapi_state;
+ struct spnego_context *spnego_state;
} a_u;
/* Only the client code uses these 3 for now */
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 1af36dd..bf7a41e 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -4848,6 +4848,14 @@ NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
const char *username,
const char *password,
struct rpc_pipe_client **presult);
+NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli,
+ const struct ndr_syntax_id *interface,
+ enum dcerpc_transport_t transport,
+ enum dcerpc_AuthLevel auth_level,
+ const char *server,
+ const char *username,
+ const char *password,
+ struct rpc_pipe_client **presult);
NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
struct rpc_pipe_client *cli,
DATA_BLOB *session_key);
diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
index d170daa..f07403a 100644
--- a/source3/librpc/rpc/dcerpc.h
+++ b/source3/librpc/rpc/dcerpc.h
@@ -139,6 +139,11 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
const DATA_BLOB *blob,
struct dcerpc_auth *r,
bool bigendian);
+NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
+ size_t header_len, size_t data_left,
+ size_t max_xmit_frag, size_t pad_alignment,
+ size_t *data_to_send, size_t *frag_len,
+ size_t *auth_len, size_t *pad_len);
NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
size_t pad_len, DATA_BLOB *rpc_out);
NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index 4dc3d7f..84f7ce4 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -27,6 +27,7 @@
#include "../libcli/auth/ntlmssp.h"
#include "ntlmssp_wrap.h"
#include "librpc/rpc/dcerpc_gssapi.h"
+#include "librpc/rpc/dcerpc_spnego.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_PARSE
@@ -240,6 +241,136 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+/**
+* @brief Calculate how much data we can in a packet, including calculating
+* auth token and pad lengths.
+*
+* @param auth The pipe_auth_data structure for this pipe.
+* @param header_len The length of the packet header
+* @param data_left The data left in the send buffer
+* @param max_xmit_frag The max fragment size.
+* @param pad_alignment The NDR padding size.
+* @param data_to_send [out] The max data we will send in the pdu
+* @param frag_len [out] The total length of the fragment
+* @param auth_len [out] The length of the auth trailer
+* @param pad_len [out] The padding to be applied
+*
+* @return A NT Error status code.
+*/
+NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
+ size_t header_len, size_t data_left,
+ size_t max_xmit_frag, size_t pad_alignment,
+ size_t *data_to_send, size_t *frag_len,
+ size_t *auth_len, size_t *pad_len)
+{
+ size_t max_len;
+ size_t mod_len;
+ struct gse_context *gse_ctx;
+ enum dcerpc_AuthType auth_type;
+ void *auth_ctx;
+ bool seal = false;
+ NTSTATUS status;
+
+ /* no auth token cases first */
+ switch (auth->auth_level) {
+ case DCERPC_AUTH_LEVEL_NONE:
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ case DCERPC_AUTH_LEVEL_PACKET:
+ max_len = max_xmit_frag - header_len;
+ *data_to_send = MIN(max_len, data_left);
+ *pad_len = 0;
+ *auth_len = 0;
+ *frag_len = header_len + *data_to_send;
+ return NT_STATUS_OK;
+
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ seal = true;
+ break;
+
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ break;
+
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+
+ /* Sign/seal case, calculate auth and pad lengths */
+
+ max_len = max_xmit_frag - header_len - DCERPC_AUTH_TRAILER_LENGTH;
+
+ /* Treat the same for all authenticated rpc requests. */
+ switch (auth->auth_type) {
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ /* compat for server code */
+ if (auth->spnego_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ *auth_len = NTLMSSP_SIG_SIZE;
+ break;
+ }
+
+ status = spnego_get_negotiated_mech(auth->a_u.spnego_state,
+ &auth_type, &auth_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ switch (auth_type) {
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ *auth_len = NTLMSSP_SIG_SIZE;
+ break;
+
+ case DCERPC_AUTH_TYPE_KRB5:
+ gse_ctx = talloc_get_type(auth_ctx,
+ struct gse_context);
+ if (!gse_ctx) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ *auth_len = gse_get_signature_length(gse_ctx,
+ seal, max_len);
+ break;
+
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ break;
+
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ *auth_len = NTLMSSP_SIG_SIZE;
+ break;
+
+ case DCERPC_AUTH_TYPE_SCHANNEL:
+ *auth_len = NL_AUTH_SIGNATURE_SIZE;
+ break;
+
+ case DCERPC_AUTH_TYPE_KRB5:
+ *auth_len = gse_get_signature_length(auth->a_u.gssapi_state,
+ seal, max_len);
+ break;
+
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ max_len -= *auth_len;
+
+ *data_to_send = MIN(max_len, data_left);
+
+ mod_len = (header_len + *data_to_send) % pad_alignment;
+ if (mod_len) {
+ *pad_len = pad_alignment - mod_len;
+ } else {
+ *pad_len = 0;
+ }
+
+ if (*data_to_send + *pad_len > max_len) {
+ *data_to_send -= pad_alignment;
+ }
+
+ *frag_len = header_len + *data_to_send + *pad_len
+ + DCERPC_AUTH_TRAILER_LENGTH + *auth_len;
+
+ return NT_STATUS_OK;
+}
+
/*******************************************************************
Create and add the NTLMSSP sign/seal auth data.
********************************************************************/
@@ -309,6 +440,39 @@ static NTSTATUS add_ntlmssp_auth_footer(struct auth_ntlmssp_state *auth_state,
}
/*******************************************************************
+ Check/unseal the NTLMSSP auth data. (Unseal in place).
+ ********************************************************************/
+
+static NTSTATUS get_ntlmssp_auth_footer(struct auth_ntlmssp_state *auth_state,
+ enum dcerpc_AuthLevel auth_level,
+ DATA_BLOB *data, DATA_BLOB *full_pkt,
+ DATA_BLOB *auth_token)
+{
+ switch (auth_level) {
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ /* Data portion is encrypted. */
+ return auth_ntlmssp_unseal_packet(auth_state,
+ data->data,
+ data->length,
+ full_pkt->data,
+ full_pkt->length,
+ auth_token);
+
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ /* Data is signed. */
+ return auth_ntlmssp_check_packet(auth_state,
+ data->data,
+ data->length,
+ full_pkt->data,
+ full_pkt->length,
+ auth_token);
+
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+}
+
+/*******************************************************************
Create and add the schannel sign/seal auth data.
********************************************************************/
@@ -373,6 +537,38 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
}
/*******************************************************************
+ Check/unseal the Schannel auth data. (Unseal in place).
+ ********************************************************************/
+
+static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
+ struct schannel_state *auth_state,
+ enum dcerpc_AuthLevel auth_level,
+ DATA_BLOB *data, DATA_BLOB *full_pkt,
+ DATA_BLOB *auth_token)
+{
+ switch (auth_level) {
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ /* Data portion is encrypted. */
+ return netsec_incoming_packet(auth_state,
+ mem_ctx, true,
+ data->data,
+ data->length,
+ auth_token);
+
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ /* Data is signed. */
+ return netsec_incoming_packet(auth_state,
+ mem_ctx, false,
+ data->data,
+ data->length,
+ auth_token);
+
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+}
+
+/*******************************************************************
Create and add the gssapi sign/seal auth data.
********************************************************************/
@@ -421,6 +617,136 @@ static NTSTATUS add_gssapi_auth_footer(struct gse_context *gse_ctx,
return NT_STATUS_OK;
}
+/*******************************************************************
+ Check/unseal the gssapi auth data. (Unseal in place).
+ ********************************************************************/
+
+static NTSTATUS get_gssapi_auth_footer(TALLOC_CTX *mem_ctx,
+ struct gse_context *gse_ctx,
+ enum dcerpc_AuthLevel auth_level,
+ DATA_BLOB *data, DATA_BLOB *full_pkt,
+ DATA_BLOB *auth_token)
+{
+ /* TODO: pass in full_pkt when
+ * DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN is set */
+ switch (auth_level) {
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ /* Data portion is encrypted. */
+ return gse_unseal(mem_ctx, gse_ctx,
+ data, auth_token);
+
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ /* Data is signed. */
+ return gse_sigcheck(mem_ctx, gse_ctx,
+ data, auth_token);
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+}
+
+/*******************************************************************
+ Create and add the spnego-negotiated sign/seal auth data.
+ ********************************************************************/
+
+static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx,
+ enum dcerpc_AuthLevel auth_level,
+ DATA_BLOB *rpc_out)
+{
+ enum dcerpc_AuthType auth_type;
+ struct gse_context *gse_ctx;
+ struct auth_ntlmssp_state *ntlmssp_ctx;
+ void *auth_ctx;
+ NTSTATUS status;
+
+ if (!spnego_ctx) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = spnego_get_negotiated_mech(spnego_ctx,
+ &auth_type, &auth_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ switch (auth_type) {
+ case DCERPC_AUTH_TYPE_KRB5:
+ gse_ctx = talloc_get_type(auth_ctx, struct gse_context);
+ if (!gse_ctx) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ break;
+ }
+ status = add_gssapi_auth_footer(gse_ctx,
+ auth_level, rpc_out);
+ break;
+
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ ntlmssp_ctx = talloc_get_type(auth_ctx,
+ struct auth_ntlmssp_state);
+ if (!ntlmssp_ctx) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ break;
+ }
+ status = add_ntlmssp_auth_footer(ntlmssp_ctx,
+ auth_level, rpc_out);
+ break;
+
+ default:
+ status = NT_STATUS_INTERNAL_ERROR;
+ break;
+ }
+
+ return status;
+}
+
+static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx,
+ struct spnego_context *sp_ctx,
+ enum dcerpc_AuthLevel auth_level,
+ DATA_BLOB *data, DATA_BLOB *full_pkt,
+ DATA_BLOB *auth_token)
+{
+ enum dcerpc_AuthType auth_type;
+ struct auth_ntlmssp_state *ntlmssp_ctx;
+ struct gse_context *gse_ctx;
+ void *auth_ctx;
+ NTSTATUS status;
+
+ status = spnego_get_negotiated_mech(sp_ctx, &auth_type, &auth_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ switch (auth_type) {
+ case DCERPC_AUTH_TYPE_KRB5:
+ gse_ctx = talloc_get_type(auth_ctx,
+ struct gse_context);
+ if (!gse_ctx) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DEBUG(10, ("KRB5 auth\n"));
+
+ return get_gssapi_auth_footer(mem_ctx, gse_ctx,
+ auth_level,
+ data, full_pkt,
+ auth_token);
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ ntlmssp_ctx = talloc_get_type(auth_ctx,
+ struct auth_ntlmssp_state);
+ if (!ntlmssp_ctx) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DEBUG(10, ("NTLMSSP auth\n"));
+
+ return get_ntlmssp_auth_footer(ntlmssp_ctx,
+ auth_level,
+ data, full_pkt,
+ auth_token);
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+}
+
/**
* @brief Append an auth footer according to what is the current mechanism
*
@@ -479,10 +805,16 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
status = NT_STATUS_OK;
break;
case DCERPC_AUTH_TYPE_SPNEGO:
- if (auth->spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
- return NT_STATUS_INVALID_PARAMETER;
+ if (auth->spnego_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ /* compat for server code */
+ return add_ntlmssp_auth_footer(
+ auth->a_u.auth_ntlmssp_state,
+ auth->auth_level,
+ rpc_out);
}
- /* fall thorugh */
+ status = add_spnego_auth_footer(auth->a_u.spnego_state,
+ auth->auth_level, rpc_out);
+ break;
case DCERPC_AUTH_TYPE_NTLMSSP:
status = add_ntlmssp_auth_footer(auth->a_u.auth_ntlmssp_state,
auth->auth_level,
@@ -590,50 +922,40 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
return NT_STATUS_OK;
case DCERPC_AUTH_TYPE_SPNEGO:
- if (auth->spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
- DEBUG(0, ("Currently only NTLMSSP is supported "
- "with SPNEGO\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
- /* fall through */
- case DCERPC_AUTH_TYPE_NTLMSSP:
-
- DEBUG(10, ("NTLMSSP auth\n"));
+ if (auth->spnego_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ /* compat for server code */
+ DEBUG(10, ("NTLMSSP auth\n"));
- if (!auth->a_u.auth_ntlmssp_state) {
- DEBUG(0, ("Invalid auth level, "
- "failed to process packet auth.\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- switch (auth->auth_level) {
- case DCERPC_AUTH_LEVEL_PRIVACY:
- status = auth_ntlmssp_unseal_packet(
- auth->a_u.auth_ntlmssp_state,
- data.data, data.length,
- full_pkt.data, full_pkt.length,
- &auth_info.credentials);
+ status = get_ntlmssp_auth_footer(
+ auth->a_u.auth_ntlmssp_state,
+ auth->auth_level,
+ &data, &full_pkt,
+ &auth_info.credentials);
if (!NT_STATUS_IS_OK(status)) {
--
Samba Shared Repository
More information about the samba-cvs
mailing list