r25398: Parse loadparm context to all lp_*() functions.

[kai/samba.git] / source4 / rpc_server / dcesrv_auth.c

diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 3f848ca38199ee25d001f569eb52b011118667e7..0843a4376151d84433f615940aa509d31208e2d0 100644 (file)
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -8,7 +8,7 @@
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
+   the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
@@ -17,14 +17,15 @@
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "includes.h"
 #include "rpc_server/dcerpc_server.h"
 #include "librpc/gen_ndr/ndr_dcerpc.h"
+#include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
+#include "param/param.h"
 
 /*
   parse any auth information from a dcerpc bind request
@@ -70,7 +71,7 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call)
                return False;
        }
        
-       cli_credentials_set_conf(server_credentials);
+       cli_credentials_set_conf(server_credentials, global_loadparm);
        status = cli_credentials_set_machine_account(server_credentials);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
@@ -98,13 +99,13 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call)
   add any auth information needed in a bind ack, and process the authentication
   information found in the bind.
 */
-BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
+NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
 {
        struct dcesrv_connection *dce_conn = call->conn;
        NTSTATUS status;
 
        if (!call->conn->auth_state.gensec_security) {
-               return True;
+               return NT_STATUS_OK;
        }
 
        status = gensec_update(dce_conn->auth_state.gensec_security,
@@ -117,19 +118,19 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *p
                                             &dce_conn->auth_state.session_info);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
-                       return False;
+                       return status;
                }
 
                /* Now that we are authenticated, go back to the generic session key... */
                dce_conn->auth_state.session_key = dcesrv_generic_session_key;
-               return True;
+               return NT_STATUS_OK;
        } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
                dce_conn->auth_state.auth_info->auth_pad_length = 0;
                dce_conn->auth_state.auth_info->auth_reserved = 0;
-               return True;
+               return NT_STATUS_OK;
        } else {
                DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status)));
-               return False;
+               return status;
        }
 }
 
@@ -223,7 +224,7 @@ BOOL dcesrv_auth_alter(struct dcesrv_call_state *call)
   add any auth information needed in a alter ack, and process the authentication
   information found in the alter.
 */
-BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
+NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
 {
        struct dcesrv_connection *dce_conn = call->conn;
        NTSTATUS status;
@@ -232,11 +233,11 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *
           setup */
        if (!call->conn->auth_state.auth_info ||
            dce_conn->auth_state.auth_info->credentials.length == 0) {
-               return True;
+               return NT_STATUS_OK;
        }
 
        if (!call->conn->auth_state.gensec_security) {
-               return False;
+               return NT_STATUS_INVALID_PARAMETER;
        }
 
        status = gensec_update(dce_conn->auth_state.gensec_security,
@@ -249,20 +250,20 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *
                                             &dce_conn->auth_state.session_info);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
-                       return False;
+                       return status;
                }
 
                /* Now that we are authenticated, got back to the generic session key... */
                dce_conn->auth_state.session_key = dcesrv_generic_session_key;
-               return True;
+               return NT_STATUS_OK;
        } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
                dce_conn->auth_state.auth_info->auth_pad_length = 0;
                dce_conn->auth_state.auth_info->auth_reserved = 0;
-               return True;
+               return NT_STATUS_OK;
        }
 
        DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status)));
-       return False;
+       return status;
 }
 
 /*
@@ -393,6 +394,7 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
        NTSTATUS status;
        struct ndr_push *ndr;
        uint32_t payload_length;
+       DATA_BLOB creds2;
 
        /* non-signed packets are simple */
        if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) {
@@ -427,14 +429,20 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
                        return False;
                }
        } else {
+
+               /* We hope this length is accruate.  If must be if the
+                * GENSEC mech does AEAD signing of the packet
+                * headers */
                dce_conn->auth_state.auth_info->credentials
                        = data_blob_talloc(call, NULL, 
                                           gensec_sig_size(dce_conn->auth_state.gensec_security, 
                                                           payload_length));
+               data_blob_clear(&dce_conn->auth_state.auth_info->credentials);
        }
 
        /* add the auth verifier */
-       status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info);
+       status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, 
+                                     dce_conn->auth_state.auth_info);
        if (!NT_STATUS_IS_OK(status)) {
                return False;
        }
@@ -446,6 +454,9 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
           in these earlier as we don't know the signature length (it
           could be variable length) */
        dcerpc_set_frag_length(blob, blob->length);
+
+       /* We hope this value is accruate.  If must be if the GENSEC
+        * mech does AEAD signing of the packet headers */
        dcerpc_set_auth_length(blob, dce_conn->auth_state.auth_info->credentials.length);
 
        /* sign or seal the packet */
@@ -457,7 +468,21 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
                                            payload_length,
                                            blob->data,
                                            blob->length - dce_conn->auth_state.auth_info->credentials.length,
-                                           &dce_conn->auth_state.auth_info->credentials);
+                                           &creds2);
+
+               if (NT_STATUS_IS_OK(status)) {
+                       blob->length -= dce_conn->auth_state.auth_info->credentials.length;
+                       if (!data_blob_append(call, blob, creds2.data, creds2.length))
+                               status = NT_STATUS_NO_MEMORY;
+                       else
+                               status = NT_STATUS_OK;
+               }
+
+               /* If we did AEAD signing of the packet headers, then we hope
+                * this value didn't change... */
+               dcerpc_set_auth_length(blob, creds2.length);
+               dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length);
+               data_blob_free(&creds2);
                break;
 
        case DCERPC_AUTH_LEVEL_INTEGRITY:
@@ -467,8 +492,20 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
                                            payload_length,
                                            blob->data,
                                            blob->length - dce_conn->auth_state.auth_info->credentials.length,
-                                           &dce_conn->auth_state.auth_info->credentials);
+                                           &creds2);
+               if (NT_STATUS_IS_OK(status)) {
+                       blob->length -= dce_conn->auth_state.auth_info->credentials.length;
+                       if (!data_blob_append(call, blob, creds2.data, creds2.length))
+                               status = NT_STATUS_NO_MEMORY;
+                       else
+                               status = NT_STATUS_OK;
+               }
 
+               /* If we did AEAD signing of the packet headers, then we hope
+                * this value didn't change... */
+               dcerpc_set_auth_length(blob, creds2.length);
+               dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length);
+               data_blob_free(&creds2);
                break;
 
        case DCERPC_AUTH_LEVEL_CONNECT:
@@ -479,14 +516,11 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
                break;
        }
 
+       data_blob_free(&dce_conn->auth_state.auth_info->credentials);
+
        if (!NT_STATUS_IS_OK(status)) {
                return False;
        }       
 
-       memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length, 
-              dce_conn->auth_state.auth_info->credentials.data, dce_conn->auth_state.auth_info->credentials.length);
-       
-       data_blob_free(&dce_conn->auth_state.auth_info->credentials);
-
        return True;
 }