s4:rpc_server: replace dce_conn->allow_auth3 with auth->auth_started
authorStefan Metzmacher <metze@samba.org>
Thu, 22 Nov 2018 09:30:47 +0000 (10:30 +0100)
committerJeremy Allison <jra@samba.org>
Sat, 12 Jan 2019 02:13:37 +0000 (03:13 +0100)
auth3 is allowed if auth_started is true and auth_finished is false.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source4/rpc_server/dcerpc_server.c
source4/rpc_server/dcerpc_server.h
source4/rpc_server/dcesrv_auth.c

index 7cb8e11..54ab2d0 100644 (file)
@@ -666,7 +666,6 @@ static void dcesrv_call_disconnect_after(struct dcesrv_call_state *call,
 
        call->conn->allow_bind = false;
        call->conn->allow_alter = false;
-       call->conn->allow_auth3 = false;
        call->conn->allow_request = false;
 
        call->conn->default_auth_state->auth_invalid = true;
@@ -1298,7 +1297,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
        struct tevent_req *subreq = NULL;
        NTSTATUS status;
 
-       if (!call->conn->allow_auth3) {
+       if (!auth->auth_started) {
                return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
        }
 
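Review bot: The new gate `if (!auth->auth_started)` covers only half of the rule stated in the commit message (started and not finished), and nothing in the visible hunks ever resets `auth_started`. The removed `allow_auth3 = false` assignments in dcesrv_call_disconnect_after() and dcesrv_terminate_connection() used to close AUTH3 explicitly; now rejection after a disconnect or termination has to come from `auth_finished`/`auth_invalid` checks that are presumably further down in dcesrv_auth3(), outside this hunk. Also, dcesrv_call_disconnect_after() marks `call->conn->default_auth_state` invalid, while this check reads `auth`, which is declared above the hunk and may be a different auth context. I would either put the whole condition in one place, `if (!auth->auth_started || auth->auth_finished || auth->auth_invalid) {`, or add a comment here: `/* auth_finished and auth_invalid are rejected below; together they replace allow_auth3 */`.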
@@ -2476,7 +2475,6 @@ static void dcesrv_terminate_connection(struct dcesrv_connection *dce_conn, cons
        dce_conn->wait_private = NULL;
 
        dce_conn->allow_bind = false;
-       dce_conn->allow_auth3 = false;
        dce_conn->allow_alter = false;
        dce_conn->allow_request = false;
 
index d3c0a08..c720816 100644 (file)
@@ -203,6 +203,7 @@ struct dcesrv_auth {
        NTSTATUS (*session_key_fn)(struct dcesrv_auth *, DATA_BLOB *session_key);
        bool client_hdr_signing;
        bool hdr_signing;
+       bool auth_started;
        bool auth_finished;
        bool auth_invalid;
 };
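Review bot: `auth_started` is added without a comment, and `struct dcesrv_auth` now carries three booleans (`auth_started`, `auth_finished`, `auth_invalid`) that together decide which PDUs are accepted. Judging by the other hunks, the flag is set on the first bind for this auth context, including the no-auth path in dcesrv_auth_bind(), and is not cleared afterwards. It also appears to rely on the struct being zero-initialised at allocation, which is not visible here. A short comment would pin that down, e.g. `/* set once a bind was processed for this context (also for AUTH_TYPE_NONE); never reset */`. The struct definition starts above this hunk.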
@@ -295,7 +296,6 @@ struct dcesrv_connection {
         * remember which pdu types are allowed
         */
        bool allow_bind;
-       bool allow_auth3;
        bool allow_alter;
        bool allow_request;
 
index c64aa20..392a25c 100644 (file)
@@ -40,6 +40,12 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
        bool want_header_signing = false;
        NTSTATUS status;
 
+       if (auth->auth_started) {
+               return false;
+       }
+
+       auth->auth_started = true;
+
        if (auth->auth_invalid) {
                return false;
        }
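Review bot: `auth->auth_started = true;` is set before the `auth_invalid` check and before any gensec setup, so every failure path in dcesrv_auth_prepare_gensec() leaves the context marked as started. That looks deliberate, since the new early return then refuses a second bind on the same context. It also means a failed prepare satisfies the `auth_started` test in dcesrv_auth3(), so AUTH3 after a failed bind must be stopped by `auth_invalid` or `auth_finished` rather than by this flag. A comment above the assignment would make the intent explicit, e.g. `/* mark started up front: a context is single-use even if setup fails below */`, and it is worth confirming that the failure paths below the hunk set `auth_invalid`. The function body continues outside the hunk.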
@@ -243,6 +249,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
                auth->auth_type = DCERPC_AUTH_TYPE_NONE;
                auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
                auth->auth_context_id = 0;
+               auth->auth_started = true;
 
                log_successful_dcesrv_authz_event(call);
 
@@ -338,7 +345,6 @@ NTSTATUS dcesrv_auth_prepare_bind_ack(struct dcesrv_call_state *call, struct nca
        struct dcesrv_auth *auth = call->auth_state;
 
        dce_conn->allow_alter = true;
-       dce_conn->allow_auth3 = true;
 
        if (call->pkt.auth_length == 0) {
                auth->auth_finished = true;