Changeset 740 for vendor/current/libcli/auth
- Timestamp:
- Nov 14, 2012, 12:59:34 PM (13 years ago)
- Location:
- vendor/current/libcli/auth
- Files:
-
- 10 added
- 3 deleted
- 14 edited
-
config.mk (deleted)
-
credentials.c (modified) (1 diff)
-
credentials.h (modified) (1 diff)
-
msrpc_parse.c (modified) (11 diffs)
-
msrpc_parse.h (modified) (2 diffs)
-
ntlm_check.c (modified) (20 diffs)
-
ntlmssp.c (added)
-
ntlmssp.h (added)
-
ntlmssp_ndr.c (added)
-
ntlmssp_ndr.h (added)
-
ntlmssp_private.h (added)
-
ntlmssp_server.c (added)
-
ntlmssp_sign.c (added)
-
pam_errors.c (added)
-
pam_errors.h (added)
-
proto.h (modified) (1 diff)
-
schannel_proto.h (modified) (2 diffs)
-
schannel_sign.c (modified) (1 diff)
-
schannel_state.h (modified) (2 diffs)
-
schannel_state_ldb.c (deleted)
-
schannel_state_proto.h (deleted)
-
schannel_state_tdb.c (modified) (9 diffs)
-
smbdes.c (modified) (2 diffs)
-
smbencrypt.c (modified) (4 diffs)
-
spnego.h (modified) (2 diffs)
-
spnego_parse.c (modified) (4 diffs)
-
wscript_build (added)
Legend:
- Unmodified
- Added
- Removed
-
vendor/current/libcli/auth/credentials.c
r587 r740 250 250 const uint8_t session_key[16]) 251 251 { 252 struct netlogon_creds_CredentialState *creds = talloc(mem_ctx, struct netlogon_creds_CredentialState); 253 252 struct netlogon_creds_CredentialState *creds; 253 254 creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); 254 255 if (!creds) { 255 256 return NULL; -
vendor/current/libcli/auth/credentials.h
r414 r740 69 69 #define NETLOGON_NEG_AUTH2_ADS_FLAGS (0x200fbffb | NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL) 70 70 71 #define NETLOGON_NEG_AUTH2_RODC_FLAGS (NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_RODC_PASSTHROUGH) 71 72 -
vendor/current/libcli/auth/msrpc_parse.c
r414 r740 41 41 C = constant ascii string 42 42 */ 43 boolmsrpc_gen(TALLOC_CTX *mem_ctx,43 NTSTATUS msrpc_gen(TALLOC_CTX *mem_ctx, 44 44 DATA_BLOB *blob, 45 45 const char *format, ...) … … 58 58 59 59 pointers = talloc_array(mem_ctx, DATA_BLOB, strlen(format)); 60 if (!pointers) { 61 return NT_STATUS_NO_MEMORY; 62 } 60 63 intargs = talloc_array(pointers, int, strlen(format)); 64 if (!intargs) { 65 return NT_STATUS_NO_MEMORY; 66 } 61 67 62 68 /* first scan the format to work out the header and body size */ … … 73 79 if (!ret) { 74 80 va_end(ap); 75 return false;81 return map_nt_error_from_unix(errno); 76 82 } 77 83 pointers[i].length = n; … … 87 93 if (!ret) { 88 94 va_end(ap); 89 return false;95 return map_nt_error_from_unix(errno); 90 96 } 91 97 pointers[i].length = n; … … 103 109 if (!ret) { 104 110 va_end(ap); 105 return false;111 return map_nt_error_from_unix(errno); 106 112 } 107 113 pointers[i].length = n; … … 133 139 head_size += pointers[i].length; 134 140 break; 141 default: 142 va_end(ap); 143 return NT_STATUS_INVALID_PARAMETER; 135 144 } 136 145 } 137 146 va_end(ap); 147 148 if (head_size + data_size == 0) { 149 return NT_STATUS_INVALID_PARAMETER; 150 } 138 151 139 152 /* allocate the space, then scan the format again to fill in the values */ 140 153 *blob = data_blob_talloc(mem_ctx, NULL, head_size + data_size); 141 154 if (!blob->data) { 155 return NT_STATUS_NO_MEMORY; 156 } 142 157 head_ofs = 0; 143 158 data_ofs = head_size; … … 175 190 case 'b': 176 191 n = pointers[i].length; 177 memcpy(blob->data + head_ofs, pointers[i].data, n); 192 if (pointers[i].data && n) { 193 /* don't follow null pointers... */ 194 memcpy(blob->data + head_ofs, pointers[i].data, n); 195 } 178 196 head_ofs += n; 179 197 break; … … 183 201 head_ofs += n; 184 202 break; 203 default: 204 va_end(ap); 205 return NT_STATUS_INVALID_PARAMETER; 185 206 } 186 207 } … … 189 210 talloc_free(pointers); 190 211 191 return true;212 return NT_STATUS_OK; 192 213 } 193 214 … … 229 250 bool ret = true; 230 251 252 if (!p) { 253 return false; 254 } 255 231 256 va_start(ap, format); 232 257 for (i=0; format[i]; i++) { … … 334 359 case 'b': 335 360 b = (DATA_BLOB *)va_arg(ap, void *); 336 len1 = va_arg(ap, u int_t);361 len1 = va_arg(ap, unsigned int); 337 362 /* make sure its in the right format - be strict */ 338 363 NEED_DATA(len1); -
vendor/current/libcli/auth/msrpc_parse.h
r414 r740 1 /* 2 Unix SMB/CIFS implementation. 3 simple kerberos5/SPNEGO routines 4 Copyright (C) Andrew Tridgell 2001 5 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002 6 Copyright (C) Andrew Bartlett 2002-2003 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License as published by 10 the Free Software Foundation; either version 3 of the License, or 11 (at your option) any later version. 12 13 This program is distributed in the hope that it will be useful, 14 but WITHOUT ANY WARRANTY; without even the implied warranty of 15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 GNU General Public License for more details. 17 18 You should have received a copy of the GNU General Public License 19 along with this program. If not, see <http://www.gnu.org/licenses/>. 20 */ 21 1 22 #ifndef _LIBCLI_AUTH_MSRPC_PARSE_H__ 2 23 #define _LIBCLI_AUTH_MSRPC_PARSE_H__ … … 12 33 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/msrpc_parse.c */ 13 34 14 boolmsrpc_gen(TALLOC_CTX *mem_ctx,35 NTSTATUS msrpc_gen(TALLOC_CTX *mem_ctx, 15 36 DATA_BLOB *blob, 16 37 const char *format, ...); -
vendor/current/libcli/auth/ntlm_check.c
r414 r740 5 5 Copyright (C) Gerald Carter 2003 6 6 Copyright (C) Luke Kenneth Casson Leighton 1996-2000 7 7 8 8 This program is free software; you can redistribute it and/or modify 9 9 it under the terms of the GNU General Public License as published by 10 10 the Free Software Foundation; either version 3 of the License, or 11 11 (at your option) any later version. 12 12 13 13 This program is distributed in the hope that it will be useful, 14 14 but WITHOUT ANY WARRANTY; without even the implied warranty of 15 15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 16 GNU General Public License for more details. 17 17 18 18 You should have received a copy of the GNU General Public License 19 19 along with this program. If not, see <http://www.gnu.org/licenses/>. … … 37 37 /* Finish the encryption of part_passwd. */ 38 38 uint8_t p24[24]; 39 39 40 40 if (part_passwd == NULL) { 41 41 DEBUG(10,("No password set - DISALLOWING access\n")); … … 43 43 return false; 44 44 } 45 45 46 46 if (sec_blob->length != 8) { 47 47 DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n", … … 49 49 return false; 50 50 } 51 51 52 52 if (nt_response->length != 24) { 53 53 DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n", … … 57 57 58 58 SMBOWFencrypt(part_passwd, sec_blob->data, p24); 59 59 60 60 #if DEBUG_PASSWORD 61 61 DEBUG(100,("Part password (P16) was |\n")); … … 107 107 return false; 108 108 } 109 109 110 110 if (ntv2_response->length < 24) { 111 111 /* We MUST have more than 16 bytes, or the stuff below will go … … 181 181 return false; 182 182 } 183 183 184 184 if (ntv2_response->length < 24) { 185 185 /* We MUST have more than 16 bytes, or the stuff below will go … … 219 219 220 220 NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, 221 221 bool lanman_auth, 222 222 const struct samr_Password *client_lanman, 223 223 const struct samr_Password *client_nt, … … 282 282 283 283 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, 284 285 284 bool lanman_auth, 285 bool ntlm_auth, 286 286 uint32_t logon_parameters, 287 287 const DATA_BLOB *challenge, … … 319 319 username)); 320 320 mdfour(client_nt.hash, nt_response->data, nt_response->length); 321 321 322 322 if (lm_response->length && 323 323 (convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX, … … 344 344 (unsigned long)nt_response->length, username)); 345 345 } 346 346 347 347 if (nt_response->length > 24 && stored_nt) { 348 348 /* We have the NT MD4 hash challenge available - see if we can … … 362 362 return NT_STATUS_OK; 363 363 } 364 364 365 365 DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s]\n", client_domain)); 366 366 if (smb_pwd_check_ntlmv2(mem_ctx, … … 376 376 return NT_STATUS_OK; 377 377 } 378 378 379 379 DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n")); 380 380 if (smb_pwd_check_ntlmv2(mem_ctx, … … 404 404 /* The LM session key for this response is not very secure, 405 405 so use it only if we otherwise allow LM authentication */ 406 406 407 407 if (lanman_auth && stored_lanman) { 408 408 *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, MIN(8, user_sess_key->length)); … … 417 417 DEBUG(2,("ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user %s\n", 418 418 username)); 419 /* no return, bec ouse we might pick up LMv2 in the LM field */420 } 421 } 422 419 /* no return, because we might pick up LMv2 in the LM field */ 420 } 421 } 422 423 423 if (lm_response->length == 0) { 424 424 DEBUG(3,("ntlm_password_check: NEITHER LanMan nor NT password supplied for user %s\n", … … 426 426 return NT_STATUS_WRONG_PASSWORD; 427 427 } 428 428 429 429 if (lm_response->length < 24) { 430 430 DEBUG(2,("ntlm_password_check: invalid LanMan password length (%lu) for user %s\n", … … 432 432 return NT_STATUS_WRONG_PASSWORD; 433 433 } 434 434 435 435 if (!lanman_auth) { 436 436 DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n", … … 462 462 } 463 463 } 464 464 465 465 if (!stored_nt) { 466 466 DEBUG(4,("ntlm_password_check: LM password check failed for user, no NT password %s\n",username)); 467 467 return NT_STATUS_WRONG_PASSWORD; 468 468 } 469 469 470 470 /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes. 471 471 - related to Win9X, legacy NAS pass-though authentication … … 500 500 return NT_STATUS_OK; 501 501 } 502 502 503 503 DEBUG(4,("ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s\n", client_domain)); 504 504 if (smb_pwd_check_ntlmv2(mem_ctx, … … 530 530 return NT_STATUS_OK; 531 531 } 532 532 533 533 DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n")); 534 534 if (smb_pwd_check_ntlmv2(mem_ctx, -
vendor/current/libcli/auth/proto.h
r587 r740 195 195 void des_crypt64(uint8_t out[8], const uint8_t in[8], const uint8_t key[8], int forw); 196 196 void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw); 197 void des_crypt112_16(uint8_t out[16], uint8_t in[16], const uint8_t key[14], int forw);198 void sam_rid_crypt(u int_t rid, const uint8_t *in, uint8_t *out, int forw);197 void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw); 198 void sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, int forw); 199 199 #undef _PRINTF_ATTRIBUTE 200 200 #define _PRINTF_ATTRIBUTE(a1, a2) -
vendor/current/libcli/auth/schannel_proto.h
r414 r740 24 24 #define _LIBCLI_AUTH_SCHANNEL_PROTO_H__ 25 25 26 struct schannel_state; 27 28 struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx, 29 const char *private_dir); 30 26 31 NTSTATUS netsec_incoming_packet(struct schannel_state *state, 27 32 TALLOC_CTX *mem_ctx, … … 29 34 uint8_t *data, size_t length, 30 35 const DATA_BLOB *sig); 36 uint32_t netsec_outgoing_sig_size(struct schannel_state *state); 31 37 NTSTATUS netsec_outgoing_packet(struct schannel_state *state, 32 38 TALLOC_CTX *mem_ctx, -
vendor/current/libcli/auth/schannel_sign.c
r414 r740 205 205 } 206 206 207 uint32_t netsec_outgoing_sig_size(struct schannel_state *state) 208 { 209 uint32_t sig_size = 0; 210 211 netsec_offset_and_sizes(state, 212 true, 213 NULL, 214 &sig_size, 215 NULL, 216 NULL); 217 218 return sig_size; 219 } 220 207 221 NTSTATUS netsec_outgoing_packet(struct schannel_state *state, 208 222 TALLOC_CTX *mem_ctx, -
vendor/current/libcli/auth/schannel_state.h
r414 r740 1 /* 1 /* 2 2 Unix SMB/CIFS implementation. 3 3 … … 11 11 the Free Software Foundation; either version 3 of the License, or 12 12 (at your option) any later version. 13 13 14 14 This program is distributed in the hope that it will be useful, 15 15 but WITHOUT ANY WARRANTY; without even the implied warranty of 16 16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 17 GNU General Public License for more details. 18 18 19 19 You should have received a copy of the GNU General Public License 20 20 along with this program. If not, see <http://www.gnu.org/licenses/>. 21 21 */ 22 22 23 struct ldb_context; 24 struct tdb_context; 25 #include "libcli/auth/schannel_state_proto.h" 23 #ifndef _LIBCLI_AUTH_SCHANNEL_STATE_H__ 24 #define _LIBCLI_AUTH_SCHANNEL_STATE_H__ 25 26 NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx, 27 const char *db_priv_dir, 28 const char *computer_name, 29 struct netlogon_creds_CredentialState **creds); 30 31 NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx, 32 const char *db_priv_dir, 33 struct netlogon_creds_CredentialState *creds); 34 35 NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx, 36 const char *db_priv_dir, 37 const char *computer_name, 38 struct netr_Authenticator *received_authenticator, 39 struct netr_Authenticator *return_authenticator, 40 struct netlogon_creds_CredentialState **creds_out); 41 42 #endif -
vendor/current/libcli/auth/schannel_state_tdb.c
r414 r740 23 23 24 24 #include "includes.h" 25 #include "../libcli/auth/libcli_auth.h" 26 #include "../libcli/auth/schannel_state.h" 25 #include "system/filesys.h" 26 #include <tdb.h> 27 #include "../lib/util/util_tdb.h" 28 #include "../libcli/auth/schannel.h" 27 29 #include "../librpc/gen_ndr/ndr_schannel.h" 30 #include "lib/util/tdb_wrap.h" 31 32 #define SECRETS_SCHANNEL_STATE "SECRETS/SCHANNEL" 33 34 /****************************************************************************** 35 Open or create the schannel session store tdb. Non-static so it can 36 be called from parent processes to corectly handle TDB_CLEAR_IF_FIRST 37 *******************************************************************************/ 38 39 struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx, 40 const char *private_dir) 41 { 42 struct tdb_wrap *tdb_sc = NULL; 43 char *fname = talloc_asprintf(mem_ctx, "%s/schannel_store.tdb", private_dir); 44 45 if (!fname) { 46 return NULL; 47 } 48 49 tdb_sc = tdb_wrap_open(mem_ctx, fname, 0, TDB_CLEAR_IF_FIRST|TDB_NOSYNC, O_RDWR|O_CREAT, 0600); 50 51 if (!tdb_sc) { 52 DEBUG(0,("open_schannel_session_store: Failed to open %s - %s\n", 53 fname, strerror(errno))); 54 TALLOC_FREE(fname); 55 return NULL; 56 } 57 58 TALLOC_FREE(fname); 59 60 return tdb_sc; 61 } 28 62 29 63 /******************************************************************** 30 64 ********************************************************************/ 31 65 32 NTSTATUS schannel_store_session_key_tdb(struct tdb_context *tdb, 66 static 67 NTSTATUS schannel_store_session_key_tdb(struct tdb_wrap *tdb_sc, 33 68 TALLOC_CTX *mem_ctx, 34 69 struct netlogon_creds_CredentialState *creds) … … 39 74 int ret; 40 75 char *keystr; 41 42 keystr = talloc_asprintf_strupper_m(mem_ctx, "%s/%s", 43 SECRETS_SCHANNEL_STATE, 44 creds->computer_name); 76 char *name_upper; 77 78 name_upper = strupper_talloc(mem_ctx, creds->computer_name); 79 if (!name_upper) { 80 return NT_STATUS_NO_MEMORY; 81 } 82 83 keystr = talloc_asprintf(mem_ctx, "%s/%s", 84 SECRETS_SCHANNEL_STATE, name_upper); 85 TALLOC_FREE(name_upper); 45 86 if (!keystr) { 46 87 return NT_STATUS_NO_MEMORY; 47 88 } 48 89 49 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, NULL,creds,90 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, creds, 50 91 (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState); 51 92 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { … … 57 98 value.dsize = blob.length; 58 99 59 ret = tdb_store_bystring(tdb , keystr, value, TDB_REPLACE);100 ret = tdb_store_bystring(tdb_sc->tdb, keystr, value, TDB_REPLACE); 60 101 if (ret != TDB_SUCCESS) { 61 102 DEBUG(0,("Unable to add %s to session key db - %s\n", 62 keystr, tdb_errorstr(tdb )));103 keystr, tdb_errorstr(tdb_sc->tdb))); 63 104 talloc_free(keystr); 64 105 return NT_STATUS_INTERNAL_DB_CORRUPTION; … … 80 121 ********************************************************************/ 81 122 82 NTSTATUS schannel_fetch_session_key_tdb(struct tdb_context *tdb, 123 static 124 NTSTATUS schannel_fetch_session_key_tdb(struct tdb_wrap *tdb_sc, 83 125 TALLOC_CTX *mem_ctx, 84 126 const char *computer_name, … … 91 133 struct netlogon_creds_CredentialState *creds = NULL; 92 134 char *keystr = NULL; 135 char *name_upper; 93 136 94 137 *pcreds = NULL; 95 138 96 keystr = talloc_asprintf_strupper_m(mem_ctx, "%s/%s", 97 SECRETS_SCHANNEL_STATE, 98 computer_name); 139 name_upper = strupper_talloc(mem_ctx, computer_name); 140 if (!name_upper) { 141 return NT_STATUS_NO_MEMORY; 142 } 143 144 keystr = talloc_asprintf(mem_ctx, "%s/%s", 145 SECRETS_SCHANNEL_STATE, name_upper); 146 TALLOC_FREE(name_upper); 99 147 if (!keystr) { 100 status = NT_STATUS_NO_MEMORY; 101 goto done; 102 } 103 104 value = tdb_fetch_bystring(tdb, keystr); 148 return NT_STATUS_NO_MEMORY; 149 } 150 151 value = tdb_fetch_bystring(tdb_sc->tdb, keystr); 105 152 if (!value.dptr) { 106 DEBUG( 0,("schannel_fetch_session_key_tdb: Failed to find entry with key %s\n",153 DEBUG(10,("schannel_fetch_session_key_tdb: Failed to find entry with key %s\n", 107 154 keystr )); 108 155 status = NT_STATUS_OBJECT_NAME_NOT_FOUND; … … 118 165 blob = data_blob_const(value.dptr, value.dsize); 119 166 120 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, NULL, creds,167 ndr_err = ndr_pull_struct_blob(&blob, creds, creds, 121 168 (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState); 122 169 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { … … 137 184 138 185 talloc_free(keystr); 186 SAFE_FREE(value.dptr); 139 187 140 188 if (!NT_STATUS_IS_OK(status)) { … … 148 196 } 149 197 198 /****************************************************************************** 199 Wrapper around schannel_fetch_session_key_tdb() 200 Note we must be root here. 201 *******************************************************************************/ 202 203 NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx, 204 const char *db_priv_dir, 205 const char *computer_name, 206 struct netlogon_creds_CredentialState **_creds) 207 { 208 TALLOC_CTX *tmpctx; 209 struct tdb_wrap *tdb_sc; 210 struct netlogon_creds_CredentialState *creds; 211 NTSTATUS status; 212 213 tmpctx = talloc_named(mem_ctx, 0, "schannel_get_creds_state"); 214 if (!tmpctx) { 215 return NT_STATUS_NO_MEMORY; 216 } 217 218 tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir); 219 if (!tdb_sc) { 220 return NT_STATUS_ACCESS_DENIED; 221 } 222 223 status = schannel_fetch_session_key_tdb(tdb_sc, tmpctx, 224 computer_name, &creds); 225 if (NT_STATUS_IS_OK(status)) { 226 *_creds = talloc_steal(mem_ctx, creds); 227 if (!*_creds) { 228 status = NT_STATUS_NO_MEMORY; 229 } 230 } 231 232 talloc_free(tmpctx); 233 return status; 234 } 235 236 /****************************************************************************** 237 Wrapper around schannel_store_session_key_tdb() 238 Note we must be root here. 239 *******************************************************************************/ 240 241 NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx, 242 const char *db_priv_dir, 243 struct netlogon_creds_CredentialState *creds) 244 { 245 TALLOC_CTX *tmpctx; 246 struct tdb_wrap *tdb_sc; 247 NTSTATUS status; 248 249 tmpctx = talloc_named(mem_ctx, 0, "schannel_save_creds_state"); 250 if (!tmpctx) { 251 return NT_STATUS_NO_MEMORY; 252 } 253 254 tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir); 255 if (!tdb_sc) { 256 return NT_STATUS_ACCESS_DENIED; 257 } 258 259 status = schannel_store_session_key_tdb(tdb_sc, tmpctx, creds); 260 261 talloc_free(tmpctx); 262 return status; 263 } 264 150 265 /******************************************************************** 151 152 Validate an incoming authenticator against the credentials for the remote 153 machine. 154 155 The credentials are (re)read and from the schannel database, and 156 written back after the caclulations are performed. 157 158 The creds_out parameter (if not NULL) returns the credentials, if 159 the caller needs some of that information. 160 266 Validate an incoming authenticator against the credentials for the 267 remote machine stored in the schannel database. 268 269 The credentials are (re)read and from the schannel database, and 270 written back after the caclulations are performed. 271 272 If the creds_out parameter is not NULL returns the credentials. 161 273 ********************************************************************/ 162 274 163 NTSTATUS schannel_c reds_server_step_check_tdb(struct tdb_context *tdb,164 TALLOC_CTX *mem_ctx,165 166 bool schannel_required_for_call,167 bool schannel_in_use,168 struct netr_Authenticator *received_authenticator,169 struct netr_Authenticator *return_authenticator, 170 struct netlogon_creds_CredentialState **creds_out)171 { 275 NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx, 276 const char *db_priv_dir, 277 const char *computer_name, 278 struct netr_Authenticator *received_authenticator, 279 struct netr_Authenticator *return_authenticator, 280 struct netlogon_creds_CredentialState **creds_out) 281 { 282 TALLOC_CTX *tmpctx; 283 struct tdb_wrap *tdb_sc; 172 284 struct netlogon_creds_CredentialState *creds; 173 285 NTSTATUS status; 174 286 int ret; 175 287 176 ret = tdb_transaction_start(tdb); 288 tmpctx = talloc_named(mem_ctx, 0, "schannel_check_creds_state"); 289 if (!tmpctx) { 290 return NT_STATUS_NO_MEMORY; 291 } 292 293 tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir); 294 if (!tdb_sc) { 295 status = NT_STATUS_ACCESS_DENIED; 296 goto done; 297 } 298 299 ret = tdb_transaction_start(tdb_sc->tdb); 177 300 if (ret != 0) { 178 return NT_STATUS_INTERNAL_DB_CORRUPTION; 301 status = NT_STATUS_INTERNAL_DB_CORRUPTION; 302 goto done; 179 303 } 180 304 … … 183 307 * update the structure */ 184 308 185 status = schannel_fetch_session_key_tdb(tdb, mem_ctx, computer_name, 186 &creds); 187 188 /* If we are flaged that schannel is required for a call, and 189 * it is not in use, then make this an error */ 190 191 /* It would be good to make this mandatory once schannel is 192 * negotiated, but this is not what windows does */ 193 if (schannel_required_for_call && !schannel_in_use) { 194 DEBUG(0,("schannel_creds_server_step_check_tdb: " 195 "client %s not using schannel for netlogon, despite negotiating it\n", 196 creds->computer_name )); 197 tdb_transaction_cancel(tdb); 198 return NT_STATUS_ACCESS_DENIED; 199 } 200 201 if (NT_STATUS_IS_OK(status)) { 202 status = netlogon_creds_server_step_check(creds, 203 received_authenticator, 204 return_authenticator); 205 } 206 207 if (NT_STATUS_IS_OK(status)) { 208 status = schannel_store_session_key_tdb(tdb, mem_ctx, creds); 209 } 210 211 if (NT_STATUS_IS_OK(status)) { 212 tdb_transaction_commit(tdb); 213 if (creds_out) { 214 *creds_out = creds; 215 talloc_steal(mem_ctx, creds); 309 status = schannel_fetch_session_key_tdb(tdb_sc, tmpctx, 310 computer_name, &creds); 311 if (!NT_STATUS_IS_OK(status)) { 312 tdb_transaction_cancel(tdb_sc->tdb); 313 goto done; 314 } 315 316 status = netlogon_creds_server_step_check(creds, 317 received_authenticator, 318 return_authenticator); 319 if (!NT_STATUS_IS_OK(status)) { 320 tdb_transaction_cancel(tdb_sc->tdb); 321 goto done; 322 } 323 324 status = schannel_store_session_key_tdb(tdb_sc, tmpctx, creds); 325 if (!NT_STATUS_IS_OK(status)) { 326 tdb_transaction_cancel(tdb_sc->tdb); 327 goto done; 328 } 329 330 tdb_transaction_commit(tdb_sc->tdb); 331 332 if (creds_out) { 333 *creds_out = talloc_steal(mem_ctx, creds); 334 if (!*creds_out) { 335 status = NT_STATUS_NO_MEMORY; 336 goto done; 216 337 } 217 } else { 218 tdb_transaction_cancel(tdb); 219 } 220 338 } 339 340 status = NT_STATUS_OK; 341 342 done: 343 talloc_free(tmpctx); 221 344 return status; 222 345 } 346 -
vendor/current/libcli/auth/smbdes.c
r414 r740 359 359 360 360 /* des encryption of a 16 byte lump of data with a 112 bit key */ 361 void des_crypt112_16(uint8_t out[16], uint8_t in[16], const uint8_t key[14], int forw)361 void des_crypt112_16(uint8_t out[16], const uint8_t in[16], const uint8_t key[14], int forw) 362 362 { 363 363 des_crypt56(out, in, key, forw); … … 368 368 same method used to store passwords in the NT registry. The DES key 369 369 used is based on the RID of the user. */ 370 void sam_rid_crypt(u int_t rid, const uint8_t *in, uint8_t *out, int forw)370 void sam_rid_crypt(unsigned int rid, const uint8_t *in, uint8_t *out, int forw) 371 371 { 372 372 uint8_t s[14]; -
vendor/current/libcli/auth/smbencrypt.c
r414 r740 364 364 DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0); 365 365 366 msrpc_gen(mem_ctx, &names_blob, 366 /* Deliberately ignore return here.. */ 367 (void)msrpc_gen(mem_ctx, &names_blob, 367 368 "aaa", 368 369 MsvAvNbDomainName, domain, … … 387 388 /* See http://www.ubiqx.org/cifs/SMB.html#SMB.8.5 */ 388 389 389 msrpc_gen(mem_ctx, &response, "ddbbdb", 390 /* Deliberately ignore return here.. */ 391 (void)msrpc_gen(mem_ctx, &response, "ddbbdb", 390 392 0x00000101, /* Header */ 391 393 0, /* 'Reserved' */ … … 530 532 { 531 533 uint8_t new_pw[512]; 532 s ize_t new_pw_len;534 ssize_t new_pw_len; 533 535 534 536 /* the incoming buffer can be any alignment. */ … … 538 540 password, 539 541 sizeof(new_pw), string_flags); 542 if (new_pw_len == -1) { 543 return false; 544 } 540 545 541 546 memcpy(&buffer[512 - new_pw_len], new_pw, new_pw_len); -
vendor/current/libcli/auth/spnego.h
r414 r740 26 26 #define OID_KERBEROS5 "1.2.840.113554.1.2.2" 27 27 28 #define ADS_IGNORE_PRINCIPAL "not_defined_in_RFC4178@please_ignore" 29 28 30 #define SPNEGO_DELEG_FLAG 0x01 29 31 #define SPNEGO_MUTUAL_FLAG 0x02 … … 33 35 #define SPNEGO_CONF_FLAG 0x20 34 36 #define SPNEGO_INTEG_FLAG 0x40 37 38 #define TOK_ID_KRB_AP_REQ ((const uint8_t *)"\x01\x00") 39 #define TOK_ID_KRB_AP_REP ((const uint8_t *)"\x02\x00") 40 #define TOK_ID_KRB_ERROR ((const uint8_t *)"\x03\x00") 41 #define TOK_ID_GSS_GETMIC ((const uint8_t *)"\x01\x01") 42 #define TOK_ID_GSS_WRAP ((const uint8_t *)"\x02\x01") 35 43 36 44 enum spnego_negResult { -
vendor/current/libcli/auth/spnego_parse.c
r478 r740 50 50 for (i = 0; !asn1->has_error && 51 51 0 < asn1_tag_remaining(asn1); i++) { 52 char *oid; 52 53 token->mechTypes = talloc_realloc(NULL, 53 54 token->mechTypes, 54 55 const char *, i+2); 55 asn1_read_OID(asn1, token->mechTypes, token->mechTypes + i); 56 asn1_read_OID(asn1, token->mechTypes, &oid); 57 token->mechTypes[i] = oid; 56 58 } 57 59 token->mechTypes[i] = NULL; … … 185 187 while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) { 186 188 uint8_t context; 189 char *oid; 187 190 if (!asn1_peek_uint8(asn1, &context)) { 188 191 asn1->has_error = true; … … 200 203 case ASN1_CONTEXT(1): 201 204 asn1_start_tag(asn1, ASN1_CONTEXT(1)); 202 asn1_read_OID(asn1, mem_ctx, &token->supportedMech); 205 asn1_read_OID(asn1, mem_ctx, &oid); 206 token->supportedMech = oid; 203 207 asn1_end_tag(asn1); 204 208 break; … … 381 385 struct asn1_data *asn1 = asn1_init(mem_ctx); 382 386 387 if (asn1 == NULL) { 388 return false; 389 } 390 383 391 /* Write mechTypes */ 384 392 if (mech_types && *mech_types) {
Note:
See TracChangeset
for help on using the changeset viewer.
