The branch, master has been updated
via 6dd117b s4:selftest: also run rpc.winreg with kerberos and all
possible auth options
via 5b917fd s4:selftest: run rpc.echo tests also with krb5 krb5,sign
krb5,seal
via 69c1b4b s4:rpc_server: fix padding caclucation in
dcesrv_auth_response()
via 1bf7ab4 s4:rpc_server: let dcesrv_auth_response() handle sig_size
== 0 with auth_info as error
via 16f3837 s4:rpc_server: let dcesrv_reply() use a sig_size for a
padded payload
via 3fbdb25 s4:rpc_server: let dcesrv_reply() use
DCERPC_AUTH_PAD_ALIGNMENT define
via 114c52e s4:librpc/rpc: fix padding caclucation in
ncacn_push_request_sign()
via 48f2c38 s4:librpc/rpc: let ncacn_push_request_sign() handle
sig_size == 0 with auth_info as internal error
via fc249d5 s4:librpc/rpc: let dcerpc_ship_next_request() use a
sig_size for a padded payload
via ef801ba s4:librpc/rpc: let dcerpc_ship_next_request() use
DCERPC_AUTH_PAD_ALIGNMENT define
via c726dd7 s3:include: remove used unused
{CLIENT,SERVER}_NDR_PADDING_SIZE
via a6a6795 s3:rpc_server: remove pad handling from
api_pipe_alter_context()
via b2e042a s3:librpc/rpc: fix padding calculation in
dcerpc_guess_sizes()
via 3e6e9e3 s3:librpc/rpc: allow up to DCERPC_AUTH_PAD_ALIGNMENT
padding bytes in dcerpc_add_auth_footer()
via f1e3ad2 librpc/rpc: add DCERPC_AUTH_PAD_LENGTH(stub_length) helper
macro
via 2cb3ec5 dcerpc.idl: add DCERPC_AUTH_PAD_ALIGNMENT (=16)
via 756508c auth/gensec: make sure gensec_start_mech_by_authtype()
resets SIGN/SEAL before starting
via 3542d33 auth/gensec: gensec_[un]seal_packet() should only work with
GENSEC_FEATURE_DCE_STYLE
via 5757945 auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
instead of SAMBA4_USES_HEIMDAL
via 0149961 s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
from 408c965 s4:torture:vfs_fruit: copyfile
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 6dd117b21ef06da68af67051f2822f71193d193a
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Jun 23 10:27:27 2015 +0200
s4:selftest: also run rpc.winreg with kerberos and all possible auth options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Tue Jun 23 17:31:08 CEST 2015 on sn-devel-104
commit 5b917fd6226952a1f792d1ad921d2ae54ab6ab42
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jun 19 00:35:29 2015 +0200
s4:selftest: run rpc.echo tests also with krb5 krb5,sign krb5,seal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 69c1b4b7c10dd5fd9cacaa3a76c47bc854ee3fed
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jun 20 17:49:02 2015 +0200
s4:rpc_server: fix padding caclucation in dcesrv_auth_response()
This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the
behaviour
so that we will use no padding if the stub_length is already aligned
to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 1bf7ab49b4459e81ab2b82d9668b3d7cb76372f4
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jun 20 17:47:14 2015 +0200
s4:rpc_server: let dcesrv_auth_response() handle sig_size == 0 with
auth_info as error
Don't send plaintext on the wire because of an internal error...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 16f3837e026e4cae135bbdddf09b44a02af25b05
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jun 19 22:35:44 2015 +0200
s4:rpc_server: let dcesrv_reply() use a sig_size for a padded payload
The sig_size could differ depending on the aligment/padding.
So should use the same alignment as we use for the payload.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 3fbdb255e3ac7ad5261c5fa3836e4a38a0d59221
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jun 19 22:35:44 2015 +0200
s4:rpc_server: let dcesrv_reply() use DCERPC_AUTH_PAD_ALIGNMENT define
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 114c52e73ed9e0adeac8ad1bc1dc014f3c10f4d6
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jun 20 17:49:02 2015 +0200
s4:librpc/rpc: fix padding caclucation in ncacn_push_request_sign()
This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the
behaviour
so that we will use no padding if the stub_length is already aligned
to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 48f2c383e1d7f52114223cd2a54857426bf64025
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jun 20 17:47:14 2015 +0200
s4:librpc/rpc: let ncacn_push_request_sign() handle sig_size == 0 with
auth_info as internal error
Don't send plaintext on the wire because of an internal error...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit fc249d542fcb8d043ae72eb7963d3a85eb79253a
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jun 19 22:35:44 2015 +0200
s4:librpc/rpc: let dcerpc_ship_next_request() use a sig_size for a padded
payload
The sig_size could differ depending on the aligment/padding.
So should use the same alignment as we use for the payload.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit ef801bae95403e96042f5d8c87085bce21436013
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jun 19 22:35:44 2015 +0200
s4:librpc/rpc: let dcerpc_ship_next_request() use DCERPC_AUTH_PAD_ALIGNMENT
define
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit c726dd7f8d7c8350807c0e41103beb1724262308
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jun 19 22:23:01 2015 +0200
s3:include: remove used unused {CLIENT,SERVER}_NDR_PADDING_SIZE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit a6a6795826954eef6763a39b129a4db578edca01
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jun 19 22:09:57 2015 +0200
s3:rpc_server: remove pad handling from api_pipe_alter_context()
This is not needed and windows doesn't use it.
The padding is for the payload in request and response.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit b2e042ad9652e2dfb39640de43e09030efc41d3d
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jun 19 15:52:11 2015 +0200
s3:librpc/rpc: fix padding calculation in dcerpc_guess_sizes()
The padding needs to be relative to the payload start not to the pdu start.
We also need align the padding to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 3e6e9e3acd17531148457be59a32727fb87ae43d
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jun 19 16:55:39 2015 +0200
s3:librpc/rpc: allow up to DCERPC_AUTH_PAD_ALIGNMENT padding bytes in
dcerpc_add_auth_footer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit f1e3ad269ca8f76876afd8e3837c9c9b48688941
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jun 20 17:43:47 2015 +0200
librpc/rpc: add DCERPC_AUTH_PAD_LENGTH(stub_length) helper macro
This calculates the required padding DCERPC_AUTH_PAD_ALIGNMENT
and the stub_length.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 2cb3ec5856ab5b7edad8ffd67a5d0f927c161138
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jun 19 16:48:48 2015 +0200
dcerpc.idl: add DCERPC_AUTH_PAD_ALIGNMENT (=16)
Windows pads the payload aligned to 16 bytes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 756508c8c37b0370301a096e35abc171fe08d31c
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jun 20 16:19:31 2015 +0200
auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL
before starting
We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the
given
auth_level and should not have GENSEC_FEATURE_SEAL if
DCERPC_AUTH_LEVEL_INTEGRITY is desired.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 3542d33314e32279340f07f995c1dcbd16106352
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Jun 19 14:46:53 2015 +0200
auth/gensec: gensec_[un]seal_packet() should only work with
GENSEC_FEATURE_DCE_STYLE
gensec_sig_size() also requires GENSEC_FEATURE_DCE_STYLE if
GENSEC_FEATURE_SEAL is negotiated.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 57579453d12429adba08b80c1eb6936cc422a2fd
Author: Stefan Metzmacher <me...@samba.org>
Date: Mon Jun 22 15:17:33 2015 +0200
auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of
SAMBA4_USES_HEIMDAL
Newer MIT versions also have this.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Günther Deschner <g...@samba.org>
commit 01499617bdd7f7b202ddd1e1c35e21b5c042ac65
Author: Stefan Metzmacher <me...@samba.org>
Date: Mon Jun 22 15:17:10 2015 +0200
s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Günther Deschner <g...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials_krb5.c | 5 ++---
auth/gensec/gensec.c | 14 ++++++++++++++
auth/gensec/gensec_start.c | 6 ++++++
librpc/idl/dcerpc.idl | 1 +
librpc/rpc/rpc_common.h | 5 +++++
source3/include/local.h | 3 ---
source3/librpc/rpc/dcerpc.h | 2 +-
source3/librpc/rpc/dcerpc_helpers.c | 26 ++++++++++++--------------
source3/rpc_client/cli_pipe.c | 1 -
source3/rpc_server/srv_pipe.c | 28 ++--------------------------
source4/heimdal_build/wscript_configure | 1 +
source4/librpc/rpc/dcerpc.c | 16 ++++++++++++----
source4/rpc_server/common/reply.c | 9 +++++++--
source4/rpc_server/dcesrv_auth.c | 8 ++++++--
source4/selftest/tests.py | 9 ++++++++-
15 files changed, 77 insertions(+), 57 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_krb5.c
b/auth/credentials/credentials_krb5.c
index 77dbcd2..d6aaae6 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -518,7 +518,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct
cli_credentials *cred,
OM_uint32 maj_stat, min_stat;
struct gssapi_creds_container *gcc;
struct ccache_container *ccache;
-#ifdef SAMBA4_USES_HEIMDAL
+#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
#endif
krb5_enctype *etypes = NULL;
@@ -634,8 +634,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct
cli_credentials *cred,
}
}
-#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks GSS_KRB5_CRED_NO_CI_FLAGS_X */
-
+#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
/* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
maj_stat = gss_set_cred_option(&min_stat, &gcc->creds,
GSS_KRB5_CRED_NO_CI_FLAGS_X,
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index d9504f7..9fd5f25 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -41,9 +41,15 @@ _PUBLIC_ NTSTATUS gensec_unseal_packet(struct
gensec_security *gensec_security,
if (!gensec_security->ops->unseal_packet) {
return NT_STATUS_NOT_IMPLEMENTED;
}
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
return NT_STATUS_INVALID_PARAMETER;
}
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
return gensec_security->ops->unseal_packet(gensec_security,
data, length,
@@ -81,6 +87,9 @@ _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security
*gensec_security,
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
return NT_STATUS_INVALID_PARAMETER;
}
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
return gensec_security->ops->seal_packet(gensec_security, mem_ctx,
data, length, whole_pdu, pdu_length, sig);
}
@@ -109,6 +118,11 @@ _PUBLIC_ size_t gensec_sig_size(struct gensec_security
*gensec_security, size_t
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
return 0;
}
+ if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+ if (!gensec_have_feature(gensec_security,
GENSEC_FEATURE_DCE_STYLE)) {
+ return 0;
+ }
+ }
return gensec_security->ops->sig_size(gensec_security, data_size);
}
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 955cc36..be31697 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -724,6 +724,12 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct
gensec_security *gensec_s
return NT_STATUS_INVALID_PARAMETER;
}
gensec_security->dcerpc_auth_level = auth_level;
+ /*
+ * We need to reset sign/seal in order to reset it.
+ * We may got some default features inherited by the credentials
+ */
+ gensec_security->want_features &= ~GENSEC_FEATURE_SIGN;
+ gensec_security->want_features &= ~GENSEC_FEATURE_SEAL;
gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 4dad126..67f4b9d 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -259,6 +259,7 @@ interface dcerpc
} dcerpc_auth;
const uint8 DCERPC_AUTH_TRAILER_LENGTH = 8;
+ const uint8 DCERPC_AUTH_PAD_ALIGNMENT = 16;
typedef [public] struct {
[value(0)] uint32 _pad;
diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
index 1b54b80..61a8eab 100644
--- a/librpc/rpc/rpc_common.h
+++ b/librpc/rpc/rpc_common.h
@@ -372,4 +372,9 @@ bool dcerpc_sec_verification_trailer_check(
const struct dcerpc_sec_vt_pcontext *pcontext,
const struct dcerpc_sec_vt_header2 *header2);
+#define DCERPC_AUTH_PAD_LENGTH(stub_length) (\
+ (((stub_length) % DCERPC_AUTH_PAD_ALIGNMENT) > 0)?\
+ (DCERPC_AUTH_PAD_ALIGNMENT - (stub_length) %
DCERPC_AUTH_PAD_ALIGNMENT):\
+ 0)
+
#endif /* __DEFAULT_LIBRPC_RPCCOMMON_H__ */
diff --git a/source3/include/local.h b/source3/include/local.h
index 85f0861..5963eb0 100644
--- a/source3/include/local.h
+++ b/source3/include/local.h
@@ -204,7 +204,4 @@
/* Maximum size of RPC data we will accept for one call. */
#define MAX_RPC_DATA_SIZE (15*1024*1024)
-#define CLIENT_NDR_PADDING_SIZE 8
-#define SERVER_NDR_PADDING_SIZE 8
-
#endif
diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
index 42429a1..e7d66b7 100644
--- a/source3/librpc/rpc/dcerpc.h
+++ b/source3/librpc/rpc/dcerpc.h
@@ -75,7 +75,7 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
bool bigendian);
NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
size_t header_len, size_t data_left,
- size_t max_xmit_frag, size_t pad_alignment,
+ size_t max_xmit_frag,
size_t *data_to_send, size_t *frag_len,
size_t *auth_len, size_t *pad_len);
NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
diff --git a/source3/librpc/rpc/dcerpc_helpers.c
b/source3/librpc/rpc/dcerpc_helpers.c
index a9b24c8..1193baa 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -225,7 +225,6 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
* @param header_len The length of the packet header
* @param data_left The data left in the send buffer
* @param max_xmit_frag The max fragment size.
-* @param pad_alignment The NDR padding size.
* @param data_to_send [out] The max data we will send in the pdu
* @param frag_len [out] The total length of the fragment
* @param auth_len [out] The length of the auth trailer
@@ -235,7 +234,7 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
*/
NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
size_t header_len, size_t data_left,
- size_t max_xmit_frag, size_t pad_alignment,
+ size_t max_xmit_frag,
size_t *data_to_send, size_t *frag_len,
size_t *auth_len, size_t *pad_len)
{
@@ -277,26 +276,23 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
case DCERPC_AUTH_TYPE_KRB5:
case DCERPC_AUTH_TYPE_SCHANNEL:
gensec_security = auth->auth_ctx;
- *auth_len = gensec_sig_size(gensec_security, max_len);
+ mod_len = (max_len % DCERPC_AUTH_PAD_ALIGNMENT);
+ *auth_len = gensec_sig_size(gensec_security, max_len - mod_len);
+ if (*auth_len == 0) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
break;
default:
return NT_STATUS_INVALID_PARAMETER;
}
max_len -= *auth_len;
+ mod_len = (max_len % DCERPC_AUTH_PAD_ALIGNMENT);
+ max_len -= mod_len;
*data_to_send = MIN(max_len, data_left);
- mod_len = (header_len + *data_to_send) % pad_alignment;
- if (mod_len) {
- *pad_len = pad_alignment - mod_len;
- } else {
- *pad_len = 0;
- }
-
- if (*data_to_send + *pad_len > max_len) {
- *data_to_send -= pad_alignment;
- }
+ *pad_len = DCERPC_AUTH_PAD_LENGTH(*data_to_send);
*frag_len = header_len + *data_to_send + *pad_len
+ DCERPC_AUTH_TRAILER_LENGTH + *auth_len;
@@ -422,7 +418,7 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
size_t pad_len, DATA_BLOB *rpc_out)
{
struct gensec_security *gensec_security;
- char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
+ const char pad[DCERPC_AUTH_PAD_ALIGNMENT] = { 0, };
DATA_BLOB auth_info;
DATA_BLOB auth_blob;
NTSTATUS status;
@@ -432,6 +428,8 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
}
if (pad_len) {
+ SMB_ASSERT(pad_len <= ARRAY_SIZE(pad));
+
/* Copy the sign/seal padding data. */
if (!data_blob_append(NULL, rpc_out, pad, pad_len)) {
return NT_STATUS_NO_MEMORY;
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index d0fb774..f642d30 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1398,7 +1398,6 @@ static NTSTATUS prepare_next_frag(struct
rpc_api_pipe_req_state *state,
status = dcerpc_guess_sizes(state->cli->auth,
DCERPC_REQUEST_LENGTH, total_left,
state->cli->max_xmit_frag,
- CLIENT_NDR_PADDING_SIZE,
&total_thistime,
&frag_len, &auth_len, &pad_len);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 63323f8..4ffaa0d 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -143,7 +143,6 @@ static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
DCERPC_RESPONSE_LENGTH,
data_left,
RPC_MAX_PDU_FRAG_LEN,
- SERVER_NDR_PADDING_SIZE,
&data_to_send, &frag_len,
&auth_len, &pad_len);
if (!NT_STATUS_IS_OK(status)) {
@@ -944,7 +943,6 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
struct dcerpc_ack_ctx bind_ack_ctx;
DATA_BLOB auth_resp = data_blob_null;
DATA_BLOB auth_blob = data_blob_null;
- int pad_len = 0;
struct gensec_security *gensec_security;
DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
@@ -1081,19 +1079,10 @@ static bool api_pipe_alter_context(struct pipes_struct
*p,
}
if (auth_resp.length) {
-
- /* Work out any padding needed before the auth footer. */
- pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
- if (pad_len) {
- pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
- DEBUG(10, ("auth pad_len = %u\n",
- (unsigned int)pad_len));
- }
-
status = dcerpc_push_dcerpc_auth(pkt,
auth_info.auth_type,
auth_info.auth_level,
- pad_len,
+ 0, /* pad_len */
1, /* auth_context_id */
&auth_resp,
&auth_blob);
@@ -1107,22 +1096,9 @@ static bool api_pipe_alter_context(struct pipes_struct
*p,
* the dcerpc header */
dcerpc_set_frag_length(&p->out_data.frag,
p->out_data.frag.length +
- pad_len + auth_blob.length);
+ auth_blob.length);
if (auth_resp.length) {
- if (pad_len) {
- char pad[SERVER_NDR_PADDING_SIZE];
- memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
- if (!data_blob_append(p->mem_ctx,
- &p->out_data.frag,
- pad, pad_len)) {
- DEBUG(0, ("api_pipe_bind_req: failed to add "
- "%u bytes of pad data.\n",
- (unsigned int)pad_len));
- goto err_exit;
- }
- }
-
if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
auth_blob.data, auth_blob.length)) {
DEBUG(0, ("Append of auth info failed.\n"));
diff --git a/source4/heimdal_build/wscript_configure
b/source4/heimdal_build/wscript_configure
index 236adcd..710a53d 100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -93,6 +93,7 @@ conf.define('HAVE_GSSKRB5_GET_SUBKEY', 1)
conf.define('HAVE_GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT', 1)
conf.define('HAVE_GSS_IMPORT_CRED', 1)
conf.define('HAVE_GSS_EXPORT_CRED', 1)
+conf.define('HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X', 1)
conf.define('HAVE_GSSAPI', 1)
conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)
conf.define('HAVE_CHECKSUM_IN_KRB5_CHECKSUM', 1)
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index be9a44c..6e3410b 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -832,13 +832,16 @@ static NTSTATUS ncacn_push_request_sign(struct
dcecli_connection *c,
size_t hdr_size = DCERPC_REQUEST_LENGTH;
/* non-signed packets are simpler */
- if (sig_size == 0) {
+ if (c->security_state.auth_info == NULL) {
return ncacn_push_auth(blob, mem_ctx, pkt, NULL);
}
switch (c->security_state.auth_info->auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
case DCERPC_AUTH_LEVEL_INTEGRITY:
+ if (sig_size == 0) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
break;
case DCERPC_AUTH_LEVEL_CONNECT:
@@ -881,7 +884,7 @@ static NTSTATUS ncacn_push_request_sign(struct
dcecli_connection *c,
whole packet, whereas w2k8 wants it relative to the start
of the stub */
c->security_state.auth_info->auth_pad_length =
- (16 - (pkt->u.request.stub_and_verifier.length & 15)) & 15;
+ DCERPC_AUTH_PAD_LENGTH(pkt->u.request.stub_and_verifier.length);
ndr_err = ndr_push_zero(ndr,
c->security_state.auth_info->auth_pad_length);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return ndr_map_error2ntstatus(ndr_err);
@@ -1681,14 +1684,19 @@ static void dcerpc_ship_next_request(struct
dcecli_connection *c)
chunk_size -= DCERPC_REQUEST_LENGTH;
if (c->security_state.auth_info &&
c->security_state.generic_state) {
+ size_t max_payload = chunk_size;
+
+ max_payload -= DCERPC_AUTH_TRAILER_LENGTH;
+ max_payload -= (max_payload % DCERPC_AUTH_PAD_ALIGNMENT);
+
sig_size = gensec_sig_size(c->security_state.generic_state,
- p->conn->srv_max_recv_frag);
+ max_payload);
if (sig_size) {
chunk_size -= DCERPC_AUTH_TRAILER_LENGTH;
chunk_size -= sig_size;
}
}
- chunk_size -= (chunk_size % 16);
+ chunk_size -= (chunk_size % DCERPC_AUTH_PAD_ALIGNMENT);
pkt.ptype = DCERPC_PKT_REQUEST;
pkt.call_id = req->call_id;
diff --git a/source4/rpc_server/common/reply.c
b/source4/rpc_server/common/reply.c
index 92bd552..007b680 100644
--- a/source4/rpc_server/common/reply.c
+++ b/source4/rpc_server/common/reply.c
@@ -187,14 +187,19 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state
*call)
chunk_size -= DCERPC_REQUEST_LENGTH;
if (call->conn->auth_state.auth_info &&
call->conn->auth_state.gensec_security) {
+ size_t max_payload = chunk_size;
+
+ max_payload -= DCERPC_AUTH_TRAILER_LENGTH;
+ max_payload -= (max_payload % DCERPC_AUTH_PAD_ALIGNMENT);
+
sig_size =
gensec_sig_size(call->conn->auth_state.gensec_security,
- call->conn->cli_max_recv_frag);
+ max_payload);
if (sig_size) {
chunk_size -= DCERPC_AUTH_TRAILER_LENGTH;
chunk_size -= sig_size;
}
}
- chunk_size -= (chunk_size % 16);
+ chunk_size -= (chunk_size % DCERPC_AUTH_PAD_ALIGNMENT);
do {
uint32_t length;
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index d5aef49..374c2e0 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -442,7 +442,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
DATA_BLOB creds2;
/* non-signed packets are simple */
- if (sig_size == 0) {
+ if (dce_conn->auth_state.auth_info == NULL) {
status = ncacn_push_auth(blob, call, pkt, NULL);
return NT_STATUS_IS_OK(status);
}
@@ -450,6 +450,10 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
switch (dce_conn->auth_state.auth_info->auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
case DCERPC_AUTH_LEVEL_INTEGRITY:
+ if (sig_size == 0) {
+ return false;
+ }
+
break;
case DCERPC_AUTH_LEVEL_CONNECT:
@@ -488,7 +492,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
whole packet, whereas w2k8 wants it relative to the start
of the stub */
dce_conn->auth_state.auth_info->auth_pad_length =
- (16 - (pkt->u.response.stub_and_verifier.length & 15)) & 15;
+
DCERPC_AUTH_PAD_LENGTH(pkt->u.response.stub_and_verifier.length);
ndr_err = ndr_push_zero(ndr,
dce_conn->auth_state.auth_info->auth_pad_length);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index da3cb98..b8d1ff5 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -183,11 +183,18 @@ for env in ["ad_dc_ntvfs", "fl2000dc", "fl2003dc",
"fl2008r2dc", "ad_dc"]:
plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" %
(transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN',
"--option=clientusespnegoprincipal=yes",
'--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s
with Kerberos - use target principal" % (transport,))
plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" %
transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN',
"--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no',
'--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s
with Kerberos - use Samba3 style login" % transport)
plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" %
transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN',
"--option=clientusespnegoprincipal=yes",
'--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no',
'--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s
with Kerberos - use Samba3 style login, use target principal" % transport)
+
+ # Winreg tests test bulk Kerberos encryption of DCE/RPC
+ # We test rpc.winreg here too, because the winreg interface if
+ # handled by the source3/rpc_server code.
+ for bindoptions in ["connect", "krb5", "krb5,sign", "krb5,seal", "spnego",
"spnego,sign", "spnego,seal"]:
+ plansmbtorture4testsuite('rpc.winreg', env, ["%s:$SERVER[%s]" %
(transport, bindoptions), '-k', 'yes', '-U$USERNAME%$PASSWORD',
'--workgroup=$DOMAIN'], "samba4.rpc.winreg on %s with %s" % (transport,
bindoptions))
+
for transport in transports:
plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[]" %
(transport,), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.echo
on %s" % (transport, ))
# Echo tests test bulk Kerberos encryption of DCE/RPC
- for bindoptions in ["connect", "spnego", "spnego,sign", "spnego,seal"]
+ validate_list + ["padcheck", "bigendian", "bigendian,seal"]:
+ for bindoptions in ["connect", "krb5", "krb5,sign", "krb5,seal",
"spnego", "spnego,sign", "spnego,seal"] + validate_list + ["padcheck",
"bigendian", "bigendian,seal"]:
echooptions = "--option=socket:testnonblock=True
--option=torture:quick=yes -k yes"
plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[%s]" %
(transport, bindoptions), echooptions, '-U$USERNAME%$PASSWORD',
'--workgroup=$DOMAIN'], "samba4.rpc.echo on %s with %s and %s" % (transport,
bindoptions, echooptions))
plansmbtorture4testsuite("net.api.become.dc", env, '$SERVER[%s]
-U$USERNAME%%$PASSWORD -W$DOMAIN' % validate)
--
Samba Shared Repository
