The branch, master has been updated
       via  6dd117b s4:selftest: also run rpc.winreg with kerberos and all possible auth options
       via  5b917fd s4:selftest: run rpc.echo tests also with krb5 krb5,sign krb5,seal
       via  69c1b4b s4:rpc_server: fix padding calculation in dcesrv_auth_response()
       via  1bf7ab4 s4:rpc_server: let dcesrv_auth_response() handle sig_size == 0 with auth_info as error
       via  16f3837 s4:rpc_server: let dcesrv_reply() use a sig_size for a padded payload
       via  3fbdb25 s4:rpc_server: let dcesrv_reply() use DCERPC_AUTH_PAD_ALIGNMENT define
       via  114c52e s4:librpc/rpc: fix padding calculation in ncacn_push_request_sign()
       via  48f2c38 s4:librpc/rpc: let ncacn_push_request_sign() handle sig_size == 0 with auth_info as internal error
       via  fc249d5 s4:librpc/rpc: let dcerpc_ship_next_request() use a sig_size for a padded payload
       via  ef801ba s4:librpc/rpc: let dcerpc_ship_next_request() use DCERPC_AUTH_PAD_ALIGNMENT define
       via  c726dd7 s3:include: remove used unused {CLIENT,SERVER}_NDR_PADDING_SIZE
       via  a6a6795 s3:rpc_server: remove pad handling from api_pipe_alter_context()
       via  b2e042a s3:librpc/rpc: fix padding calculation in dcerpc_guess_sizes()
       via  3e6e9e3 s3:librpc/rpc: allow up to DCERPC_AUTH_PAD_ALIGNMENT padding bytes in dcerpc_add_auth_footer()
       via  f1e3ad2 librpc/rpc: add DCERPC_AUTH_PAD_LENGTH(stub_length) helper macro
       via  2cb3ec5 dcerpc.idl: add DCERPC_AUTH_PAD_ALIGNMENT (=16)
       via  756508c auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting
       via  3542d33 auth/gensec: gensec_[un]seal_packet() should only work with GENSEC_FEATURE_DCE_STYLE
       via  5757945 auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL
       via  0149961 s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
      from  408c965 s4:torture:vfs_fruit: copyfile
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 6dd117b21ef06da68af67051f2822f71193d193a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jun 23 10:27:27 2015 +0200

    s4:selftest: also run rpc.winreg with kerberos and all possible auth options

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Tue Jun 23 17:31:08 CEST 2015 on sn-devel-104

commit 5b917fd6226952a1f792d1ad921d2ae54ab6ab42
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 19 00:35:29 2015 +0200

    s4:selftest: run rpc.echo tests also with krb5 krb5,sign krb5,seal

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 69c1b4b7c10dd5fd9cacaa3a76c47bc854ee3fed
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Jun 20 17:49:02 2015 +0200

    s4:rpc_server: fix padding calculation in dcesrv_auth_response()

    This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the behaviour
    so that we will use no padding if the stub_length is already aligned
    to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1bf7ab49b4459e81ab2b82d9668b3d7cb76372f4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Jun 20 17:47:14 2015 +0200

    s4:rpc_server: let dcesrv_auth_response() handle sig_size == 0 with auth_info as error

    Don't send plaintext on the wire because of an internal error...

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 16f3837e026e4cae135bbdddf09b44a02af25b05
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 19 22:35:44 2015 +0200

    s4:rpc_server: let dcesrv_reply() use a sig_size for a padded payload

    The sig_size could differ depending on the alignment/padding.
    So we should use the same alignment as we use for the payload.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3fbdb255e3ac7ad5261c5fa3836e4a38a0d59221
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 19 22:35:44 2015 +0200

    s4:rpc_server: let dcesrv_reply() use DCERPC_AUTH_PAD_ALIGNMENT define

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 114c52e73ed9e0adeac8ad1bc1dc014f3c10f4d6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Jun 20 17:49:02 2015 +0200

    s4:librpc/rpc: fix padding calculation in ncacn_push_request_sign()

    This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the behaviour
    so that we will use no padding if the stub_length is already aligned
    to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 48f2c383e1d7f52114223cd2a54857426bf64025
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Jun 20 17:47:14 2015 +0200

    s4:librpc/rpc: let ncacn_push_request_sign() handle sig_size == 0 with auth_info as internal error

    Don't send plaintext on the wire because of an internal error...

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fc249d542fcb8d043ae72eb7963d3a85eb79253a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 19 22:35:44 2015 +0200

    s4:librpc/rpc: let dcerpc_ship_next_request() use a sig_size for a padded payload

    The sig_size could differ depending on the alignment/padding.
    So we should use the same alignment as we use for the payload.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ef801bae95403e96042f5d8c87085bce21436013
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 19 22:35:44 2015 +0200

    s4:librpc/rpc: let dcerpc_ship_next_request() use DCERPC_AUTH_PAD_ALIGNMENT define

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c726dd7f8d7c8350807c0e41103beb1724262308
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 19 22:23:01 2015 +0200

    s3:include: remove used unused {CLIENT,SERVER}_NDR_PADDING_SIZE

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a6a6795826954eef6763a39b129a4db578edca01
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 19 22:09:57 2015 +0200

    s3:rpc_server: remove pad handling from api_pipe_alter_context()

    This is not needed and Windows doesn't use it.
    The padding is for the payload in request and response.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b2e042ad9652e2dfb39640de43e09030efc41d3d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 19 15:52:11 2015 +0200

    s3:librpc/rpc: fix padding calculation in dcerpc_guess_sizes()

    The padding needs to be relative to the payload start not to the pdu start.
    We also need to align the padding to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3e6e9e3acd17531148457be59a32727fb87ae43d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 19 16:55:39 2015 +0200

    s3:librpc/rpc: allow up to DCERPC_AUTH_PAD_ALIGNMENT padding bytes in dcerpc_add_auth_footer()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f1e3ad269ca8f76876afd8e3837c9c9b48688941
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Jun 20 17:43:47 2015 +0200

    librpc/rpc: add DCERPC_AUTH_PAD_LENGTH(stub_length) helper macro

    This calculates the required padding DCERPC_AUTH_PAD_ALIGNMENT
    and the stub_length.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2cb3ec5856ab5b7edad8ffd67a5d0f927c161138
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 19 16:48:48 2015 +0200

    dcerpc.idl: add DCERPC_AUTH_PAD_ALIGNMENT (=16)

    Windows pads the payload aligned to 16 bytes.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 756508c8c37b0370301a096e35abc171fe08d31c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Jun 20 16:19:31 2015 +0200

    auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting

    We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given
    auth_level and should not have GENSEC_FEATURE_SEAL if
    DCERPC_AUTH_LEVEL_INTEGRITY is desired.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3542d33314e32279340f07f995c1dcbd16106352
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 19 14:46:53 2015 +0200

    auth/gensec: gensec_[un]seal_packet() should only work with GENSEC_FEATURE_DCE_STYLE

    gensec_sig_size() also requires GENSEC_FEATURE_DCE_STYLE if
    GENSEC_FEATURE_SEAL is negotiated.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 57579453d12429adba08b80c1eb6936cc422a2fd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jun 22 15:17:33 2015 +0200

    auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL

    Newer MIT versions also have this.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 01499617bdd7f7b202ddd1e1c35e21b5c042ac65
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jun 22 15:17:10 2015 +0200

    s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Günther Deschner <g...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/credentials/credentials_krb5.c | 5 ++--- auth/gensec/gensec.c | 14 ++++++++++++++ auth/gensec/gensec_start.c | 6 ++++++ librpc/idl/dcerpc.idl | 1 + librpc/rpc/rpc_common.h | 5 +++++ source3/include/local.h | 3 --- source3/librpc/rpc/dcerpc.h | 2 +- source3/librpc/rpc/dcerpc_helpers.c | 26 ++++++++++++-------------- source3/rpc_client/cli_pipe.c | 1 - source3/rpc_server/srv_pipe.c | 28 ++-------------------------- source4/heimdal_build/wscript_configure | 1 + source4/librpc/rpc/dcerpc.c | 16 ++++++++++++---- source4/rpc_server/common/reply.c | 9 +++++++-- source4/rpc_server/dcesrv_auth.c | 8 ++++++-- source4/selftest/tests.py | 9 ++++++++- 15 files changed, 77 insertions(+), 57 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index 77dbcd2..d6aaae6 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c @@ -518,7 +518,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, OM_uint32 maj_stat, min_stat; struct gssapi_creds_container *gcc; struct ccache_container *ccache; -#ifdef SAMBA4_USES_HEIMDAL +#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; #endif krb5_enctype *etypes = NULL; @@ -634,8 +634,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, } } -#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks GSS_KRB5_CRED_NO_CI_FLAGS_X */ - +#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X /* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */ maj_stat = gss_set_cred_option(&min_stat, &gcc->creds, GSS_KRB5_CRED_NO_CI_FLAGS_X, diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c index d9504f7..9fd5f25 100644 --- a/auth/gensec/gensec.c +++ b/auth/gensec/gensec.c 
@@ -41,9 +41,15 @@ _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, if (!gensec_security->ops->unseal_packet) { return NT_STATUS_NOT_IMPLEMENTED; } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + return NT_STATUS_INVALID_PARAMETER; + } if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { return NT_STATUS_INVALID_PARAMETER; } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) { + return NT_STATUS_INVALID_PARAMETER; + } return gensec_security->ops->unseal_packet(gensec_security, data, length, @@ -81,6 +87,9 @@ _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { return NT_STATUS_INVALID_PARAMETER; } + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) { + return NT_STATUS_INVALID_PARAMETER; + } return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); } @@ -109,6 +118,11 @@ _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { return 0; } + if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) { + return 0; + } + } return gensec_security->ops->sig_size(gensec_security, data_size); } diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index 955cc36..be31697 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c 
@@ -724,6 +724,12 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s return NT_STATUS_INVALID_PARAMETER; } gensec_security->dcerpc_auth_level = auth_level; + /* + * We need to reset sign/seal in order to reset it. + * We may got some default features inherited by the credentials + */ + gensec_security->want_features &= ~GENSEC_FEATURE_SIGN; + gensec_security->want_features &= ~GENSEC_FEATURE_SEAL; gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE); gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES); if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl index 4dad126..67f4b9d 100644 --- a/librpc/idl/dcerpc.idl +++ b/librpc/idl/dcerpc.idl @@ -259,6 +259,7 @@ interface dcerpc } dcerpc_auth; const uint8 DCERPC_AUTH_TRAILER_LENGTH = 8; + const uint8 DCERPC_AUTH_PAD_ALIGNMENT = 16; typedef [public] struct { [value(0)] uint32 _pad; diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h index 1b54b80..61a8eab 100644 --- a/librpc/rpc/rpc_common.h +++ b/librpc/rpc/rpc_common.h @@ -372,4 +372,9 @@ bool dcerpc_sec_verification_trailer_check( const struct dcerpc_sec_vt_pcontext *pcontext, const struct dcerpc_sec_vt_header2 *header2); +#define DCERPC_AUTH_PAD_LENGTH(stub_length) (\ + (((stub_length) % DCERPC_AUTH_PAD_ALIGNMENT) > 0)?\ + (DCERPC_AUTH_PAD_ALIGNMENT - (stub_length) % DCERPC_AUTH_PAD_ALIGNMENT):\ + 0) + #endif /* __DEFAULT_LIBRPC_RPCCOMMON_H__ */ diff --git a/source3/include/local.h b/source3/include/local.h index 85f0861..5963eb0 100644 --- a/source3/include/local.h +++ b/source3/include/local.h @@ -204,7 +204,4 @@ /* Maximum size of RPC data we will accept for one call. */ #define MAX_RPC_DATA_SIZE (15*1024*1024) -#define CLIENT_NDR_PADDING_SIZE 8 -#define SERVER_NDR_PADDING_SIZE 8 - #endif diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h index 42429a1..e7d66b7 100644 --- a/source3/librpc/rpc/dcerpc.h 
+++ b/source3/librpc/rpc/dcerpc.h @@ -75,7 +75,7 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx, bool bigendian); NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth, size_t header_len, size_t data_left, - size_t max_xmit_frag, size_t pad_alignment, + size_t max_xmit_frag, size_t *data_to_send, size_t *frag_len, size_t *auth_len, size_t *pad_len); NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth, diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c index a9b24c8..1193baa 100644 --- a/source3/librpc/rpc/dcerpc_helpers.c +++ b/source3/librpc/rpc/dcerpc_helpers.c @@ -225,7 +225,6 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx, * @param header_len The length of the packet header * @param data_left The data left in the send buffer * @param max_xmit_frag The max fragment size. -* @param pad_alignment The NDR padding size. * @param data_to_send [out] The max data we will send in the pdu * @param frag_len [out] The total length of the fragment * @param auth_len [out] The length of the auth trailer @@ -235,7 +234,7 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx, */ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth, size_t header_len, size_t data_left, - size_t max_xmit_frag, size_t pad_alignment, + size_t max_xmit_frag, size_t *data_to_send, size_t *frag_len, size_t *auth_len, size_t *pad_len) { 
@@ -277,26 +276,23 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth, case DCERPC_AUTH_TYPE_KRB5: case DCERPC_AUTH_TYPE_SCHANNEL: gensec_security = auth->auth_ctx; - *auth_len = gensec_sig_size(gensec_security, max_len); + mod_len = (max_len % DCERPC_AUTH_PAD_ALIGNMENT); + *auth_len = gensec_sig_size(gensec_security, max_len - mod_len); + if (*auth_len == 0) { + return NT_STATUS_INTERNAL_ERROR; + } break; default: return NT_STATUS_INVALID_PARAMETER; } max_len -= *auth_len; + mod_len = (max_len % DCERPC_AUTH_PAD_ALIGNMENT); + max_len -= mod_len; *data_to_send = MIN(max_len, data_left); - mod_len = (header_len + *data_to_send) % pad_alignment; - if (mod_len) { - *pad_len = pad_alignment - mod_len; - } else { - *pad_len = 0; - } - - if (*data_to_send + *pad_len > max_len) { - *data_to_send -= pad_alignment; - } + *pad_len = DCERPC_AUTH_PAD_LENGTH(*data_to_send); *frag_len = header_len + *data_to_send + *pad_len + DCERPC_AUTH_TRAILER_LENGTH + *auth_len; @@ -422,7 +418,7 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth, size_t pad_len, DATA_BLOB *rpc_out) { struct gensec_security *gensec_security; - char pad[CLIENT_NDR_PADDING_SIZE] = { 0, }; + const char pad[DCERPC_AUTH_PAD_ALIGNMENT] = { 0, }; DATA_BLOB auth_info; DATA_BLOB auth_blob; NTSTATUS status; @@ -432,6 +428,8 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth, } if (pad_len) { + SMB_ASSERT(pad_len <= ARRAY_SIZE(pad)); + /* Copy the sign/seal padding data. */ if (!data_blob_append(NULL, rpc_out, pad, pad_len)) { return NT_STATUS_NO_MEMORY; diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index d0fb774..f642d30 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c 
@@ -1398,7 +1398,6 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state, status = dcerpc_guess_sizes(state->cli->auth, DCERPC_REQUEST_LENGTH, total_left, state->cli->max_xmit_frag, - CLIENT_NDR_PADDING_SIZE, &total_thistime, &frag_len, &auth_len, &pad_len); if (!NT_STATUS_IS_OK(status)) { diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 63323f8..4ffaa0d 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -143,7 +143,6 @@ static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx, DCERPC_RESPONSE_LENGTH, data_left, RPC_MAX_PDU_FRAG_LEN, - SERVER_NDR_PADDING_SIZE, &data_to_send, &frag_len, &auth_len, &pad_len); if (!NT_STATUS_IS_OK(status)) { @@ -944,7 +943,6 @@ static bool api_pipe_alter_context(struct pipes_struct *p, struct dcerpc_ack_ctx bind_ack_ctx; DATA_BLOB auth_resp = data_blob_null; DATA_BLOB auth_blob = data_blob_null; - int pad_len = 0; struct gensec_security *gensec_security; DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__)); @@ -1081,19 +1079,10 @@ static bool api_pipe_alter_context(struct pipes_struct *p, } if (auth_resp.length) { - - /* Work out any padding needed before the auth footer. */ - pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE; - if (pad_len) { - pad_len = SERVER_NDR_PADDING_SIZE - pad_len; - DEBUG(10, ("auth pad_len = %u\n", - (unsigned int)pad_len)); - } - status = dcerpc_push_dcerpc_auth(pkt, auth_info.auth_type, auth_info.auth_level, - pad_len, + 0, /* pad_len */ 1, /* auth_context_id */ &auth_resp, &auth_blob); 
@@ -1107,22 +1096,9 @@ static bool api_pipe_alter_context(struct pipes_struct *p, * the dcerpc header */ dcerpc_set_frag_length(&p->out_data.frag, p->out_data.frag.length + - pad_len + auth_blob.length); + auth_blob.length); if (auth_resp.length) { - if (pad_len) { - char pad[SERVER_NDR_PADDING_SIZE]; - memset(pad, '\0', SERVER_NDR_PADDING_SIZE); - if (!data_blob_append(p->mem_ctx, - &p->out_data.frag, - pad, pad_len)) { - DEBUG(0, ("api_pipe_bind_req: failed to add " - "%u bytes of pad data.\n", - (unsigned int)pad_len)); - goto err_exit; - } - } - if (!data_blob_append(p->mem_ctx, &p->out_data.frag, auth_blob.data, auth_blob.length)) { DEBUG(0, ("Append of auth info failed.\n")); diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure index 236adcd..710a53d 100755 --- a/source4/heimdal_build/wscript_configure +++ b/source4/heimdal_build/wscript_configure @@ -93,6 +93,7 @@ conf.define('HAVE_GSSKRB5_GET_SUBKEY', 1) conf.define('HAVE_GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT', 1) conf.define('HAVE_GSS_IMPORT_CRED', 1) conf.define('HAVE_GSS_EXPORT_CRED', 1) +conf.define('HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X', 1) conf.define('HAVE_GSSAPI', 1) conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1) conf.define('HAVE_CHECKSUM_IN_KRB5_CHECKSUM', 1) diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c index be9a44c..6e3410b 100644 --- a/source4/librpc/rpc/dcerpc.c +++ b/source4/librpc/rpc/dcerpc.c @@ -832,13 +832,16 @@ static NTSTATUS ncacn_push_request_sign(struct dcecli_connection *c, size_t hdr_size = DCERPC_REQUEST_LENGTH; /* non-signed packets are simpler */ - if (sig_size == 0) { + if (c->security_state.auth_info == NULL) { return ncacn_push_auth(blob, mem_ctx, pkt, NULL); } switch (c->security_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: case DCERPC_AUTH_LEVEL_INTEGRITY: + if (sig_size == 0) { + return NT_STATUS_INTERNAL_ERROR; + } break; case DCERPC_AUTH_LEVEL_CONNECT: 
@@ -881,7 +884,7 @@ static NTSTATUS ncacn_push_request_sign(struct dcecli_connection *c, whole packet, whereas w2k8 wants it relative to the start of the stub */ c->security_state.auth_info->auth_pad_length = - (16 - (pkt->u.request.stub_and_verifier.length & 15)) & 15; + DCERPC_AUTH_PAD_LENGTH(pkt->u.request.stub_and_verifier.length); ndr_err = ndr_push_zero(ndr, c->security_state.auth_info->auth_pad_length); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return ndr_map_error2ntstatus(ndr_err); @@ -1681,14 +1684,19 @@ static void dcerpc_ship_next_request(struct dcecli_connection *c) chunk_size -= DCERPC_REQUEST_LENGTH; if (c->security_state.auth_info && c->security_state.generic_state) { + size_t max_payload = chunk_size; + + max_payload -= DCERPC_AUTH_TRAILER_LENGTH; + max_payload -= (max_payload % DCERPC_AUTH_PAD_ALIGNMENT); + sig_size = gensec_sig_size(c->security_state.generic_state, - p->conn->srv_max_recv_frag); + max_payload); if (sig_size) { chunk_size -= DCERPC_AUTH_TRAILER_LENGTH; chunk_size -= sig_size; } } - chunk_size -= (chunk_size % 16); + chunk_size -= (chunk_size % DCERPC_AUTH_PAD_ALIGNMENT); pkt.ptype = DCERPC_PKT_REQUEST; pkt.call_id = req->call_id; diff --git a/source4/rpc_server/common/reply.c b/source4/rpc_server/common/reply.c index 92bd552..007b680 100644 --- a/source4/rpc_server/common/reply.c +++ b/source4/rpc_server/common/reply.c 
@@ -187,14 +187,19 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call) chunk_size -= DCERPC_REQUEST_LENGTH; if (call->conn->auth_state.auth_info && call->conn->auth_state.gensec_security) { + size_t max_payload = chunk_size; + + max_payload -= DCERPC_AUTH_TRAILER_LENGTH; + max_payload -= (max_payload % DCERPC_AUTH_PAD_ALIGNMENT); + sig_size = gensec_sig_size(call->conn->auth_state.gensec_security, - call->conn->cli_max_recv_frag); + max_payload); if (sig_size) { chunk_size -= DCERPC_AUTH_TRAILER_LENGTH; chunk_size -= sig_size; } } - chunk_size -= (chunk_size % 16); + chunk_size -= (chunk_size % DCERPC_AUTH_PAD_ALIGNMENT); do { uint32_t length; diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index d5aef49..374c2e0 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -442,7 +442,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, DATA_BLOB creds2; /* non-signed packets are simple */ - if (sig_size == 0) { + if (dce_conn->auth_state.auth_info == NULL) { status = ncacn_push_auth(blob, call, pkt, NULL); return NT_STATUS_IS_OK(status); } @@ -450,6 +450,10 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: case DCERPC_AUTH_LEVEL_INTEGRITY: + if (sig_size == 0) { + return false; + } + break; case DCERPC_AUTH_LEVEL_CONNECT: @@ -488,7 +492,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, whole packet, whereas w2k8 wants it relative to the start of the stub */ dce_conn->auth_state.auth_info->auth_pad_length = - (16 - (pkt->u.response.stub_and_verifier.length & 15)) & 15; + DCERPC_AUTH_PAD_LENGTH(pkt->u.response.stub_and_verifier.length); ndr_err = ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index da3cb98..b8d1ff5 100755 
--- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py 
@@ -183,11 +183,18 @@ for env in ["ad_dc_ntvfs", "fl2000dc", "fl2003dc", "fl2008r2dc", "ad_dc"]: plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use target principal" % (transport,)) plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login" % transport) plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login, use target principal" % transport) + + # Winreg tests test bulk Kerberos encryption of DCE/RPC + # We test rpc.winreg here too, because the winreg interface if + # handled by the source3/rpc_server code. 
+ for bindoptions in ["connect", "krb5", "krb5,sign", "krb5,seal", "spnego", "spnego,sign", "spnego,seal"]: + plansmbtorture4testsuite('rpc.winreg', env, ["%s:$SERVER[%s]" % (transport, bindoptions), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.winreg on %s with %s" % (transport, bindoptions)) + for transport in transports: plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[]" % (transport,), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.echo on %s" % (transport, )) # Echo tests test bulk Kerberos encryption of DCE/RPC - for bindoptions in ["connect", "spnego", "spnego,sign", "spnego,seal"] + validate_list + ["padcheck", "bigendian", "bigendian,seal"]: + for bindoptions in ["connect", "krb5", "krb5,sign", "krb5,seal", "spnego", "spnego,sign", "spnego,seal"] + validate_list + ["padcheck", "bigendian", "bigendian,seal"]: echooptions = "--option=socket:testnonblock=True --option=torture:quick=yes -k yes" plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[%s]" % (transport, bindoptions), echooptions, '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.echo on %s with %s and %s" % (transport, bindoptions, echooptions)) plansmbtorture4testsuite("net.api.become.dc", env, '$SERVER[%s] -U$USERNAME%%$PASSWORD -W$DOMAIN' % validate) -- Samba Shared Repository
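Review bot: in auth/credentials/credentials_krb5.c both guards now depend on HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X, but the only place this changeset defines it is source4/heimdal_build/wscript_configure. Please confirm that a configure check sets it for builds against a system Kerberos library as well. Otherwise the gss_set_cred_option() call that stops GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG being forced is silently compiled out there, and the "Newer MIT versions also have this" case never takes effect.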
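Review bot: in auth/gensec/gensec.c, gensec_sig_size() now returns 0 both when GENSEC_FEATURE_SIGN is absent and when SEAL is set without GENSEC_FEATURE_DCE_STYLE, so a caller cannot tell "no signing negotiated" from "inconsistent feature set". The later hunks that turn sig_size == 0 into an error depend on this, so please document the second meaning in a comment above the function. It would also help to log at a low debug level in the seal/unseal paths when the DCE_STYLE check returns NT_STATUS_INVALID_PARAMETER, since three different missing features now produce the same status.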
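Review bot: the new comment in gensec_start_mech_by_authtype() (auth/gensec/gensec_start.c) is circular ("We need to reset sign/seal in order to reset it") and does not say why. Suggest wording along the lines of "Clear SIGN/SEAL inherited from the credentials so that only the requested auth_level decides them". The two statements can also be a single mask: want_features &= ~(GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL).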
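Review bot: DCERPC_AUTH_PAD_LENGTH() in librpc/rpc/rpc_common.h expands stub_length twice, so an argument with side effects would be evaluated twice. The callers in this series pass plain lvalues (*data_to_send, stub_and_verifier.length), so this is safe today, but a static inline function taking size_t would remove the trap and give the result a defined type. At minimum add a one-line comment stating that the argument must be free of side effects.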
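Review bot: in dcerpc_guess_sizes() (source3/librpc/rpc/dcerpc_helpers.c) nothing visible in this hunk bounds *auth_len against max_len before "max_len -= *auth_len;". *auth_len is a size_t, so a signature larger than the remaining space would wrap instead of failing. If that is not already checked above the hunk, return NT_STATUS_INTERNAL_ERROR when *auth_len >= max_len. The same applies after "max_len -= mod_len;": if max_len reaches 0 then *data_to_send is 0 and the caller builds a fragment that makes no progress.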
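Review bot: SMB_ASSERT(pad_len <= ARRAY_SIZE(pad)) in dcerpc_add_auth_footer() aborts the process on a bad pad_len, while the rest of this series reports the equivalent condition as NT_STATUS_INTERNAL_ERROR (see dcerpc_guess_sizes() above). Since this function already returns NTSTATUS, returning NT_STATUS_INTERNAL_ERROR here would keep a miscalculated length from taking down the whole server or client process and would be consistent with the neighbouring code.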
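Review bot: in source4/librpc/rpc/dcerpc.c the replaced expression "(16 - (length & 15)) & 15" already evaluates to 0 for a 16-byte aligned stub, so DCERPC_AUTH_PAD_LENGTH() is an equivalent rewrite at this call site, and the same holds for the matching line in dcesrv_auth_response(). The commit messages for both describe a behaviour change for aligned stubs. Please either adjust the messages to say this is a cleanup or point to the input where the old and new results differ.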
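Review bot: the max_payload block added to dcerpc_ship_next_request() is repeated line for line in dcesrv_reply() (source4/rpc_server/common/reply.c), and both subtract DCERPC_AUTH_TRAILER_LENGTH from a size_t without first checking that chunk_size is larger. A shared helper that takes the fragment size and the gensec context and returns the usable chunk size would keep client and server in step and give one place for the lower-bound check. Separately, the unchanged context in dcesrv_reply() subtracts DCERPC_REQUEST_LENGTH on the response path, where source3 create_next_packet() uses DCERPC_RESPONSE_LENGTH. Worth confirming that is intended.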
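Review bot: in dcesrv_auth_response() (source4/rpc_server/dcesrv_auth.c) the new "if (sig_size == 0) return false;" fails the response without any log output. This is the guard that prevents an authenticated connection from sending an unprotected PDU, so a DEBUG line naming the auth_level would make the failure diagnosable. The client-side counterpart in ncacn_push_request_sign() would benefit from the same.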
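Review bot: the comment added above the rpc.winreg loop in source4/selftest/tests.py has a typo ("because the winreg interface if handled by" should read "is handled by") and its first sentence is copied from the echo block ("Winreg tests test bulk Kerberos encryption"). Suggest stating the actual reason once: winreg is served by the source3/rpc_server code, so this loop covers the source3 padding path with each bind option.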