libcli/auth: let schannel_check_creds_state() take an access_check callback
authorStefan Metzmacher <metze@samba.org>
Tue, 26 Nov 2024 11:54:02 +0000 (12:54 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Thu, 12 Dec 2024 13:59:29 +0000 (13:59 +0000)
This allows the callback to decide if the updated creds should be stored
or not.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
libcli/auth/schannel_state.h
libcli/auth/schannel_state_tdb.c
librpc/rpc/server/netlogon/schannel_util.c

index 5b33ba0ab23ee5512aa543ee23c4ce88a228ad38..de6efe345c425602981e581772575b37874a3638 100644 (file)
@@ -39,6 +39,11 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
                                    struct netr_Authenticator *return_authenticator,
                                    enum dcerpc_AuthType auth_type,
                                    enum dcerpc_AuthLevel auth_level,
+                                   NTSTATUS (*access_check_cb)(struct netlogon_creds_CredentialState *creds,
+                                                               NTSTATUS step_status,
+                                                               bool *store,
+                                                               void *access_check_private),
+                                   void *access_check_private,
                                    struct netlogon_creds_CredentialState **creds_out);
 
 NTSTATUS schannel_get_challenge(struct loadparm_context *lp_ctx,
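Review bot: The new `access_check_cb` parameter carries no documented contract at the declaration, so a reader cannot tell from the prototype that its return value replaces the step-check status or what `*store` controls. I would add a comment above schannel_check_creds_state() stating that the callback, when non-NULL, runs after the credential step with the step result passed as `step_status`, that whatever it returns becomes the function's result, and that `*store` (pre-set to true) is only consulted when that result is OK and then decides whether the updated creds are written back via schannel_store_session_key_tdb(); passing NULL keeps the previous always-store behaviour. The same description belongs on the definition in libcli/auth/schannel_state_tdb.c, where the callback is invoked.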
index 6deeff0828872a115e788a16331377c2a319fd84..c7f38dfbb91e000b552cd7bfeae917890f8bd003 100644 (file)
@@ -562,6 +562,11 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
                                    struct netr_Authenticator *return_authenticator,
                                    enum dcerpc_AuthType auth_type,
                                    enum dcerpc_AuthLevel auth_level,
+                                   NTSTATUS (*access_check_cb)(struct netlogon_creds_CredentialState *creds,
+                                                               NTSTATUS step_status,
+                                                               bool *store,
+                                                               void *access_check_private),
+                                   void *access_check_private,
                                    struct netlogon_creds_CredentialState **creds_out)
 {
        TALLOC_CTX *tmpctx;
@@ -572,6 +577,7 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
        char *keystr = NULL;
        struct db_record *record;
        TDB_DATA key;
+       bool store = true;
 
        if (creds_out != NULL) {
                *creds_out = NULL;
@@ -624,13 +630,22 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
                                                  return_authenticator,
                                                  auth_type,
                                                  auth_level);
+       if (access_check_cb != NULL) {
+               NTSTATUS step_status = status;
+               status = access_check_cb(creds,
+                                        step_status,
+                                        &store,
+                                        access_check_private);
+       }
        if (!NT_STATUS_IS_OK(status)) {
                goto done;
        }
 
-       status = schannel_store_session_key_tdb(db_sc, tmpctx, creds);
-       if (!NT_STATUS_IS_OK(status)) {
-               goto done;
+       if (store) {
+               status = schannel_store_session_key_tdb(db_sc, tmpctx, creds);
+               if (!NT_STATUS_IS_OK(status)) {
+                       goto done;
+               }
        }
 
        if (creds_out) {
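Review bot: The callback's return value overwrites `status` unconditionally at `status = access_check_cb(creds, step_status, &store, access_check_private);`, so a callback that returns NT_STATUS_OK for a non-OK `step_status` would cause credentials that failed the step check to be stored through schannel_store_session_key_tdb() and returned via `creds_out`. Presumably callbacks are expected to pass a failing `step_status` through rather than mask it, but nothing in the code enforces or states this; a comment above the call such as `/* The callback may replace the step result, but must not turn a failed step into success. */` would make the contract explicit. Note also that `store` is only examined after the `NT_STATUS_IS_OK(status)` check, so a callback that sets `*store = false` together with an error status has no effect beyond the error itself. The body of schannel_check_creds_state() continues past the end of this hunk.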
index 69773ea30e8e06c64e675797ec9bfb3e210c2630..cc1355670d619f6ee4217cf5977f25c9d07eebc3 100644 (file)
@@ -600,6 +600,8 @@ NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
                                               return_authenticator,
                                               auth_type,
                                               auth_level,
+                                              NULL, /* access_check_cb */
+                                              NULL, /* access_check_private */
                                               &creds);
        if (!NT_STATUS_IS_OK(nt_status)) {
                ZERO_STRUCTP(return_authenticator);