sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-24 10:50:22 +03:00
Code

s3-auth use gensec directly rather than via auth_generic_state

Browse Source 
This is possible because the s3 gensec modules are started as
normal gensec modules, so we do not need a wrapper any more.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andrew Bartlett 2011-12-26 14:23:15 +11:00 committed by Stefan Metzmacher
parent 0c0c23f3fe
commit 3042e38d51
12 changed files with 112 additions and 144 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
source3/auth/auth_generic.c
View File

@ -33,89 +33,73 @@
NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
const struct tsocket_address *remote_address,
struct auth_generic_state **auth_ntlmssp_state)
struct gensec_security **gensec_security_out)
{
struct gensec_security *gensec_security;
struct auth_context *auth_context;
struct auth_generic_state *ans;
NTSTATUS nt_status;
ans = talloc_zero(mem_ctx, struct auth_generic_state);
if (!ans) {
DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
return NT_STATUS_NO_MEMORY;
}
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
nt_status = make_auth_context_subsystem(tmp_ctx, &auth_context);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(ans);
TALLOC_FREE(tmp_ctx);
return nt_status;
}
ans->auth_context = talloc_steal(ans, auth_context);
if (auth_context->prepare_gensec) {
nt_status = auth_context->prepare_gensec(ans,
&ans->gensec_security);
nt_status = auth_context->prepare_gensec(tmp_ctx,
&gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(ans);
TALLOC_FREE(tmp_ctx);
return nt_status;
}
} else {
struct gensec_settings *gensec_settings;
struct loadparm_context *lp_ctx;
lp_ctx = loadparm_init_s3(ans, loadparm_s3_context());
lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_context());
if (lp_ctx == NULL) {
DEBUG(10, ("loadparm_init_s3 failed\n"));
TALLOC_FREE(ans);
TALLOC_FREE(tmp_ctx);
return NT_STATUS_INVALID_SERVER_STATE;
}
gensec_settings = lpcfg_gensec_settings(ans, lp_ctx);
gensec_settings = lpcfg_gensec_settings(tmp_ctx, lp_ctx);
if (lp_ctx == NULL) {
DEBUG(10, ("lpcfg_gensec_settings failed\n"));
TALLOC_FREE(ans);
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
gensec_settings->backends = talloc_zero_array(gensec_settings, struct gensec_security_ops *, 2);
if (gensec_settings->backends == NULL) {
TALLOC_FREE(ans);
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
gensec_settings->backends[0] = &gensec_ntlmssp3_server_ops;
nt_status = gensec_server_start(ans, gensec_settings,
NULL, &ans->gensec_security);
nt_status = gensec_server_start(tmp_ctx, gensec_settings,
NULL, &gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(ans);
TALLOC_FREE(tmp_ctx);
return nt_status;
}
talloc_unlink(ans, lp_ctx);
talloc_unlink(ans, gensec_settings);
talloc_unlink(tmp_ctx, lp_ctx);
talloc_unlink(tmp_ctx, gensec_settings);
}
nt_status = gensec_set_remote_address(ans->gensec_security,
nt_status = gensec_set_remote_address(gensec_security,
remote_address);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(ans);
TALLOC_FREE(tmp_ctx);
return nt_status;
}
*auth_ntlmssp_state = ans;
*gensec_security_out = talloc_steal(mem_ctx, gensec_security);
TALLOC_FREE(tmp_ctx);
return NT_STATUS_OK;
}
NTSTATUS auth_generic_start(struct auth_generic_state *auth_ntlmssp_state, const char *oid)
{
return gensec_start_mech_by_oid(auth_ntlmssp_state->gensec_security, oid);
}
NTSTATUS auth_generic_authtype_start(struct auth_generic_state *auth_ntlmssp_state,
uint8_t auth_type, uint8_t auth_level)
{
return gensec_start_mech_by_authtype(auth_ntlmssp_state->gensec_security,
auth_type, auth_level);
}

6
source3/auth/proto.h
View File

@ -70,11 +70,7 @@ NTSTATUS auth_netlogond_init(void);
/* The following definitions come from auth/auth_ntlmssp.c */
NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx, const struct tsocket_address *remote_address,
struct auth_generic_state **auth_ntlmssp_state);
NTSTATUS auth_generic_start(struct auth_generic_state *auth_ntlmssp_state, const char *oid);
NTSTATUS auth_generic_authtype_start(struct auth_generic_state *auth_ntlmssp_state,
uint8_t auth_type, uint8_t auth_level);
struct gensec_security **gensec_security_out);
/* The following definitions come from auth/auth_sam.c */

2
source3/include/auth.h
View File

@ -128,7 +128,7 @@ struct auth_init_function_entry {
struct auth_init_function_entry *prev, *next;
};
struct auth_generic_state;
struct gensec_security;
/* Changed from 1 -> 2 to add the logon_parameters field. */
/* Changed from 2 -> 3 when we reworked many auth structures to use IDL or be in common with Samba4 */

3
source3/include/ntlmssp_wrap.h
View File

@ -26,9 +26,6 @@ struct gensec_security;
extern const struct gensec_security_ops gensec_ntlmssp3_server_ops;
struct auth_generic_state {
/* used only by server implementation */
struct auth_context *auth_context;
/* used only by the client implementation */
struct cli_credentials *credentials;

2
source3/include/smb.h
View File

@ -1215,7 +1215,7 @@ typedef struct user_struct {
struct auth_session_info *session_info;
struct auth_generic_state *auth_ntlmssp_state;
struct gensec_security *gensec_security;
} user_struct;
/*

56
source3/rpc_server/dcesrv_auth_generic.c
View File

@ -35,10 +35,10 @@ NTSTATUS auth_generic_server_start(TALLOC_CTX *mem_ctx,
const struct tsocket_address *remote_address,
struct gensec_security **ctx)
{
struct auth_generic_state *a = NULL;
struct gensec_security *gensec_security = NULL;
NTSTATUS status;
status = auth_generic_prepare(talloc_tos(), remote_address, &a);
status = auth_generic_prepare(talloc_tos(), remote_address, &gensec_security);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n",
nt_errstr(status)));
@ -46,40 +46,36 @@ NTSTATUS auth_generic_server_start(TALLOC_CTX *mem_ctx,
}
if (do_sign) {
gensec_want_feature(a->gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
}
if (do_seal) {
gensec_want_feature(a->gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(a->gensec_security, GENSEC_FEATURE_SEAL);
gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
}
if (is_dcerpc) {
gensec_want_feature(a->gensec_security, GENSEC_FEATURE_DCE_STYLE);
gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
}
status = auth_generic_start(a, oid);
status = gensec_start_mech_by_oid(gensec_security, oid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_start failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(gensec_security);
return status;
}
status = gensec_update(a->gensec_security, mem_ctx, NULL, *token_in, token_out);
status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out);
if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(2, (__location__ ": gensec_update failed: %s\n",
nt_errstr(status)));
goto done;
TALLOC_FREE(gensec_security);
return status;
}
/* steal gensec context too */
*ctx = talloc_move(mem_ctx, &a->gensec_security);
status = NT_STATUS_OK;
done:
TALLOC_FREE(a);
return status;
/* steal gensec context to the caller */
*ctx = talloc_move(mem_ctx, &gensec_security);
return NT_STATUS_OK;
}
NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
@ -89,39 +85,35 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
const struct tsocket_address *remote_address,
struct gensec_security **ctx)
{
struct auth_generic_state *a = NULL;
struct gensec_security *gensec_security = NULL;
NTSTATUS status;
status = auth_generic_prepare(talloc_tos(), remote_address, &a);
status = auth_generic_prepare(talloc_tos(), remote_address, &gensec_security);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n",
nt_errstr(status)));
return status;
}
status = auth_generic_authtype_start(a, auth_type, auth_level);
status = gensec_start_mech_by_authtype(gensec_security, auth_type, auth_level);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_start failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(gensec_security);
return status;
}
status = gensec_update(a->gensec_security, mem_ctx, NULL, *token_in, token_out);
status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out);
if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(2, (__location__ ": gensec_update failed: %s\n",
nt_errstr(status)));
goto done;
TALLOC_FREE(gensec_security);
return status;
}
/* steal gensec context too */
*ctx = talloc_move(mem_ctx, &a->gensec_security);
status = NT_STATUS_OK;
done:
TALLOC_FREE(a);
return status;
/* steal gensec context to the caller */
*ctx = talloc_move(mem_ctx, &gensec_security);
return NT_STATUS_OK;
}
NTSTATUS auth_generic_server_step(struct gensec_security *gensec_security,

2
source3/smbd/globals.h
View File

@ -410,7 +410,7 @@ struct smbd_smb2_session {
struct smbd_server_connection *sconn;
NTSTATUS status;
uint64_t vuid;
struct auth_generic_state *auth_ntlmssp_state;
struct gensec_security *gensec_security;
struct auth_session_info *session_info;
DATA_BLOB session_key;
bool do_signing;

10
source3/smbd/negprot.c
View File

@ -199,18 +199,18 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
OID_NTLMSSP,
NULL};
const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL};
struct auth_generic_state *auth_ntlmssp_state;
struct gensec_security *gensec_security;
sconn->use_gensec_hook = false;
/* See if we can get an SPNEGO blob out of the gensec hook (if auth_samba4 is loaded) */
status = auth_generic_prepare(talloc_tos(),
sconn->remote_address,
&auth_ntlmssp_state);
&gensec_security);
if (NT_STATUS_IS_OK(status)) {
status = auth_generic_start(auth_ntlmssp_state, GENSEC_OID_SPNEGO);
status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
if (NT_STATUS_IS_OK(status)) {
status = gensec_update(auth_ntlmssp_state->gensec_security, ctx,
status = gensec_update(gensec_security, ctx,
NULL, data_blob_null, &blob);
/* If we get the list of OIDs, the 'OK' answer
* is NT_STATUS_MORE_PROCESSING_REQUIRED */
@ -218,7 +218,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
sconn->use_gensec_hook = true;
}
}
TALLOC_FREE(auth_ntlmssp_state);
TALLOC_FREE(gensec_security);
}
sconn->smb1.negprot.spnego = true;

4
source3/smbd/password.c
View File

@ -124,8 +124,8 @@ void invalidate_vuid(struct smbd_server_connection *sconn, uint16 vuid)
session_yield(vuser);
if (vuser->auth_ntlmssp_state) {
TALLOC_FREE(vuser->auth_ntlmssp_state);
if (vuser->gensec_security) {
TALLOC_FREE(vuser->gensec_security);
}
DLIST_REMOVE(sconn->smb1.sessions.validated_users, vuser);

15
source3/smbd/seal.c
View File

@ -73,33 +73,32 @@ bool is_encrypted_packet(struct smbd_server_connection *sconn,
}
/******************************************************************************
Create an auth_ntlmssp_state and ensure pointer copy is correct.
Create an gensec_security and ensure pointer copy is correct.
******************************************************************************/
static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address,
struct smb_trans_enc_state *es)
{
struct auth_generic_state *auth_ntlmssp_state;
struct gensec_security *gensec_security;
NTSTATUS status = auth_generic_prepare(NULL, remote_address,
&auth_ntlmssp_state);
&gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return nt_status_squash(status);
}
gensec_want_feature(auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SEAL);
gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
status = auth_generic_start(auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(auth_ntlmssp_state);
TALLOC_FREE(gensec_security);
return nt_status_squash(status);
}
/* We do not need the auth_ntlmssp layer any more, which was
* allocated on NULL, so promote gensec_security to the NULL
* context */
es->s.gensec_security = talloc_move(NULL, &auth_ntlmssp_state->gensec_security);
TALLOC_FREE(auth_ntlmssp_state);
es->s.gensec_security = gensec_security;
return status;
}

54
source3/smbd/sesssetup.c
View File

@ -420,7 +420,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
static void reply_spnego_ntlmssp(struct smb_request *req,
uint16 vuid,
struct auth_generic_state **auth_ntlmssp_state,
struct gensec_security **gensec_security,
DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status,
const char *OID,
bool wrap)
@ -431,7 +431,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
struct smbd_server_connection *sconn = req->sconn;
if (NT_STATUS_IS_OK(nt_status)) {
nt_status = gensec_session_info((*auth_ntlmssp_state)->gensec_security,
nt_status = gensec_session_info(*gensec_security,
talloc_tos(),
&session_info);
}
@ -452,7 +452,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
if (register_existing_vuid(sconn, vuid,
session_info, nullblob) !=
vuid) {
/* The problem is, *auth_ntlmssp_state points
/* The problem is, *gensec_security points
* into the vuser this will have
* talloc_free()'ed in
* register_existing_vuid() */
@ -492,7 +492,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
/* NB. This is *NOT* an error case. JRA */
if (do_invalidate) {
TALLOC_FREE(*auth_ntlmssp_state);
TALLOC_FREE(*gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@ -578,7 +578,7 @@ static void reply_spnego_downgrade_to_ntlmssp(struct smb_request *req,
static void reply_spnego_negotiate(struct smb_request *req,
uint16 vuid,
DATA_BLOB blob1,
struct auth_generic_state **auth_ntlmssp_state)
struct gensec_security **gensec_security)
{
DATA_BLOB secblob;
DATA_BLOB chal;
@ -614,7 +614,7 @@ static void reply_spnego_negotiate(struct smb_request *req,
}
#endif
TALLOC_FREE(*auth_ntlmssp_state);
TALLOC_FREE(*gensec_security);
if (kerb_mech) {
data_blob_free(&secblob);
@ -626,7 +626,7 @@ static void reply_spnego_negotiate(struct smb_request *req,
}
status = auth_generic_prepare(NULL, sconn->remote_address,
auth_ntlmssp_state);
gensec_security);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@ -634,9 +634,9 @@ static void reply_spnego_negotiate(struct smb_request *req,
return;
}
gensec_want_feature((*auth_ntlmssp_state)->gensec_security, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(*gensec_security, GENSEC_FEATURE_SESSION_KEY);
status = auth_generic_start(*auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
status = gensec_start_mech_by_oid(*gensec_security, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@ -644,12 +644,12 @@ static void reply_spnego_negotiate(struct smb_request *req,
return;
}
status = gensec_update((*auth_ntlmssp_state)->gensec_security, talloc_tos(),
status = gensec_update(*gensec_security, talloc_tos(),
NULL, secblob, &chal);
data_blob_free(&secblob);
reply_spnego_ntlmssp(req, vuid, auth_ntlmssp_state,
reply_spnego_ntlmssp(req, vuid, gensec_security,
&chal, status, OID_NTLMSSP, true);
data_blob_free(&chal);
@ -665,7 +665,7 @@ static void reply_spnego_negotiate(struct smb_request *req,
static void reply_spnego_auth(struct smb_request *req,
uint16 vuid,
DATA_BLOB blob1,
struct auth_generic_state **auth_ntlmssp_state)
struct gensec_security **gensec_security)
{
DATA_BLOB auth = data_blob_null;
DATA_BLOB auth_reply = data_blob_null;
@ -736,9 +736,9 @@ static void reply_spnego_auth(struct smb_request *req,
/* If we get here it wasn't a negTokenTarg auth packet. */
data_blob_free(&secblob);
if (!*auth_ntlmssp_state) {
if (!*gensec_security) {
status = auth_generic_prepare(NULL, sconn->remote_address,
auth_ntlmssp_state);
gensec_security);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@ -746,9 +746,9 @@ static void reply_spnego_auth(struct smb_request *req,
return;
}
gensec_want_feature((*auth_ntlmssp_state)->gensec_security, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(*gensec_security, GENSEC_FEATURE_SESSION_KEY);
status = auth_generic_start(*auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
status = gensec_start_mech_by_oid(*gensec_security, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@ -757,7 +757,7 @@ static void reply_spnego_auth(struct smb_request *req,
}
}
status = gensec_update((*auth_ntlmssp_state)->gensec_security, talloc_tos(),
status = gensec_update(*gensec_security, talloc_tos(),
NULL, auth, &auth_reply);
data_blob_free(&auth);
@ -765,7 +765,7 @@ static void reply_spnego_auth(struct smb_request *req,
/* Don't send the mechid as we've already sent this (RFC4178). */
reply_spnego_ntlmssp(req, vuid,
auth_ntlmssp_state,
gensec_security,
&auth_reply, status, NULL, true);
data_blob_free(&auth_reply);
@ -1144,9 +1144,9 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
if (sconn->use_gensec_hook || ntlmssp_blob_matches_magic(&blob1)) {
DATA_BLOB chal;
if (!vuser->auth_ntlmssp_state) {
if (!vuser->gensec_security) {
status = auth_generic_prepare(vuser, sconn->remote_address,
&vuser->auth_ntlmssp_state);
&vuser->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@ -1155,12 +1155,12 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
return;
}
gensec_want_feature(vuser->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(vuser->gensec_security, GENSEC_FEATURE_SESSION_KEY);
if (sconn->use_gensec_hook) {
status = auth_generic_start(vuser->auth_ntlmssp_state, GENSEC_OID_SPNEGO);
status = gensec_start_mech_by_oid(vuser->gensec_security, GENSEC_OID_SPNEGO);
} else {
status = auth_generic_start(vuser->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
status = gensec_start_mech_by_oid(vuser->gensec_security, GENSEC_OID_NTLMSSP);
}
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
@ -1171,14 +1171,14 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
}
}
status = gensec_update(vuser->auth_ntlmssp_state->gensec_security,
status = gensec_update(vuser->gensec_security,
talloc_tos(), NULL,
blob1, &chal);
data_blob_free(&blob1);
reply_spnego_ntlmssp(req, vuid,
&vuser->auth_ntlmssp_state,
&vuser->gensec_security,
&chal, status, NULL, false);
data_blob_free(&chal);
return;
@ -1189,7 +1189,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
/* its a negTokenTarg packet */
reply_spnego_negotiate(req, vuid, blob1,
&vuser->auth_ntlmssp_state);
&vuser->gensec_security);
data_blob_free(&blob1);
return;
}
@ -1199,7 +1199,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
/* its a auth packet */
reply_spnego_auth(req, vuid, blob1,
&vuser->auth_ntlmssp_state);
&vuser->gensec_security);
data_blob_free(&blob1);
return;
}

40
source3/smbd/smb2_sesssetup.c
View File

@ -243,7 +243,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
status = NT_STATUS_NO_MEMORY;
goto fail;
}
session->compat_vuser->auth_ntlmssp_state = NULL;
session->compat_vuser->gensec_security = NULL;
session->compat_vuser->homes_snum = -1;
session->compat_vuser->session_info = session->session_info;
session->compat_vuser->session_keystr = NULL;
@ -341,7 +341,7 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
NTSTATUS status;
/* Ensure we have no old NTLM state around. */
TALLOC_FREE(session->auth_ntlmssp_state);
TALLOC_FREE(session->gensec_security);
status = parse_spnego_mechanisms(talloc_tos(), in_security_buffer,
&secblob_in, &kerb_mech);
@ -376,19 +376,19 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
} else {
/* Fall back to NTLMSSP. */
status = auth_generic_prepare(session, session->sconn->remote_address,
&session->auth_ntlmssp_state);
&session->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = gensec_update(session->auth_ntlmssp_state->gensec_security,
status = gensec_update(session->gensec_security,
talloc_tos(), NULL,
secblob_in,
&chal_out);
@ -453,7 +453,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
TALLOC_FREE(session);
return NT_STATUS_NO_MEMORY;
}
session->compat_vuser->auth_ntlmssp_state = session->auth_ntlmssp_state;
session->compat_vuser->gensec_security = session->gensec_security;
session->compat_vuser->homes_snum = -1;
session->compat_vuser->session_info = session->session_info;
session->compat_vuser->session_keystr = NULL;
@ -560,18 +560,18 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
data_blob_free(&secblob_in);
}
if (session->auth_ntlmssp_state == NULL) {
if (session->gensec_security == NULL) {
status = auth_generic_prepare(session, session->sconn->remote_address,
&session->auth_ntlmssp_state);
&session->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&auth);
TALLOC_FREE(session);
return status;
}
gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&auth);
TALLOC_FREE(session);
@ -579,14 +579,14 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
}
}
status = gensec_update(session->auth_ntlmssp_state->gensec_security,
status = gensec_update(session->gensec_security,
talloc_tos(), NULL,
auth,
&auth_out);
/* If status is NT_STATUS_OK then we need to get the token.
* Map to guest is now internal to auth_ntlmssp */
if (NT_STATUS_IS_OK(status)) {
status = gensec_session_info(session->auth_ntlmssp_state->gensec_security,
status = gensec_session_info(session->gensec_security,
session,
&session->session_info);
}
@ -635,20 +635,20 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
*out_security_buffer = data_blob_null;
if (session->auth_ntlmssp_state == NULL) {
if (session->gensec_security == NULL) {
status = auth_generic_prepare(session, session->sconn->remote_address,
&session->auth_ntlmssp_state);
&session->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
if (session->sconn->use_gensec_hook) {
status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_SPNEGO);
status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_SPNEGO);
} else {
status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP);
}
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
@ -657,7 +657,7 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
}
/* RAW NTLMSSP */
status = gensec_update(session->auth_ntlmssp_state->gensec_security,
status = gensec_update(session->gensec_security,
smb2req, NULL,
in_security_buffer,
out_security_buffer);
@ -667,7 +667,7 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
return status;
}
status = gensec_session_info(session->auth_ntlmssp_state->gensec_security,
status = gensec_session_info(session->gensec_security,
session,
&session->session_info);