author | Andreas Schneider <asn@samba.org> | 2011-06-15 11:15:06 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-07-04 18:28:00 +1000 |
commit | 45f70db01070cfb0cdfb6ae0e8ee64da2bf42fc0 (patch) | |
tree | ced1c978daa490107838a440c1fe4a475e0c36d0 | |
parent | 541f3cf639699d23b9a96e6c615027a5be4581a9 (diff) | |
s3-auth: Added remote_address to ntlmssp server.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source3/auth/auth_ntlmssp.c | 11 | ||||
-rw-r--r-- | source3/auth/proto.h | 3 | ||||
-rw-r--r-- | source3/include/ntlmssp_wrap.h | 1 | ||||
-rw-r--r-- | source3/librpc/crypto/spnego.h | 2 | ||||
-rw-r--r-- | source3/rpc_server/dcesrv_ntlmssp.c | 3 | ||||
-rw-r--r-- | source3/rpc_server/dcesrv_ntlmssp.h | 1 | ||||
-rw-r--r-- | source3/rpc_server/dcesrv_spnego.c | 16 | ||||
-rw-r--r-- | source3/rpc_server/dcesrv_spnego.h | 1 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 2 | ||||
-rw-r--r-- | source3/smbd/seal.c | 50 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 9 | ||||
-rw-r--r-- | source3/smbd/smb2_sesssetup.c | 9 |
12 files changed, 87 insertions, 21 deletions
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index ad08981d2f..54f7e6d5fc 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -26,6 +26,7 @@ #include "ntlmssp_wrap.h" #include "../librpc/gen_ndr/netlogon.h" #include "smbd/smbd.h" +#include "../lib/tsocket/tsocket.h" NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx, struct auth_ntlmssp_state *auth_ntlmssp_state, @@ -173,7 +174,8 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, static int auth_ntlmssp_state_destructor(void *ptr); -NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state) +NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address, + struct auth_ntlmssp_state **auth_ntlmssp_state) { NTSTATUS nt_status; bool is_standalone; @@ -205,6 +207,12 @@ NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state) return NT_STATUS_NO_MEMORY; } + ans->remote_address = tsocket_address_copy(remote_address, ans); + if (ans->remote_address == NULL) { + DEBUG(0,("auth_ntlmssp_start: talloc failed!\n")); + return NT_STATUS_NO_MEMORY; + } + nt_status = ntlmssp_server_start(ans, is_standalone, netbios_name, @@ -240,6 +248,7 @@ static int auth_ntlmssp_state_destructor(void *ptr) ans = talloc_get_type(ptr, struct auth_ntlmssp_state); + TALLOC_FREE(ans->remote_address); TALLOC_FREE(ans->server_info); TALLOC_FREE(ans->ntlmssp_state); return 0; diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 46846ac907..a4330155d1 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h 
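Review bot: In the `@@ -205,6 +207,12 @@` hunk of auth_ntlmssp.c the new early return after `tsocket_address_copy` leaves `ans` allocated; the allocation sits just above the hunk, and if it uses a NULL talloc parent (as the destructor registration suggests) every such failure leaks the state, so the error path should run `TALLOC_FREE(ans);` before `return NT_STATUS_NO_MEMORY;`. Separately, `tsocket_address_copy` in lib/tsocket dereferences its first argument (addr->ops) before it can return NULL, so the NULL test on the next line only covers allocation failure; a caller handing in a NULL remote_address — none of the callers in this commit visibly checks theirs — would crash instead of failing cleanly, and the "talloc failed!" message would mislead. Either guard it explicitly, `if (remote_address == NULL) { return NT_STATUS_INVALID_PARAMETER; }` ahead of the copy, or state the non-NULL precondition in a comment on the function. The identical pattern appears in `spnego_init_server` (dcesrv_spnego.c, hunk `@@ -35,6 +37,11 @@`) and needs the same treatment.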
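Review bot: The `TALLOC_FREE(ans->remote_address)` added to `auth_ntlmssp_state_destructor` is redundant: the copy is created with `ans` as its talloc parent in `auth_ntlmssp_start`, so it is released together with `ans` regardless. Keeping it is harmless and matches the neighbouring lines, but a reader may go looking for a separate owner; a one-line comment such as `/* talloc child of ans; explicit free only for clarity */` would settle that. The destructor's start lies outside the hunk.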
@@ -69,7 +69,8 @@ NTSTATUS auth_netlogond_init(void); NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx, struct auth_ntlmssp_state *auth_ntlmssp_state, struct auth_serversupplied_info **session_info); -NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state); +NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address, + struct auth_ntlmssp_state **auth_ntlmssp_state); /* The following definitions come from auth/auth_sam.c */ diff --git a/source3/include/ntlmssp_wrap.h b/source3/include/ntlmssp_wrap.h index ec97f58ed8..abe1e7a3b9 100644 --- a/source3/include/ntlmssp_wrap.h +++ b/source3/include/ntlmssp_wrap.h @@ -25,6 +25,7 @@ struct auth_ntlmssp_state { /* used only by server implementation */ struct auth_context *auth_context; struct auth_serversupplied_info *server_info; + struct tsocket_address *remote_address; /* used by both client and server implementation */ struct ntlmssp_state *ntlmssp_state; diff --git a/source3/librpc/crypto/spnego.h b/source3/librpc/crypto/spnego.h index 68d9243bb0..5e1a79b2af 100644 --- a/source3/librpc/crypto/spnego.h +++ b/source3/librpc/crypto/spnego.h @@ -48,6 +48,8 @@ struct spnego_context { bool do_sign; bool do_seal; bool is_dcerpc; + + struct tsocket_address *remote_address; }; NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx, diff --git a/source3/rpc_server/dcesrv_ntlmssp.c b/source3/rpc_server/dcesrv_ntlmssp.c index e43bba732b..8c9484649a 100644 --- a/source3/rpc_server/dcesrv_ntlmssp.c +++ b/source3/rpc_server/dcesrv_ntlmssp.c 
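Review bot: The new `remote_address` member of `struct spnego_context` in spnego.h carries no comment, yet the same struct backs the client path too (`spnego_gssapi_init_client` is declared right below it) and in this commit only `spnego_init_server` ever fills the field. Client-side contexts will therefore have it NULL, which a reader cannot tell from the declaration; a comment such as `/* server side only: talloc copy of the peer address, NULL for client contexts */` would document the contract. The struct's opening line is outside the hunk.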
@@ -30,12 +30,13 @@ NTSTATUS ntlmssp_server_auth_start(TALLOC_CTX *mem_ctx, bool is_dcerpc, DATA_BLOB *token_in, DATA_BLOB *token_out, + const struct tsocket_address *remote_address, struct auth_ntlmssp_state **ctx) { struct auth_ntlmssp_state *a = NULL; NTSTATUS status; - status = auth_ntlmssp_start(&a); + status = auth_ntlmssp_start(remote_address, &a); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n", nt_errstr(status))); diff --git a/source3/rpc_server/dcesrv_ntlmssp.h b/source3/rpc_server/dcesrv_ntlmssp.h index a21c512f9e..0c830f3da4 100644 --- a/source3/rpc_server/dcesrv_ntlmssp.h +++ b/source3/rpc_server/dcesrv_ntlmssp.h @@ -28,6 +28,7 @@ NTSTATUS ntlmssp_server_auth_start(TALLOC_CTX *mem_ctx, bool is_dcerpc, DATA_BLOB *token_in, DATA_BLOB *token_out, + const struct tsocket_address *remote_address, struct auth_ntlmssp_state **ctx); NTSTATUS ntlmssp_server_step(struct auth_ntlmssp_state *ctx, TALLOC_CTX *mem_ctx, diff --git a/source3/rpc_server/dcesrv_spnego.c b/source3/rpc_server/dcesrv_spnego.c index fb758e338b..515e59b7e8 100644 --- a/source3/rpc_server/dcesrv_spnego.c +++ b/source3/rpc_server/dcesrv_spnego.c @@ -19,6 +19,7 @@ #include "includes.h" #include "../libcli/auth/spnego.h" +#include "../lib/tsocket/tsocket.h" #include "dcesrv_ntlmssp.h" #include "dcesrv_gssapi.h" #include "dcesrv_spnego.h" @@ -26,6 +27,7 @@ static NTSTATUS spnego_init_server(TALLOC_CTX *mem_ctx, bool do_sign, bool do_seal, bool is_dcerpc, + const struct tsocket_address *remote_address, struct spnego_context **spnego_ctx) { struct spnego_context *sp_ctx = NULL; @@ -35,6 +37,11 @@ static NTSTATUS spnego_init_server(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } + sp_ctx->remote_address = tsocket_address_copy(remote_address, sp_ctx); + if (sp_ctx->remote_address == NULL) { + return NT_STATUS_NO_MEMORY; + } + sp_ctx->do_sign = do_sign; sp_ctx->do_seal = do_seal; sp_ctx->is_dcerpc = is_dcerpc; 
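Review bot: In the `@@ -35,6 +37,11 @@` hunk of dcesrv_spnego.c the new failure return leaves the freshly allocated `sp_ctx` hanging off `mem_ctx` (the allocation and its NULL check are the context lines immediately above), so a failed init keeps a half-built context alive for as long as the caller's memory context lives. `TALLOC_FREE(sp_ctx);` before `return NT_STATUS_NO_MEMORY;` keeps the error path clean and consistent with the function returning nothing useful. `spnego_init_server` continues past the end of the hunk.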
@@ -76,6 +83,7 @@ static NTSTATUS spnego_server_mech_init(struct spnego_context *sp_ctx, sp_ctx->is_dcerpc, token_in, token_out, + sp_ctx->remote_address, &ntlmssp_ctx); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to init ntlmssp server " @@ -210,6 +218,7 @@ NTSTATUS spnego_server_auth_start(TALLOC_CTX *mem_ctx, bool is_dcerpc, DATA_BLOB *spnego_in, DATA_BLOB *spnego_out, + const struct tsocket_address *remote_address, struct spnego_context **spnego_ctx) { struct spnego_context *sp_ctx; @@ -223,7 +232,12 @@ NTSTATUS spnego_server_auth_start(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - status = spnego_init_server(mem_ctx, do_sign, do_seal, is_dcerpc, &sp_ctx); + status = spnego_init_server(mem_ctx, + do_sign, + do_seal, + is_dcerpc, + remote_address, + &sp_ctx); if (!NT_STATUS_IS_OK(status)) { return status; } diff --git a/source3/rpc_server/dcesrv_spnego.h b/source3/rpc_server/dcesrv_spnego.h index eeb865d805..e6187f64f4 100644 --- a/source3/rpc_server/dcesrv_spnego.h +++ b/source3/rpc_server/dcesrv_spnego.h @@ -28,6 +28,7 @@ NTSTATUS spnego_server_auth_start(TALLOC_CTX *mem_ctx, bool is_dcerpc, DATA_BLOB *spnego_in, DATA_BLOB *spnego_out, + const struct tsocket_address *remote_address, struct spnego_context **spnego_ctx); NTSTATUS spnego_server_step(struct spnego_context *sp_ctx, TALLOC_CTX *mem_ctx, diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index fc08d56b1e..2504ac20b3 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -442,6 +442,7 @@ static bool pipe_spnego_auth_bind(struct pipes_struct *p, true, &auth_info->credentials, response, + p->remote_address, &spnego_ctx); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed SPNEGO negotiate (%s)\n", 
@@ -596,6 +597,7 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p, true, &auth_info->credentials, response, + p->remote_address, &ntlmssp_state); if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) { DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n", diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c index 26185062a6..f1c0f9cf3b 100644 --- a/source3/smbd/seal.c +++ b/source3/smbd/seal.c @@ -27,6 +27,7 @@ #include "../lib/util/asn1.h" #include "auth.h" #include "libsmb/libsmb.h" +#include "../lib/tsocket/tsocket.h" /****************************************************************************** Server side encryption. @@ -82,9 +83,11 @@ bool is_encrypted_packet(const uint8_t *inbuf) Create an auth_ntlmssp_state and ensure pointer copy is correct. ******************************************************************************/ -static NTSTATUS make_auth_ntlmssp(struct smb_srv_trans_enc_ctx *ec) +static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address, + struct smb_srv_trans_enc_ctx *ec) { - NTSTATUS status = auth_ntlmssp_start(&ec->auth_ntlmssp_state); + NTSTATUS status = auth_ntlmssp_start(remote_address, + &ec->auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { return nt_status_squash(status); } @@ -256,7 +259,9 @@ static void srv_free_encryption_context(struct smb_srv_trans_enc_ctx **pp_ec) Create a server encryption context. ******************************************************************************/ -static NTSTATUS make_srv_encryption_context(enum smb_trans_enc_type smb_enc_type, struct smb_srv_trans_enc_ctx **pp_ec) +static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote_address, + enum smb_trans_enc_type smb_enc_type, + struct smb_srv_trans_enc_ctx **pp_ec) { struct smb_srv_trans_enc_ctx *ec; 
@@ -277,7 +282,8 @@ static NTSTATUS make_srv_encryption_context(enum smb_trans_enc_type smb_enc_type switch (smb_enc_type) { case SMB_TRANS_ENC_NTLM: { - NTSTATUS status = make_auth_ntlmssp(ec); + NTSTATUS status = make_auth_ntlmssp(remote_address, + ec); if (!NT_STATUS_IS_OK(status)) { srv_free_encryption_context(&ec); return status; @@ -368,7 +374,10 @@ NTSTATUS srv_encrypt_buffer(char *buf, char **buf_out) ******************************************************************************/ #if defined(HAVE_GSSAPI) && defined(HAVE_KRB5) -static NTSTATUS srv_enc_spnego_gss_negotiate(unsigned char **ppdata, size_t *p_data_size, DATA_BLOB secblob) +static NTSTATUS srv_enc_spnego_gss_negotiate(const struct tsocket_address *remote_address, + unsigned char **ppdata, + size_t *p_data_size, + DATA_BLOB secblob) { OM_uint32 ret; OM_uint32 min; @@ -380,7 +389,9 @@ static NTSTATUS srv_enc_spnego_gss_negotiate(unsigned char **ppdata, size_t *p_d NTSTATUS status; if (!partial_srv_trans_enc_ctx) { - status = make_srv_encryption_context(SMB_TRANS_ENC_GSS, &partial_srv_trans_enc_ctx); + status = make_srv_encryption_context(remote_address, + SMB_TRANS_ENC_GSS, + &partial_srv_trans_enc_ctx); if (!NT_STATUS_IS_OK(status)) { return status; } 
@@ -450,13 +461,19 @@ static NTSTATUS srv_enc_spnego_gss_negotiate(unsigned char **ppdata, size_t *p_d Until success we do everything on the partial enc ctx. ******************************************************************************/ -static NTSTATUS srv_enc_ntlm_negotiate(unsigned char **ppdata, size_t *p_data_size, DATA_BLOB secblob, bool spnego_wrap) +static NTSTATUS srv_enc_ntlm_negotiate(const struct tsocket_address *remote_address, + unsigned char **ppdata, + size_t *p_data_size, + DATA_BLOB secblob, + bool spnego_wrap) { NTSTATUS status; DATA_BLOB chal = data_blob_null; DATA_BLOB response = data_blob_null; - status = make_srv_encryption_context(SMB_TRANS_ENC_NTLM, &partial_srv_trans_enc_ctx); + status = make_srv_encryption_context(remote_address, + SMB_TRANS_ENC_NTLM, + &partial_srv_trans_enc_ctx); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -517,14 +534,21 @@ static NTSTATUS srv_enc_spnego_negotiate(connection_struct *conn, TALLOC_FREE(kerb_mech); #if defined(HAVE_GSSAPI) && defined(HAVE_KRB5) - status = srv_enc_spnego_gss_negotiate(ppdata, p_data_size, secblob); + status = srv_enc_spnego_gss_negotiate(conn->sconn->remote_address, + ppdata, + p_data_size, + secblob); #else /* Currently we don't SPNEGO negotiate * back to NTLMSSP as we do in sessionsetupX. We should... */ return NT_STATUS_LOGON_FAILURE; #endif } else { - status = srv_enc_ntlm_negotiate(ppdata, p_data_size, secblob, true); + status = srv_enc_ntlm_negotiate(conn->sconn->remote_address, + ppdata, + p_data_size, + secblob, + true); } data_blob_free(&secblob); 
@@ -628,7 +652,11 @@ static NTSTATUS srv_enc_raw_ntlm_auth(connection_struct *conn, if (!partial_srv_trans_enc_ctx) { /* This is the initial step. */ - status = srv_enc_ntlm_negotiate(ppdata, p_data_size, blob, false); + status = srv_enc_ntlm_negotiate(conn->sconn->remote_address, + ppdata, + p_data_size, + blob, + false); if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) { srv_free_encryption_context(&partial_srv_trans_enc_ctx); return nt_status_squash(status); diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index dda4ef296e..7d111e3219 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -662,7 +662,8 @@ static void reply_spnego_negotiate(struct smb_request *req, return; } - status = auth_ntlmssp_start(auth_ntlmssp_state); + status = auth_ntlmssp_start(sconn->remote_address, + auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ invalidate_vuid(sconn, vuid); @@ -763,7 +764,8 @@ static void reply_spnego_auth(struct smb_request *req, data_blob_free(&secblob); if (!*auth_ntlmssp_state) { - status = auth_ntlmssp_start(auth_ntlmssp_state); + status = auth_ntlmssp_start(sconn->remote_address, + auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ invalidate_vuid(sconn, vuid); @@ -1175,7 +1177,8 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) DATA_BLOB chal; if (!vuser->auth_ntlmssp_state) { - status = auth_ntlmssp_start(&vuser->auth_ntlmssp_state); + status = auth_ntlmssp_start(sconn->remote_address, + &vuser->auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ invalidate_vuid(sconn, vuid); diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index c33d1c61be..13dfff0853 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c 
@@ -404,7 +404,8 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session, status = NT_STATUS_MORE_PROCESSING_REQUIRED; } else { /* Fall back to NTLMSSP. */ - status = auth_ntlmssp_start(&session->auth_ntlmssp_state); + status = auth_ntlmssp_start(session->sconn->remote_address, + &session->auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { goto out; } @@ -591,7 +592,8 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session, } if (session->auth_ntlmssp_state == NULL) { - status = auth_ntlmssp_start(&session->auth_ntlmssp_state); + status = auth_ntlmssp_start(session->sconn->remote_address, + &session->auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { data_blob_free(&auth); TALLOC_FREE(session); @@ -655,7 +657,8 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session, DATA_BLOB secblob_out = data_blob_null; if (session->auth_ntlmssp_state == NULL) { - status = auth_ntlmssp_start(&session->auth_ntlmssp_state); + status = auth_ntlmssp_start(session->sconn->remote_address, + &session->auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(session); return status; |