authorAndrew Bartlett <abartlet@samba.org>2011-12-26 14:23:15 +1100
committerStefan Metzmacher <metze@samba.org>2012-01-05 17:17:28 +0100
commit3042e38d519411e774e110b16a2eeeaef4b25a65 (patch)
treee8586dd2c248ad1091c36d52bf69e031201bd0f4 /source3/smbd
parent0c0c23f3fe6f7c55d69d6ca19f8252b12aa8fe5a (diff)
s3-auth use gensec directly rather than via auth_generic_state
This is possible because the s3 gensec modules are started as normal gensec modules, so we do not need a wrapper any more. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/globals.h2
-rw-r--r--source3/smbd/negprot.c10
-rw-r--r--source3/smbd/password.c4
-rw-r--r--source3/smbd/seal.c15
-rw-r--r--source3/smbd/sesssetup.c54
-rw-r--r--source3/smbd/smb2_sesssetup.c40
6 files changed, 62 insertions, 63 deletions
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 631298b155..44a76c4fb3 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -410,7 +410,7 @@ struct smbd_smb2_session {
struct smbd_server_connection *sconn;
NTSTATUS status;
uint64_t vuid;
- struct auth_generic_state *auth_ntlmssp_state;
+ struct gensec_security *gensec_security;
struct auth_session_info *session_info;
DATA_BLOB session_key;
bool do_signing;
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 0a06e4a3d7..66da049bda 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -199,18 +199,18 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
OID_NTLMSSP,
NULL};
const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL};
- struct auth_generic_state *auth_ntlmssp_state;
+ struct gensec_security *gensec_security;
sconn->use_gensec_hook = false;
/* See if we can get an SPNEGO blob out of the gensec hook (if auth_samba4 is loaded) */
status = auth_generic_prepare(talloc_tos(),
sconn->remote_address,
- &auth_ntlmssp_state);
+ &gensec_security);
if (NT_STATUS_IS_OK(status)) {
- status = auth_generic_start(auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+ status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
if (NT_STATUS_IS_OK(status)) {
- status = gensec_update(auth_ntlmssp_state->gensec_security, ctx,
+ status = gensec_update(gensec_security, ctx,
NULL, data_blob_null, &blob);
/* If we get the list of OIDs, the 'OK' answer
* is NT_STATUS_MORE_PROCESSING_REQUIRED */
@@ -218,7 +218,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
sconn->use_gensec_hook = true;
}
}
- TALLOC_FREE(auth_ntlmssp_state);
+ TALLOC_FREE(gensec_security);
}
sconn->smb1.negprot.spnego = true;
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 7ccf2ea327..9df99ef6b1 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -124,8 +124,8 @@ void invalidate_vuid(struct smbd_server_connection *sconn, uint16 vuid)
session_yield(vuser);
- if (vuser->auth_ntlmssp_state) {
- TALLOC_FREE(vuser->auth_ntlmssp_state);
+ if (vuser->gensec_security) {
+ TALLOC_FREE(vuser->gensec_security);
}
DLIST_REMOVE(sconn->smb1.sessions.validated_users, vuser);
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index a609a3bad3..4393c1b27c 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -73,33 +73,32 @@ bool is_encrypted_packet(struct smbd_server_connection *sconn,
}
/******************************************************************************
- Create an auth_ntlmssp_state and ensure pointer copy is correct.
+ Create an gensec_security and ensure pointer copy is correct.
******************************************************************************/
static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address,
struct smb_trans_enc_state *es)
{
- struct auth_generic_state *auth_ntlmssp_state;
+ struct gensec_security *gensec_security;
NTSTATUS status = auth_generic_prepare(NULL, remote_address,
- &auth_ntlmssp_state);
+ &gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return nt_status_squash(status);
}
- gensec_want_feature(auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SEAL);
+ gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
- status = auth_generic_start(auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+ status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(auth_ntlmssp_state);
+ TALLOC_FREE(gensec_security);
return nt_status_squash(status);
}
/* We do not need the auth_ntlmssp layer any more, which was
* allocated on NULL, so promote gensec_security to the NULL
* context */
- es->s.gensec_security = talloc_move(NULL, &auth_ntlmssp_state->gensec_security);
- TALLOC_FREE(auth_ntlmssp_state);
+ es->s.gensec_security = gensec_security;
return status;
}
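Review bot: The comment just above the final assignment in make_auth_ntlmssp still describes promoting gensec_security out of an auth_ntlmssp layer with talloc_move, but the new code only copies the pointer, so the comment no longer matches what happens. Because auth_generic_prepare is called with a NULL context here, I would replace it with `/* gensec_security was allocated on the NULL context; es stores the pointer but is not its talloc parent. */` so the ownership is stated explicitly, and confirm that the teardown of es frees it (not visible in this hunk). The header comment should also read `Create a gensec_security`, and the function name make_auth_ntlmssp is now a misnomer that a follow-up could rename.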
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index a15afd5e35..f1672ab1ad 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -420,7 +420,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
static void reply_spnego_ntlmssp(struct smb_request *req,
uint16 vuid,
- struct auth_generic_state **auth_ntlmssp_state,
+ struct gensec_security **gensec_security,
DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status,
const char *OID,
bool wrap)
@@ -431,7 +431,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
struct smbd_server_connection *sconn = req->sconn;
if (NT_STATUS_IS_OK(nt_status)) {
- nt_status = gensec_session_info((*auth_ntlmssp_state)->gensec_security,
+ nt_status = gensec_session_info(*gensec_security,
talloc_tos(),
&session_info);
}
@@ -452,7 +452,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
if (register_existing_vuid(sconn, vuid,
session_info, nullblob) !=
vuid) {
- /* The problem is, *auth_ntlmssp_state points
+ /* The problem is, *gensec_security points
* into the vuser this will have
* talloc_free()'ed in
* register_existing_vuid() */
@@ -492,7 +492,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
/* NB. This is *NOT* an error case. JRA */
if (do_invalidate) {
- TALLOC_FREE(*auth_ntlmssp_state);
+ TALLOC_FREE(*gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@@ -578,7 +578,7 @@ static void reply_spnego_downgrade_to_ntlmssp(struct smb_request *req,
static void reply_spnego_negotiate(struct smb_request *req,
uint16 vuid,
DATA_BLOB blob1,
- struct auth_generic_state **auth_ntlmssp_state)
+ struct gensec_security **gensec_security)
{
DATA_BLOB secblob;
DATA_BLOB chal;
@@ -614,7 +614,7 @@ static void reply_spnego_negotiate(struct smb_request *req,
}
#endif
- TALLOC_FREE(*auth_ntlmssp_state);
+ TALLOC_FREE(*gensec_security);
if (kerb_mech) {
data_blob_free(&secblob);
@@ -626,7 +626,7 @@ static void reply_spnego_negotiate(struct smb_request *req,
}
status = auth_generic_prepare(NULL, sconn->remote_address,
- auth_ntlmssp_state);
+ gensec_security);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
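Review bot: auth_generic_prepare is called with a NULL talloc context here while the result is stored through gensec_security, which the caller passes as `&vuser->gensec_security` (see the reply_sesssetup_and_X_spnego hunks below); the auth_generic_prepare call in reply_spnego_auth follows the same pattern. The reply_sesssetup_and_X_spnego path instead allocates on vuser, so only there does freeing the vuser also release the security context; on these two paths it survives unless invalidate_vuid runs, and the comment in reply_spnego_ntlmssp notes that register_existing_vuid can free the vuser by another route. If that difference is not intended, a `talloc_steal` onto the owning vuser once the prepare succeeds, or passing the vuser as the context, would make the lifetime uniform; the vuser is not visible in this function, so this is inferred from the hunks rather than confirmed. reply_spnego_negotiate continues outside the hunk.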
@@ -634,9 +634,9 @@ static void reply_spnego_negotiate(struct smb_request *req,
return;
}
- gensec_want_feature((*auth_ntlmssp_state)->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(*gensec_security, GENSEC_FEATURE_SESSION_KEY);
- status = auth_generic_start(*auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+ status = gensec_start_mech_by_oid(*gensec_security, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@@ -644,12 +644,12 @@ static void reply_spnego_negotiate(struct smb_request *req,
return;
}
- status = gensec_update((*auth_ntlmssp_state)->gensec_security, talloc_tos(),
+ status = gensec_update(*gensec_security, talloc_tos(),
NULL, secblob, &chal);
data_blob_free(&secblob);
- reply_spnego_ntlmssp(req, vuid, auth_ntlmssp_state,
+ reply_spnego_ntlmssp(req, vuid, gensec_security,
&chal, status, OID_NTLMSSP, true);
data_blob_free(&chal);
@@ -665,7 +665,7 @@ static void reply_spnego_negotiate(struct smb_request *req,
static void reply_spnego_auth(struct smb_request *req,
uint16 vuid,
DATA_BLOB blob1,
- struct auth_generic_state **auth_ntlmssp_state)
+ struct gensec_security **gensec_security)
{
DATA_BLOB auth = data_blob_null;
DATA_BLOB auth_reply = data_blob_null;
@@ -736,9 +736,9 @@ static void reply_spnego_auth(struct smb_request *req,
/* If we get here it wasn't a negTokenTarg auth packet. */
data_blob_free(&secblob);
- if (!*auth_ntlmssp_state) {
+ if (!*gensec_security) {
status = auth_generic_prepare(NULL, sconn->remote_address,
- auth_ntlmssp_state);
+ gensec_security);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@@ -746,9 +746,9 @@ static void reply_spnego_auth(struct smb_request *req,
return;
}
- gensec_want_feature((*auth_ntlmssp_state)->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(*gensec_security, GENSEC_FEATURE_SESSION_KEY);
- status = auth_generic_start(*auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+ status = gensec_start_mech_by_oid(*gensec_security, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@@ -757,7 +757,7 @@ static void reply_spnego_auth(struct smb_request *req,
}
}
- status = gensec_update((*auth_ntlmssp_state)->gensec_security, talloc_tos(),
+ status = gensec_update(*gensec_security, talloc_tos(),
NULL, auth, &auth_reply);
data_blob_free(&auth);
@@ -765,7 +765,7 @@ static void reply_spnego_auth(struct smb_request *req,
/* Don't send the mechid as we've already sent this (RFC4178). */
reply_spnego_ntlmssp(req, vuid,
- auth_ntlmssp_state,
+ gensec_security,
&auth_reply, status, NULL, true);
data_blob_free(&auth_reply);
@@ -1144,9 +1144,9 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
if (sconn->use_gensec_hook || ntlmssp_blob_matches_magic(&blob1)) {
DATA_BLOB chal;
- if (!vuser->auth_ntlmssp_state) {
+ if (!vuser->gensec_security) {
status = auth_generic_prepare(vuser, sconn->remote_address,
- &vuser->auth_ntlmssp_state);
+ &vuser->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@@ -1155,12 +1155,12 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
return;
}
- gensec_want_feature(vuser->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(vuser->gensec_security, GENSEC_FEATURE_SESSION_KEY);
if (sconn->use_gensec_hook) {
- status = auth_generic_start(vuser->auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+ status = gensec_start_mech_by_oid(vuser->gensec_security, GENSEC_OID_SPNEGO);
} else {
- status = auth_generic_start(vuser->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+ status = gensec_start_mech_by_oid(vuser->gensec_security, GENSEC_OID_NTLMSSP);
}
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
@@ -1171,14 +1171,14 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
}
}
- status = gensec_update(vuser->auth_ntlmssp_state->gensec_security,
+ status = gensec_update(vuser->gensec_security,
talloc_tos(), NULL,
blob1, &chal);
data_blob_free(&blob1);
reply_spnego_ntlmssp(req, vuid,
- &vuser->auth_ntlmssp_state,
+ &vuser->gensec_security,
&chal, status, NULL, false);
data_blob_free(&chal);
return;
@@ -1189,7 +1189,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
/* its a negTokenTarg packet */
reply_spnego_negotiate(req, vuid, blob1,
- &vuser->auth_ntlmssp_state);
+ &vuser->gensec_security);
data_blob_free(&blob1);
return;
}
@@ -1199,7 +1199,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
/* its a auth packet */
reply_spnego_auth(req, vuid, blob1,
- &vuser->auth_ntlmssp_state);
+ &vuser->gensec_security);
data_blob_free(&blob1);
return;
}
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 0a9edbc273..3878b76820 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -243,7 +243,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
status = NT_STATUS_NO_MEMORY;
goto fail;
}
- session->compat_vuser->auth_ntlmssp_state = NULL;
+ session->compat_vuser->gensec_security = NULL;
session->compat_vuser->homes_snum = -1;
session->compat_vuser->session_info = session->session_info;
session->compat_vuser->session_keystr = NULL;
@@ -341,7 +341,7 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
NTSTATUS status;
/* Ensure we have no old NTLM state around. */
- TALLOC_FREE(session->auth_ntlmssp_state);
+ TALLOC_FREE(session->gensec_security);
status = parse_spnego_mechanisms(talloc_tos(), in_security_buffer,
&secblob_in, &kerb_mech);
@@ -376,19 +376,19 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
} else {
/* Fall back to NTLMSSP. */
status = auth_generic_prepare(session, session->sconn->remote_address,
- &session->auth_ntlmssp_state);
+ &session->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
- gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
- status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+ status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
- status = gensec_update(session->auth_ntlmssp_state->gensec_security,
+ status = gensec_update(session->gensec_security,
talloc_tos(), NULL,
secblob_in,
&chal_out);
@@ -453,7 +453,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
TALLOC_FREE(session);
return NT_STATUS_NO_MEMORY;
}
- session->compat_vuser->auth_ntlmssp_state = session->auth_ntlmssp_state;
+ session->compat_vuser->gensec_security = session->gensec_security;
session->compat_vuser->homes_snum = -1;
session->compat_vuser->session_info = session->session_info;
session->compat_vuser->session_keystr = NULL;
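Review bot: After this assignment session->gensec_security and session->compat_vuser->gensec_security alias one talloc object that is parented on session (see the auth_generic_prepare calls in the hunks below), while the commit keeps two independent TALLOC_FREE sites for it: session->gensec_security in smbd_smb2_spnego_negotiate and vuser->gensec_security in invalidate_vuid. Whichever of those runs second operates on a dangling pointer unless something clears the other copy first; that ordering is not visible in these hunks, so I raise it as something to confirm rather than a known defect. If compat_vuser is meant to hold a non-owning view, a comment such as `/* compat_vuser borrows session->gensec_security; session owns and frees it */` together with NULLing the vuser copy when the session is torn down would make that explicit. smbd_smb2_common_ntlmssp_auth_return continues outside the hunk.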
@@ -560,18 +560,18 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
data_blob_free(&secblob_in);
}
- if (session->auth_ntlmssp_state == NULL) {
+ if (session->gensec_security == NULL) {
status = auth_generic_prepare(session, session->sconn->remote_address,
- &session->auth_ntlmssp_state);
+ &session->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&auth);
TALLOC_FREE(session);
return status;
}
- gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
- status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+ status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&auth);
TALLOC_FREE(session);
@@ -579,14 +579,14 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
}
}
- status = gensec_update(session->auth_ntlmssp_state->gensec_security,
+ status = gensec_update(session->gensec_security,
talloc_tos(), NULL,
auth,
&auth_out);
/* If status is NT_STATUS_OK then we need to get the token.
* Map to guest is now internal to auth_ntlmssp */
if (NT_STATUS_IS_OK(status)) {
- status = gensec_session_info(session->auth_ntlmssp_state->gensec_security,
+ status = gensec_session_info(session->gensec_security,
session,
&session->session_info);
}
@@ -635,20 +635,20 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
*out_security_buffer = data_blob_null;
- if (session->auth_ntlmssp_state == NULL) {
+ if (session->gensec_security == NULL) {
status = auth_generic_prepare(session, session->sconn->remote_address,
- &session->auth_ntlmssp_state);
+ &session->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
- gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
if (session->sconn->use_gensec_hook) {
- status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+ status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_SPNEGO);
} else {
- status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+ status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP);
}
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
@@ -657,7 +657,7 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
}
/* RAW NTLMSSP */
- status = gensec_update(session->auth_ntlmssp_state->gensec_security,
+ status = gensec_update(session->gensec_security,
smb2req, NULL,
in_security_buffer,
out_security_buffer);
@@ -667,7 +667,7 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
return status;
}
- status = gensec_session_info(session->auth_ntlmssp_state->gensec_security,
+ status = gensec_session_info(session->gensec_security,
session,
&session->session_info);