summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-07-26 10:19:54 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-08-03 18:48:04 +1000
commit8b983d232648944c18fe878a3ace0f58658ec24d (patch)
tree02555b34ad4f949ea300edf4a244ed9e471e5e5f /source3/smbd
parent902df836807b700b2d27877f2fa5284930df3ff7 (diff)
downloadsamba-8b983d232648944c18fe878a3ace0f58658ec24d.tar.gz
samba-8b983d232648944c18fe878a3ace0f58658ec24d.tar.bz2
samba-8b983d232648944c18fe878a3ace0f58658ec24d.zip
s3-ntlmssp Split auth_ntlmssp_start into two functions
This helps map on to the GENSEC semantics better, and ensures that the full set of desired features are set before the mechanism starts. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/seal.c8
-rw-r--r--source3/smbd/sesssetup.c41
-rw-r--r--source3/smbd/smb2_sesssetup.c28
3 files changed, 67 insertions, 10 deletions
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index 12672681fe..979c97c38a 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -86,7 +86,7 @@ bool is_encrypted_packet(const uint8_t *inbuf)
static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address,
struct smb_srv_trans_enc_ctx *ec)
{
- NTSTATUS status = auth_ntlmssp_start(remote_address,
+ NTSTATUS status = auth_ntlmssp_prepare(remote_address,
&ec->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
return nt_status_squash(status);
@@ -94,6 +94,12 @@ static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address,
auth_ntlmssp_want_feature(ec->auth_ntlmssp_state, NTLMSSP_FEATURE_SEAL);
+ status = auth_ntlmssp_start(ec->auth_ntlmssp_state);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return nt_status_squash(status);
+ }
+
/*
* We must remember to update the pointer copy for the common
* functions after any auth_ntlmssp_start/auth_ntlmssp_end.
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 1eb4708994..20b31096b0 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -624,8 +624,8 @@ static void reply_spnego_negotiate(struct smb_request *req,
return;
}
- status = auth_ntlmssp_start(sconn->remote_address,
- auth_ntlmssp_state);
+ status = auth_ntlmssp_prepare(sconn->remote_address,
+ auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@@ -635,6 +635,14 @@ static void reply_spnego_negotiate(struct smb_request *req,
auth_ntlmssp_want_feature(*auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+ status = auth_ntlmssp_start(*auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* Kill the intermediate vuid */
+ invalidate_vuid(sconn, vuid);
+ reply_nterror(req, nt_status_squash(status));
+ return;
+ }
+
status = auth_ntlmssp_update(*auth_ntlmssp_state, talloc_tos(),
secblob, &chal);
@@ -728,8 +736,18 @@ static void reply_spnego_auth(struct smb_request *req,
data_blob_free(&secblob);
if (!*auth_ntlmssp_state) {
- status = auth_ntlmssp_start(sconn->remote_address,
- auth_ntlmssp_state);
+ status = auth_ntlmssp_prepare(sconn->remote_address,
+ auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* Kill the intermediate vuid */
+ invalidate_vuid(sconn, vuid);
+ reply_nterror(req, nt_status_squash(status));
+ return;
+ }
+
+ auth_ntlmssp_want_feature(*auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+ status = auth_ntlmssp_start(*auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@@ -1141,8 +1159,19 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
DATA_BLOB chal;
if (!vuser->auth_ntlmssp_state) {
- status = auth_ntlmssp_start(sconn->remote_address,
- &vuser->auth_ntlmssp_state);
+ status = auth_ntlmssp_prepare(sconn->remote_address,
+ &vuser->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* Kill the intermediate vuid */
+ invalidate_vuid(sconn, vuid);
+ data_blob_free(&blob1);
+ reply_nterror(req, nt_status_squash(status));
+ return;
+ }
+
+ auth_ntlmssp_want_feature(vuser->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+ status = auth_ntlmssp_start(vuser->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 40f98ce45f..7bc8692758 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -386,7 +386,7 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
/* Fall back to NTLMSSP. */
- status = auth_ntlmssp_start(session->sconn->remote_address,
+ status = auth_ntlmssp_prepare(session->sconn->remote_address,
&session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
goto out;
@@ -394,6 +394,11 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
talloc_tos(),
secblob_in,
@@ -577,13 +582,22 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
}
if (session->auth_ntlmssp_state == NULL) {
- status = auth_ntlmssp_start(session->sconn->remote_address,
+ status = auth_ntlmssp_prepare(session->sconn->remote_address,
&session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&auth);
TALLOC_FREE(session);
return status;
}
+
+ auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(&auth);
+ TALLOC_FREE(session);
+ return status;
+ }
}
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
@@ -642,12 +656,20 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
NTSTATUS status;
if (session->auth_ntlmssp_state == NULL) {
- status = auth_ntlmssp_start(session->sconn->remote_address,
+ status = auth_ntlmssp_prepare(session->sconn->remote_address,
&session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
+
+ auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(session);
+ return status;
+ }
}
/* RAW NTLMSSP */