s3:auth Make AUTH_NTLMSSP_STATE a private structure.

This makes it a little easier for it to writen in terms of GENSEC in future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>

3 files changed, 28 insertions, 38 deletions

diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index 700d7ea02e..4662507c90 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -85,7 +85,7 @@ static NTSTATUS make_auth_ntlmssp(struct smb_srv_trans_enc_ctx *ec)
 	 * We must remember to update the pointer copy for the common
 	 * functions after any auth_ntlmssp_start/auth_ntlmssp_end.
 	 */
-	ec->es->s.ntlmssp_state = ec->auth_ntlmssp_state->ntlmssp_state;
+	ec->es->s.ntlmssp_state = auth_ntlmssp_get_ntlmssp_state(ec->auth_ntlmssp_state);
 	return status;
 }
 
@@ -710,8 +710,11 @@ static NTSTATUS check_enc_good(struct smb_srv_trans_enc_ctx *ec)
 	}
 
 	if (ec->es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
-		if ((ec->es->s.ntlmssp_state->neg_flags & (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) !=
-				(NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL)) {
+		if (!auth_ntlmssp_negotiated_sign((ec->auth_ntlmssp_state))) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+
+		if (!auth_ntlmssp_negotiated_seal((ec->auth_ntlmssp_state))) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 	}
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 9d0c68512c..ec82406349 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -634,12 +634,16 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 	struct smbd_server_connection *sconn = smbd_server_conn;
 
 	if (NT_STATUS_IS_OK(nt_status)) {
-		server_info = (*auth_ntlmssp_state)->server_info;
+		server_info = auth_ntlmssp_server_info(talloc_tos(), (*auth_ntlmssp_state));
 	} else {
+		/* Note that this server_info won't have a session
+		 * key.  But for map to guest, that's exactly the right
+		 * thing - we can't reasonably guess the key the
+		 * client wants, as the password was wrong */
 		nt_status = do_map_to_guest(nt_status,
-			    &server_info,
-			    (*auth_ntlmssp_state)->ntlmssp_state->user,
-			    (*auth_ntlmssp_state)->ntlmssp_state->domain);
+					    &server_info,
+					    auth_ntlmssp_get_username(*auth_ntlmssp_state),
+					    auth_ntlmssp_get_domain(*auth_ntlmssp_state));
 	}
 
 	reply_outbuf(req, 4, 0);
@@ -654,24 +658,15 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 			goto out;
 		}
 
-		data_blob_free(&server_info->user_session_key);
-		server_info->user_session_key =
-			data_blob_talloc(
-			server_info,
-			(*auth_ntlmssp_state)->ntlmssp_state->session_key.data,
-			(*auth_ntlmssp_state)->ntlmssp_state->session_key.length);
-
 		/* register_existing_vuid keeps the server info */
 		if (register_existing_vuid(sconn, vuid,
-				server_info, nullblob,
-				(*auth_ntlmssp_state)->ntlmssp_state->user) !=
-					vuid) {
+					   server_info, nullblob,
+					   auth_ntlmssp_get_username(*auth_ntlmssp_state)) !=
+					   vuid) {
 			nt_status = NT_STATUS_LOGON_FAILURE;
 			goto out;
 		}
 
-		(*auth_ntlmssp_state)->server_info = NULL;
-
 		/* current_user_info is changed on new vuid */
 		reload_services( True );
 
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index d8972156a1..b659f2e2ef 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -605,13 +605,19 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
 					uint64_t *out_session_id)
 {
 	fstring tmp;
+	session->server_info = auth_ntlmssp_server_info(session, session->auth_ntlmssp_state);
+	if (!session->server_info) {
+		auth_ntlmssp_end(&session->auth_ntlmssp_state);
+		TALLOC_FREE(session);
+		return NT_STATUS_NO_MEMORY;
+	}
 
 	if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
 	    lp_server_signing() == Required) {
 		session->do_signing = true;
 	}
 
-	if (session->auth_ntlmssp_state->server_info->guest) {
+	if (session->server_info->guest) {
 		/* we map anonymous to guest internally */
 		*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
 		*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
@@ -619,20 +625,6 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
 		session->do_signing = false;
 	}
 
-	session->server_info = session->auth_ntlmssp_state->server_info;
-	data_blob_free(&session->server_info->user_session_key);
-	session->server_info->user_session_key =
-		data_blob_talloc(
-			session->server_info,
-			session->auth_ntlmssp_state->ntlmssp_state->session_key.data,
-			session->auth_ntlmssp_state->ntlmssp_state->session_key.length);
-	if (session->auth_ntlmssp_state->ntlmssp_state->session_key.length > 0) {
-		if (session->server_info->user_session_key.data == NULL) {
-			auth_ntlmssp_end(&session->auth_ntlmssp_state);
-			TALLOC_FREE(session);
-			return NT_STATUS_NO_MEMORY;
-		}
-	}
 	session->session_key = session->server_info->user_session_key;
 
 	session->compat_vuser = talloc_zero(session, user_struct);
@@ -650,11 +642,11 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
 
 	/* This is a potentially untrusted username */
 	alpha_strcpy(tmp,
-		session->auth_ntlmssp_state->ntlmssp_state->user,
-		". _-$",
-		sizeof(tmp));
+		     auth_ntlmssp_get_username(session->auth_ntlmssp_state),
+		     ". _-$",
+		     sizeof(tmp));
 	session->server_info->sanitized_username = talloc_strdup(
-			session->server_info, tmp);
+		session->server_info, tmp);
 
 	if (!session->compat_vuser->server_info->guest) {
 		session->compat_vuser->homes_snum =