s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.c

Guenther

8 files changed, 38 insertions, 36 deletions

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 70df694b1e..0e0aa01f4d 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -189,7 +189,6 @@ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, struct ldb_context *sam_
 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
 					   struct loadparm_context *lp_ctx,
 					   struct auth_session_info **_session_info) ;
-NTSTATUS auth_nt_status_squash(NTSTATUS nt_status);
 
 NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods,
 				     struct tevent_context *ev,
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index ad581e2fa5..3c5257c195 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -274,7 +274,7 @@ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
 			     struct gensec_security **gensec_security);
 NTSTATUS gensec_session_info(struct gensec_security *gensec_security, 
 			     struct auth_session_info **session_info);
-NTSTATUS auth_nt_status_squash(NTSTATUS nt_status);
+NTSTATUS nt_status_squash(NTSTATUS nt_status);
 struct netlogon_creds_CredentialState;
 NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
 			       TALLOC_CTX *mem_ctx,
diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c
index 605cd980c6..d6b53dd4c5 100644
--- a/source4/auth/ntlm/auth_util.c
+++ b/source4/auth/ntlm/auth_util.c
@@ -231,27 +231,3 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_contex
 
 	return NT_STATUS_OK;
 }
-
-
-/**
- * Squash an NT_STATUS in line with security requirements.
- * In an attempt to avoid giving the whole game away when users
- * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and 
- * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations 
- * (session setups in particular).
- *
- * @param nt_status NTSTATUS input for squashing.
- * @return the 'squashed' nt_status
- **/
-_PUBLIC_ NTSTATUS auth_nt_status_squash(NTSTATUS nt_status)
-{
-	if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
-		/* Match WinXP and don't give the game away */
-		return NT_STATUS_LOGON_FAILURE;
-	} else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
-		/* Match WinXP and don't give the game away */
-		return NT_STATUS_LOGON_FAILURE;
-	}
-
-	return nt_status;
-}
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 0f3d0631d0..105e64078f 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -81,7 +81,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 			errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status));
 		}
 	} else {
-		status = auth_nt_status_squash(status);
+		status = nt_status_squash(status);
 
 		result = LDAP_INVALID_CREDENTIALS;
 		errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status));
@@ -311,7 +311,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 		talloc_unlink(conn, conn->gensec);
 		conn->gensec = NULL;
 	} else {
-		status = auth_nt_status_squash(status);
+		status = nt_status_squash(status);
 		if (result == 0) {
 			result = LDAP_INVALID_CREDENTIALS;
 			errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status));
diff --git a/source4/libcli/util/nterr.c b/source4/libcli/util/nterr.c
index cb0c081602..ca998bbf6f 100644
--- a/source4/libcli/util/nterr.c
+++ b/source4/libcli/util/nterr.c
@@ -929,3 +929,30 @@ NTSTATUS nt_status_string_to_code(const char *nt_status_str)
 	}
 	return NT_STATUS_UNSUCCESSFUL;
 }
+
+/**
+ * Squash an NT_STATUS in line with security requirements.
+ * In an attempt to avoid giving the whole game away when users
+ * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and
+ * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations
+ * (session setups in particular).
+ *
+ * @param nt_status NTSTATUS input for squashing.
+ * @return the 'squashed' nt_status
+ **/
+
+NTSTATUS nt_status_squash(NTSTATUS nt_status)
+{
+	if NT_STATUS_IS_OK(nt_status) {
+		return nt_status;
+	} else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
+		/* Match WinXP and don't give the game away */
+		return NT_STATUS_LOGON_FAILURE;
+
+	} else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
+		/* Match WinXP and don't give the game away */
+		return NT_STATUS_LOGON_FAILURE;
+	} else {
+		return nt_status;
+	}
+}
diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
index 5e4e3e514f..c4efe3919c 100644
--- a/source4/smb_server/smb/sesssetup.c
+++ b/source4/smb_server/smb/sesssetup.c
@@ -106,7 +106,7 @@ static void sesssetup_old_send(struct tevent_req *subreq)
 	sess->old.out.vuid = smb_sess->vuid;
 
 failed:
-	status = auth_nt_status_squash(status);
+	status = nt_status_squash(status);
 	smbsrv_sesssetup_backend_send(req, sess, status);
 }
 
@@ -246,7 +246,7 @@ static void sesssetup_nt1_send(struct tevent_req *subreq)
 done:
 	status = NT_STATUS_OK;
 failed:
-	status = auth_nt_status_squash(status);
+	status = nt_status_squash(status);
 	smbsrv_sesssetup_backend_send(req, sess, status);
 }
 
@@ -348,7 +348,7 @@ static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess)
 nomem:
 	status = NT_STATUS_NO_MEMORY;
 failed:
-	status = auth_nt_status_squash(status);
+	status = nt_status_squash(status);
 	smbsrv_sesssetup_backend_send(req, sess, status);
 }
 
@@ -397,7 +397,7 @@ static void sesssetup_spnego_send(struct tevent_req *subreq)
 done:
 	sess->spnego.out.vuid = smb_sess->vuid;
 failed:
-	status = auth_nt_status_squash(status);
+	status = nt_status_squash(status);
 	smbsrv_sesssetup_backend_send(req, sess, status);
 	if (!NT_STATUS_IS_OK(status) && 
 	    !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
@@ -502,7 +502,7 @@ nomem:
 	status = NT_STATUS_NO_MEMORY;
 failed:
 	talloc_free(smb_sess);
-	status = auth_nt_status_squash(status);
+	status = nt_status_squash(status);
 	smbsrv_sesssetup_backend_send(req, sess, status);
 }
 
diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c
index ddc161d80c..94fe0da9fa 100644
--- a/source4/smb_server/smb2/sesssetup.c
+++ b/source4/smb_server/smb2/sesssetup.c
@@ -99,7 +99,7 @@ static void smb2srv_sesssetup_callback(struct tevent_req *subreq)
 done:
 	io->smb2.out.uid = smb_sess->vuid;
 failed:
-	req->status = auth_nt_status_squash(status);
+	req->status = nt_status_squash(status);
 	smb2srv_sesssetup_send(req, io);
 	if (!NT_STATUS_IS_OK(status) && !
 	    NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
@@ -213,7 +213,7 @@ nomem:
 	status = NT_STATUS_NO_MEMORY;
 failed:
 	talloc_free(smb_sess);
-	req->status = auth_nt_status_squash(status);
+	req->status = nt_status_squash(status);
 	smb2srv_sesssetup_send(req, io);
 }
 
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index 2c38416b43..34f79715ff 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -662,7 +662,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 	nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out);
 	
 	/* don't leak 'bad password'/'no such user' info to the network client */
-	nt_status = auth_nt_status_squash(nt_status);
+	nt_status = nt_status_squash(nt_status);
 
 	if (out.length) {
 		out_base64 = base64_encode_data_blob(mem_ctx, out);