-rw-r--r--source4/auth/auth.h1
-rw-r--r--source4/auth/gensec/gensec.h2
-rw-r--r--source4/auth/ntlm/auth_util.c24
-rw-r--r--source4/ldap_server/ldap_bind.c4
-rw-r--r--source4/libcli/util/nterr.c27
-rw-r--r--source4/smb_server/smb/sesssetup.c10
-rw-r--r--source4/smb_server/smb2/sesssetup.c4
-rw-r--r--source4/utils/ntlm_auth.c2
8 files changed, 38 insertions, 36 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 70df694b1e..0e0aa01f4d 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -189,7 +189,6 @@ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, struct ldb_context *sam_
NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info **_session_info) ;
-NTSTATUS auth_nt_status_squash(NTSTATUS nt_status);
NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods,
struct tevent_context *ev,
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index ad581e2fa5..3c5257c195 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -274,7 +274,7 @@ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
struct gensec_security **gensec_security);
NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
struct auth_session_info **session_info);
-NTSTATUS auth_nt_status_squash(NTSTATUS nt_status);
+NTSTATUS nt_status_squash(NTSTATUS nt_status);
struct netlogon_creds_CredentialState;
NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
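Review bot: The prototype `NTSTATUS nt_status_squash(NTSTATUS nt_status);` stays in gensec.h although this commit moves the definition to source4/libcli/util/nterr.c, and no libcli/util header appears in the diffstat. Callers outside the auth code would then have to include gensec.h just to get a status helper. Declaring it alongside the other nterr.c prototypes (presumably wherever `nt_status_string_to_code` is declared) would match where the function now lives. If a generated prototype header already covers it, this line may be redundant and could be dropped instead.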
diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c
index 605cd980c6..d6b53dd4c5 100644
--- a/source4/auth/ntlm/auth_util.c
+++ b/source4/auth/ntlm/auth_util.c
@@ -231,27 +231,3 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_contex
return NT_STATUS_OK;
}
-
-
-/**
- * Squash an NT_STATUS in line with security requirements.
- * In an attempt to avoid giving the whole game away when users
- * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and
- * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations
- * (session setups in particular).
- *
- * @param nt_status NTSTATUS input for squashing.
- * @return the 'squashed' nt_status
- **/
-_PUBLIC_ NTSTATUS auth_nt_status_squash(NTSTATUS nt_status)
-{
- if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
- /* Match WinXP and don't give the game away */
- return NT_STATUS_LOGON_FAILURE;
- } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
- /* Match WinXP and don't give the game away */
- return NT_STATUS_LOGON_FAILURE;
- }
-
- return nt_status;
-}
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 0f3d0631d0..105e64078f 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -81,7 +81,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status));
}
} else {
- status = auth_nt_status_squash(status);
+ status = nt_status_squash(status);
result = LDAP_INVALID_CREDENTIALS;
errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status));
@@ -311,7 +311,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
talloc_unlink(conn, conn->gensec);
conn->gensec = NULL;
} else {
- status = auth_nt_status_squash(status);
+ status = nt_status_squash(status);
if (result == 0) {
result = LDAP_INVALID_CREDENTIALS;
errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status));
diff --git a/source4/libcli/util/nterr.c b/source4/libcli/util/nterr.c
index cb0c081602..ca998bbf6f 100644
--- a/source4/libcli/util/nterr.c
+++ b/source4/libcli/util/nterr.c
@@ -929,3 +929,30 @@ NTSTATUS nt_status_string_to_code(const char *nt_status_str)
}
return NT_STATUS_UNSUCCESSFUL;
}
+
+/**
+ * Squash an NT_STATUS in line with security requirements.
+ * In an attempt to avoid giving the whole game away when users
+ * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and
+ * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations
+ * (session setups in particular).
+ *
+ * @param nt_status NTSTATUS input for squashing.
+ * @return the 'squashed' nt_status
+ **/
+
+NTSTATUS nt_status_squash(NTSTATUS nt_status)
+{
+ if NT_STATUS_IS_OK(nt_status) {
+ return nt_status;
+ } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
+ /* Match WinXP and don't give the game away */
+ return NT_STATUS_LOGON_FAILURE;
+
+ } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
+ /* Match WinXP and don't give the game away */
+ return NT_STATUS_LOGON_FAILURE;
+ } else {
+ return nt_status;
+ }
+}
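Review bot: The conditions in nt_status_squash are written as `if NT_STATUS_IS_OK(nt_status) {` and `else if NT_STATUS_EQUAL(...) {` with no parentheses of their own, so they compile only while those macros expand to a parenthesised expression; `if (NT_STATUS_IS_OK(nt_status)) {` would stay valid if the macros ever become inline functions. The leading IS_OK branch and the trailing else both return nt_status unchanged, so the first branch can be dropped without changing behaviour. Because callers use this helper to avoid disclosing whether an account exists, the doc comment should also state that only NT_STATUS_NO_SUCH_USER and NT_STATUS_WRONG_PASSWORD are mapped and every other status is returned as-is, so nobody assumes it hides all account-state codes. The removed definition in auth_util.c carried `_PUBLIC_` and this one does not; it looks worth confirming that the symbol is still exported for the callers in the other subsystems.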
diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
index 5e4e3e514f..c4efe3919c 100644
--- a/source4/smb_server/smb/sesssetup.c
+++ b/source4/smb_server/smb/sesssetup.c
@@ -106,7 +106,7 @@ static void sesssetup_old_send(struct tevent_req *subreq)
sess->old.out.vuid = smb_sess->vuid;
failed:
- status = auth_nt_status_squash(status);
+ status = nt_status_squash(status);
smbsrv_sesssetup_backend_send(req, sess, status);
}
@@ -246,7 +246,7 @@ static void sesssetup_nt1_send(struct tevent_req *subreq)
done:
status = NT_STATUS_OK;
failed:
- status = auth_nt_status_squash(status);
+ status = nt_status_squash(status);
smbsrv_sesssetup_backend_send(req, sess, status);
}
@@ -348,7 +348,7 @@ static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess)
nomem:
status = NT_STATUS_NO_MEMORY;
failed:
- status = auth_nt_status_squash(status);
+ status = nt_status_squash(status);
smbsrv_sesssetup_backend_send(req, sess, status);
}
@@ -397,7 +397,7 @@ static void sesssetup_spnego_send(struct tevent_req *subreq)
done:
sess->spnego.out.vuid = smb_sess->vuid;
failed:
- status = auth_nt_status_squash(status);
+ status = nt_status_squash(status);
smbsrv_sesssetup_backend_send(req, sess, status);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
@@ -502,7 +502,7 @@ nomem:
status = NT_STATUS_NO_MEMORY;
failed:
talloc_free(smb_sess);
- status = auth_nt_status_squash(status);
+ status = nt_status_squash(status);
smbsrv_sesssetup_backend_send(req, sess, status);
}
diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c
index ddc161d80c..94fe0da9fa 100644
--- a/source4/smb_server/smb2/sesssetup.c
+++ b/source4/smb_server/smb2/sesssetup.c
@@ -99,7 +99,7 @@ static void smb2srv_sesssetup_callback(struct tevent_req *subreq)
done:
io->smb2.out.uid = smb_sess->vuid;
failed:
- req->status = auth_nt_status_squash(status);
+ req->status = nt_status_squash(status);
smb2srv_sesssetup_send(req, io);
if (!NT_STATUS_IS_OK(status) && !
NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
@@ -213,7 +213,7 @@ nomem:
status = NT_STATUS_NO_MEMORY;
failed:
talloc_free(smb_sess);
- req->status = auth_nt_status_squash(status);
+ req->status = nt_status_squash(status);
smb2srv_sesssetup_send(req, io);
}
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index 2c38416b43..34f79715ff 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -662,7 +662,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out);
/* don't leak 'bad password'/'no such user' info to the network client */
- nt_status = auth_nt_status_squash(nt_status);
+ nt_status = nt_status_squash(nt_status);
if (out.length) {
out_base64 = base64_encode_data_blob(mem_ctx, out);