summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/auth/auth_ntlmssp.c27
-rw-r--r--source3/auth/proto.h3
-rw-r--r--source3/rpc_server/dcesrv_ntlmssp.c11
-rw-r--r--source3/smbd/seal.c8
-rw-r--r--source3/smbd/sesssetup.c41
-rw-r--r--source3/smbd/smb2_sesssetup.c28
6 files changed, 93 insertions, 25 deletions
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index c078416aad..f7d3619d3b 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -188,8 +188,8 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
static int auth_ntlmssp_state_destructor(void *ptr);
-NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
- struct auth_ntlmssp_state **auth_ntlmssp_state)
+NTSTATUS auth_ntlmssp_prepare(const struct tsocket_address *remote_address,
+ struct auth_ntlmssp_state **auth_ntlmssp_state)
{
NTSTATUS nt_status;
bool is_standalone;
@@ -212,20 +212,16 @@ NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
return nt_status;
}
+ ans->auth_context = talloc_steal(ans, auth_context);
+
if (auth_context->prepare_gensec) {
nt_status = auth_context->prepare_gensec(ans, &ans->gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(ans);
return nt_status;
} else {
- nt_status = auth_context->gensec_start_mech_by_oid(ans->gensec_security, GENSEC_OID_NTLMSSP);
- if (!NT_STATUS_IS_OK(nt_status)) {
- TALLOC_FREE(ans);
- return nt_status;
- } else {
- *auth_ntlmssp_state = ans;
- return NT_STATUS_OK;
- }
+ *auth_ntlmssp_state = ans;
+ return NT_STATUS_OK;
}
}
@@ -261,8 +257,6 @@ NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
return nt_status;
}
- ans->auth_context = talloc_steal(ans, auth_context);
-
ans->ntlmssp_state->callback_private = ans;
ans->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
ans->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
@@ -286,3 +280,12 @@ static int auth_ntlmssp_state_destructor(void *ptr)
TALLOC_FREE(ans->ntlmssp_state);
return 0;
}
+
+NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state *auth_ntlmssp_state)
+{
+ if (auth_ntlmssp_state->auth_context->gensec_start_mech_by_oid) {
+ return auth_ntlmssp_state->auth_context->gensec_start_mech_by_oid(auth_ntlmssp_state->gensec_security, GENSEC_OID_NTLMSSP);
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index f2b7875997..bce27c86c3 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -72,8 +72,9 @@ NTSTATUS auth_netlogond_init(void);
NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
struct auth_ntlmssp_state *auth_ntlmssp_state,
struct auth_session_info **session_info);
-NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
+NTSTATUS auth_ntlmssp_prepare(const struct tsocket_address *remote_address,
struct auth_ntlmssp_state **auth_ntlmssp_state);
+NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state *auth_ntlmssp_state);
/* The following definitions come from auth/auth_sam.c */
diff --git a/source3/rpc_server/dcesrv_ntlmssp.c b/source3/rpc_server/dcesrv_ntlmssp.c
index fd5b820143..f9fbc060c5 100644
--- a/source3/rpc_server/dcesrv_ntlmssp.c
+++ b/source3/rpc_server/dcesrv_ntlmssp.c
@@ -36,9 +36,9 @@ NTSTATUS ntlmssp_server_auth_start(TALLOC_CTX *mem_ctx,
struct auth_ntlmssp_state *a = NULL;
NTSTATUS status;
- status = auth_ntlmssp_start(remote_address, &a);
+ status = auth_ntlmssp_prepare(remote_address, &a);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
+ DEBUG(0, (__location__ ": auth_ntlmssp_prepare failed: %s\n",
nt_errstr(status)));
return status;
}
@@ -51,6 +51,13 @@ NTSTATUS ntlmssp_server_auth_start(TALLOC_CTX *mem_ctx,
auth_ntlmssp_want_feature(a, NTLMSSP_FEATURE_SEAL);
}
+ status = auth_ntlmssp_start(a);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
status = auth_ntlmssp_update(a, mem_ctx, *token_in, token_out);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(0, (__location__ ": auth_ntlmssp_update failed: %s\n",
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index 12672681fe..979c97c38a 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -86,7 +86,7 @@ bool is_encrypted_packet(const uint8_t *inbuf)
static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address,
struct smb_srv_trans_enc_ctx *ec)
{
- NTSTATUS status = auth_ntlmssp_start(remote_address,
+ NTSTATUS status = auth_ntlmssp_prepare(remote_address,
&ec->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
return nt_status_squash(status);
@@ -94,6 +94,12 @@ static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address,
auth_ntlmssp_want_feature(ec->auth_ntlmssp_state, NTLMSSP_FEATURE_SEAL);
+ status = auth_ntlmssp_start(ec->auth_ntlmssp_state);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return nt_status_squash(status);
+ }
+
/*
* We must remember to update the pointer copy for the common
* functions after any auth_ntlmssp_start/auth_ntlmssp_end.
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 1eb4708994..20b31096b0 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -624,8 +624,8 @@ static void reply_spnego_negotiate(struct smb_request *req,
return;
}
- status = auth_ntlmssp_start(sconn->remote_address,
- auth_ntlmssp_state);
+ status = auth_ntlmssp_prepare(sconn->remote_address,
+ auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@@ -635,6 +635,14 @@ static void reply_spnego_negotiate(struct smb_request *req,
auth_ntlmssp_want_feature(*auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+ status = auth_ntlmssp_start(*auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* Kill the intermediate vuid */
+ invalidate_vuid(sconn, vuid);
+ reply_nterror(req, nt_status_squash(status));
+ return;
+ }
+
status = auth_ntlmssp_update(*auth_ntlmssp_state, talloc_tos(),
secblob, &chal);
@@ -728,8 +736,18 @@ static void reply_spnego_auth(struct smb_request *req,
data_blob_free(&secblob);
if (!*auth_ntlmssp_state) {
- status = auth_ntlmssp_start(sconn->remote_address,
- auth_ntlmssp_state);
+ status = auth_ntlmssp_prepare(sconn->remote_address,
+ auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* Kill the intermediate vuid */
+ invalidate_vuid(sconn, vuid);
+ reply_nterror(req, nt_status_squash(status));
+ return;
+ }
+
+ auth_ntlmssp_want_feature(*auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+ status = auth_ntlmssp_start(*auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@@ -1141,8 +1159,19 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
DATA_BLOB chal;
if (!vuser->auth_ntlmssp_state) {
- status = auth_ntlmssp_start(sconn->remote_address,
- &vuser->auth_ntlmssp_state);
+ status = auth_ntlmssp_prepare(sconn->remote_address,
+ &vuser->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* Kill the intermediate vuid */
+ invalidate_vuid(sconn, vuid);
+ data_blob_free(&blob1);
+ reply_nterror(req, nt_status_squash(status));
+ return;
+ }
+
+ auth_ntlmssp_want_feature(vuser->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+ status = auth_ntlmssp_start(vuser->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 40f98ce45f..7bc8692758 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -386,7 +386,7 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
/* Fall back to NTLMSSP. */
- status = auth_ntlmssp_start(session->sconn->remote_address,
+ status = auth_ntlmssp_prepare(session->sconn->remote_address,
&session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
goto out;
@@ -394,6 +394,11 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
talloc_tos(),
secblob_in,
@@ -577,13 +582,22 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
}
if (session->auth_ntlmssp_state == NULL) {
- status = auth_ntlmssp_start(session->sconn->remote_address,
+ status = auth_ntlmssp_prepare(session->sconn->remote_address,
&session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&auth);
TALLOC_FREE(session);
return status;
}
+
+ auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(&auth);
+ TALLOC_FREE(session);
+ return status;
+ }
}
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
@@ -642,12 +656,20 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
NTSTATUS status;
if (session->auth_ntlmssp_state == NULL) {
- status = auth_ntlmssp_start(session->sconn->remote_address,
+ status = auth_ntlmssp_prepare(session->sconn->remote_address,
&session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
+
+ auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(session);
+ return status;
+ }
}
/* RAW NTLMSSP */