Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/cyrus_sasl.c2
-rw-r--r--source4/auth/gensec/gensec.c8
-rw-r--r--source4/auth/gensec/gensec.h3
-rw-r--r--source4/auth/gensec/gensec_gssapi.c9
-rw-r--r--source4/auth/gensec/gensec_krb5.c4
-rw-r--r--source4/auth/gensec/schannel_sign.c2
-rw-r--r--source4/auth/gensec/schannel_state.c4
-rw-r--r--source4/auth/gensec/socket.c13
-rw-r--r--source4/auth/gensec/spnego.c15
9 files changed, 45 insertions, 15 deletions
diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
index 06a7b8a382..6f82de82fc 100644
--- a/source4/auth/gensec/cyrus_sasl.c
+++ b/source4/auth/gensec/cyrus_sasl.c
@@ -110,7 +110,7 @@ static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
{
sasl_dispose(&gensec_sasl_state->conn);
- return 0;
+ return SASL_OK;
}
static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
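Review bot: gensec_sasl_dispose has the shape of a talloc destructor (an int function taking the state pointer), and talloc treats a non-zero destructor return as a refusal to free, so the new return value is only correct because SASL_OK happens to be 0. A one-line comment would make that coupling visible: `/* talloc destructor: must return 0 (SASL_OK) or the state is never freed */`. Whether the function is actually registered with talloc_set_destructor is not visible in this hunk.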
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 0edb34d740..5d57383d2a 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -490,6 +490,7 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
(*gensec_security)->ops = NULL;
+ (*gensec_security)->private_data = NULL;
ZERO_STRUCT((*gensec_security)->target);
ZERO_STRUCT((*gensec_security)->peer_addr);
@@ -525,6 +526,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
(*gensec_security)->private_data = NULL;
(*gensec_security)->subcontext = true;
+ (*gensec_security)->want_features = parent->want_features;
(*gensec_security)->event_ctx = parent->event_ctx;
(*gensec_security)->msg_ctx = parent->msg_ctx;
(*gensec_security)->lp_ctx = parent->lp_ctx;
@@ -1015,7 +1017,11 @@ _PUBLIC_ NTSTATUS gensec_update_recv(struct gensec_update_request *req, TALLOC_C
_PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
uint32_t feature)
{
- gensec_security->want_features |= feature;
+ if (!gensec_security->ops || !gensec_security->ops->want_feature) {
+ gensec_security->want_features |= feature;
+ return;
+ }
+ gensec_security->ops->want_feature(gensec_security, feature);
}
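Review bot: When ops->want_feature is present, gensec_want_feature no longer records the feature in gensec_security->want_features, so anything that reads that field on the outer context — including the new parent->want_features copy in gensec_subcontext_start earlier in this file — sees a value that omits every forwarded feature. gensec_spnego_want_feature in spnego.c forwards to its sub-context the same way without recording, so if SPNEGO ever starts a fresh sub-context later, a sign/seal request would not be inherited. Recording first keeps both paths consistent: `gensec_security->want_features |= feature;` before the `if (!gensec_security->ops || ...)` check, with the duplicate assignment inside the branch dropped.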
/**
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index 2830297ffe..0b31882ddd 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -133,6 +133,8 @@ struct gensec_security_ops {
NTSTATUS (*session_key)(struct gensec_security *gensec_security, DATA_BLOB *session_key);
NTSTATUS (*session_info)(struct gensec_security *gensec_security,
struct auth_session_info **session_info);
+ void (*want_feature)(struct gensec_security *gensec_security,
+ uint32_t feature);
bool (*have_feature)(struct gensec_security *gensec_security,
uint32_t feature);
bool enabled;
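Review bot: The new want_feature callback carries no comment stating its contract, yet gensec_want_feature in gensec.c only records the request itself when the callback is absent, so an implementer who forgets to record or forward it silently loses the request. Suggest a comment above the declaration: `/* Optional: handle a GENSEC_FEATURE_* request; if unset, gensec_want_feature() records it in want_features directly */`. The struct definition continues outside the hunk.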
@@ -174,6 +176,7 @@ struct gensec_security;
struct socket_context;
NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
struct socket_context *current_socket,
struct event_context *ev,
void (*recv_handler)(void *, uint16_t),
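Review bot: The gensec_socket_init prototype gains a mem_ctx parameter but no documentation of what it owns; in socket.c the wrapping socket is allocated on it (`socket_create_with_ops(mem_ctx, ...)`) and on success current_socket is talloc_steal()ed under that new socket, so the caller's reference to current_socket is no longer the owner. The only statement of this is a `/* CAREFUL ... */` comment in socket.c, which readers of the header will not see. Suggest a comment on the prototype: `/* Allocates the returned socket on mem_ctx; on success takes ownership of current_socket, on failure the caller keeps it */`. The declaration continues past the hunk.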
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 1334e799ae..e791226cf6 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1181,6 +1181,10 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
OM_uint32 maj_stat, min_stat;
krb5_keyblock *subkey;
+ if (gensec_gssapi_state->sasl_state != STAGE_DONE) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
if (gensec_gssapi_state->session_key.data) {
*session_key = gensec_gssapi_state->session_key;
return NT_STATUS_OK;
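Review bot: The guard added at the top of gensec_gssapi_session_key makes any key request before STAGE_DONE fail with NT_STATUS_NO_USER_SESSION_KEY, where previously it returned a fresh, uncached key (the `/* only cache in the done stage */` branch removed in the next hunk shows that case was anticipated). Any caller that fetches the key mid-exchange will now see the error; that is the safer behaviour, but it is worth confirming against callers, which are not visible here. The check deserves a why-comment, e.g. `/* Refuse to hand out a key until the exchange is complete; before that it may still change */`. The function starts before this hunk.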
@@ -1200,10 +1204,7 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
*session_key = data_blob_talloc(gensec_gssapi_state,
KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey);
- if (gensec_gssapi_state->sasl_state == STAGE_DONE) {
- /* only cache in the done stage */
- gensec_gssapi_state->session_key = *session_key;
- }
+ gensec_gssapi_state->session_key = *session_key;
dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
return NT_STATUS_OK;
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 47df2ccfcc..1f54043038 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -515,6 +515,10 @@ static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security,
krb5_keyblock *skey;
krb5_error_code err = -1;
+ if (gensec_krb5_state->state_position != GENSEC_KRB5_DONE) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
if (gensec_krb5_state->session_key.data) {
*session_key = gensec_krb5_state->session_key;
return NT_STATUS_OK;
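Review bot: The new state_position guard mirrors the gensec_gssapi change, but unlike that file this hunk does not show whether a matching "only cache when done" branch further down was also simplified, so the cached-key path after the guard may now carry a redundant state check — worth a look, as the diff cuts off before it. A short comment on the guard would help readers who see only this part: `/* No key before the exchange completes: the value may still change */`. gensec_krb5_session_key starts before this hunk.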
diff --git a/source4/auth/gensec/schannel_sign.c b/source4/auth/gensec/schannel_sign.c
index 1e57beba08..9862a029a4 100644
--- a/source4/auth/gensec/schannel_sign.c
+++ b/source4/auth/gensec/schannel_sign.c
@@ -21,7 +21,7 @@
*/
#include "includes.h"
-#include "lib/crypto/crypto.h"
+#include "../lib/crypto/crypto.h"
#include "auth/auth.h"
#include "auth/gensec/schannel.h"
#include "auth/credentials/credentials.h"
diff --git a/source4/auth/gensec/schannel_state.c b/source4/auth/gensec/schannel_state.c
index f0710c5581..64c21d0c3e 100644
--- a/source4/auth/gensec/schannel_state.c
+++ b/source4/auth/gensec/schannel_state.c
@@ -44,7 +44,7 @@ struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx, struct event_contex
"computerName: CASE_INSENSITIVE\n" \
"flatname: CASE_INSENSITIVE\n";
- path = smbd_tmp_path(mem_ctx, lp_ctx, "schannel.ldb");
+ path = private_path(mem_ctx, lp_ctx, "schannel.ldb");
if (!path) {
return NULL;
}
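Review bot: Moving schannel.ldb from the smbd tmp path to the private path relocates the session-key database (this file's other hunk is in schannel_fetch_session_key_ldb), but nothing in the hunk sets or checks the file mode of the database, so its protection rests entirely on the permissions of the private directory, which the diff does not show. A comment on the `path = private_path(...)` line would make that requirement explicit, e.g. `/* schannel.ldb holds session keys; it must live in the private dir, never a shared tmp dir */`.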
@@ -195,7 +195,7 @@ NTSTATUS schannel_fetch_session_key_ldb(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- ret = ldb_search_exp_fmt(ldb, mem_ctx, &res,
+ ret = ldb_search(ldb, mem_ctx, &res,
NULL, LDB_SCOPE_SUBTREE, NULL,
"(&(computerName=%s)(flatname=%s))", computer_name, domain);
if (ret != LDB_SUCCESS) {
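Review bot: computer_name and domain are formatted straight into the ldb filter by the new ldb_search call, so any filter metacharacters in either value change the query; the function's parameters are not visible here to say whether they are already sanitised by the caller. The usual Samba idiom is to encode each value: `"(&(computerName=%s)(flatname=%s))", ldb_binary_encode_string(mem_ctx, computer_name), ldb_binary_encode_string(mem_ctx, domain));`. The same applied to the ldb_search_exp_fmt call being replaced, so the commit does not introduce it, but the line is being rewritten anyway.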
diff --git a/source4/auth/gensec/socket.c b/source4/auth/gensec/socket.c
index 27449bf610..319730e2ca 100644
--- a/source4/auth/gensec/socket.c
+++ b/source4/auth/gensec/socket.c
@@ -408,8 +408,10 @@ static NTSTATUS gensec_socket_send(struct socket_context *sock,
}
/* Turn a normal socket into a potentially GENSEC wrapped socket */
+/* CAREFUL: this function will steal 'current_socket' */
NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
struct socket_context *current_socket,
struct event_context *ev,
void (*recv_handler)(void *, uint16_t),
@@ -420,7 +422,7 @@ NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
struct socket_context *new_sock;
NTSTATUS nt_status;
- nt_status = socket_create_with_ops(current_socket, &gensec_socket_ops, &new_sock,
+ nt_status = socket_create_with_ops(mem_ctx, &gensec_socket_ops, &new_sock,
SOCKET_TYPE_STREAM, current_socket->flags | SOCKET_FLAG_ENCRYPT);
if (!NT_STATUS_IS_OK(nt_status)) {
*new_socket = NULL;
@@ -432,22 +434,19 @@ NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
gensec_socket = talloc(new_sock, struct gensec_socket);
if (gensec_socket == NULL) {
*new_socket = NULL;
+ talloc_free(new_sock);
return NT_STATUS_NO_MEMORY;
}
new_sock->private_data = gensec_socket;
gensec_socket->socket = current_socket;
- if (talloc_reference(gensec_socket, current_socket) == NULL) {
- *new_socket = NULL;
- return NT_STATUS_NO_MEMORY;
- }
-
/* Nothing to do here, if we are not actually wrapping on this socket */
if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) &&
!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
gensec_socket->wrap = false;
+ talloc_steal(gensec_socket, current_socket);
*new_socket = new_sock;
return NT_STATUS_OK;
}
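Review bot: The comment added in the first hunk says gensec_socket_init "will steal current_socket", but the talloc_steal only runs on the two success paths (here on the no-wrap path, and at the end in the last hunk); every failure return leaves current_socket owned by the caller, which is the opposite of what the comment implies. The new talloc_free(new_sock) calls are right for the failure sites shown, but any other early return between this hunk and the packet_init hunk that the diff omits would still leak new_sock. Suggest making the comment precise: `/* On success the returned socket takes ownership of 'current_socket'; on failure the caller still owns it */`.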
@@ -469,6 +468,7 @@ NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
gensec_socket->packet = packet_init(gensec_socket);
if (gensec_socket->packet == NULL) {
*new_socket = NULL;
+ talloc_free(new_sock);
return NT_STATUS_NO_MEMORY;
}
@@ -481,6 +481,7 @@ NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
/* TODO: full-request that knows about maximum packet size */
+ talloc_steal(gensec_socket, current_socket);
*new_socket = new_sock;
return NT_STATUS_OK;
}
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 1855e0583d..bf991616bd 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -1094,6 +1094,20 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
return NT_STATUS_INVALID_PARAMETER;
}
+static void gensec_spnego_want_feature(struct gensec_security *gensec_security,
+ uint32_t feature)
+{
+ struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
+
+ if (!spnego_state || !spnego_state->sub_sec_security) {
+ gensec_security->want_features |= feature;
+ return;
+ }
+
+ gensec_want_feature(spnego_state->sub_sec_security,
+ feature);
+}
+
static bool gensec_spnego_have_feature(struct gensec_security *gensec_security,
uint32_t feature)
{
@@ -1133,6 +1147,7 @@ static const struct gensec_security_ops gensec_spnego_security_ops = {
.unwrap_packets = gensec_spnego_unwrap_packets,
.session_key = gensec_spnego_session_key,
.session_info = gensec_spnego_session_info,
+ .want_feature = gensec_spnego_want_feature,
.have_feature = gensec_spnego_have_feature,
.enabled = true,
.priority = GENSEC_SPNEGO