From 3042e38d519411e774e110b16a2eeeaef4b25a65 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 26 Dec 2011 14:23:15 +1100 Subject: s3-auth use gensec directly rather than via auth_generic_state This is possible because the s3 gensec modules are started as normal gensec modules, so we do not need a wrapper any more. Andrew Bartlett Signed-off-by: Stefan Metzmacher --- source3/auth/auth_generic.c | 62 ++++++++++++-------------------- source3/auth/proto.h | 6 +--- source3/include/auth.h | 2 +- source3/include/ntlmssp_wrap.h | 3 -- source3/include/smb.h | 2 +- source3/rpc_server/dcesrv_auth_generic.c | 56 +++++++++++++---------------- source3/smbd/globals.h | 2 +- source3/smbd/negprot.c | 10 +++--- source3/smbd/password.c | 4 +-- source3/smbd/seal.c | 15 ++++---- source3/smbd/sesssetup.c | 54 ++++++++++++++-------------- source3/smbd/smb2_sesssetup.c | 40 ++++++++++----------- 12 files changed, 112 insertions(+), 144 deletions(-) diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index 8141f18eac..cd4b764e85 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c 
@@ -33,89 +33,73 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx, const struct tsocket_address *remote_address, - struct auth_generic_state **auth_ntlmssp_state) + struct gensec_security **gensec_security_out) { + struct gensec_security *gensec_security; struct auth_context *auth_context; - struct auth_generic_state *ans; NTSTATUS nt_status; - ans = talloc_zero(mem_ctx, struct auth_generic_state); - if (!ans) { - DEBUG(0,("auth_ntlmssp_start: talloc failed!\n")); - return NT_STATUS_NO_MEMORY; - } + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); - nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context); + nt_status = make_auth_context_subsystem(tmp_ctx, &auth_context); if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE(ans); + TALLOC_FREE(tmp_ctx); return nt_status; } - ans->auth_context = talloc_steal(ans, auth_context); - if (auth_context->prepare_gensec) { - nt_status = auth_context->prepare_gensec(ans, - &ans->gensec_security); + nt_status = auth_context->prepare_gensec(tmp_ctx, + &gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE(ans); + TALLOC_FREE(tmp_ctx); return nt_status; } } else { struct gensec_settings *gensec_settings; struct loadparm_context *lp_ctx; - lp_ctx = loadparm_init_s3(ans, loadparm_s3_context()); + lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_context()); if (lp_ctx == NULL) { DEBUG(10, ("loadparm_init_s3 failed\n")); - TALLOC_FREE(ans); + TALLOC_FREE(tmp_ctx); return NT_STATUS_INVALID_SERVER_STATE; } - gensec_settings = lpcfg_gensec_settings(ans, lp_ctx); + gensec_settings = lpcfg_gensec_settings(tmp_ctx, lp_ctx); if (lp_ctx == NULL) { DEBUG(10, ("lpcfg_gensec_settings failed\n")); - TALLOC_FREE(ans); + TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; } gensec_settings->backends = talloc_zero_array(gensec_settings, struct gensec_security_ops *, 2); if (gensec_settings->backends == NULL) { - TALLOC_FREE(ans); + TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; } 
gensec_settings->backends[0] = &gensec_ntlmssp3_server_ops; - nt_status = gensec_server_start(ans, gensec_settings, - NULL, &ans->gensec_security); + nt_status = gensec_server_start(tmp_ctx, gensec_settings, + NULL, &gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE(ans); + TALLOC_FREE(tmp_ctx); return nt_status; } - talloc_unlink(ans, lp_ctx); - talloc_unlink(ans, gensec_settings); + talloc_unlink(tmp_ctx, lp_ctx); + talloc_unlink(tmp_ctx, gensec_settings); } - nt_status = gensec_set_remote_address(ans->gensec_security, + nt_status = gensec_set_remote_address(gensec_security, remote_address); if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE(ans); + TALLOC_FREE(tmp_ctx); return nt_status; } - *auth_ntlmssp_state = ans; + *gensec_security_out = talloc_steal(mem_ctx, gensec_security); + TALLOC_FREE(tmp_ctx); return NT_STATUS_OK; } - -NTSTATUS auth_generic_start(struct auth_generic_state *auth_ntlmssp_state, const char *oid) -{ - return gensec_start_mech_by_oid(auth_ntlmssp_state->gensec_security, oid); -} - -NTSTATUS auth_generic_authtype_start(struct auth_generic_state *auth_ntlmssp_state, - uint8_t auth_type, uint8_t auth_level) -{ - return gensec_start_mech_by_authtype(auth_ntlmssp_state->gensec_security, - auth_type, auth_level); -} diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 31271da3e5..77f0f543e9 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h 
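Review bot: The NULL check after `lpcfg_gensec_settings()` in auth_generic_prepare's NTLMSSP-only branch tests the wrong variable — `lp_ctx` was already checked a few lines up, so a failed settings allocation continues to `gensec_settings->backends = ...` and dereferences NULL; the line should be `if (gensec_settings == NULL) {`. It is a context line this commit carries over rather than one it adds, but the function is being reworked here and the fix is one token. Separately, `auth_context` now lives under `tmp_ctx` and is freed on the way out, whereas the removed wrapper kept it alive next to the gensec context; if the context returned by `prepare_gensec()` keeps a pointer back to it (not visible in this hunk) it dangles after `TALLOC_FREE(tmp_ctx)`, so either confirm the prepare_gensec implementation copies what it needs or `talloc_steal(gensec_security, auth_context)` before freeing.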
@@ -70,11 +70,7 @@ NTSTATUS auth_netlogond_init(void); /* The following definitions come from auth/auth_ntlmssp.c */ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx, const struct tsocket_address *remote_address, - struct auth_generic_state **auth_ntlmssp_state); -NTSTATUS auth_generic_start(struct auth_generic_state *auth_ntlmssp_state, const char *oid); -NTSTATUS auth_generic_authtype_start(struct auth_generic_state *auth_ntlmssp_state, - uint8_t auth_type, uint8_t auth_level); - + struct gensec_security **gensec_security_out); /* The following definitions come from auth/auth_sam.c */ diff --git a/source3/include/auth.h b/source3/include/auth.h index 16bf1e6f14..522dc59a37 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -128,7 +128,7 @@ struct auth_init_function_entry { struct auth_init_function_entry *prev, *next; }; -struct auth_generic_state; +struct gensec_security; /* Changed from 1 -> 2 to add the logon_parameters field. */ /* Changed from 2 -> 3 when we reworked many auth structures to use IDL or be in common with Samba4 */ diff --git a/source3/include/ntlmssp_wrap.h b/source3/include/ntlmssp_wrap.h index fb98309ab9..07f474f103 100644 --- a/source3/include/ntlmssp_wrap.h +++ b/source3/include/ntlmssp_wrap.h @@ -26,9 +26,6 @@ struct gensec_security; extern const struct gensec_security_ops gensec_ntlmssp3_server_ops; struct auth_generic_state { - /* used only by server implementation */ - struct auth_context *auth_context; - /* used only by the client implementation */ struct cli_credentials *credentials; diff --git a/source3/include/smb.h b/source3/include/smb.h index 2221b72763..2adfa36c8c 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -1215,7 +1215,7 @@ typedef struct user_struct { struct auth_session_info *session_info; - struct auth_generic_state *auth_ntlmssp_state; + struct gensec_security *gensec_security; } user_struct; /* 
diff --git a/source3/rpc_server/dcesrv_auth_generic.c b/source3/rpc_server/dcesrv_auth_generic.c index dee3c16ca3..78d0d78ffa 100644 --- a/source3/rpc_server/dcesrv_auth_generic.c +++ b/source3/rpc_server/dcesrv_auth_generic.c @@ -35,10 +35,10 @@ NTSTATUS auth_generic_server_start(TALLOC_CTX *mem_ctx, const struct tsocket_address *remote_address, struct gensec_security **ctx) { - struct auth_generic_state *a = NULL; + struct gensec_security *gensec_security = NULL; NTSTATUS status; - status = auth_generic_prepare(talloc_tos(), remote_address, &a); + status = auth_generic_prepare(talloc_tos(), remote_address, &gensec_security); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n", nt_errstr(status))); 
@@ -46,40 +46,36 @@ NTSTATUS auth_generic_server_start(TALLOC_CTX *mem_ctx, } if (do_sign) { - gensec_want_feature(a->gensec_security, GENSEC_FEATURE_SIGN); + gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN); } if (do_seal) { - gensec_want_feature(a->gensec_security, GENSEC_FEATURE_SIGN); - gensec_want_feature(a->gensec_security, GENSEC_FEATURE_SEAL); + gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN); + gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL); } if (is_dcerpc) { - gensec_want_feature(a->gensec_security, GENSEC_FEATURE_DCE_STYLE); + gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE); } - status = auth_generic_start(a, oid); + status = gensec_start_mech_by_oid(gensec_security, oid); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, (__location__ ": auth_generic_start failed: %s\n", nt_errstr(status))); + TALLOC_FREE(gensec_security); return status; } - status = gensec_update(a->gensec_security, mem_ctx, NULL, *token_in, token_out); + status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { DEBUG(2, (__location__ ": gensec_update failed: %s\n", nt_errstr(status))); - goto done; + TALLOC_FREE(gensec_security); + return status; } - /* steal gensec context too */ - *ctx = talloc_move(mem_ctx, &a->gensec_security); - - status = NT_STATUS_OK; - -done: - TALLOC_FREE(a); - - return status; + /* steal gensec context to the caller */ + *ctx = talloc_move(mem_ctx, &gensec_security); + return NT_STATUS_OK; } NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx, 
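Review bot: The error branch after the new `gensec_start_mech_by_oid()` call in auth_generic_server_start still logs `auth_generic_start failed`, naming a function this commit deletes, so the DEBUG(0) line sends anyone reading the log to code that no longer exists; change it to `DEBUG(0, (__location__ ": gensec_start_mech_by_oid failed: %s\n", nt_errstr(status)));`. The explicit `TALLOC_FREE(gensec_security)` on the two failure paths is the right replacement for the old `done:` label now that the context is the only allocation left to release. auth_generic_server_start's parameter list begins before this hunk.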
@@ -89,39 +85,35 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx, const struct tsocket_address *remote_address, struct gensec_security **ctx) { - struct auth_generic_state *a = NULL; + struct gensec_security *gensec_security = NULL; NTSTATUS status; - status = auth_generic_prepare(talloc_tos(), remote_address, &a); + status = auth_generic_prepare(talloc_tos(), remote_address, &gensec_security); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n", nt_errstr(status))); return status; } - status = auth_generic_authtype_start(a, auth_type, auth_level); + status = gensec_start_mech_by_authtype(gensec_security, auth_type, auth_level); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, (__location__ ": auth_generic_start failed: %s\n", nt_errstr(status))); + TALLOC_FREE(gensec_security); return status; } - status = gensec_update(a->gensec_security, mem_ctx, NULL, *token_in, token_out); + status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { DEBUG(2, (__location__ ": gensec_update failed: %s\n", nt_errstr(status))); - goto done; + TALLOC_FREE(gensec_security); + return status; } - /* steal gensec context too */ - *ctx = talloc_move(mem_ctx, &a->gensec_security); - - status = NT_STATUS_OK; - -done: - TALLOC_FREE(a); - - return status; + /* steal gensec context to the caller */ + *ctx = talloc_move(mem_ctx, &gensec_security); + return NT_STATUS_OK; } NTSTATUS auth_generic_server_step(struct gensec_security *gensec_security, diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index 631298b155..44a76c4fb3 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h 
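Review bot: The failure path after `gensec_start_mech_by_authtype()` in auth_generic_server_authtype_start reports `auth_generic_start failed`, which is neither the call that failed nor a function that still exists after this commit; use `DEBUG(0, (__location__ ": gensec_start_mech_by_authtype failed: %s\n", nt_errstr(status)));`. With the wrapper gone this function differs from auth_generic_server_start only in the start call, so the prepare/update/move sequence and its two freeing error paths could move into one static helper that takes the already-started context, which would stop the two copies drifting the way their log messages already have. The function's signature starts before the hunk.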
@@ -410,7 +410,7 @@ struct smbd_smb2_session { struct smbd_server_connection *sconn; NTSTATUS status; uint64_t vuid; - struct auth_generic_state *auth_ntlmssp_state; + struct gensec_security *gensec_security; struct auth_session_info *session_info; DATA_BLOB session_key; bool do_signing; diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 0a06e4a3d7..66da049bda 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -199,18 +199,18 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) OID_NTLMSSP, NULL}; const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL}; - struct auth_generic_state *auth_ntlmssp_state; + struct gensec_security *gensec_security; sconn->use_gensec_hook = false; /* See if we can get an SPNEGO blob out of the gensec hook (if auth_samba4 is loaded) */ status = auth_generic_prepare(talloc_tos(), sconn->remote_address, - &auth_ntlmssp_state); + &gensec_security); if (NT_STATUS_IS_OK(status)) { - status = auth_generic_start(auth_ntlmssp_state, GENSEC_OID_SPNEGO); + status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO); if (NT_STATUS_IS_OK(status)) { - status = gensec_update(auth_ntlmssp_state->gensec_security, ctx, + status = gensec_update(gensec_security, ctx, NULL, data_blob_null, &blob); /* If we get the list of OIDs, the 'OK' answer * is NT_STATUS_MORE_PROCESSING_REQUIRED */ @@ -218,7 +218,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) sconn->use_gensec_hook = true; } } - TALLOC_FREE(auth_ntlmssp_state); + TALLOC_FREE(gensec_security); } sconn->smb1.negprot.spnego = true; diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 7ccf2ea327..9df99ef6b1 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c 
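Review bot: The SPNEGO probe in negprot_spnego drops the status of `gensec_start_mech_by_oid()` silently, so when the gensec hook cannot start the server falls back to the built-in OID lists with `use_gensec_hook` left false and nothing in the log to say why; an `else` on that check, `} else { DEBUG(10, ("gensec SPNEGO hook unavailable: %s\n", nt_errstr(status))); }`, would make the mechanism selection diagnosable. Freeing the probe context inside the prepare-succeeded block is right, since auth_generic_prepare only assigns the out pointer on success and the local is otherwise uninitialized. negprot_spnego continues past these two hunks.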
@@ -124,8 +124,8 @@ void invalidate_vuid(struct smbd_server_connection *sconn, uint16 vuid) session_yield(vuser); - if (vuser->auth_ntlmssp_state) { - TALLOC_FREE(vuser->auth_ntlmssp_state); + if (vuser->gensec_security) { + TALLOC_FREE(vuser->gensec_security); } DLIST_REMOVE(sconn->smb1.sessions.validated_users, vuser); diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c index a609a3bad3..4393c1b27c 100644 --- a/source3/smbd/seal.c +++ b/source3/smbd/seal.c @@ -73,33 +73,32 @@ bool is_encrypted_packet(struct smbd_server_connection *sconn, } /****************************************************************************** - Create an auth_ntlmssp_state and ensure pointer copy is correct. + Create an gensec_security and ensure pointer copy is correct. ******************************************************************************/ static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address, struct smb_trans_enc_state *es) { - struct auth_generic_state *auth_ntlmssp_state; + struct gensec_security *gensec_security; NTSTATUS status = auth_generic_prepare(NULL, remote_address, - &auth_ntlmssp_state); + &gensec_security); if (!NT_STATUS_IS_OK(status)) { return nt_status_squash(status); } - gensec_want_feature(auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SEAL); + gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL); - status = auth_generic_start(auth_ntlmssp_state, GENSEC_OID_NTLMSSP); + status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_NTLMSSP); if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(auth_ntlmssp_state); + TALLOC_FREE(gensec_security); return nt_status_squash(status); } /* We do not need the auth_ntlmssp layer any more, which was * allocated on NULL, so promote gensec_security to the NULL * context */ - es->s.gensec_security = talloc_move(NULL, &auth_ntlmssp_state->gensec_security); - TALLOC_FREE(auth_ntlmssp_state); + es->s.gensec_security = gensec_security; return status; } 
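Review bot: The NULL guard around `TALLOC_FREE(vuser->gensec_security)` in invalidate_vuid is redundant — TALLOC_FREE already accepts a NULL pointer and sets it to NULL afterwards — so the renamed four lines can shrink to the single statement `TALLOC_FREE(vuser->gensec_security);`. That also matches how smbd_smb2_spnego_negotiate frees the same kind of field elsewhere in this commit. invalidate_vuid starts before the hunk.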
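Review bot: The comment above `es->s.gensec_security = gensec_security;` in make_auth_ntlmssp is stale after this change: there is no auth_ntlmssp layer left to discard and nothing is promoted, just a pointer copy of a context allocated on the NULL parent. Either reword it, e.g. `/* The context was allocated on the NULL context; es holds the only pointer to it */`, or remove the special case by calling `auth_generic_prepare(es, remote_address, &gensec_security)` so the context is freed together with `es` instead of depending on whoever tears down `es->s.gensec_security` (not visible here). The header comment's `Create an gensec_security` should read `Create a gensec_security context`, and with the NTLMSSP wrapper gone the name make_auth_ntlmssp now describes an API that no longer exists.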
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index a15afd5e35..f1672ab1ad 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -420,7 +420,7 @@ static void reply_spnego_kerberos(struct smb_request *req, static void reply_spnego_ntlmssp(struct smb_request *req, uint16 vuid, - struct auth_generic_state **auth_ntlmssp_state, + struct gensec_security **gensec_security, DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status, const char *OID, bool wrap) @@ -431,7 +431,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req, struct smbd_server_connection *sconn = req->sconn; if (NT_STATUS_IS_OK(nt_status)) { - nt_status = gensec_session_info((*auth_ntlmssp_state)->gensec_security, + nt_status = gensec_session_info(*gensec_security, talloc_tos(), &session_info); } @@ -452,7 +452,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req, if (register_existing_vuid(sconn, vuid, session_info, nullblob) != vuid) { - /* The problem is, *auth_ntlmssp_state points + /* The problem is, *gensec_security points * into the vuser this will have * talloc_free()'ed in * register_existing_vuid() */ @@ -492,7 +492,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req, if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { /* NB. This is *NOT* an error case. JRA */ if (do_invalidate) { - TALLOC_FREE(*auth_ntlmssp_state); + TALLOC_FREE(*gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { /* Kill the intermediate vuid */ invalidate_vuid(sconn, vuid); @@ -578,7 +578,7 @@ static void reply_spnego_downgrade_to_ntlmssp(struct smb_request *req, static void reply_spnego_negotiate(struct smb_request *req, uint16 vuid, DATA_BLOB blob1, - struct auth_generic_state **auth_ntlmssp_state) + struct gensec_security **gensec_security) { DATA_BLOB secblob; DATA_BLOB chal; 
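Review bot: reply_spnego_ntlmssp now receives a `struct gensec_security **gensec_security` and, in the @@ -492 hunk, frees and NULLs the caller's pointer through it, yet nothing at the signature says so; a parameter comment such as `/* the vuser's gensec context; freed and NULLed here once the exchange finishes or fails */` would explain why a double pointer is passed. The rewritten comment in the @@ -452 hunk still says the context `points into the vuser`, which holds only for the caller that allocates it on the vuser — the two callers later in this file allocate it on NULL — so `is stored in the vuser` is the safer wording. The function body continues beyond these hunks.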
@@ -614,7 +614,7 @@ static void reply_spnego_negotiate(struct smb_request *req, } #endif - TALLOC_FREE(*auth_ntlmssp_state); + TALLOC_FREE(*gensec_security); if (kerb_mech) { data_blob_free(&secblob); @@ -626,7 +626,7 @@ static void reply_spnego_negotiate(struct smb_request *req, } status = auth_generic_prepare(NULL, sconn->remote_address, - auth_ntlmssp_state); + gensec_security); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ invalidate_vuid(sconn, vuid); @@ -634,9 +634,9 @@ static void reply_spnego_negotiate(struct smb_request *req, return; } - gensec_want_feature((*auth_ntlmssp_state)->gensec_security, GENSEC_FEATURE_SESSION_KEY); + gensec_want_feature(*gensec_security, GENSEC_FEATURE_SESSION_KEY); - status = auth_generic_start(*auth_ntlmssp_state, GENSEC_OID_NTLMSSP); + status = gensec_start_mech_by_oid(*gensec_security, GENSEC_OID_NTLMSSP); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ invalidate_vuid(sconn, vuid); @@ -644,12 +644,12 @@ static void reply_spnego_negotiate(struct smb_request *req, return; } - status = gensec_update((*auth_ntlmssp_state)->gensec_security, talloc_tos(), + status = gensec_update(*gensec_security, talloc_tos(), NULL, secblob, &chal); data_blob_free(&secblob); - reply_spnego_ntlmssp(req, vuid, auth_ntlmssp_state, + reply_spnego_ntlmssp(req, vuid, gensec_security, &chal, status, OID_NTLMSSP, true); data_blob_free(&chal); @@ -665,7 +665,7 @@ static void reply_spnego_negotiate(struct smb_request *req, static void reply_spnego_auth(struct smb_request *req, uint16 vuid, DATA_BLOB blob1, - struct auth_generic_state **auth_ntlmssp_state) + struct gensec_security **gensec_security) { DATA_BLOB auth = data_blob_null; DATA_BLOB auth_reply = data_blob_null; 
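Review bot: reply_spnego_negotiate creates its context with `auth_generic_prepare(NULL, sconn->remote_address, gensec_security)` and the result is stored in the vuser's `gensec_security` field through the double pointer, so the object's talloc lifetime is not tied to the struct that holds it; a vuser torn down on any path that does not run invalidate_vuid's explicit `TALLOC_FREE` — the register_existing_vuid failure that reply_spnego_ntlmssp's comment describes is one candidate — would presumably leak it. reply_sesssetup_and_X_spnego passes `vuser` as the parent for the same field, so resolving the vuser from `vuid` here (or passing it in) and using it as the talloc parent would make ownership uniform. Whether such a path is reachable is not visible from this hunk; the function starts and ends outside it.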
@@ -736,9 +736,9 @@ static void reply_spnego_auth(struct smb_request *req, /* If we get here it wasn't a negTokenTarg auth packet. */ data_blob_free(&secblob); - if (!*auth_ntlmssp_state) { + if (!*gensec_security) { status = auth_generic_prepare(NULL, sconn->remote_address, - auth_ntlmssp_state); + gensec_security); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ invalidate_vuid(sconn, vuid); @@ -746,9 +746,9 @@ static void reply_spnego_auth(struct smb_request *req, return; } - gensec_want_feature((*auth_ntlmssp_state)->gensec_security, GENSEC_FEATURE_SESSION_KEY); + gensec_want_feature(*gensec_security, GENSEC_FEATURE_SESSION_KEY); - status = auth_generic_start(*auth_ntlmssp_state, GENSEC_OID_NTLMSSP); + status = gensec_start_mech_by_oid(*gensec_security, GENSEC_OID_NTLMSSP); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ invalidate_vuid(sconn, vuid); @@ -757,7 +757,7 @@ static void reply_spnego_auth(struct smb_request *req, } } - status = gensec_update((*auth_ntlmssp_state)->gensec_security, talloc_tos(), + status = gensec_update(*gensec_security, talloc_tos(), NULL, auth, &auth_reply); data_blob_free(&auth); @@ -765,7 +765,7 @@ static void reply_spnego_auth(struct smb_request *req, /* Don't send the mechid as we've already sent this (RFC4178). */ reply_spnego_ntlmssp(req, vuid, - auth_ntlmssp_state, + gensec_security, &auth_reply, status, NULL, true); data_blob_free(&auth_reply); @@ -1144,9 +1144,9 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) if (sconn->use_gensec_hook || ntlmssp_blob_matches_magic(&blob1)) { DATA_BLOB chal; - if (!vuser->auth_ntlmssp_state) { + if (!vuser->gensec_security) { status = auth_generic_prepare(vuser, sconn->remote_address, - &vuser->auth_ntlmssp_state); + &vuser->gensec_security); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ invalidate_vuid(sconn, vuid); 
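Review bot: The two lazy-creation sites in this stretch disagree on ownership: reply_spnego_auth's `if (!*gensec_security) { status = auth_generic_prepare(NULL, ...` parents the context on NULL, while reply_sesssetup_and_X_spnego's `auth_generic_prepare(vuser, sconn->remote_address, &vuser->gensec_security)` parents it on the vuser, although both store the pointer in `vuser->gensec_security`. Which owner the field ends up with therefore depends on which SPNEGO message arrived first, and only the vuser-parented variant is released automatically with the vuser. Using the vuser as the parent in reply_spnego_auth as well (it has only `vuid`, so the vuser would need to be looked up or passed down) removes the difference; both functions begin before these hunks.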
@@ -1155,12 +1155,12 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) return; } - gensec_want_feature(vuser->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY); + gensec_want_feature(vuser->gensec_security, GENSEC_FEATURE_SESSION_KEY); if (sconn->use_gensec_hook) { - status = auth_generic_start(vuser->auth_ntlmssp_state, GENSEC_OID_SPNEGO); + status = gensec_start_mech_by_oid(vuser->gensec_security, GENSEC_OID_SPNEGO); } else { - status = auth_generic_start(vuser->auth_ntlmssp_state, GENSEC_OID_NTLMSSP); + status = gensec_start_mech_by_oid(vuser->gensec_security, GENSEC_OID_NTLMSSP); } if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ @@ -1171,14 +1171,14 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) } } - status = gensec_update(vuser->auth_ntlmssp_state->gensec_security, + status = gensec_update(vuser->gensec_security, talloc_tos(), NULL, blob1, &chal); data_blob_free(&blob1); reply_spnego_ntlmssp(req, vuid, - &vuser->auth_ntlmssp_state, + &vuser->gensec_security, &chal, status, NULL, false); data_blob_free(&chal); return; @@ -1189,7 +1189,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) /* its a negTokenTarg packet */ reply_spnego_negotiate(req, vuid, blob1, - &vuser->auth_ntlmssp_state); + &vuser->gensec_security); data_blob_free(&blob1); return; } @@ -1199,7 +1199,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) /* its a auth packet */ reply_spnego_auth(req, vuid, blob1, - &vuser->auth_ntlmssp_state); + &vuser->gensec_security); data_blob_free(&blob1); return; } diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 0a9edbc273..3878b76820 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c 
@@ -243,7 +243,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session, status = NT_STATUS_NO_MEMORY; goto fail; } - session->compat_vuser->auth_ntlmssp_state = NULL; + session->compat_vuser->gensec_security = NULL; session->compat_vuser->homes_snum = -1; session->compat_vuser->session_info = session->session_info; session->compat_vuser->session_keystr = NULL; @@ -341,7 +341,7 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session, NTSTATUS status; /* Ensure we have no old NTLM state around. */ - TALLOC_FREE(session->auth_ntlmssp_state); + TALLOC_FREE(session->gensec_security); status = parse_spnego_mechanisms(talloc_tos(), in_security_buffer, &secblob_in, &kerb_mech); @@ -376,19 +376,19 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session, } else { /* Fall back to NTLMSSP. */ status = auth_generic_prepare(session, session->sconn->remote_address, - &session->auth_ntlmssp_state); + &session->gensec_security); if (!NT_STATUS_IS_OK(status)) { goto out; } - gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY); + gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY); - status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP); + status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP); if (!NT_STATUS_IS_OK(status)) { goto out; } - status = gensec_update(session->auth_ntlmssp_state->gensec_security, + status = gensec_update(session->gensec_security, talloc_tos(), NULL, secblob_in, &chal_out); 
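Review bot: The comment `/* Ensure we have no old NTLM state around. */` above the renamed `TALLOC_FREE(session->gensec_security);` in smbd_smb2_spnego_negotiate is narrower than the field it now describes, since the same context is started with either GENSEC_OID_SPNEGO or GENSEC_OID_NTLMSSP in the later hunks of this file; `/* Drop any gensec context left over from an earlier session setup round. */` says what the line does. In the @@ -376 hunk the two failure paths `goto out` without releasing `session->gensec_security`, which is fine only if `out` frees the session or the context; that label is outside this view. smbd_smb2_spnego_negotiate continues past the hunk.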
@@ -453,7 +453,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s TALLOC_FREE(session); return NT_STATUS_NO_MEMORY; } - session->compat_vuser->auth_ntlmssp_state = session->auth_ntlmssp_state; + session->compat_vuser->gensec_security = session->gensec_security; session->compat_vuser->homes_snum = -1; session->compat_vuser->session_info = session->session_info; session->compat_vuser->session_keystr = NULL; @@ -560,18 +560,18 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session, data_blob_free(&secblob_in); } - if (session->auth_ntlmssp_state == NULL) { + if (session->gensec_security == NULL) { status = auth_generic_prepare(session, session->sconn->remote_address, - &session->auth_ntlmssp_state); + &session->gensec_security); if (!NT_STATUS_IS_OK(status)) { data_blob_free(&auth); TALLOC_FREE(session); return status; } - gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY); + gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY); - status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP); + status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP); if (!NT_STATUS_IS_OK(status)) { data_blob_free(&auth); TALLOC_FREE(session); @@ -579,14 +579,14 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session, } } - status = gensec_update(session->auth_ntlmssp_state->gensec_security, + status = gensec_update(session->gensec_security, talloc_tos(), NULL, auth, &auth_out); /* If status is NT_STATUS_OK then we need to get the token. * Map to guest is now internal to auth_ntlmssp */ if (NT_STATUS_IS_OK(status)) { - status = gensec_session_info(session->auth_ntlmssp_state->gensec_security, + status = gensec_session_info(session->gensec_security, session, &session->session_info); } 
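Review bot: `session->compat_vuser->gensec_security = session->gensec_security;` in smbd_smb2_common_ntlmssp_auth_return makes the same talloc object reachable from two structs with a single owner, and invalidate_vuid in this commit does `TALLOC_FREE(vuser->gensec_security)` on exactly that compat vuser, which would free the session's context underneath `session->gensec_security` if the vuser were invalidated while the session stays in use. The aliasing predates this change (it used to be auth_ntlmssp_state), but now that the field is the bare gensec context a comment at the assignment, `/* alias only: the session owns this context and outlives the compat vuser */`, or a `talloc_reference()` would record the intended ownership. Whether a compat vuser can be invalidated independently of its SMB2 session is not visible here; the function starts before the hunk.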
@@ -635,20 +635,20 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session, *out_security_buffer = data_blob_null; - if (session->auth_ntlmssp_state == NULL) { + if (session->gensec_security == NULL) { status = auth_generic_prepare(session, session->sconn->remote_address, - &session->auth_ntlmssp_state); + &session->gensec_security); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(session); return status; } - gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY); + gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY); if (session->sconn->use_gensec_hook) { - status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_SPNEGO); + status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_SPNEGO); } else { - status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP); + status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP); } if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(session); @@ -657,7 +657,7 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session, } /* RAW NTLMSSP */ - status = gensec_update(session->auth_ntlmssp_state->gensec_security, + status = gensec_update(session->gensec_security, smb2req, NULL, in_security_buffer, out_security_buffer); @@ -667,7 +667,7 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session, return status; } - status = gensec_session_info(session->auth_ntlmssp_state->gensec_security, + status = gensec_session_info(session->gensec_security, session, &session->session_info); -- cgit
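Review bot: The `auth_generic_prepare` → `gensec_want_feature(..., GENSEC_FEATURE_SESSION_KEY)` → `gensec_start_mech_by_oid` sequence in smbd_smb2_raw_ntlmssp_auth is the third copy of the same setup in this file (smbd_smb2_spnego_negotiate and smbd_smb2_spnego_auth carry the other two), each with its own error handling; with the wrapper gone, one static helper that returns the started context would keep the three from diverging and put the SPNEGO-versus-NTLMSSP choice in a single place. A sketch is below; each caller then reduces to the NULL check, the helper call and the existing `TALLOC_FREE(session); return status;` on failure. The last hunk in this file is cut off at the end of the page, so its trailing context is not reviewed.
```c
/* Create and start the session's gensec context; oid selects SPNEGO or raw NTLMSSP. */
static NTSTATUS smbd_smb2_session_start_gensec(struct smbd_smb2_session *session,
					       const char *oid)
{
	NTSTATUS status;

	status = auth_generic_prepare(session, session->sconn->remote_address,
				      &session->gensec_security);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);

	status = gensec_start_mech_by_oid(session->gensec_security, oid);
	if (!NT_STATUS_IS_OK(status)) {
		/* do not leave a half-started context behind in the session */
		TALLOC_FREE(session->gensec_security);
	}
	return status;
}

/* … in smbd_smb2_raw_ntlmssp_auth, replacing the prepare/want_feature/start block … */
	if (session->gensec_security == NULL) {
		status = smbd_smb2_session_start_gensec(session,
				session->sconn->use_gensec_hook ?
				GENSEC_OID_SPNEGO : GENSEC_OID_NTLMSSP);
		if (!NT_STATUS_IS_OK(status)) {
			TALLOC_FREE(session);
			return status;
		}
	}
	/* … unchanged: RAW NTLMSSP gensec_update and gensec_session_info … */
```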