From 3042e38d519411e774e110b16a2eeeaef4b25a65 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 26 Dec 2011 14:23:15 +1100
Subject: s3-auth use gensec directly rather than via auth_generic_state
This is possible because the s3 gensec modules are started as normal gensec modules, so we do not need a wrapper any more.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher
---
 source3/smbd/globals.h | 2 +-
 source3/smbd/negprot.c | 10 ++++----
 source3/smbd/password.c | 4 ++--
 source3/smbd/seal.c | 15 ++++++------
 source3/smbd/sesssetup.c | 54 +++++++++++++++++++++----------------------
 source3/smbd/smb2_sesssetup.c | 40 ++++++++++++++++----------------
 6 files changed, 62 insertions(+), 63 deletions(-)
(limited to 'source3/smbd')
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 631298b155..44a76c4fb3 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -410,7 +410,7 @@ struct smbd_smb2_session {
 	struct smbd_server_connection *sconn;
 	NTSTATUS status;
 	uint64_t vuid;
-	struct auth_generic_state *auth_ntlmssp_state;
+	struct gensec_security *gensec_security;
 	struct auth_session_info *session_info;
 	DATA_BLOB session_key;
 	bool do_signing;
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 0a06e4a3d7..66da049bda 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -199,18 +199,18 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
 				   OID_NTLMSSP,
 				   NULL};
 	const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL};
-	struct auth_generic_state *auth_ntlmssp_state;
+	struct gensec_security *gensec_security;
 	sconn->use_gensec_hook = false;
 	/* See if we can get an SPNEGO blob out of the gensec hook (if auth_samba4 is loaded) */
 	status = auth_generic_prepare(talloc_tos(), sconn->remote_address,
-				      &auth_ntlmssp_state);
+				      &gensec_security);
 	if (NT_STATUS_IS_OK(status)) {
-		status = auth_generic_start(auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+		status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
 		if (NT_STATUS_IS_OK(status)) {
-			status = gensec_update(auth_ntlmssp_state->gensec_security, ctx,
+			status = gensec_update(gensec_security, ctx,
 					       NULL, data_blob_null, &blob);
 			/* If we get the list of OIDs, the 'OK' answer
 			 * is NT_STATUS_MORE_PROCESSING_REQUIRED */
@@ -218,7 +218,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
 			sconn->use_gensec_hook = true;
 		}
 	}
-	TALLOC_FREE(auth_ntlmssp_state);
+	TALLOC_FREE(gensec_security);
 }
 	sconn->smb1.negprot.spnego = true;
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 7ccf2ea327..9df99ef6b1 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -124,8 +124,8 @@ void invalidate_vuid(struct smbd_server_connection *sconn, uint16 vuid)
 	session_yield(vuser);
-	if (vuser->auth_ntlmssp_state) {
-		TALLOC_FREE(vuser->auth_ntlmssp_state);
+	if (vuser->gensec_security) {
+		TALLOC_FREE(vuser->gensec_security);
 	}
 	DLIST_REMOVE(sconn->smb1.sessions.validated_users, vuser);
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index a609a3bad3..4393c1b27c 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
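Review bot: In the password.c hunk, the `if (vuser->gensec_security)` guard around `TALLOC_FREE(vuser->gensec_security);` is redundant, since TALLOC_FREE() already tests the pointer for NULL before freeing and nulling it; the two new lines and their closing brace can become the single line `TALLOC_FREE(vuser->gensec_security);`. That also matches how the same commit frees the probe context unguarded in negprot.c and seal.c. The rest of invalidate_vuid() lies outside the hunk.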
@@ -73,33 +73,32 @@ bool is_encrypted_packet(struct smbd_server_connection *sconn,
 }
 /******************************************************************************
- Create an auth_ntlmssp_state and ensure pointer copy is correct.
+ Create an gensec_security and ensure pointer copy is correct.
 ******************************************************************************/
 static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address,
 				  struct smb_trans_enc_state *es)
 {
-	struct auth_generic_state *auth_ntlmssp_state;
+	struct gensec_security *gensec_security;
 	NTSTATUS status = auth_generic_prepare(NULL, remote_address,
-					       &auth_ntlmssp_state);
+					       &gensec_security);
 	if (!NT_STATUS_IS_OK(status)) {
 		return nt_status_squash(status);
 	}
-	gensec_want_feature(auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SEAL);
+	gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
-	status = auth_generic_start(auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+	status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_NTLMSSP);
 	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(auth_ntlmssp_state);
+		TALLOC_FREE(gensec_security);
 		return nt_status_squash(status);
 	}
 	/* We do not need the auth_ntlmssp layer any more, which was
 	 * allocated on NULL, so promote gensec_security to the NULL
 	 * context */
-	es->s.gensec_security = talloc_move(NULL, &auth_ntlmssp_state->gensec_security);
-	TALLOC_FREE(auth_ntlmssp_state);
+	es->s.gensec_security = gensec_security;
 	return status;
 }
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index a15afd5e35..f1672ab1ad 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -420,7 +420,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
 static void reply_spnego_ntlmssp(struct smb_request *req,
 				 uint16 vuid,
-				 struct auth_generic_state **auth_ntlmssp_state,
+				 struct gensec_security **gensec_security,
 				 DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status, const char *OID, bool wrap)
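Review bot: The comment block above the new `es->s.gensec_security = gensec_security;` in seal.c is now stale: there is no auth_ntlmssp layer left and nothing is promoted anywhere, because the context is already allocated on the NULL talloc context by `auth_generic_prepare(NULL, remote_address, &gensec_security)` a few lines up. Replace the three comment lines with `/* gensec_security was allocated on the NULL context by auth_generic_prepare(); es takes ownership of it */`. The function header has the same problem ("Create an gensec_security and ensure pointer copy is correct" is both ungrammatical and describes a copy that no longer happens) and could read `Create a gensec_security context for sealing and hand it to es.`. The function name make_auth_ntlmssp is a leftover of the same kind, but its callers are outside the hunk.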
@@ -431,7 +431,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 	struct smbd_server_connection *sconn = req->sconn;
 	if (NT_STATUS_IS_OK(nt_status)) {
-		nt_status = gensec_session_info((*auth_ntlmssp_state)->gensec_security,
+		nt_status = gensec_session_info(*gensec_security,
 						talloc_tos(),
 						&session_info);
 	}
@@ -452,7 +452,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 		if (register_existing_vuid(sconn, vuid,
 					   session_info, nullblob) !=
 					   vuid) {
-			/* The problem is, *auth_ntlmssp_state points
+			/* The problem is, *gensec_security points
 			 * into the vuser this will have
 			 * talloc_free()'ed in
 			 * register_existing_vuid() */
@@ -492,7 +492,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 	if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		/* NB. This is *NOT* an error case. JRA */
 		if (do_invalidate) {
-			TALLOC_FREE(*auth_ntlmssp_state);
+			TALLOC_FREE(*gensec_security);
 			if (!NT_STATUS_IS_OK(nt_status)) {
 				/* Kill the intermediate vuid */
 				invalidate_vuid(sconn, vuid);
@@ -578,7 +578,7 @@ static void reply_spnego_downgrade_to_ntlmssp(struct smb_request *req,
 static void reply_spnego_negotiate(struct smb_request *req,
 				   uint16 vuid,
 				   DATA_BLOB blob1,
-				   struct auth_generic_state **auth_ntlmssp_state)
+				   struct gensec_security **gensec_security)
 {
 	DATA_BLOB secblob;
 	DATA_BLOB chal;
@@ -614,7 +614,7 @@ static void reply_spnego_negotiate(struct smb_request *req,
 	}
 #endif
-	TALLOC_FREE(*auth_ntlmssp_state);
+	TALLOC_FREE(*gensec_security);
 	if (kerb_mech) {
 		data_blob_free(&secblob);
@@ -626,7 +626,7 @@ static void reply_spnego_negotiate(struct smb_request *req,
 	}
 	status = auth_generic_prepare(NULL, sconn->remote_address,
-				      auth_ntlmssp_state);
+				      gensec_security);
 	if (!NT_STATUS_IS_OK(status)) {
 		/* Kill the intermediate vuid */
 		invalidate_vuid(sconn, vuid);
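Review bot: `auth_generic_prepare(NULL, sconn->remote_address, gensec_security)` in the @@ -626 hunk allocates the new context on the NULL talloc context, yet the result lands in the caller's `vuser->gensec_security` (reply_spnego_negotiate is called with `&vuser->gensec_security` at @@ -1189), while reply_sesssetup_and_X_spnego at @@ -1144 parents the very same kind of context on `vuser`. With a NULL parent the context is only reclaimed when something explicitly frees that field, as invalidate_vuid() does in password.c; any other teardown of the vuser leaks the gensec context and whatever authentication state it holds. Consider parenting it on the vuser here and in the identical call at @@ -736, or record the intent with `/* parented on NULL on purpose: released via invalidate_vuid() or TALLOC_FREE(*gensec_security) */`. Note that vuser itself is not in scope in this function, which only receives vuid, so the parent would have to come from the caller. The enclosing reply_spnego_negotiate starts and ends outside the hunk.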
@@ -634,9 +634,9 @@ static void reply_spnego_negotiate(struct smb_request *req,
 		return;
 	}
-	gensec_want_feature((*auth_ntlmssp_state)->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+	gensec_want_feature(*gensec_security, GENSEC_FEATURE_SESSION_KEY);
-	status = auth_generic_start(*auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+	status = gensec_start_mech_by_oid(*gensec_security, GENSEC_OID_NTLMSSP);
 	if (!NT_STATUS_IS_OK(status)) {
 		/* Kill the intermediate vuid */
 		invalidate_vuid(sconn, vuid);
@@ -644,12 +644,12 @@ static void reply_spnego_negotiate(struct smb_request *req,
 		return;
 	}
-	status = gensec_update((*auth_ntlmssp_state)->gensec_security, talloc_tos(),
+	status = gensec_update(*gensec_security, talloc_tos(),
 			       NULL, secblob, &chal);
 	data_blob_free(&secblob);
-	reply_spnego_ntlmssp(req, vuid, auth_ntlmssp_state,
+	reply_spnego_ntlmssp(req, vuid, gensec_security,
 			     &chal, status, OID_NTLMSSP, true);
 	data_blob_free(&chal);
@@ -665,7 +665,7 @@ static void reply_spnego_negotiate(struct smb_request *req,
 static void reply_spnego_auth(struct smb_request *req,
 			      uint16 vuid,
 			      DATA_BLOB blob1,
-			      struct auth_generic_state **auth_ntlmssp_state)
+			      struct gensec_security **gensec_security)
 {
 	DATA_BLOB auth = data_blob_null;
 	DATA_BLOB auth_reply = data_blob_null;
@@ -736,9 +736,9 @@ static void reply_spnego_auth(struct smb_request *req,
 	/* If we get here it wasn't a negTokenTarg auth packet. */
 	data_blob_free(&secblob);
-	if (!*auth_ntlmssp_state) {
+	if (!*gensec_security) {
 		status = auth_generic_prepare(NULL, sconn->remote_address,
-					      auth_ntlmssp_state);
+					      gensec_security);
 		if (!NT_STATUS_IS_OK(status)) {
 			/* Kill the intermediate vuid */
 			invalidate_vuid(sconn, vuid);
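Review bot: The prepare / `gensec_want_feature(..., GENSEC_FEATURE_SESSION_KEY)` / `gensec_start_mech_by_oid(...)` sequence that the @@ -634 hunk rewrites is repeated almost verbatim at @@ -736/-746 and @@ -1144/-1155 in this file and at @@ -376, @@ -560 and @@ -635 in smb2_sesssetup.c, differing only in the talloc parent and the mechanism OID. Now that the wrapper struct is gone there is no reason for six copies; a small shared helper would also give the start-failure path one place to release the half-initialised context, which the SMB1 call sites currently leave to invalidate_vuid() and the SMB2 ones to TALLOC_FREE(session). A sketch is below; where it should live (a header shared by sesssetup.c and smb2_sesssetup.c) is outside what this diff shows. The enclosing reply_spnego_negotiate starts and ends outside the hunk.
```c
/* Allocate a gensec context on mem_ctx, ask for a session key and start
 * the mechanism identified by oid.  On failure nothing is left allocated
 * and *gensec_security is NULL. */
static NTSTATUS smbd_gensec_prepare_and_start(TALLOC_CTX *mem_ctx,
					      const struct tsocket_address *remote_address,
					      const char *oid,
					      struct gensec_security **gensec_security)
{
	NTSTATUS status = auth_generic_prepare(mem_ctx, remote_address,
					       gensec_security);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}
	gensec_want_feature(*gensec_security, GENSEC_FEATURE_SESSION_KEY);
	status = gensec_start_mech_by_oid(*gensec_security, oid);
	if (!NT_STATUS_IS_OK(status)) {
		TALLOC_FREE(*gensec_security);
	}
	return status;
}
/* … unchanged: reply_spnego_negotiate would then call the helper and keep its invalidate_vuid() handling … */
```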
@@ -746,9 +746,9 @@ static void reply_spnego_auth(struct smb_request *req,
 			return;
 		}
-		gensec_want_feature((*auth_ntlmssp_state)->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+		gensec_want_feature(*gensec_security, GENSEC_FEATURE_SESSION_KEY);
-		status = auth_generic_start(*auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+		status = gensec_start_mech_by_oid(*gensec_security, GENSEC_OID_NTLMSSP);
 		if (!NT_STATUS_IS_OK(status)) {
 			/* Kill the intermediate vuid */
 			invalidate_vuid(sconn, vuid);
@@ -757,7 +757,7 @@ static void reply_spnego_auth(struct smb_request *req,
 		}
 	}
-	status = gensec_update((*auth_ntlmssp_state)->gensec_security, talloc_tos(),
+	status = gensec_update(*gensec_security, talloc_tos(),
 			       NULL, auth, &auth_reply);
 	data_blob_free(&auth);
@@ -765,7 +765,7 @@ static void reply_spnego_auth(struct smb_request *req,
 	/* Don't send the mechid as we've already sent this (RFC4178). */
 	reply_spnego_ntlmssp(req, vuid,
-			     auth_ntlmssp_state,
+			     gensec_security,
 			     &auth_reply, status, NULL, true);
 	data_blob_free(&auth_reply);
@@ -1144,9 +1144,9 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 	if (sconn->use_gensec_hook || ntlmssp_blob_matches_magic(&blob1)) {
 		DATA_BLOB chal;
-		if (!vuser->auth_ntlmssp_state) {
+		if (!vuser->gensec_security) {
 			status = auth_generic_prepare(vuser, sconn->remote_address,
-						      &vuser->auth_ntlmssp_state);
+						      &vuser->gensec_security);
 			if (!NT_STATUS_IS_OK(status)) {
 				/* Kill the intermediate vuid */
 				invalidate_vuid(sconn, vuid);
@@ -1155,12 +1155,12 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 				return;
 			}
-			gensec_want_feature(vuser->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+			gensec_want_feature(vuser->gensec_security, GENSEC_FEATURE_SESSION_KEY);
 			if (sconn->use_gensec_hook) {
-				status = auth_generic_start(vuser->auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+				status = gensec_start_mech_by_oid(vuser->gensec_security, GENSEC_OID_SPNEGO);
 			} else {
-				status = auth_generic_start(vuser->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+				status = gensec_start_mech_by_oid(vuser->gensec_security, GENSEC_OID_NTLMSSP);
 			}
 			if (!NT_STATUS_IS_OK(status)) {
 				/* Kill the intermediate vuid */
@@ -1171,14 +1171,14 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 			}
 		}
-		status = gensec_update(vuser->auth_ntlmssp_state->gensec_security,
+		status = gensec_update(vuser->gensec_security,
 				       talloc_tos(),
 				       NULL, blob1, &chal);
 		data_blob_free(&blob1);
 		reply_spnego_ntlmssp(req, vuid,
-				     &vuser->auth_ntlmssp_state,
+				     &vuser->gensec_security,
 				     &chal, status, NULL, false);
 		data_blob_free(&chal);
 		return;
@@ -1189,7 +1189,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 		/* its a negTokenTarg packet */
 		reply_spnego_negotiate(req, vuid, blob1,
-				       &vuser->auth_ntlmssp_state);
+				       &vuser->gensec_security);
 		data_blob_free(&blob1);
 		return;
 	}
@@ -1199,7 +1199,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 		/* its a auth packet */
 		reply_spnego_auth(req, vuid, blob1,
-				  &vuser->auth_ntlmssp_state);
+				  &vuser->gensec_security);
 		data_blob_free(&blob1);
 		return;
 	}
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 0a9edbc273..3878b76820 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -243,7 +243,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 		status = NT_STATUS_NO_MEMORY;
 		goto fail;
 	}
-	session->compat_vuser->auth_ntlmssp_state = NULL;
+	session->compat_vuser->gensec_security = NULL;
 	session->compat_vuser->homes_snum = -1;
 	session->compat_vuser->session_info = session->session_info;
 	session->compat_vuser->session_keystr = NULL;
@@ -341,7 +341,7 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 	NTSTATUS status;
 	/* Ensure we have no old NTLM state around. */
-	TALLOC_FREE(session->auth_ntlmssp_state);
+	TALLOC_FREE(session->gensec_security);
 	status = parse_spnego_mechanisms(talloc_tos(),
 			in_security_buffer, &secblob_in, &kerb_mech);
@@ -376,19 +376,19 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 	} else {
 		/* Fall back to NTLMSSP. */
 		status = auth_generic_prepare(session, session->sconn->remote_address,
-					      &session->auth_ntlmssp_state);
+					      &session->gensec_security);
 		if (!NT_STATUS_IS_OK(status)) {
 			goto out;
 		}
-		gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+		gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
-		status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+		status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP);
 		if (!NT_STATUS_IS_OK(status)) {
 			goto out;
 		}
-		status = gensec_update(session->auth_ntlmssp_state->gensec_security,
+		status = gensec_update(session->gensec_security,
 				       talloc_tos(), NULL,
 				       secblob_in, &chal_out);
@@ -453,7 +453,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
 		TALLOC_FREE(session);
 		return NT_STATUS_NO_MEMORY;
 	}
-	session->compat_vuser->auth_ntlmssp_state = session->auth_ntlmssp_state;
+	session->compat_vuser->gensec_security = session->gensec_security;
 	session->compat_vuser->homes_snum = -1;
 	session->compat_vuser->session_info = session->session_info;
 	session->compat_vuser->session_keystr = NULL;
@@ -560,18 +560,18 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 		data_blob_free(&secblob_in);
 	}
-	if (session->auth_ntlmssp_state == NULL) {
+	if (session->gensec_security == NULL) {
 		status = auth_generic_prepare(session, session->sconn->remote_address,
-					      &session->auth_ntlmssp_state);
+					      &session->gensec_security);
 		if (!NT_STATUS_IS_OK(status)) {
 			data_blob_free(&auth);
 			TALLOC_FREE(session);
 			return status;
 		}
-		gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+		gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
-		status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+		status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP);
 		if (!NT_STATUS_IS_OK(status)) {
 			data_blob_free(&auth);
 			TALLOC_FREE(session);
@@ -579,14 +579,14 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 		}
 	}
-	status = gensec_update(session->auth_ntlmssp_state->gensec_security,
+	status = gensec_update(session->gensec_security,
 			       talloc_tos(), NULL,
 			       auth, &auth_out);
 	/* If status is NT_STATUS_OK then we need to get the token.
 	 * Map to guest is now internal to auth_ntlmssp */
 	if (NT_STATUS_IS_OK(status)) {
-		status = gensec_session_info(session->auth_ntlmssp_state->gensec_security,
+		status = gensec_session_info(session->gensec_security,
 					     session,
 					     &session->session_info);
 	}
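Review bot: `session->compat_vuser->gensec_security = session->gensec_security;` in the @@ -453 hunk leaves two structures holding the same pointer with no talloc relationship between them, and invalidate_vuid() in password.c (earlier in this commit) frees whatever it finds in `vuser->gensec_security`. If that path can run for the compat vuser while the SMB2 session still holds its copy, session->gensec_security is left dangling; whether it can is outside the hunk, and the aliasing itself predates this commit. Recording the intended owner next to the assignment, e.g. `/* alias only: the context is owned by session; invalidate_vuid() frees it through this field */`, would at least make the contract visible, and clearing compat_vuser->gensec_security wherever the session tears down its own copy would close the window. The enclosing smbd_smb2_common_ntlmssp_auth_return starts and ends outside the hunk.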
@@ -635,20 +635,20 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
 	*out_security_buffer = data_blob_null;
-	if (session->auth_ntlmssp_state == NULL) {
+	if (session->gensec_security == NULL) {
 		status = auth_generic_prepare(session, session->sconn->remote_address,
-					      &session->auth_ntlmssp_state);
+					      &session->gensec_security);
 		if (!NT_STATUS_IS_OK(status)) {
 			TALLOC_FREE(session);
 			return status;
 		}
-		gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+		gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
 		if (session->sconn->use_gensec_hook) {
-			status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+			status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_SPNEGO);
 		} else {
-			status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+			status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP);
 		}
 		if (!NT_STATUS_IS_OK(status)) {
 			TALLOC_FREE(session);
@@ -657,7 +657,7 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
 	}
 	/* RAW NTLMSSP */
-	status = gensec_update(session->auth_ntlmssp_state->gensec_security,
+	status = gensec_update(session->gensec_security,
 			       smb2req, NULL,
 			       in_security_buffer, out_security_buffer);
@@ -667,7 +667,7 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
 		return status;
 	}
-	status = gensec_session_info(session->auth_ntlmssp_state->gensec_security,
+	status = gensec_session_info(session->gensec_security,
 				     session,
 				     &session->session_info);
-- cgit