From dc35442fb163c6f14cf8c5730056a4a094ead85a Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 3 Mar 2011 01:05:33 +0100 Subject: s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.c Guenther --- source4/auth/auth.h | 1 - source4/auth/gensec/gensec.h | 2 +- source4/auth/ntlm/auth_util.c | 24 ------------------------ source4/ldap_server/ldap_bind.c | 4 ++-- source4/libcli/util/nterr.c | 27 +++++++++++++++++++++++++++ source4/smb_server/smb/sesssetup.c | 10 +++++----- source4/smb_server/smb2/sesssetup.c | 4 ++-- source4/utils/ntlm_auth.c | 2 +- 8 files changed, 38 insertions(+), 36 deletions(-) (limited to 'source4') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 70df694b1e..0e0aa01f4d 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -189,7 +189,6 @@ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, struct loadparm_context *lp_ctx, struct auth_session_info **_session_info) ; -NTSTATUS auth_nt_status_squash(NTSTATUS nt_status); NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods, struct tevent_context *ev, diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h index ad581e2fa5..3c5257c195 100644 --- a/source4/auth/gensec/gensec.h +++ b/source4/auth/gensec/gensec.h @@ -274,7 +274,7 @@ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security); NTSTATUS gensec_session_info(struct gensec_security *gensec_security, struct auth_session_info **session_info); -NTSTATUS auth_nt_status_squash(NTSTATUS nt_status); +NTSTATUS nt_status_squash(NTSTATUS nt_status); struct netlogon_creds_CredentialState; NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c index 605cd980c6..d6b53dd4c5 100644 --- a/source4/auth/ntlm/auth_util.c 
+++ b/source4/auth/ntlm/auth_util.c @@ -231,27 +231,3 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_contex return NT_STATUS_OK; } - - -/** - * Squash an NT_STATUS in line with security requirements. - * In an attempt to avoid giving the whole game away when users - * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and - * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations - * (session setups in particular). - * - * @param nt_status NTSTATUS input for squashing. - * @return the 'squashed' nt_status - **/ -_PUBLIC_ NTSTATUS auth_nt_status_squash(NTSTATUS nt_status) -{ - if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) { - /* Match WinXP and don't give the game away */ - return NT_STATUS_LOGON_FAILURE; - } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) { - /* Match WinXP and don't give the game away */ - return NT_STATUS_LOGON_FAILURE; - } - - return nt_status; -} diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 0f3d0631d0..105e64078f 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -81,7 +81,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) errstr = talloc_asprintf(reply, "Simple Bind: Failed to advise ldb new credentials: %s", nt_errstr(status)); } } else { - status = auth_nt_status_squash(status); + status = nt_status_squash(status); result = LDAP_INVALID_CREDENTIALS; errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status)); @@ -311,7 +311,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) talloc_unlink(conn, conn->gensec); conn->gensec = NULL; } else { - status = auth_nt_status_squash(status); + status = nt_status_squash(status); if (result == 0) { result = LDAP_INVALID_CREDENTIALS; errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status)); 
diff --git a/source4/libcli/util/nterr.c b/source4/libcli/util/nterr.c index cb0c081602..ca998bbf6f 100644 --- a/source4/libcli/util/nterr.c +++ b/source4/libcli/util/nterr.c @@ -929,3 +929,30 @@ NTSTATUS nt_status_string_to_code(const char *nt_status_str) } return NT_STATUS_UNSUCCESSFUL; } + +/** + * Squash an NT_STATUS in line with security requirements. + * In an attempt to avoid giving the whole game away when users + * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and + * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations + * (session setups in particular). + * + * @param nt_status NTSTATUS input for squashing. + * @return the 'squashed' nt_status + **/ + +NTSTATUS nt_status_squash(NTSTATUS nt_status) +{ + if NT_STATUS_IS_OK(nt_status) { + return nt_status; + } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) { + /* Match WinXP and don't give the game away */ + return NT_STATUS_LOGON_FAILURE; + + } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) { + /* Match WinXP and don't give the game away */ + return NT_STATUS_LOGON_FAILURE; + } else { + return nt_status; + } +} diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c index 5e4e3e514f..c4efe3919c 100644 --- a/source4/smb_server/smb/sesssetup.c +++ b/source4/smb_server/smb/sesssetup.c @@ -106,7 +106,7 @@ static void sesssetup_old_send(struct tevent_req *subreq) sess->old.out.vuid = smb_sess->vuid; failed: - status = auth_nt_status_squash(status); + status = nt_status_squash(status); smbsrv_sesssetup_backend_send(req, sess, status); } @@ -246,7 +246,7 @@ static void sesssetup_nt1_send(struct tevent_req *subreq) done: status = NT_STATUS_OK; failed: - status = auth_nt_status_squash(status); + status = nt_status_squash(status); smbsrv_sesssetup_backend_send(req, sess, status); } 
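Review bot: In the source4/libcli/util/nterr.c hunk, the doc comment on `nt_status_squash` does not state that only NT_STATUS_NO_SUCH_USER and NT_STATUS_WRONG_PASSWORD are mapped and that every other status passes through unchanged. Now that the helper has a generic name in a general utility file, a caller could assume it hides more account state than it does, so I would add ` * Every other status, including success, is returned unchanged.` to the comment. The conditions are written as `if NT_STATUS_IS_OK(nt_status) {` with no parentheses of their own, which presumably compiles only because the macro expansion supplies them; `if (NT_STATUS_IS_OK(nt_status)) {` does not depend on that, and the same applies to the two `else if NT_STATUS_EQUAL(...)` lines. The new success branch also returns the same value as the final `else`, so it could be dropped or given a comment saying it is a deliberate fast path. Finally, the prototype stays in gensec.h while the definition moves to nterr.c and loses `_PUBLIC_`; whether the library's own header and export list cover the new symbol is not visible in this diff and is worth confirming.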
@@ -348,7 +348,7 @@ static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess) nomem: status = NT_STATUS_NO_MEMORY; failed: - status = auth_nt_status_squash(status); + status = nt_status_squash(status); smbsrv_sesssetup_backend_send(req, sess, status); } @@ -397,7 +397,7 @@ static void sesssetup_spnego_send(struct tevent_req *subreq) done: sess->spnego.out.vuid = smb_sess->vuid; failed: - status = auth_nt_status_squash(status); + status = nt_status_squash(status); smbsrv_sesssetup_backend_send(req, sess, status); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { @@ -502,7 +502,7 @@ nomem: status = NT_STATUS_NO_MEMORY; failed: talloc_free(smb_sess); - status = auth_nt_status_squash(status); + status = nt_status_squash(status); smbsrv_sesssetup_backend_send(req, sess, status); } diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c index ddc161d80c..94fe0da9fa 100644 --- a/source4/smb_server/smb2/sesssetup.c +++ b/source4/smb_server/smb2/sesssetup.c @@ -99,7 +99,7 @@ static void smb2srv_sesssetup_callback(struct tevent_req *subreq) done: io->smb2.out.uid = smb_sess->vuid; failed: - req->status = auth_nt_status_squash(status); + req->status = nt_status_squash(status); smb2srv_sesssetup_send(req, io); if (!NT_STATUS_IS_OK(status) && ! NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { @@ -213,7 +213,7 @@ nomem: status = NT_STATUS_NO_MEMORY; failed: talloc_free(smb_sess); - req->status = auth_nt_status_squash(status); + req->status = nt_status_squash(status); smb2srv_sesssetup_send(req, io); } diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 2c38416b43..34f79715ff 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -662,7 +662,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out); /* don't leak 'bad password'/'no such user' info to the network client */ - nt_status = auth_nt_status_squash(nt_status); + nt_status = nt_status_squash(nt_status); if (out.length) { out_base64 = base64_encode_data_blob(mem_ctx, out); -- cgit