uint16 enc_ctx_num;
bool enc_on;
union {
- struct auth_ntlmssp_state *auth_ntlmssp_state;
+ struct gensec_security *gensec_security;
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
struct smb_tran_enc_state_gss *gss_state;
#endif
DATA_BLOB blob_out = data_blob_null;
DATA_BLOB param_out = data_blob_null;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ struct auth_ntlmssp_state *auth_ntlmssp_state;
struct smb_trans_enc_state *es = make_cli_enc_state(SMB_TRANS_ENC_NTLM);
if (!es) {
return NT_STATUS_NO_MEMORY;
}
status = auth_ntlmssp_client_prepare(NULL,
- &es->s.auth_ntlmssp_state);
+ &auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
- gensec_want_feature(es->s.auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
- gensec_want_feature(es->s.auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SEAL);
+ gensec_want_feature(auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SEAL);
- if (!NT_STATUS_IS_OK(status = auth_ntlmssp_set_username(es->s.auth_ntlmssp_state, user))) {
+ if (!NT_STATUS_IS_OK(status = auth_ntlmssp_set_username(auth_ntlmssp_state, user))) {
goto fail;
}
- if (!NT_STATUS_IS_OK(status = auth_ntlmssp_set_domain(es->s.auth_ntlmssp_state, domain))) {
+ if (!NT_STATUS_IS_OK(status = auth_ntlmssp_set_domain(auth_ntlmssp_state, domain))) {
goto fail;
}
- if (!NT_STATUS_IS_OK(status = auth_ntlmssp_set_password(es->s.auth_ntlmssp_state, pass))) {
+ if (!NT_STATUS_IS_OK(status = auth_ntlmssp_set_password(auth_ntlmssp_state, pass))) {
goto fail;
}
- if (!NT_STATUS_IS_OK(status = auth_ntlmssp_client_start(es->s.auth_ntlmssp_state))) {
+ if (!NT_STATUS_IS_OK(status = auth_ntlmssp_client_start(auth_ntlmssp_state))) {
goto fail;
}
do {
- status = gensec_update(es->s.auth_ntlmssp_state->gensec_security, es->s.auth_ntlmssp_state,
+ status = gensec_update(auth_ntlmssp_state->gensec_security, auth_ntlmssp_state,
NULL, blob_in, &blob_out);
data_blob_free(&blob_in);
data_blob_free(¶m_out);
if (cli->trans_enc_state) {
common_free_encryption_state(&cli->trans_enc_state);
}
+ /* We only need the gensec_security part from here.
+ * es is a malloc()ed pointer, so we cannot make
+ * gensec_security a talloc child */
+ es->s.gensec_security = talloc_steal(NULL, auth_ntlmssp_state->gensec_security);
cli->trans_enc_state = es;
cli->trans_enc_state->enc_on = True;
es = NULL;
}
fail:
-
+ TALLOC_FREE(auth_ntlmssp_state);
common_free_encryption_state(&es);
return status;
}
/******************************************************************************
Generic code for client and server.
- NTLM decrypt an incoming buffer.
- Abartlett tells me that SSPI puts the signature first before the encrypted
- output, so cope with the same for compatibility.
+ GENSEC decrypt an incoming buffer.
******************************************************************************/
-NTSTATUS common_ntlm_decrypt_buffer(struct auth_ntlmssp_state *auth_ntlmssp_state, char *buf)
+static NTSTATUS common_gensec_decrypt_buffer(struct gensec_security *gensec_security, char *buf)
{
NTSTATUS status;
size_t buf_len = smb_len(buf) + 4; /* Don't forget the 4 length bytes. */
- size_t data_len;
- char *inbuf;
- DATA_BLOB sig;
-
- if (buf_len < 8 + NTLMSSP_SIG_SIZE) {
+ DATA_BLOB in_buf, out_buf;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ if (buf_len < 8) {
return NT_STATUS_BUFFER_TOO_SMALL;
}
- inbuf = (char *)smb_xmemdup(buf, buf_len);
-
- /* Adjust for the signature. */
- data_len = buf_len - 8 - NTLMSSP_SIG_SIZE;
-
- /* Point at the signature. */
- sig = data_blob_const(inbuf+8, NTLMSSP_SIG_SIZE);
+ in_buf = data_blob_const(buf + 8, buf_len - 8);
- status = gensec_unseal_packet(auth_ntlmssp_state->gensec_security,
- (unsigned char *)inbuf + 8 + NTLMSSP_SIG_SIZE, /* 4 byte len + 0xFF 'E' <enc> <ctx> */
- data_len,
- (unsigned char *)inbuf + 8 + NTLMSSP_SIG_SIZE,
- data_len,
- &sig);
+ status = gensec_unwrap(gensec_security, frame, &in_buf, &out_buf);
if (!NT_STATUS_IS_OK(status)) {
- SAFE_FREE(inbuf);
+ DEBUG(0,("common_gensec_decrypt_buffer: gensec_unwrap failed. Error %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(frame);
return status;
}
- memcpy(buf + 8, inbuf + 8 + NTLMSSP_SIG_SIZE, data_len);
+ if (out_buf.length > in_buf.length) {
+ DEBUG(0,("common_gensec_decrypt_buffer: gensec_unwrap size (%u) too large (%u) !\n",
+ (unsigned int)out_buf.length,
+ (unsigned int)in_buf.length ));
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ memcpy(buf + 8, out_buf.data, out_buf.length);
/* Reset the length and overwrite the header. */
- smb_setlen(buf,data_len + 4);
+ smb_setlen(buf, out_buf.length + 4);
+
+ TALLOC_FREE(frame);
- SAFE_FREE(inbuf);
return NT_STATUS_OK;
}
/******************************************************************************
Generic code for client and server.
NTLM encrypt an outgoing buffer. Return the encrypted pointer in ppbuf_out.
- Abartlett tells me that SSPI puts the signature first before the encrypted
- output, so do the same for compatibility.
******************************************************************************/
-NTSTATUS common_ntlm_encrypt_buffer(struct auth_ntlmssp_state *auth_ntlmssp_state,
- uint16 enc_ctx_num,
- char *buf,
- char **ppbuf_out)
+static NTSTATUS common_gensec_encrypt_buffer(struct gensec_security *gensec_security,
+ uint16 enc_ctx_num,
+ char *buf,
+ char **ppbuf_out)
{
NTSTATUS status;
- char *buf_out;
- size_t data_len = smb_len(buf) - 4; /* Ignore the 0xFF SMB bytes. */
- DATA_BLOB sig;
- TALLOC_CTX *frame;
+ DATA_BLOB in_buf, out_buf;
+ size_t buf_len = smb_len(buf) + 4; /* Don't forget the 4 length bytes. */
+
+ TALLOC_CTX *frame = talloc_stackframe();
+
*ppbuf_out = NULL;
- if (data_len == 0) {
+ if (buf_len < 8) {
return NT_STATUS_BUFFER_TOO_SMALL;
}
+ in_buf = data_blob_const(buf + 8, buf_len - 8);
- frame = talloc_stackframe();
- /*
- * We know smb_len can't return a value > 128k, so no int overflow
- * check needed.
- */
-
- buf_out = SMB_XMALLOC_ARRAY(char, 8 + NTLMSSP_SIG_SIZE + data_len);
-
- /* Copy the data from the original buffer. */
-
- memcpy(buf_out + 8 + NTLMSSP_SIG_SIZE, buf + 8, data_len);
-
- smb_set_enclen(buf_out, smb_len(buf) + NTLMSSP_SIG_SIZE, enc_ctx_num);
-
- ZERO_STRUCT(sig);
-
- status = gensec_seal_packet(auth_ntlmssp_state->gensec_security,
- frame,
- (unsigned char *)buf_out + 8 + NTLMSSP_SIG_SIZE, /* 4 byte len + 0xFF 'S' <enc> <ctx> */
- data_len,
- (unsigned char *)buf_out + 8 + NTLMSSP_SIG_SIZE,
- data_len,
- &sig);
+ status = gensec_wrap(gensec_security, frame, &in_buf, &out_buf);
if (!NT_STATUS_IS_OK(status)) {
- talloc_free(frame);
- SAFE_FREE(buf_out);
+ DEBUG(0,("common_gensec_encrypt_buffer: gensec_wrap failed. Error %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(frame);
return status;
}
- /* First 16 data bytes are signature for SSPI compatibility. */
- memcpy(buf_out + 8, sig.data, NTLMSSP_SIG_SIZE);
- talloc_free(frame);
- *ppbuf_out = buf_out;
+ *ppbuf_out = (char *)SMB_MALLOC(out_buf.length + 8); /* We know this can't wrap. */
+ if (!*ppbuf_out) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ memcpy(*ppbuf_out+8, out_buf.data, out_buf.length);
+ smb_set_enclen(*ppbuf_out, out_buf.length + 4, enc_ctx_num);
+
+ TALLOC_FREE(frame);
+
return NT_STATUS_OK;
}
switch (es->smb_enc_type) {
case SMB_TRANS_ENC_NTLM:
- return common_ntlm_encrypt_buffer(es->s.auth_ntlmssp_state, es->enc_ctx_num, buffer, buf_out);
+ return common_gensec_encrypt_buffer(es->s.gensec_security, es->enc_ctx_num, buffer, buf_out);
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
case SMB_TRANS_ENC_GSS:
return common_gss_encrypt_buffer(es->s.gss_state, es->enc_ctx_num, buffer, buf_out);
switch (es->smb_enc_type) {
case SMB_TRANS_ENC_NTLM:
- return common_ntlm_decrypt_buffer(es->s.auth_ntlmssp_state, buf);
+ return common_gensec_decrypt_buffer(es->s.gensec_security, buf);
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
case SMB_TRANS_ENC_GSS:
return common_gss_decrypt_buffer(es->s.gss_state, buf);
}
if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
- if (es->s.auth_ntlmssp_state) {
- TALLOC_FREE(es->s.auth_ntlmssp_state);
+ if (es->s.gensec_security) {
+ TALLOC_FREE(es->s.gensec_security);
}
}
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
struct smb_srv_trans_enc_ctx {
struct smb_trans_enc_state *es;
- struct auth_ntlmssp_state *auth_ntlmssp_state; /* Must be kept in sync with pointer in ec->ntlmssp_state. */
+ struct gensec_security *gensec_security; /* Must be kept in sync with pointer in ec->ntlmssp_state. */
};
/******************************************************************************
static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address,
struct smb_srv_trans_enc_ctx *ec)
{
+ struct auth_ntlmssp_state *auth_ntlmssp_state;
NTSTATUS status = auth_ntlmssp_prepare(remote_address,
- &ec->auth_ntlmssp_state);
+ &auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
return nt_status_squash(status);
}
- gensec_want_feature(ec->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SEAL);
+ gensec_want_feature(auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SEAL);
- status = auth_ntlmssp_start(ec->auth_ntlmssp_state);
+ status = auth_ntlmssp_start(auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(auth_ntlmssp_state);
return nt_status_squash(status);
}
* We must remember to update the pointer copy for the common
* functions after any auth_ntlmssp_start/auth_ntlmssp_end.
*/
- ec->es->s.auth_ntlmssp_state = ec->auth_ntlmssp_state;
+ ec->es->s.gensec_security = ec->gensec_security;
+
+ /* We do not need the auth_ntlmssp layer any more, which was
+ * allocated on NULL, so promote gensec_security to the NULL
+ * context */
+ ec->gensec_security = talloc_move(NULL, &auth_ntlmssp_state->gensec_security);
+ TALLOC_FREE(auth_ntlmssp_state);
+
return status;
}
* functions after any auth_ntlmssp_start/auth_ntlmssp_end.
*/
- if (ec->auth_ntlmssp_state) {
- TALLOC_FREE(ec->auth_ntlmssp_state);
+ if (ec->gensec_security) {
+ TALLOC_FREE(ec->gensec_security);
/* The auth_ntlmssp_end killed this already. */
- ec->es->s.auth_ntlmssp_state = NULL;
+ ec->es->s.gensec_security = NULL;
}
}
return status;
}
- status = gensec_update(partial_srv_trans_enc_ctx->auth_ntlmssp_state->gensec_security,
- partial_srv_trans_enc_ctx->auth_ntlmssp_state, NULL,
+ status = gensec_update(partial_srv_trans_enc_ctx->gensec_security,
+ partial_srv_trans_enc_ctx->gensec_security, NULL,
secblob, &chal);
/* status here should be NT_STATUS_MORE_PROCESSING_REQUIRED
/* We must have a partial context here. */
- if (!ec || !ec->es || ec->auth_ntlmssp_state == NULL || ec->es->smb_enc_type != SMB_TRANS_ENC_NTLM) {
+ if (!ec || !ec->es || ec->gensec_security == NULL || ec->es->smb_enc_type != SMB_TRANS_ENC_NTLM) {
srv_free_encryption_context(&partial_srv_trans_enc_ctx);
return NT_STATUS_INVALID_PARAMETER;
}
return NT_STATUS_INVALID_PARAMETER;
}
- status = gensec_update(ec->auth_ntlmssp_state->gensec_security, talloc_tos(), NULL, auth, &auth_reply);
+ status = gensec_update(ec->gensec_security, talloc_tos(), NULL, auth, &auth_reply);
data_blob_free(&auth);
/* From RFC4178.
}
ec = partial_srv_trans_enc_ctx;
- if (!ec || !ec->es || ec->auth_ntlmssp_state == NULL || ec->es->smb_enc_type != SMB_TRANS_ENC_NTLM) {
+ if (!ec || !ec->es || ec->gensec_security == NULL || ec->es->smb_enc_type != SMB_TRANS_ENC_NTLM) {
srv_free_encryption_context(&partial_srv_trans_enc_ctx);
return NT_STATUS_INVALID_PARAMETER;
}
/* Second step. */
- status = gensec_update(partial_srv_trans_enc_ctx->auth_ntlmssp_state->gensec_security,
+ status = gensec_update(partial_srv_trans_enc_ctx->gensec_security,
talloc_tos(), NULL,
blob, &response);
}
if (ec->es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
- if (!gensec_have_feature(ec->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SIGN)) {
+ if (!gensec_have_feature(ec->gensec_security, GENSEC_FEATURE_SIGN)) {
return NT_STATUS_INVALID_PARAMETER;
}
- if (!gensec_have_feature(ec->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SEAL)) {
+ if (!gensec_have_feature(ec->gensec_security, GENSEC_FEATURE_SEAL)) {
return NT_STATUS_INVALID_PARAMETER;
}
}