s3-ntlmssp Split calls to gensec plugin into prepare and start
authorAndrew Bartlett <abartlet@samba.org>
Tue, 26 Jul 2011 00:01:39 +0000 (10:01 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 3 Aug 2011 08:48:04 +0000 (18:48 +1000)
GENSEC has the concept of starting the GENSEC subsystem before starting the
actual mechanism.  Between these two stages is when most context methods
are called, to specify credentials and features.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
source3/auth/auth.c
source3/auth/auth_ntlmssp.c
source3/auth/auth_samba4.c
source3/include/auth.h

index df93e0d27a8953dd8cabb12e438d09a04581a57f..f2cd7032972de2a8be6d46bd0be5f834aa7e775e 100644 (file)
@@ -462,8 +462,9 @@ static NTSTATUS make_auth_context_text_list(TALLOC_CTX *mem_ctx,
 
        /* Look for the first module to provide a start_gensec hook, and set that if provided */
        for (method = (*auth_context)->auth_method_list; method; method = method->next) {
 
        /* Look for the first module to provide a start_gensec hook, and set that if provided */
        for (method = (*auth_context)->auth_method_list; method; method = method->next) {
-               if (method->start_gensec) {
-                       (*auth_context)->start_gensec = method->start_gensec;
+               if (method->prepare_gensec && method->gensec_start_mech_by_oid) {
+                       (*auth_context)->prepare_gensec = method->prepare_gensec;
+                       (*auth_context)->gensec_start_mech_by_oid = method->gensec_start_mech_by_oid;
                        break;
                }
        }
                        break;
                }
        }
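Review bot: The comment above the loop still refers to a `start_gensec` hook, which this hunk removes in favour of the `prepare_gensec`/`gensec_start_mech_by_oid` pair, so it no longer matches the condition on the `if` line. Suggest `/* Look for the first module to provide both the prepare_gensec and gensec_start_mech_by_oid hooks, and set them if provided */`. A module that sets only one of the two pointers is now skipped silently; if that is a module bug rather than a supported state, an `else if` with a `DEBUG` line would make it visible instead of leaving both context pointers unset. make_auth_context_text_list begins and continues outside the hunk.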
index 64307bea48955dbd4f17359c2ea932d57f2507e4..c078416aad0fa456b2dedf203756dc47d2d8c368 100644 (file)
@@ -212,14 +212,20 @@ NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
                return nt_status;
        }
 
                return nt_status;
        }
 
-       if (auth_context->start_gensec) {
-               nt_status = auth_context->start_gensec(ans, GENSEC_OID_NTLMSSP, &ans->gensec_security);
+       if (auth_context->prepare_gensec) {
+               nt_status = auth_context->prepare_gensec(ans, &ans->gensec_security);
                if (!NT_STATUS_IS_OK(nt_status)) {
                        TALLOC_FREE(ans);
                        return nt_status;
                } else {
                if (!NT_STATUS_IS_OK(nt_status)) {
                        TALLOC_FREE(ans);
                        return nt_status;
                } else {
-                       *auth_ntlmssp_state = ans;
-                       return NT_STATUS_OK;
+                       nt_status = auth_context->gensec_start_mech_by_oid(ans->gensec_security, GENSEC_OID_NTLMSSP);
+                       if (!NT_STATUS_IS_OK(nt_status)) {
+                               TALLOC_FREE(ans);
+                               return nt_status;
+                       } else {
+                               *auth_ntlmssp_state = ans;
+                               return NT_STATUS_OK;
+                       }
                }
        }
 
                }
        }
 
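Review bot: The new call through `auth_context->gensec_start_mech_by_oid` is guarded only by the `prepare_gensec` NULL check, so it relies on the two pointers always being populated together (which the auth.c hunk in this commit does) without stating or checking that at the call site. Either guard on both, `if (auth_context->prepare_gensec && auth_context->gensec_start_mech_by_oid) {`, or add `/* prepare_gensec and gensec_start_mech_by_oid are set as a pair by make_auth_context_text_list */` above the `if`. The `else` after each `return` is redundant; letting the success path fall through would drop two levels of nesting with identical behaviour. The failure paths free `ans`, which presumably also releases the gensec context since `ans` is the mem_ctx passed to `prepare_gensec` — worth confirming. auth_ntlmssp_start starts and ends outside the hunk.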
index cf185f750a6c788cbf3149d763b8ab900d4c2dcd..2c9a6a0f8c334d36d7db67bcf350e1de10ca4202 100644 (file)
@@ -97,8 +97,8 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
 
 /* Hook to allow GENSEC to handle blob-based authentication
  * mechanisms, without directly linking the mechansim code */
 
 /* Hook to allow GENSEC to handle blob-based authentication
  * mechanisms, without directly linking the mechansim code */
-static NTSTATUS start_gensec(TALLOC_CTX *mem_ctx, const char *oid_string,
-                             struct gensec_security **gensec_context)
+static NTSTATUS prepare_gensec(TALLOC_CTX *mem_ctx,
+                              struct gensec_security **gensec_context)
 {
        NTSTATUS status;
        struct loadparm_context *lp_ctx;
 {
        NTSTATUS status;
        struct loadparm_context *lp_ctx;
@@ -165,15 +165,8 @@ static NTSTATUS start_gensec(TALLOC_CTX *mem_ctx, const char *oid_string,
        gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
        gensec_want_feature(gensec_ctx, GENSEC_FEATURE_UNIX_TOKEN);
 
        gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
        gensec_want_feature(gensec_ctx, GENSEC_FEATURE_UNIX_TOKEN);
 
-       status = gensec_start_mech_by_oid(gensec_ctx, oid_string);
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1, ("Failed to start GENSEC %s server code: %s\n",
-                         gensec_get_name_by_oid(gensec_ctx, oid_string), nt_errstr(status)));
-               TALLOC_FREE(frame);
-               return status;
-       }
-
        *gensec_context = gensec_ctx;
        *gensec_context = gensec_ctx;
+       TALLOC_FREE(frame);
        return status;
 }
 
        return status;
 }
 
@@ -192,7 +185,8 @@ static NTSTATUS auth_init_samba4(struct auth_context *auth_context,
        }
        result->name = "samba4";
        result->auth = check_samba4_security;
        }
        result->name = "samba4";
        result->auth = check_samba4_security;
-       result->start_gensec = start_gensec;
+       result->prepare_gensec = prepare_gensec;
+       result->gensec_start_mech_by_oid = gensec_start_mech_by_oid;
 
         *auth_method = result;
        return NT_STATUS_OK;
 
         *auth_method = result;
        return NT_STATUS_OK;
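Review bot: In the second hunk of this file, `prepare_gensec` now ends with `return status;` although nothing in the hunk assigns `status` any more; with the `gensec_start_mech_by_oid` call removed, the value returned on the success path is whatever an earlier call stored, and that assignment is outside the hunk. Changing the final line to `return NT_STATUS_OK;` makes the success path self-evident and prevents a later non-fatal status assignment from leaking to the caller. The newly added `TALLOC_FREE(frame);` is only safe if `gensec_ctx` was allocated under `mem_ctx` rather than `frame`; that allocation is earlier in the function and not visible here, so it should be confirmed. The function's opening and body both extend outside these hunks.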
index 3545e27d201480b3adff0afe457f89b6152e7016..5c842fd550a0cfd5160853d21d20696d51219dec 100644 (file)
@@ -96,8 +96,9 @@ struct auth_context {
                                        struct auth_serversupplied_info **server_info);
        NTSTATUS (*nt_status_squash)(NTSTATUS nt_status);
 
                                        struct auth_serversupplied_info **server_info);
        NTSTATUS (*nt_status_squash)(NTSTATUS nt_status);
 
-       NTSTATUS (*start_gensec)(TALLOC_CTX *mem_ctx, const char *oid_string,
+       NTSTATUS (*prepare_gensec)(TALLOC_CTX *mem_ctx,
                                 struct gensec_security **gensec_context);
                                 struct gensec_security **gensec_context);
+       NTSTATUS (*gensec_start_mech_by_oid)(struct gensec_security *gensec_context, const char *oid_string);
 };
 
 typedef struct auth_methods
 };
 
 typedef struct auth_methods
@@ -119,10 +120,10 @@ typedef struct auth_methods
                              void **my_private_data, 
                              TALLOC_CTX *mem_ctx);
 
                              void **my_private_data, 
                              TALLOC_CTX *mem_ctx);
 
-       /* Optional method allowing this module to provide a way to get a gensec context */
-       NTSTATUS (*start_gensec)(TALLOC_CTX *mem_ctx, const char *oid_string,
+       /* Optional methods allowing this module to provide a way to get a gensec context */
+       NTSTATUS (*prepare_gensec)(TALLOC_CTX *mem_ctx,
                                 struct gensec_security **gensec_context);
                                 struct gensec_security **gensec_context);
-
+       NTSTATUS (*gensec_start_mech_by_oid)(struct gensec_security *gensec_context, const char *oid_string);
        /* Used to keep tabs on things like the cli for SMB server authentication */
        void *private_data;
 
        /* Used to keep tabs on things like the cli for SMB server authentication */
        void *private_data;
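Review bot: The new `gensec_start_mech_by_oid` members in `struct auth_context` and `struct auth_methods` carry no comment, and the `auth_methods` comment still says "Optional methods" even though the auth.c loop in this commit only honours a module that provides both hooks. Suggest `/* Optional pair of methods for handing out a gensec context: prepare_gensec creates and configures it, gensec_start_mech_by_oid selects the mechanism. Both must be set or neither is used. */` in `auth_methods`, and `/* Set together from the first auth method providing both; see make_auth_context_text_list */` above the `auth_context` members. The second hunk also removes the blank line that separated these members from `private_data`, which breaks the grouping the rest of the struct uses. Both structs extend outside the hunks.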