s3-smbd Remove unused code now we always have SPNEGO via gensec

[ira/wip.git] / source3 / smbd / negprot.c

diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 9b58a79795e9332001f35ddd88754648bfd1883e..717000a4327cb41d5df8c14fc251ca6b6262b845 100644 (file)
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -24,10 +24,10 @@
 #include "../libcli/auth/spnego.h"
 #include "serverid.h"
 #include "auth.h"
-#include "ntlmssp_wrap.h"
 #include "messages.h"
 #include "smbprofile.h"
 #include "auth/gensec/gensec.h"
+#include "../libcli/smb/smb_signing.h"
 
 extern fstring remote_proto;
 
@@ -193,30 +193,25 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
 #ifdef DEVELOPER
        size_t slen;
 #endif
-       const char *OIDs_krb5[] = {OID_KERBEROS5,
-                                  OID_KERBEROS5_OLD,
-                                  OID_NTLMSSP,
-                                  NULL};
-       const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL};
-       struct auth_ntlmssp_state *auth_ntlmssp_state;
-
-       sconn->use_gensec_hook = false;
-
-       /* See if we can get an SPNEGO blob out of the gensec hook (if auth_samba4 is loaded) */
-       status = auth_ntlmssp_prepare(sconn->remote_address,
-                                     &auth_ntlmssp_state);
+       struct gensec_security *gensec_security;
+
+       /* See if we can get an SPNEGO blob */
+       status = auth_generic_prepare(talloc_tos(),
+                                     sconn->remote_address,
+                                     &gensec_security);
        if (NT_STATUS_IS_OK(status)) {
-               status = auth_generic_start(auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+               status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
                if (NT_STATUS_IS_OK(status)) {
-                       status = gensec_update(auth_ntlmssp_state->gensec_security, ctx,
+                       status = gensec_update(gensec_security, ctx,
                                               NULL, data_blob_null, &blob);
                        /* If we get the list of OIDs, the 'OK' answer
                         * is NT_STATUS_MORE_PROCESSING_REQUIRED */
-                       if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-                               sconn->use_gensec_hook = true;
+                       if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+                               DEBUG(0, ("Failed to start SPNEGO handler for negprot OID list!\n"));
+                               blob = data_blob_null;
                        }
                }
-               TALLOC_FREE(auth_ntlmssp_state);
+               TALLOC_FREE(gensec_security);
        }
 
        sconn->smb1.negprot.spnego = true;
@@ -234,32 +229,6 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
 
        */
 
-       if (sconn->use_gensec_hook) {
-               /* blob initialised above */
-       } else if (lp_security() != SEC_ADS && !USE_KERBEROS_KEYTAB) {
-#if 0
-               /* Code for PocketPC client */
-               blob = data_blob(guid, 16);
-#else
-               /* Code for standalone WXP client */
-               blob = spnego_gen_negTokenInit(ctx, OIDs_ntlm, NULL, "NONE");
-#endif
-       } else if (!lp_send_spnego_principal()) {
-               /* By default, Windows 2008 and later sends not_defined_in_RFC4178@please_ignore */
-               blob = spnego_gen_negTokenInit(ctx, OIDs_krb5, NULL, ADS_IGNORE_PRINCIPAL);
-       } else {
-               fstring myname;
-               char *host_princ_s = NULL;
-               name_to_fqdn(myname, lp_netbios_name());
-               strlower_m(myname);
-               if (asprintf(&host_princ_s, "cifs/%s@%s", myname, lp_realm())
-                   == -1) {
-                       return data_blob_null;
-               }
-               blob = spnego_gen_negTokenInit(ctx, OIDs_krb5, NULL, host_princ_s);
-               SAFE_FREE(host_princ_s);
-       }
-
        if (blob.length == 0 || blob.data == NULL) {
                return data_blob_null;
        }
@@ -307,6 +276,8 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
        struct timespec ts;
        ssize_t ret;
        struct smbd_server_connection *sconn = req->sconn;
+       bool signing_enabled = false;
+       bool signing_required = false;
 
        sconn->smb1.negprot.encrypted_passwords = lp_encrypted_passwords();
 
@@ -368,16 +339,20 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
                secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE;
        }
 
-       if (lp_server_signing() != SMB_SIGNING_OFF) {
+       signing_enabled = smb_signing_is_allowed(req->sconn->smb1.signing_state);
+       signing_required = smb_signing_is_mandatory(req->sconn->smb1.signing_state);
+
+       if (signing_enabled) {
                if (lp_security() >= SEC_USER) {
                        secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
                        /* No raw mode with smb signing. */
                        capabilities &= ~CAP_RAW_MODE;
-                       if (lp_server_signing() == SMB_SIGNING_REQUIRED)
+                       if (signing_required) {
                                secword |=NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
+                       }
                } else {
                        DEBUG(0,("reply_nt1: smb signing is incompatible with share level security !\n"));
-                       if (lp_server_signing() == SMB_SIGNING_REQUIRED) {
+                       if (signing_required) {
                                exit_server_cleanly("reply_nt1: smb signing required and share level security selected.");
                        }
                }
@@ -707,13 +682,13 @@ void reply_negprot(struct smb_request *req)
        }
 
        /* possibly reload - change of architecture */
-       reload_services(sconn->msg_ctx, sconn->sock, True);
+       reload_services(sconn, conn_snum_used, true);
 
        /* moved from the netbios session setup code since we don't have that 
           when the client connects to port 445.  Of course there is a small
           window where we are listening to messages   -- jerry */
 
-       serverid_register(sconn_server_id(sconn),
+       serverid_register(messaging_server_id(sconn->msg_ctx),
                          FLAG_MSG_GENERAL|FLAG_MSG_SMBD
                          |FLAG_MSG_PRINT_GENERAL);
 
@@ -733,7 +708,7 @@ void reply_negprot(struct smb_request *req)
 
        if(choice != -1) {
                fstrcpy(remote_proto,supported_protocols[protocol].short_name);
-               reload_services(sconn->msg_ctx, sconn->sock, True);
+               reload_services(sconn, conn_snum_used, true);
                supported_protocols[protocol].proto_reply_fn(req, choice);
                DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name));
        } else {