authorAndrew Bartlett <abartlet@samba.org>2017-02-20 14:17:34 +1300
committerAndrew Bartlett <abartlet@samba.org>2017-03-29 02:37:25 +0200
commitd82ac32eb744a0e3883b1d09832131ff9bc9bcad (patch)
treeeb9ff6764aa2f101b8acc38512989a95fbf3ccb1
parentaf9d4807399ff73a5d4baab713ef3731de0f5d62 (diff)
downloadsamba-d82ac32eb744a0e3883b1d09832131ff9bc9bcad.tar.gz
s3-auth: Pass service_description into gensec via auth_generic_prepare()
This allows the GENSEC service description to be set from the various callers that go via this function. The RPC service description is the name of the interface from the IDL. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
-rw-r--r--source3/auth/auth_generic.c9
-rw-r--r--source3/auth/proto.h1
-rw-r--r--source3/rpc_server/dcesrv_auth_generic.c7
-rw-r--r--source3/rpc_server/dcesrv_auth_generic.h1
-rw-r--r--source3/rpc_server/srv_pipe.c6
-rw-r--r--source3/smbd/negprot.c8
-rw-r--r--source3/smbd/seal.c1
-rw-r--r--source3/smbd/sesssetup.c1
-rw-r--r--source3/smbd/smb2_sesssetup.c1
9 files changed, 33 insertions, 2 deletions
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index b7b9527f976..70eb5145932 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -233,6 +233,7 @@ NTSTATUS make_auth4_context(TALLOC_CTX *mem_ctx, struct auth4_context **auth4_co
NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
const struct tsocket_address *remote_address,
+ const char *service_description,
struct gensec_security **gensec_security_out)
{
struct gensec_security *gensec_security;
@@ -377,6 +378,14 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
return nt_status;
}
+ nt_status = gensec_set_target_service_description(gensec_security,
+ service_description);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ TALLOC_FREE(tmp_ctx);
+ return nt_status;
+ }
+
*gensec_security_out = talloc_steal(mem_ctx, gensec_security);
TALLOC_FREE(tmp_ctx);
return NT_STATUS_OK;
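Review bot: The new `service_description` parameter is handed straight to `gensec_set_target_service_description()` without stating whether NULL is acceptable, and nothing in the hunk documents what the string is for. If the setter duplicates the string (its body is not visible here), a NULL from a future caller would presumably come back as an allocation failure rather than a parameter error, which is misleading when triaging a failed authentication. I would either document the contract above the function, e.g. `/* service_description: non-NULL name of the service being authenticated to, e.g. the IDL interface name for RPC */`, or reject it at the top with `if (service_description == NULL) { return NT_STATUS_INVALID_PARAMETER; }`. The body of auth_generic_prepare starts and ends outside this hunk.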
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index c5f6ade1ea4..7df30048d82 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -106,6 +106,7 @@ NTSTATUS auth_domain_init(void);
NTSTATUS make_auth4_context(TALLOC_CTX *mem_ctx, struct auth4_context **auth4_context_out);
NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx, const struct tsocket_address *remote_address,
+ const char *service_description,
struct gensec_security **gensec_security_out);
NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
diff --git a/source3/rpc_server/dcesrv_auth_generic.c b/source3/rpc_server/dcesrv_auth_generic.c
index a338108a41f..7bdfdeeed94 100644
--- a/source3/rpc_server/dcesrv_auth_generic.c
+++ b/source3/rpc_server/dcesrv_auth_generic.c
@@ -29,12 +29,15 @@ static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
+ const char *service_description,
struct gensec_security **ctx)
{
struct gensec_security *gensec_security = NULL;
NTSTATUS status;
- status = auth_generic_prepare(talloc_tos(), remote_address, &gensec_security);
+ status = auth_generic_prepare(talloc_tos(), remote_address,
+ service_description,
+ &gensec_security);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n",
nt_errstr(status)));
@@ -67,6 +70,7 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
+ const char *service_description,
struct gensec_security **ctx)
{
NTSTATUS status;
@@ -78,6 +82,7 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
token_in,
token_out,
remote_address,
+ service_description,
ctx);
unbecome_root();
return status;
diff --git a/source3/rpc_server/dcesrv_auth_generic.h b/source3/rpc_server/dcesrv_auth_generic.h
index f288c94621f..36e1a83e077 100644
--- a/source3/rpc_server/dcesrv_auth_generic.h
+++ b/source3/rpc_server/dcesrv_auth_generic.h
@@ -27,6 +27,7 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
+ const char *service_description,
struct gensec_security **ctx);
NTSTATUS auth_generic_server_step(struct gensec_security *ctx,
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 407d8d70583..4a63dd734aa 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -517,6 +517,7 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
static bool pipe_auth_generic_bind(struct pipes_struct *p,
struct ncacn_packet *pkt,
struct dcerpc_auth *auth_info,
+ const char *service_description,
DATA_BLOB *response)
{
TALLOC_CTX *mem_ctx = pkt;
@@ -529,6 +530,7 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
&auth_info->credentials,
response,
p->remote_address,
+ service_description,
&gensec_security);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
@@ -813,7 +815,9 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
}
if (!pipe_auth_generic_bind(p, pkt,
- &auth_info, &auth_resp)) {
+ &auth_info,
+ table->name,
+ &auth_resp)) {
goto err_exit;
}
} else {
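Review bot: `table->name` is dereferenced at this call, and the hunk does not show where `table` is assigned or whether it is checked against NULL on every path into this branch. That is worth confirming, because api_pipe_bind_req handles bind requests arriving from the network at the point where authentication is only being set up. Once confirmed, a short comment such as `/* table was validated above; its name comes from the IDL, not from the client */` would record why the value is safe to pass on as the service description. The enclosing function starts and ends outside the hunk.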
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 838ff45aad1..b5321011201 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -171,7 +171,15 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbXsrv_connection *xconn)
/* See if we can get an SPNEGO blob */
status = auth_generic_prepare(talloc_tos(),
xconn->remote_address,
+ "SMB",
&gensec_security);
+
+ /*
+ * There is no need to set a remote address or similar as we
+ * are just interested in the SPNEGO blob, we never keep this
+ * context.
+ */
+
if (NT_STATUS_IS_OK(status)) {
status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
if (NT_STATUS_IS_OK(status)) {
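Review bot: The added comment says there is no need to set a remote address, yet it sits directly under a call that passes `xconn->remote_address` (and now `"SMB"`) into auth_generic_prepare, so it reads as contradicting the code it annotates. It also separates the call from the `NT_STATUS_IS_OK(status)` check that consumes its result. I would move it above the call and reword it to match what the code does, e.g. `/* This gensec context is only used to produce the SPNEGO blob and is never kept. */`. negprot_spnego continues outside the hunk.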
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index d2c8951b879..f406c43b0af 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -77,6 +77,7 @@ static NTSTATUS make_auth_gensec(const struct tsocket_address *remote_address,
NTSTATUS status;
status = auth_generic_prepare(es, remote_address,
+ "SMB encryption",
&es->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return nt_status_squash(status);
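Review bot: The service description is passed as a bare string literal here (`"SMB encryption"`), and the same pattern appears in the negprot.c (`"SMB"`), sesssetup.c (`"SMB"`) and smb2_sesssetup.c (`"SMB2"`) hunks. If these strings end up in logs or are matched by anything downstream (not visible on this page), a typo in one caller would silently create a new service name. Defining them once as named constants in a shared header next to the auth_generic_prepare prototype would keep the full set of values reviewable in one place. make_auth_gensec starts and ends outside the hunk.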
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 8ec60937155..5196e4f6182 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -247,6 +247,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
if (auth->gensec == NULL) {
status = auth_generic_prepare(session, xconn->remote_address,
+ "SMB",
&auth->gensec);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 6a0caac1308..7e3102b0c2b 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -855,6 +855,7 @@ auth:
if (state->auth->gensec == NULL) {
status = auth_generic_prepare(state->auth,
state->smb2req->xconn->remote_address,
+ "SMB2",
&state->auth->gensec);
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);