authorAndrew Bartlett <abartlet@samba.org>2017-02-23 14:31:52 +1300
committerAndrew Bartlett <abartlet@samba.org>2017-03-29 02:37:26 +0200
commit85536c1ff3513840728ba281de2b6f003e49f227 (patch)
tree8225ba99a304c6e2c09a05adf14b65dd0b4b537c /source3
parentdc43000c0e15638cb4bc56ef8bbf6a50e681bb5a (diff)
auth: Always supply both the remote and local address to the auth subsystem
This ensures that gensec, and then the NTLM auth subsystem under it, always gets the remote and local address pointers for potential logging.

The local address allows us to know which interface an authentication is on.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'source3')
-rw-r--r--source3/auth/auth_generic.c8
-rw-r--r--source3/auth/proto.h4
-rw-r--r--source3/rpc_server/dcesrv_auth_generic.c7
-rw-r--r--source3/rpc_server/dcesrv_auth_generic.h1
-rw-r--r--source3/rpc_server/srv_pipe.c1
-rw-r--r--source3/smbd/negprot.c7
-rw-r--r--source3/smbd/seal.c5
-rw-r--r--source3/smbd/sesssetup.c4
-rw-r--r--source3/smbd/smb2_sesssetup.c1
9 files changed, 32 insertions, 6 deletions
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 70eb5145932..7c57e18e1aa 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -233,6 +233,7 @@ NTSTATUS make_auth4_context(TALLOC_CTX *mem_ctx, struct auth4_context **auth4_co
NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
struct gensec_security **gensec_security_out)
{
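Review bot: The new `local_address` parameter has the same type as `remote_address` and sits directly after it, so a call site that swaps the two compiles cleanly and would put the wrong endpoints into authentication logging. A short comment above the definition would pin the contract, for example `/* remote_address: the client's endpoint; local_address: the server-side endpoint the connection arrived on; both are handed to gensec for logging. */`. The call sites visible in this commit all pass remote first and local second. The function body continues outside this hunk.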
@@ -378,6 +379,13 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
return nt_status;
}
+ nt_status = gensec_set_local_address(gensec_security,
+ local_address);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ TALLOC_FREE(tmp_ctx);
+ return nt_status;
+ }
+
nt_status = gensec_set_target_service_description(gensec_security,
service_description);
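Review bot: `local_address` is handed to `gensec_set_local_address()` with no statement of whether NULL is acceptable, and callers such as `pipe_auth_generic_bind()` in srv_pipe.c pass `p->local_address` straight through. `gensec_set_local_address()` is not shown here; if it treats NULL as "not set", that deserves a comment at this call, e.g. `/* local_address may be NULL; the local endpoint is then absent from auth logging */`, and if it does not, a guard is needed before the call. The commit's aim of always supplying both addresses depends on every caller having a populated local address, which cannot be confirmed from this hunk.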
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index b64ebed4e07..400875f0591 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -105,7 +105,9 @@ NTSTATUS auth_domain_init(void);
/* The following definitions come from auth/auth_generic.c */
NTSTATUS make_auth4_context(TALLOC_CTX *mem_ctx, struct auth4_context **auth4_context_out);
-NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx, const struct tsocket_address *remote_address,
+NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
+ const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
struct gensec_security **gensec_security_out);
diff --git a/source3/rpc_server/dcesrv_auth_generic.c b/source3/rpc_server/dcesrv_auth_generic.c
index 7bdfdeeed94..1092cd3317f 100644
--- a/source3/rpc_server/dcesrv_auth_generic.c
+++ b/source3/rpc_server/dcesrv_auth_generic.c
@@ -29,13 +29,16 @@ static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
struct gensec_security **ctx)
{
struct gensec_security *gensec_security = NULL;
NTSTATUS status;
- status = auth_generic_prepare(talloc_tos(), remote_address,
+ status = auth_generic_prepare(talloc_tos(),
+ remote_address,
+ local_address,
service_description,
&gensec_security);
if (!NT_STATUS_IS_OK(status)) {
@@ -70,6 +73,7 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
struct gensec_security **ctx)
{
@@ -82,6 +86,7 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
token_in,
token_out,
remote_address,
+ local_address,
service_description,
ctx);
unbecome_root();
diff --git a/source3/rpc_server/dcesrv_auth_generic.h b/source3/rpc_server/dcesrv_auth_generic.h
index 36e1a83e077..4e86eabc953 100644
--- a/source3/rpc_server/dcesrv_auth_generic.h
+++ b/source3/rpc_server/dcesrv_auth_generic.h
@@ -27,6 +27,7 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
struct gensec_security **ctx);
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 4a63dd734aa..446679f39d4 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -530,6 +530,7 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
&auth_info->credentials,
response,
p->remote_address,
+ p->local_address,
service_description,
&gensec_security);
if (!NT_STATUS_IS_OK(status) &&
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index b5321011201..d3f4776076f 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -171,13 +171,14 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbXsrv_connection *xconn)
/* See if we can get an SPNEGO blob */
status = auth_generic_prepare(talloc_tos(),
xconn->remote_address,
+ xconn->local_address,
"SMB",
&gensec_security);
/*
- * There is no need to set a remote address or similar as we
- * are just interested in the SPNEGO blob, we never keep this
- * context.
+ * Despite including it above, there is no need to set a
+ * remote address or similar as we are just interested in the
+ * SPNEGO blob, we never keep this context.
*/
if (NT_STATUS_IS_OK(status)) {
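Review bot: The reworded comment after the `auth_generic_prepare()` call now reads as contradicting the code it follows: it says there is no need to set a remote address immediately after both addresses have been passed in. Stating the reason directly would be clearer, for example `/* The addresses are passed only because auth_generic_prepare() requires them; this context just produces the SPNEGO blob and is never kept. */`. Moving the comment above the call would also help, since it explains the arguments rather than the status check below it. The body of `negprot_spnego()` continues outside this hunk.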
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index f406c43b0af..8a0dbeb2bf4 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -72,11 +72,13 @@ bool is_encrypted_packet(const uint8_t *inbuf)
******************************************************************************/
static NTSTATUS make_auth_gensec(const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
struct smb_trans_enc_state *es)
{
NTSTATUS status;
status = auth_generic_prepare(es, remote_address,
+ local_address,
"SMB encryption",
&es->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
@@ -107,6 +109,7 @@ static NTSTATUS make_auth_gensec(const struct tsocket_address *remote_address,
******************************************************************************/
static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
struct smb_trans_enc_state **pp_es)
{
NTSTATUS status;
@@ -120,6 +123,7 @@ static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote
return NT_STATUS_NO_MEMORY;
}
status = make_auth_gensec(remote_address,
+ local_address,
es);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(es);
@@ -208,6 +212,7 @@ NTSTATUS srv_request_encryption_setup(connection_struct *conn,
if (!partial_srv_trans_enc_ctx) {
/* This is the initial step. */
status = make_srv_encryption_context(conn->sconn->remote_address,
+ conn->sconn->local_address,
&partial_srv_trans_enc_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 68c0efd5082..3a283b9d575 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -249,7 +249,9 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
}
if (auth->gensec == NULL) {
- status = auth_generic_prepare(session, xconn->remote_address,
+ status = auth_generic_prepare(session,
+ xconn->remote_address,
+ xconn->local_address,
"SMB",
&auth->gensec);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 7e3102b0c2b..52462882771 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -855,6 +855,7 @@ auth:
if (state->auth->gensec == NULL) {
status = auth_generic_prepare(state->auth,
state->smb2req->xconn->remote_address,
+ state->smb2req->xconn->local_address,
"SMB2",
&state->auth->gensec);
if (tevent_req_nterror(req, status)) {