diff options
author | Stefan Metzmacher <metze@samba.org> | 2017-06-15 00:03:14 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2017-06-17 20:54:59 +0200 |
commit | 156fe6e4d6b6a295cdf96202584b93cf69d99876 (patch) | |
tree | fecaf5321a7b7385f55d11a393673066f09d19e4 /source4/libcli | |
parent | 664b2ed36b90f0d6f081ca6889c66d2c515fe021 (diff) | |
download | samba-156fe6e4d6b6a295cdf96202584b93cf69d99876.tar.gz |
s4:libcli/smb_composite: make the additional gensec_update steps async
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jun 17 20:54:59 CEST 2017 on sn-devel-144
Diffstat (limited to 'source4/libcli')
-rw-r--r-- | source4/libcli/smb_composite/sesssetup.c | 151 |
1 files changed, 128 insertions, 23 deletions
diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c index 2f1ce4c5db7..6ee4929e8d7 100644 --- a/source4/libcli/smb_composite/sesssetup.c +++ b/source4/libcli/smb_composite/sesssetup.c @@ -42,6 +42,7 @@ struct sesssetup_state { NTSTATUS gensec_status; struct smb_composite_sesssetup *io; struct smbcli_request *req; + struct smbcli_request *check_req; unsigned int logon_retries; }; @@ -71,6 +72,7 @@ static NTSTATUS session_setup_spnego(struct composite_context *c, struct smb_composite_sesssetup *io, struct smbcli_request **req); static void smb_composite_sesssetup_spnego_done1(struct tevent_req *subreq); +static void smb_composite_sesssetup_spnego_done2(struct tevent_req *subreq); /* @@ -204,6 +206,7 @@ static void request_handler(struct smbcli_request *req) return; } if (NT_STATUS_EQUAL(state->gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + struct tevent_req *subreq = NULL; /* The status value here, from the earlier pass at GENSEC is * vital to the security of the system. Even if the other end @@ -211,15 +214,22 @@ static void request_handler(struct smbcli_request *req) * you must keep feeding it blobs, or else the remote * host/attacker might avoid mutal authentication * requirements */ - - state->gensec_status = gensec_update_ev(session->gensec, state, c->event_ctx, - state->setup.spnego.out.secblob, - &state->setup.spnego.in.secblob); - c->status = state->gensec_status; - if (GENSEC_UPDATE_IS_NTERROR(c->status)) { - composite_error(c, c->status); + + subreq = gensec_update_send(state, c->event_ctx, + session->gensec, + state->setup.spnego.out.secblob); + if (composite_nomem(subreq, c)) { return; } + tevent_req_set_callback(subreq, + smb_composite_sesssetup_spnego_done2, + c); + if (NT_STATUS_IS_OK(state->remote_status)) { + state->check_req = check_req; + } else { + TALLOC_FREE(check_req); + } + return; } else { state->setup.spnego.in.secblob = data_blob(NULL, 0); } @@ -252,22 +262,6 @@ static void request_handler(struct smbcli_request *req) } } - if (state->setup.spnego.in.secblob.length) { - /* - * set the session->vuid value only for calling - * smb_raw_sesssetup_send() - */ - uint16_t vuid = session->vuid; - session->vuid = state->io->out.vuid; - state->req = smb_raw_sesssetup_send(session, &state->setup); - session->vuid = vuid; - if (state->req && - !smb1cli_conn_signing_is_active(state->req->transport->conn)) { - state->req->sign_caller_checks = true; - } - composite_continue_smb(c, state->req, request_handler, c); - return; - } os = state->setup.spnego.out.os; lanman = state->setup.spnego.out.lanman; break; @@ -720,6 +714,117 @@ static void smb_composite_sesssetup_spnego_done1(struct tevent_req *subreq) composite_continue_smb(c, state->req, request_handler, c); } +static void smb_composite_sesssetup_spnego_done2(struct tevent_req *subreq) +{ + struct composite_context *c = + tevent_req_callback_data(subreq, + struct composite_context); + struct sesssetup_state *state = + talloc_get_type_abort(c->private_data, + struct sesssetup_state); + struct smbcli_session *session = state->session; + NTSTATUS status; + const char *os = NULL; + const char *lanman = NULL; + + status = gensec_update_recv(subreq, state, + &state->setup.spnego.in.secblob); + TALLOC_FREE(subreq); + if (GENSEC_UPDATE_IS_NTERROR(status)) { + DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n", + gensec_get_name_by_oid(state->session->gensec, + state->chosen_oid), + nt_errstr(status))); + c->status = status; + composite_error(c, c->status); + return; + } + state->gensec_status = status; + + if (NT_STATUS_IS_OK(state->remote_status)) { + if (state->setup.spnego.in.secblob.length) { + c->status = NT_STATUS_INTERNAL_ERROR; + composite_error(c, c->status); + return; + } + } + + if (state->setup.spnego.in.secblob.length) { + /* + * set the session->vuid value only for calling + * smb_raw_sesssetup_send() + */ + uint16_t vuid = session->vuid; + session->vuid = state->io->out.vuid; + state->req = smb_raw_sesssetup_send(session, &state->setup); + session->vuid = vuid; + if (state->req && + !smb1cli_conn_signing_is_active(state->req->transport->conn)) { + state->req->sign_caller_checks = true; + } + composite_continue_smb(c, state->req, request_handler, c); + return; + } + + if (cli_credentials_is_anonymous(state->io->in.credentials)) { + /* + * anonymous => no signing + */ + } else if (NT_STATUS_IS_OK(state->remote_status)) { + NTSTATUS session_key_err; + DATA_BLOB session_key; + + session_key_err = gensec_session_key(session->gensec, session, &session_key); + if (NT_STATUS_IS_OK(session_key_err)) { + smb1cli_conn_activate_signing(session->transport->conn, + session_key, + data_blob_null); + } + + c->status = smb1cli_session_set_session_key(session->smbXcli, + session_key); + data_blob_free(&session_key); + if (!NT_STATUS_IS_OK(c->status)) { + composite_error(c, c->status); + return; + } + } + + os = state->setup.spnego.out.os; + lanman = state->setup.spnego.out.lanman; + + if (state->check_req) { + struct smbcli_request *check_req = state->check_req; + bool ok; + + check_req->sign_caller_checks = false; + + ok = smb1cli_conn_check_signing(check_req->transport->conn, + check_req->in.buffer, 1); + TALLOC_FREE(check_req); + if (!ok) { + c->status = NT_STATUS_ACCESS_DENIED; + composite_error(c, c->status); + return; + } + } + + if (os) { + session->os = talloc_strdup(session, os); + if (composite_nomem(session->os, c)) return; + } else { + session->os = NULL; + } + if (lanman) { + session->lanman = talloc_strdup(session, lanman); + if (composite_nomem(session->lanman, c)) return; + } else { + session->lanman = NULL; + } + + composite_done(c); +} + /* receive a composite session setup reply */ |