The branch, master has been updated
       via  507872f s3:smbd: inline code in reply_sesssetup_and_X_spnego()
       via  5f79ad5 s3:smbd: the spnego session setup don't need to copy the in blob
       via  ec0142d s3:smbd: rework reply_spnego_ntlmssp to reply_spnego_generic
       via  ee15790 s3:smbd: remove unused code from sesssetup.c
       via  63f6567 s3:smbd: remove pending_auth_data logic
       via  8327ee9 s3:smbd: always use the gensec code path in sesssetup.c
       via  3383ebb s3:smbd: rework smbd_smb2_*_ntlmssp_auth* to smbd_smb2_auth_generic*
       via  58e401f s3:smbd: always use the gensec code path in smb2_sesssetup.c
       via  5ad7665 libcli/smb: Convert struct smb_trans_enc_state to talloc
       via  fce53e0 s3-libsmb: Remove unused enum smb_trans_enc_type
       via  a1a667d s3-libsmb: Use gensec_spnego in smb seal client
       via  d6b0d52 s3-smbd: Use gensec_spnego in smb seal server
       via  204dfd2 s3:libsmb/auth_generic: make use of gensec_spnego in the client
       via  ab364e9 s3:auth/auth_generic: make use of gensec_spnego in the server
      from  2b1d7ac s3: Unify stream testing in open_directory

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 507872f90f0df364cc758b1df6b29f46806c9671
Author: Stefan Metzmacher <[email protected]>
Date:   Sat Jan 14 13:24:51 2012 +0100

    s3:smbd: inline code in reply_sesssetup_and_X_spnego()
    
    This makes the logic much easier to follow.
    
    metze
    
    Autobuild-User: Stefan Metzmacher <[email protected]>
    Autobuild-Date: Tue Jan 31 21:52:45 CET 2012 on sn-devel-104

commit 5f79ad5f8718fec99f209590f088bafb998f1c9c
Author: Stefan Metzmacher <[email protected]>
Date:   Sat Jan 14 12:38:36 2012 +0100

    s3:smbd: the spnego session setup don't need to copy the in blob
    
    metze

commit ec0142dd3197a9cd429ee925486d2fc87509706f
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Jan 13 13:20:27 2012 +0100

    s3:smbd: rework reply_spnego_ntlmssp to reply_spnego_generic
    
    This removes the unused spnego_gen_auth_response() wrapping.
    
    metze

commit ee15790d7a28aff22efc7b95f86f70078322241d
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Jan 13 12:46:25 2012 +0100

    s3:smbd: remove unused code from sesssetup.c
    
    metze

commit 63f6567ca98179736bf41922bddf8a8f3567fd68
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Jan 13 12:30:08 2012 +0100

    s3:smbd: remove pending_auth_data logic
    
    This is handled by the gensec_spnego module.
    
    metze

commit 8327ee94db3d2b89eaa1763ccde896b437da9094
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Jan 13 12:24:47 2012 +0100

    s3:smbd: always use the gensec code path in sesssetup.c
    
    The other code paths are unused, because we always have
    the spnego gensec module.
    
    metze

commit 3383ebbe7edaf902a511bd3be964d7ae56b62610
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 25 09:02:15 2012 +0100

    s3:smbd: rework smbd_smb2_*_ntlmssp_auth* to smbd_smb2_auth_generic*
    
    metze

commit 58e401fae28728d7f28106216b4bbffa8cb0df93
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Jan 13 12:24:47 2012 +0100

    s3:smbd: always use the gensec code path in smb2_sesssetup.c
    
    The other code paths are unused, because we always have
    the spnego gensec module.
    
    metze

commit 5ad7665b6377768d3710b00b25aeb530131924cc
Author: Andrew Bartlett <[email protected]>
Date:   Sat Jan 14 15:30:34 2012 +1100

    libcli/smb: Convert struct smb_trans_enc_state to talloc
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit fce53e0e794f38782092be3433608772f5be7f2b
Author: Andrew Bartlett <[email protected]>
Date:   Sat Jan 14 15:17:41 2012 +1100

    s3-libsmb: Remove unused enum smb_trans_enc_type
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit a1a667dd37d0218eda56bd2033a24cdff2dc8ea2
Author: Andrew Bartlett <[email protected]>
Date:   Sat Jan 14 12:28:28 2012 +1100

    s3-libsmb: Use gensec_spnego in smb seal client
    
    This is instead of the inline, manual spnego code currently
    in use.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit d6b0d521ea816cb538077fa84cbc292aab1299e8
Author: Andrew Bartlett <[email protected]>
Date:   Sat Jan 14 12:15:17 2012 +1100

    s3-smbd: Use gensec_spnego in smb seal server
    
    This is instead of the inline, manual spnego code currently
    in use.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <[email protected]>

commit 204dfd2c1d40e6f0450004b38805bd3d78a4b5a9
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Jan 12 16:12:02 2012 +0100

    s3:libsmb/auth_generic: make use of gensec_spnego in the client
    
    metze

commit ab364e987433bb5d5f7dd08e8ef74a32c0aa592a
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Jan 12 16:12:02 2012 +0100

    s3:auth/auth_generic: make use of gensec_spnego in the server
    
    metze

-----------------------------------------------------------------------

Summary of changes:
 libcli/smb/smbXcli_base.c     |    4 +-
 libcli/smb/smb_seal.c         |   19 -
 libcli/smb/smb_seal.h         |    8 -
 source3/auth/auth_generic.c   |   13 +-
 source3/libsmb/auth_generic.c |   13 +-
 source3/libsmb/clifsinfo.c    |   80 +---
 source3/param/loadparm_ctx.c  |    1 +
 source3/smbd/globals.h        |    2 -
 source3/smbd/proto.h          |    4 -
 source3/smbd/seal.c           |  370 ++-------------
 source3/smbd/sesssetup.c      | 1067 ++++-------------------------------------
 source3/smbd/smb2_sesssetup.c |  503 ++------------------
 12 files changed, 179 insertions(+), 1905 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 06fcb34..df01457 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -214,7 +214,7 @@ static int smbXcli_conn_destructor(struct smbXcli_conn 
*conn)
        }
 
        if (conn->smb1.trans_enc) {
-               common_free_encryption_state(&conn->smb1.trans_enc);
+               TALLOC_FREE(conn->smb1.trans_enc);
        }
 
        return 0;
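
Review bot: the `if (conn->smb1.trans_enc)` guard in smbXcli_conn_destructor() is redundant now that its body is TALLOC_FREE(), which is already safe on a NULL pointer and resets the pointer afterwards. Dropping the guard leaves the single line `TALLOC_FREE(conn->smb1.trans_enc);` and makes it obvious that no other cleanup is expected here.
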
@@ -596,7 +596,7 @@ void smb1cli_conn_set_encryption(struct smbXcli_conn *conn,
 {
        /* Replace the old state, if any. */
        if (conn->smb1.trans_enc) {
-               common_free_encryption_state(&conn->smb1.trans_enc);
+               TALLOC_FREE(conn->smb1.trans_enc);
        }
        conn->smb1.trans_enc = es;
 }
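
Review bot: smb1cli_conn_set_encryption() now releases the previous state with TALLOC_FREE(), so the `es` it stores must be a talloc pointer, and the only comment in the function, "Replace the old state, if any.", does not say so. Please document that the connection takes ownership of a talloc-allocated `es` with gensec_security as its child; a caller that still passed an SMB_MALLOC_P() state would later have it handed to talloc.
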
diff --git a/libcli/smb/smb_seal.c b/libcli/smb/smb_seal.c
index a56dc60..d5bb238 100644
--- a/libcli/smb/smb_seal.c
+++ b/libcli/smb/smb_seal.c
@@ -200,25 +200,6 @@ NTSTATUS common_decrypt_buffer(struct smb_trans_enc_state 
*es, char *buf)
 }
 
 /******************************************************************************
- Shutdown an encryption state.
-******************************************************************************/
-
-void common_free_encryption_state(struct smb_trans_enc_state **pp_es)
-{
-       struct smb_trans_enc_state *es = *pp_es;
-
-       if (es == NULL) {
-               return;
-       }
-
-       if (es->gensec_security) {
-               TALLOC_FREE(es->gensec_security);
-       }
-       SAFE_FREE(es);
-       *pp_es = NULL;
-}
-
-/******************************************************************************
  Free an encryption-allocated buffer.
 ******************************************************************************/
 
diff --git a/libcli/smb/smb_seal.h b/libcli/smb/smb_seal.h
index 081208e..f47f904 100644
--- a/libcli/smb/smb_seal.h
+++ b/libcli/smb/smb_seal.h
@@ -20,14 +20,7 @@
 #ifndef _HEADER_SMB_CRYPT_H
 #define _HEADER_SMB_CRYPT_H
 
-/* Transport encryption state. */
-enum smb_trans_enc_type {
-               SMB_TRANS_ENC_NTLM,
-               SMB_TRANS_ENC_GSS
-};
-
 struct smb_trans_enc_state {
-        enum smb_trans_enc_type smb_enc_type;
         uint16_t enc_ctx_num;
         bool enc_on;
        struct gensec_security *gensec_security;
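
Review bot: removing the enum also removes the "Transport encryption state." comment, which leaves struct smb_trans_enc_state undocumented just as its lifetime rules change. With common_free_encryption_state() gone, nothing frees gensec_security explicitly any more, so a short comment on the struct stating that it is talloc-allocated and that gensec_security must be its talloc child would keep future callers from leaking the security context.
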
@@ -39,7 +32,6 @@ NTSTATUS get_enc_ctx_num(const uint8_t *buf, uint16_t 
*p_enc_ctx_num);
 bool common_encryption_on(struct smb_trans_enc_state *es);
 NTSTATUS common_encrypt_buffer(struct smb_trans_enc_state *es, char *buffer, 
char **buf_out);
 NTSTATUS common_decrypt_buffer(struct smb_trans_enc_state *es, char *buf);
-void common_free_encryption_state(struct smb_trans_enc_state **pp_es);
 void common_free_enc_buffer(struct smb_trans_enc_state *es, char *buf);
 
 #endif /* _HEADER_SMB_CRYPT_H */
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 38968a7..ca5a2af 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -181,7 +181,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
        } else {
                struct gensec_settings *gensec_settings;
                struct loadparm_context *lp_ctx;
-
+               size_t idx = 0;
                struct cli_credentials *server_credentials;
                struct auth4_context *auth4_context = talloc_zero(tmp_ctx, 
struct auth4_context);
                if (auth4_context == NULL) {
@@ -205,18 +205,23 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
                        return NT_STATUS_NO_MEMORY;
                }
 
-               gensec_settings->backends = talloc_zero_array(gensec_settings, 
struct gensec_security_ops *, 3);
+               gensec_settings->backends = talloc_zero_array(gensec_settings,
+                                               struct gensec_security_ops *, 
4);
                if (gensec_settings->backends == NULL) {
                        TALLOC_FREE(tmp_ctx);
                        return NT_STATUS_NO_MEMORY;
                }
 
-               gensec_settings->backends[0] = &gensec_ntlmssp3_server_ops;
+               gensec_settings->backends[idx++] = &gensec_ntlmssp3_server_ops;
 
 #if defined(HAVE_KRB5) && defined(HAVE_GSS_WRAP_IOV)
-               gensec_settings->backends[1] = &gensec_gse_krb5_security_ops;
+               gensec_settings->backends[idx++] = 
&gensec_gse_krb5_security_ops;
 #endif
 
+               gensec_init();
+               gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
+                                                       GENSEC_OID_SPNEGO);
+
                /*
                 * This is anonymous for now, because we just use it
                 * to set the kerberos state at the moment
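
Review bot: the result of gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO) is stored in backends[idx++] without a NULL check, and any status from gensec_init() is ignored. If the SPNEGO ops are not found, the slot stays NULL and the failure only surfaces later when the mechanism is started; checking here and returning an error after TALLOC_FREE(tmp_ctx) would report it at the source. The literal 4 in talloc_zero_array() also deserves a comment that it leaves room for three backends and a zeroed last slot.
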
diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
index 39d14f6..d38c11c 100644
--- a/source3/libsmb/auth_generic.c
+++ b/source3/libsmb/auth_generic.c
@@ -52,7 +52,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, 
struct auth_generic_st
 {
        struct auth_generic_state *ans;
        NTSTATUS nt_status;
-
+       size_t idx = 0;
        struct gensec_settings *gensec_settings;
        struct loadparm_context *lp_ctx;
 
@@ -76,18 +76,23 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, 
struct auth_generic_st
                return NT_STATUS_NO_MEMORY;
        }
 
-       gensec_settings->backends = talloc_zero_array(gensec_settings, struct 
gensec_security_ops *, 3);
+       gensec_settings->backends = talloc_zero_array(gensec_settings,
+                                       struct gensec_security_ops *, 4);
        if (gensec_settings->backends == NULL) {
                TALLOC_FREE(ans);
                return NT_STATUS_NO_MEMORY;
        }
 
-       gensec_settings->backends[0] = &gensec_ntlmssp3_client_ops;
+       gensec_settings->backends[idx++] = &gensec_ntlmssp3_client_ops;
 
 #if defined(HAVE_KRB5) && defined(HAVE_GSS_WRAP_IOV)
-       gensec_settings->backends[1] = &gensec_gse_krb5_security_ops;
+       gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
 #endif
 
+       gensec_init();
+       gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
+                                               GENSEC_OID_SPNEGO);
+
        nt_status = gensec_client_start(ans, &ans->gensec_security, 
gensec_settings);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
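
Review bot: this backend setup is a copy of the block added to source3/auth/auth_generic.c, differing only in &gensec_ntlmssp3_client_ops, and it carries over the unchecked gensec_security_by_oid() result. A small shared helper that takes the NTLMSSP ops pointer and returns the filled backends array, or NULL on failure, would keep the client and server lists from drifting apart; the error path here would need TALLOC_FREE(ans).
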
diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
index fe0238a..ad5128e 100644
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -573,23 +573,6 @@ static NTSTATUS enc_blob_send_receive(struct cli_state 
*cli, DATA_BLOB *in, DATA
 }
 
 /******************************************************************************
- Make a client state struct.
-******************************************************************************/
-
-static struct smb_trans_enc_state *make_cli_enc_state(enum smb_trans_enc_type 
smb_enc_type)
-{
-       struct smb_trans_enc_state *es = NULL;
-       es = SMB_MALLOC_P(struct smb_trans_enc_state);
-       if (!es) {
-               return NULL;
-       }
-       ZERO_STRUCTP(es);
-       es->smb_enc_type = smb_enc_type;
-
-       return es;
-}
-
-/******************************************************************************
  Start a raw ntlmssp encryption.
 ******************************************************************************/
 
@@ -603,12 +586,11 @@ NTSTATUS cli_raw_ntlm_smb_encryption_start(struct 
cli_state *cli,
        DATA_BLOB param_out = data_blob_null;
        NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
        struct auth_generic_state *auth_generic_state;
-       struct smb_trans_enc_state *es = make_cli_enc_state(SMB_TRANS_ENC_NTLM);
-
+       struct smb_trans_enc_state *es = talloc_zero(NULL, struct 
smb_trans_enc_state);
        if (!es) {
                return NT_STATUS_NO_MEMORY;
        }
-       status = auth_generic_client_prepare(NULL,
+       status = auth_generic_client_prepare(es,
                                             &auth_generic_state);
        if (!NT_STATUS_IS_OK(status)) {
                goto fail;
@@ -669,46 +651,7 @@ NTSTATUS cli_raw_ntlm_smb_encryption_start(struct 
cli_state *cli,
        }
 
   fail:
-       TALLOC_FREE(auth_generic_state);
-       common_free_encryption_state(&es);
-       return status;
-}
-
-/******************************************************************************
- Get client gss blob to send to a server.
-******************************************************************************/
-
-static NTSTATUS make_cli_gss_blob(TALLOC_CTX *ctx,
-                               struct gensec_security *gensec_security,
-                               NTSTATUS status_in,
-                               DATA_BLOB spnego_blob_in,
-                               DATA_BLOB *p_blob_out)
-{
-       const char *krb_mechs[] = {OID_KERBEROS5, NULL};
-       DATA_BLOB blob_out = data_blob_null;
-       DATA_BLOB blob_in = data_blob_null;
-       NTSTATUS status = NT_STATUS_OK;
-
-       if (spnego_blob_in.length == 0) {
-               blob_in = spnego_blob_in;
-       } else {
-               /* Remove the SPNEGO wrapper */
-               if (!spnego_parse_auth_response(ctx, spnego_blob_in, status_in, 
OID_KERBEROS5, &blob_in)) {
-                       status = NT_STATUS_UNSUCCESSFUL;
-                       goto fail;
-               }
-       }
-
-       status = gensec_update(gensec_security, ctx,
-                              NULL, blob_in, &blob_out);
-
-       /* Wrap in an SPNEGO wrapper */
-       *p_blob_out = spnego_gen_negTokenInit(ctx, krb_mechs, &blob_out, NULL);
-
-  fail:
-
-       data_blob_free(&blob_out);
-       data_blob_free(&blob_in);
+       TALLOC_FREE(es);
        return status;
 }
 
@@ -723,13 +666,13 @@ NTSTATUS cli_gss_smb_encryption_start(struct cli_state 
*cli)
        DATA_BLOB param_out = data_blob_null;
        NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
        struct auth_generic_state *auth_generic_state;
-       struct smb_trans_enc_state *es = make_cli_enc_state(SMB_TRANS_ENC_GSS);
+       struct smb_trans_enc_state *es = talloc_zero(NULL, struct 
smb_trans_enc_state);
 
        if (!es) {
                return NT_STATUS_NO_MEMORY;
        }
 
-       status = auth_generic_client_prepare(NULL,
+       status = auth_generic_client_prepare(es,
                                             &auth_generic_state);
        if (!NT_STATUS_IS_OK(status)) {
                goto fail;
@@ -752,11 +695,13 @@ NTSTATUS cli_gss_smb_encryption_start(struct cli_state 
*cli)
                goto fail;
        }
 
-       if (!NT_STATUS_IS_OK(status = 
auth_generic_client_start(auth_generic_state, GENSEC_OID_KERBEROS5))) {
+       if (!NT_STATUS_IS_OK(status = 
auth_generic_client_start(auth_generic_state, GENSEC_OID_SPNEGO))) {
                goto fail;
        }
 
-       status = make_cli_gss_blob(talloc_tos(), 
auth_generic_state->gensec_security, NT_STATUS_OK, blob_recv, &blob_send);
+       status = gensec_update(auth_generic_state->gensec_security, 
talloc_tos(),
+                              NULL, blob_recv, &blob_send);
+
        do {
                data_blob_free(&blob_recv);
                status = enc_blob_send_receive(cli, &blob_send, &blob_recv, 
&param_out);
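
Review bot: starting GENSEC_OID_SPNEGO in cli_gss_smb_encryption_start() lets the negotiation pick any configured backend, whereas the removed make_cli_gss_blob() offered only OID_KERBEROS5; with gensec_ntlmssp3_client_ops in the client backend list, a call that used to mean Kerberos can now settle on NTLMSSP. Please state in the commit message or a comment whether that fallback is intended, or check the negotiated mechanism before encryption is enabled. Separately, the status of the first gensec_update() is overwritten by enc_blob_send_receive() at the top of the loop without being tested, so an error there still sends blob_send.
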
@@ -764,7 +709,8 @@ NTSTATUS cli_gss_smb_encryption_start(struct cli_state *cli)
                        es->enc_ctx_num = SVAL(param_out.data, 0);
                }
                data_blob_free(&blob_send);
-               status = make_cli_gss_blob(talloc_tos(), 
auth_generic_state->gensec_security, status, blob_recv, &blob_send);
+               status = gensec_update(auth_generic_state->gensec_security, 
talloc_tos(),
+                                      NULL, blob_recv, &blob_send);
        } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
        data_blob_free(&blob_recv);
 
@@ -783,13 +729,13 @@ NTSTATUS cli_gss_smb_encryption_start(struct cli_state 
*cli)
                /* We only need the gensec_security part from here.
                 * es is a malloc()ed pointer, so we cannot make
                 * gensec_security a talloc child */
-               es->gensec_security = talloc_move(NULL,
+               es->gensec_security = talloc_move(es,
                                                  
&auth_generic_state->gensec_security);
                smb1cli_conn_set_encryption(cli->conn, es);
                es = NULL;
        }
 fail:
-       common_free_encryption_state(&es);
+       TALLOC_FREE(es);
        return status;
 }
 
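
Review bot: the context comment "es is a malloc()ed pointer, so we cannot make gensec_security a talloc child" is now wrong on both counts, since es comes from talloc_zero() and talloc_move(es, ...) makes gensec_security exactly that child. Please update or delete the comment as part of this hunk. Because auth_generic_state is also created with es as its memory context, it now stays allocated after success for as long as the connection keeps es; an explicit TALLOC_FREE(auth_generic_state) after the move would release it.
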
diff --git a/source3/param/loadparm_ctx.c b/source3/param/loadparm_ctx.c
index f95965f..e1bbda3 100644
--- a/source3/param/loadparm_ctx.c
+++ b/source3/param/loadparm_ctx.c
@@ -98,6 +98,7 @@ static const struct loadparm_s3_context s3_fns =
        .client_plaintext_auth = lp_client_plaintext_auth,
        .client_lanman_auth = lp_client_lanman_auth,
        .client_ntlmv2_auth = lp_client_ntlmv2_auth,
+       .client_use_spnego_principal = lp_client_use_spnego_principal,
 
        .private_dir = lp_private_dir,
        .ncalrpc_dir = lp_ncalrpc_dir,
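
Review bot: none of the commit messages in this push mention wiring .client_use_spnego_principal to lp_client_use_spnego_principal, yet it changes which configuration the SPNEGO client code can read. Please give it its own commit or a line in the message naming the consumer that needs it, so the behaviour change can be found later from the history.
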
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 44a76c4..24c17ca 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -558,8 +558,6 @@ struct smbd_server_connection {
                        struct bitmap *bmap;
                } tcons;
                struct smb_signing_state *signing_state;
-               /* List to store partial SPNEGO auth fragments. */
-               struct pending_auth_data *pd_list;
 
                struct notify_mid_map *notify_mid_maps;
 
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 93d2315..8124ee9 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -993,10 +993,6 @@ int list_sessions(TALLOC_CTX *mem_ctx, struct sessionid 
**session_list);
 
 /* The following definitions come from smbd/sesssetup.c  */
 
-NTSTATUS parse_spnego_mechanisms(TALLOC_CTX *ctx,
-               DATA_BLOB blob_in,
-               DATA_BLOB *pblob_out,
-               char **kerb_mechOID);
 void reply_sesssetup_and_X(struct smb_request *req);
 
 /* The following definitions come from smbd/share_access.c  */
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index fdeb3ae..cdcfe06 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -75,16 +75,17 @@ bool is_encrypted_packet(struct smbd_server_connection 
*sconn,
 ******************************************************************************/
 
 static NTSTATUS make_auth_gensec(const struct tsocket_address *remote_address,
-                                struct smb_trans_enc_state *es, const char 
*oid)
+                                struct smb_trans_enc_state *es)
 {
-       struct gensec_security *gensec_security;
-       NTSTATUS status = auth_generic_prepare(NULL, remote_address,
-                                              &gensec_security);
+       NTSTATUS status;
+
+       status = auth_generic_prepare(es, remote_address,
+                                     &es->gensec_security);
        if (!NT_STATUS_IS_OK(status)) {
                return nt_status_squash(status);
        }
 
-       gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
+       gensec_want_feature(es->gensec_security, GENSEC_FEATURE_SEAL);
 
        /*
         * We could be accessing the secrets.tdb or krb5.keytab file here.
@@ -92,74 +93,38 @@ static NTSTATUS make_auth_gensec(const struct 
tsocket_address *remote_address,
         */
        become_root();
 
-       status = gensec_start_mech_by_oid(gensec_security, oid);
+       status = gensec_start_mech_by_oid(es->gensec_security, 
GENSEC_OID_SPNEGO);
 
        unbecome_root();
 
        if (!NT_STATUS_IS_OK(status)) {
-               TALLOC_FREE(gensec_security);
                return nt_status_squash(status);
        }
 
-       es->gensec_security = gensec_security;
-
        return status;
 }
 
 /******************************************************************************
- Shutdown a server encryption context.
-******************************************************************************/
-
-static void srv_free_encryption_context(struct smb_trans_enc_state **pp_es)
-{
-       struct smb_trans_enc_state *es = *pp_es;
-
-       if (!es) {
-               return;
-       }
-
-       common_free_encryption_state(&es);
-
-       SAFE_FREE(es);
-       *pp_es = NULL;
-}
-
-/******************************************************************************
  Create a server encryption context.
 ******************************************************************************/
 
 static NTSTATUS make_srv_encryption_context(const struct tsocket_address 
*remote_address,
-                                           enum smb_trans_enc_type 
smb_enc_type,
                                            struct smb_trans_enc_state **pp_es)
 {
        NTSTATUS status;
-       const char *oid;
        struct smb_trans_enc_state *es;
 
        *pp_es = NULL;
 
        ZERO_STRUCTP(partial_srv_trans_enc_ctx);
-       es = SMB_MALLOC_P(struct smb_trans_enc_state);
+       es = talloc_zero(NULL, struct smb_trans_enc_state);
        if (!es) {
                return NT_STATUS_NO_MEMORY;
        }
-       ZERO_STRUCTP(es);
-       es->smb_enc_type = smb_enc_type;
-       switch (smb_enc_type) {
-               case SMB_TRANS_ENC_NTLM:
-                       oid = GENSEC_OID_NTLMSSP;
-                       break;
-               case SMB_TRANS_ENC_GSS:
-                       oid = GENSEC_OID_KERBEROS5;
-                       break;
-               default:
-                       srv_free_encryption_context(&es);
-                       return NT_STATUS_INVALID_PARAMETER;
-       }
        status = make_auth_gensec(remote_address,
-                                 es, oid);
+                                 es);
        if (!NT_STATUS_IS_OK(status)) {
-               srv_free_encryption_context(&es);
+               TALLOC_FREE(es);
                return status;
        }
        *pp_es = es;
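
Review bot: in make_auth_gensec(), when gensec_start_mech_by_oid() fails the function now returns with es->gensec_security still pointing at the context that failed to start, where the old code freed it and never assigned it. The visible caller frees es straight away, so nothing leaks, but adding TALLOC_FREE(es->gensec_security) before `return nt_status_squash(status);` keeps a failed state from looking usable to any other caller.
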
@@ -225,231 +190,10 @@ NTSTATUS srv_encrypt_buffer(struct 
smbd_server_connection *sconn, char *buf,
 }
 
 /******************************************************************************
- Do the gss encryption negotiation. Parameters are in/out.
- Until success we do everything on the partial enc ctx.
-******************************************************************************/
-
-static NTSTATUS srv_enc_spnego_gss_negotiate(const struct tsocket_address 
*remote_address,
-                                            unsigned char **ppdata,
-                                            size_t *p_data_size,
-                                            DATA_BLOB secblob)
-{
-       NTSTATUS status;
-       DATA_BLOB unwrapped_response = data_blob_null;
-       DATA_BLOB response = data_blob_null;
-
-       status = make_srv_encryption_context(remote_address,
-                                            SMB_TRANS_ENC_GSS,
-                                            &partial_srv_trans_enc_ctx);
-       if (!NT_STATUS_IS_OK(status)) {
-               return status;
-       }
-
-       become_root();
-
-       status = gensec_update(partial_srv_trans_enc_ctx->gensec_security,
-                              talloc_tos(), NULL,
-                              secblob, &unwrapped_response);
-
-       unbecome_root();
-
-       /* status here should be NT_STATUS_MORE_PROCESSING_REQUIRED
-        * for success ... */
-
-       response = spnego_gen_auth_response(talloc_tos(), &unwrapped_response, 
status, OID_KERBEROS5);
-       data_blob_free(&unwrapped_response);
-
-       SAFE_FREE(*ppdata);
-       *ppdata = (unsigned char *)memdup(response.data, response.length);
-       if ((*ppdata) == NULL && response.length > 0) {
-               status = NT_STATUS_NO_MEMORY;
-       }
-       *p_data_size = response.length;
-       data_blob_free(&response);
-


-- 
Samba Shared Repository
