The branch, master has been updated
via 86dd7b9 smbXsrv_session:idl: remove the preauth and gensec members
via 321862d s3:sesssetup: use session->pending_auth in smb1 session
setup
via d391f6d s3:smb2_sesssetup: use session->pending_auth
via 2c39036 smbXsrv_session: add smbXsrv_session_create_auth()
via e9885cf smbXsrv_session: add smbXsrv_session_find_auth()
via 5e463b5 smbXsrv_session:idl: add smbXsrv_session_auth0
from 56f2f2b lib/param: move function typedef to after forward
declaration of struct loadparm_context
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 86dd7b941c4bcb9b45d02f15386c1673c0052f69
Author: Michael Adam <[email protected]>
Date: Wed Jul 29 16:16:29 2015 +0200
smbXsrv_session:idl: remove the preauth and gensec members
They are now taken from the pending_auth member (smbXsrv_session_auth0).
Pair-Programmed-With: Stefan Metzmacher <[email protected]>
Signed-off-by: Michael Adam <[email protected]>
Signed-off-by: Stefan Metzmacher <[email protected]>
Autobuild-User(master): Michael Adam <[email protected]>
Autobuild-Date(master): Fri Jul 31 01:03:13 CEST 2015 on sn-devel-104
commit 321862d4ac89601fb9453e14a28db48b4f0dda9e
Author: Michael Adam <[email protected]>
Date: Thu Jul 30 13:23:45 2015 +0200
s3:sesssetup: use session->pending_auth in smb1 session setup
(instead of session->gensec)
Signed-off-by: Michael Adam <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
commit d391f6daeaeb915dd4ce9ef82c2415217c90f42f
Author: Stefan Metzmacher <[email protected]>
Date: Wed Jul 29 16:48:55 2015 +0200
s3:smb2_sesssetup: use session->pending_auth
Pair-Programmed-With: Michael Adam <[email protected]>
Signed-off-by: Stefan Metzmacher <[email protected]>
Signed-off-by: Michael Adam <[email protected]>
commit 2c39036806c34eaaee5dbe2000e978a10c5af6c2
Author: Stefan Metzmacher <[email protected]>
Date: Wed Jul 29 15:48:05 2015 +0200
smbXsrv_session: add smbXsrv_session_create_auth()
Pair-Programmed-With: Michael Adam <[email protected]>
Signed-off-by: Stefan Metzmacher <[email protected]>
Signed-off-by: Michael Adam <[email protected]>
commit e9885cfd0e4abd6a6a8e276e11a57e6e58e873e6
Author: Stefan Metzmacher <[email protected]>
Date: Wed Jul 29 15:47:09 2015 +0200
smbXsrv_session: add smbXsrv_session_find_auth()
Pair-Programmed-With: Michael Adam <[email protected]>
Signed-off-by: Stefan Metzmacher <[email protected]>
Signed-off-by: Michael Adam <[email protected]>
commit 5e463b553b467dab73bcd8816a0e415b96a5cf2d
Author: Michael Adam <[email protected]>
Date: Wed Jun 25 13:30:59 2014 +0200
smbXsrv_session:idl: add smbXsrv_session_auth0
This contains various auth related items for a session,
in particular preauth. This is in preparation to take
the direct member preauth from smbXsrv_session and have
all session auth code operate on session->pending_auth
instead of session->preauth and friends.
Pair-Programmed-With: Stefan Metzmacher <[email protected]>
Signed-off-by: Michael Adam <[email protected]>
Signed-off-by: Stefan Metzmacher <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
source3/librpc/idl/smbXsrv.idl | 17 +++++++--
source3/smbd/globals.h | 10 ++++++
source3/smbd/sesssetup.c | 35 ++++++++++++------
source3/smbd/smb2_sesssetup.c | 66 ++++++++++++++++++++++++----------
source3/smbd/smbXsrv_session.c | 82 +++++++++++++++++++++++++++++++++++++-----
5 files changed, 170 insertions(+), 40 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl
index 77959ce..4062610 100644
--- a/source3/librpc/idl/smbXsrv.idl
+++ b/source3/librpc/idl/smbXsrv.idl
@@ -177,6 +177,20 @@ interface smbXsrv
* smbXsrv_session for version 1
* and could implement transparent mapping.
*/
+
+ typedef struct {
+ [ignore] smbXsrv_session_auth0 *prev;
+ smbXsrv_session_auth0 *next;
+ [ignore] smbXsrv_session *session;
+ [ignore] smbXsrv_connection *connection;
+ [ignore] gensec_security *gensec;
+ [ignore] smbXsrv_preauth *preauth;
+ uint8 in_flags;
+ uint8 in_security_mode;
+ NTTIME creation_time;
+ NTTIME idle_time;
+ } smbXsrv_session_auth0;
+
typedef struct {
[ignore] smbXsrv_session_table *table;
[ignore] db_record *db_rec;
@@ -189,10 +203,9 @@ interface smbXsrv
hyper nonce_high_max;
hyper nonce_high;
hyper nonce_low;
- [ignore] gensec_security *gensec;
[ignore] user_struct *compat;
[ignore] smbXsrv_tcon_table *tcon_table;
- [ignore] smbXsrv_preauth *preauth;
+ smbXsrv_session_auth0 *pending_auth;
boolean8 encryption_desired;
} smbXsrv_session;
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 1885629..e8fb1d5 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -541,6 +541,16 @@ struct smbXsrv_channel_global0;
NTSTATUS smbXsrv_session_find_channel(const struct smbXsrv_session *session,
const struct smbXsrv_connection *conn,
struct smbXsrv_channel_global0 **_c);
+NTSTATUS smbXsrv_session_find_auth(const struct smbXsrv_session *session,
+ const struct smbXsrv_connection *conn,
+ NTTIME now,
+ struct smbXsrv_session_auth0 **_a);
+NTSTATUS smbXsrv_session_create_auth(struct smbXsrv_session *session,
+ struct smbXsrv_connection *conn,
+ NTTIME now,
+ uint8_t in_flags,
+ uint8_t in_security_mode,
+ struct smbXsrv_session_auth0 **_a);
struct tevent_req *smb2srv_session_shutdown_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct smbXsrv_session *session,
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index d68bcb6..6c31958 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -138,6 +138,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request
*req)
struct smbXsrv_session *session = NULL;
uint16_t smb_bufsize = SVAL(req->vwv+2, 0);
uint32_t client_caps = IVAL(req->vwv+10, 0);
+ struct smbXsrv_session_auth0 *auth;
DEBUG(3,("Doing spnego session setup\n"));
@@ -216,7 +217,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request
*req)
if (NT_STATUS_IS_OK(status)) {
session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- TALLOC_FREE(session->gensec);
+ TALLOC_FREE(session->pending_auth);
}
if (!NT_STATUS_EQUAL(status,
NT_STATUS_MORE_PROCESSING_REQUIRED)) {
reply_nterror(req, nt_status_squash(status));
@@ -234,19 +235,31 @@ static void reply_sesssetup_and_X_spnego(struct
smb_request *req)
}
}
- if (!session->gensec) {
+ status = smbXsrv_session_find_auth(session, xconn, now, &auth);
+ if (!NT_STATUS_IS_OK(status)) {
+ status = smbXsrv_session_create_auth(session, xconn, now,
+ 0, /* flags */
+ 0, /* security */
+ &auth);
+ if (!NT_STATUS_IS_OK(status)) {
+ reply_nterror(req, nt_status_squash(status));
+ return;
+ }
+ }
+
+ if (auth->gensec == NULL) {
status = auth_generic_prepare(session, xconn->remote_address,
- &session->gensec);
+ &auth->gensec);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
reply_nterror(req, nt_status_squash(status));
return;
}
- gensec_want_feature(session->gensec,
GENSEC_FEATURE_SESSION_KEY);
- gensec_want_feature(session->gensec, GENSEC_FEATURE_UNIX_TOKEN);
+ gensec_want_feature(auth->gensec, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(auth->gensec, GENSEC_FEATURE_UNIX_TOKEN);
- status = gensec_start_mech_by_oid(session->gensec,
+ status = gensec_start_mech_by_oid(auth->gensec,
GENSEC_OID_SPNEGO);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to start SPNEGO handler!\n"));
@@ -257,7 +270,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request
*req)
}
become_root();
- status = gensec_update(session->gensec,
+ status = gensec_update(auth->gensec,
talloc_tos(),
in_blob, &out_blob);
unbecome_root();
@@ -271,7 +284,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request
*req)
if (NT_STATUS_IS_OK(status) && session->global->auth_session_info ==
NULL) {
struct auth_session_info *session_info = NULL;
- status = gensec_session_info(session->gensec,
+ status = gensec_session_info(auth->gensec,
session,
&session_info);
if (!NT_STATUS_IS_OK(status)) {
@@ -357,7 +370,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request
*req)
session->global->auth_time = now;
if (client_caps & CAP_DYNAMIC_REAUTH) {
session->global->expiration_time =
- gensec_expire_time(session->gensec);
+ gensec_expire_time(auth->gensec);
} else {
session->global->expiration_time =
GENSEC_EXPIRE_TIME_INFINITY;
@@ -397,7 +410,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request
*req)
} else if (NT_STATUS_IS_OK(status)) {
struct auth_session_info *session_info = NULL;
- status = gensec_session_info(session->gensec,
+ status = gensec_session_info(auth->gensec,
session,
&session_info);
if (!NT_STATUS_IS_OK(status)) {
@@ -445,7 +458,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request
*req)
session->global->auth_time = now;
if (client_caps & CAP_DYNAMIC_REAUTH) {
session->global->expiration_time =
- gensec_expire_time(session->gensec);
+ gensec_expire_time(auth->gensec);
} else {
session->global->expiration_time =
GENSEC_EXPIRE_TIME_INFINITY;
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 3233846..7d1aaf5 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -177,6 +177,7 @@ static void smbd_smb2_request_sesssetup_done(struct
tevent_req *subreq)
}
static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
+ struct smbXsrv_session_auth0 **_auth,
struct smbd_smb2_request *smb2req,
uint8_t in_security_mode,
struct auth_session_info *session_info,
@@ -187,6 +188,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct
smbXsrv_session *session,
bool guest = false;
uint8_t session_key[16];
struct smbXsrv_session *x = session;
+ struct smbXsrv_session_auth0 *auth = *_auth;
struct smbXsrv_connection *xconn = smb2req->xconn;
struct _derivation {
DATA_BLOB label;
@@ -199,6 +201,8 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct
smbXsrv_session *session,
struct _derivation application;
} derivation = { };
+ *_auth = NULL;
+
if (xconn->protocol >= PROTOCOL_SMB3_10) {
struct smbXsrv_preauth *preauth;
struct _derivation *d;
@@ -206,7 +210,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct
smbXsrv_session *session,
struct hc_sha512state sctx;
size_t i;
- preauth = talloc_move(smb2req, &session->preauth);
+ preauth = talloc_move(smb2req, &auth->preauth);
samba_SHA512_Init(&sctx);
samba_SHA512_Update(&sctx, preauth->sha512_value,
@@ -440,7 +444,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct
smbXsrv_session *session,
session->global->channels[0].auth_session_info_seqnum =
session->global->auth_session_info_seqnum;
session->global->auth_time = timeval_to_nttime(&smb2req->request_time);
- session->global->expiration_time = gensec_expire_time(session->gensec);
+ session->global->expiration_time = gensec_expire_time(auth->gensec);
if (!session_claim(session)) {
DEBUG(1, ("smb2: Failed to claim session "
@@ -449,6 +453,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct
smbXsrv_session *session,
return NT_STATUS_LOGON_FAILURE;
}
+ TALLOC_FREE(auth);
status = smbXsrv_session_update(session);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n",
@@ -473,6 +478,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct
smbXsrv_session *session,
}
static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session
*session,
+ struct smbXsrv_session_auth0 **_auth,
struct smbd_smb2_request *smb2req,
struct auth_session_info *session_info,
uint16_t *out_session_flags,
@@ -480,6 +486,9 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct
smbXsrv_session *session,
{
NTSTATUS status;
struct smbXsrv_session *x = session;
+ struct smbXsrv_session_auth0 *auth = *_auth;
+
+ *_auth = NULL;
data_blob_clear_free(&session_info->session_key);
session_info->session_key = data_blob_dup_talloc(session_info,
@@ -507,8 +516,9 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct
smbXsrv_session *session,
session->global->channels[0].auth_session_info_seqnum =
session->global->auth_session_info_seqnum;
session->global->auth_time = timeval_to_nttime(&smb2req->request_time);
- session->global->expiration_time = gensec_expire_time(session->gensec);
+ session->global->expiration_time = gensec_expire_time(auth->gensec);
+ TALLOC_FREE(auth);
status = smbXsrv_session_update(session);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n",
@@ -537,6 +547,7 @@ struct smbd_smb2_session_setup_state {
uint64_t in_previous_session_id;
DATA_BLOB in_security_buffer;
struct smbXsrv_session *session;
+ struct smbXsrv_session_auth0 *auth;
struct auth_session_info *session_info;
uint16_t out_session_flags;
DATA_BLOB out_security_buffer;
@@ -608,15 +619,15 @@ static struct tevent_req
*smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED))
{
status = NT_STATUS_OK;
}
- if (NT_STATUS_IS_OK(status)) {
- state->session->status =
NT_STATUS_MORE_PROCESSING_REQUIRED;
- status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- TALLOC_FREE(state->session->gensec);
+ if (NT_STATUS_EQUAL(status,
NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ status = NT_STATUS_OK;
}
- if (!NT_STATUS_EQUAL(status,
NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- tevent_req_nterror(req, status);
+ if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
+ if (!(in_flags & SMB2_SESSION_FLAG_BINDING)) {
+ state->session->status =
NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
}
status = smbXsrv_session_find_channel(smb2req->session,
@@ -626,27 +637,44 @@ static struct tevent_req
*smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- if (state->session->gensec == NULL) {
- status = auth_generic_prepare(state->session,
+ status = smbXsrv_session_find_auth(state->session, smb2req->xconn,
+ now, &state->auth);
+ if (!NT_STATUS_IS_OK(status)) {
+ status = smbXsrv_session_create_auth(state->session,
+ smb2req->xconn, now,
+ in_flags, in_security_mode,
+ &state->auth);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+ }
+
+ if (state->auth->gensec == NULL) {
+ status = auth_generic_prepare(state->auth,
state->smb2req->xconn->remote_address,
- &state->session->gensec);
+ &state->auth->gensec);
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
- gensec_want_feature(state->session->gensec,
GENSEC_FEATURE_SESSION_KEY);
- gensec_want_feature(state->session->gensec,
GENSEC_FEATURE_UNIX_TOKEN);
+ gensec_want_feature(state->auth->gensec,
GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(state->auth->gensec,
GENSEC_FEATURE_UNIX_TOKEN);
- status = gensec_start_mech_by_oid(state->session->gensec,
+ status = gensec_start_mech_by_oid(state->auth->gensec,
GENSEC_OID_SPNEGO);
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
}
+ status = smbXsrv_session_update(state->session);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
become_root();
subreq = gensec_update_send(state, state->ev,
- state->session->gensec,
+ state->auth->gensec,
state->in_security_buffer);
unbecome_root();
if (tevent_req_nomem(subreq, req)) {
@@ -680,12 +708,12 @@ static void smbd_smb2_session_setup_gensec_done(struct
tevent_req *subreq)
if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
state->out_session_id = state->session->global->session_wire_id;
- state->smb2req->preauth = state->session->preauth;
+ state->smb2req->preauth = state->auth->preauth;
tevent_req_nterror(req, status);
return;
}
- status = gensec_session_info(state->session->gensec,
+ status = gensec_session_info(state->auth->gensec,
state->session->global,
&state->session_info);
if (tevent_req_nterror(req, status)) {
@@ -738,6 +766,7 @@ static void smbd_smb2_session_setup_auth_return(struct
tevent_req *req)
if (state->session->global->auth_session_info != NULL) {
status = smbd_smb2_reauth_generic_return(state->session,
+ &state->auth,
state->smb2req,
state->session_info,
&state->out_session_flags,
@@ -750,6 +779,7 @@ static void smbd_smb2_session_setup_auth_return(struct
tevent_req *req)
}
status = smbd_smb2_auth_generic_return(state->session,
+ &state->auth,
state->smb2req,
state->in_security_mode,
state->session_info,
diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c
index 17ba401..9b2b521 100644
--- a/source3/smbd/smbXsrv_session.c
+++ b/source3/smbd/smbXsrv_session.c
@@ -1179,15 +1179,6 @@ NTSTATUS smbXsrv_session_create(struct
smbXsrv_connection *conn,
session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
session->client = conn->client;
- if (conn->protocol >= PROTOCOL_SMB3_10) {
- session->preauth = talloc(session, struct smbXsrv_preauth);
- if (session->preauth == NULL) {
- TALLOC_FREE(session);
- return NT_STATUS_NO_MEMORY;
- }
- *session->preauth = conn->smb2.preauth;
- }
-
status = smbXsrv_session_global_allocate(table->global.db_ctx,
session,
&global);
@@ -1387,6 +1378,79 @@ NTSTATUS smbXsrv_session_find_channel(const struct
smbXsrv_session *session,
return NT_STATUS_USER_SESSION_DELETED;
}
+NTSTATUS smbXsrv_session_find_auth(const struct smbXsrv_session *session,
+ const struct smbXsrv_connection *conn,
+ NTTIME now,
+ struct smbXsrv_session_auth0 **_a)
+{
+ struct smbXsrv_session_auth0 *a;
+
+ for (a = session->pending_auth; a != NULL; a = a->next) {
+ if (a->connection == conn) {
+ if (now != 0) {
+ a->idle_time = now;
+ }
+ *_a = a;
+ return NT_STATUS_OK;
+ }
+ }
+
+ return NT_STATUS_USER_SESSION_DELETED;
+}
+
+static int smbXsrv_session_auth0_destructor(struct smbXsrv_session_auth0 *a)
+{
+ if (a->session == NULL) {
+ return 0;
+ }
+
+ DLIST_REMOVE(a->session->pending_auth, a);
+ a->session = NULL;
+ return 0;
+}
+
+NTSTATUS smbXsrv_session_create_auth(struct smbXsrv_session *session,
+ struct smbXsrv_connection *conn,
+ NTTIME now,
+ uint8_t in_flags,
+ uint8_t in_security_mode,
+ struct smbXsrv_session_auth0 **_a)
+{
+ struct smbXsrv_session_auth0 *a;
+ NTSTATUS status;
+
+ status = smbXsrv_session_find_auth(session, conn, 0, &a);
+ if (NT_STATUS_IS_OK(status)) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ a = talloc_zero(session, struct smbXsrv_session_auth0);
+ if (a == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ a->session = session;
+ a->connection = conn;
+ a->in_flags = in_flags;
+ a->in_security_mode = in_security_mode;
+ a->creation_time = now;
+ a->idle_time = now;
+
+ if (conn->protocol >= PROTOCOL_SMB3_10) {
+ a->preauth = talloc(a, struct smbXsrv_preauth);
+ if (a->preauth == NULL) {
+ TALLOC_FREE(session);
+ return NT_STATUS_NO_MEMORY;
+ }
+ *a->preauth = conn->smb2.preauth;
+ }
+
+ talloc_set_destructor(a, smbXsrv_session_auth0_destructor);
+ DLIST_ADD_END(session->pending_auth, a, NULL);
+
+ *_a = a;
+ return NT_STATUS_OK;
+}
+
struct smb2srv_session_shutdown_state {
struct tevent_queue *wait_queue;
};
--
Samba Shared Repository
