From cd8105484c55341972ae7ef980446f99313d3cd2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 21 May 2014 10:27:50 +0200 Subject: [PATCH] s3:smbd: move sconn->smb1.negprot.* to xconn->smb1.negprot.* This prepares the structures for multi-channel support. Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke Reviewed-by: Michael Adam --- source3/smbd/globals.h | 25 +++++++++++----------- source3/smbd/negprot.c | 52 ++++++++++++++++++++++++++-------------------- source3/smbd/process.c | 2 +- source3/smbd/reply.c | 6 ++++-- source3/smbd/server_exit.c | 2 +- source3/smbd/sesssetup.c | 11 +++++----- 6 files changed, 53 insertions(+), 45 deletions(-) diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index 4d18308fe9e..625bff690b9 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -355,6 +355,19 @@ struct smbXsrv_connection { struct { struct { + bool encrypted_passwords; + bool spnego; + struct auth4_context *auth_context; + bool done; + /* + * Size of the data we can receive. Set by us. + * Can be modified by the max xmit parameter. + */ + int max_recv; + } negprot; + } smb1; + struct { + struct { uint32_t capabilities; struct GUID guid; uint16_t security_mode; @@ -735,18 +748,6 @@ struct smbd_server_connection { } echo_handler; struct { - bool encrypted_passwords; - bool spnego; - struct auth4_context *auth_context; - bool done; - /* - * Size of the data we can receive. Set by us. - * Can be modified by the max xmit parameter. - */ - int max_recv; - } negprot; - - struct { uint16_t client_major; uint16_t client_minor; uint32_t client_cap_low; diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 225fe39156e..4a109cd1946 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -33,27 +33,28 @@ extern fstring remote_proto; static void get_challenge(struct smbd_server_connection *sconn, uint8 buff[8]) { + struct smbXsrv_connection *xconn = sconn->conn; NTSTATUS nt_status; /* We might be called more than once, multiple negprots are * permitted */ - if (sconn->smb1.negprot.auth_context) { + if (xconn->smb1.negprot.auth_context) { DEBUG(3, ("get challenge: is this a secondary negprot? " "sconn->negprot.auth_context is non-NULL!\n")); - TALLOC_FREE(sconn->smb1.negprot.auth_context); + TALLOC_FREE(xconn->smb1.negprot.auth_context); } DEBUG(10, ("get challenge: creating negprot_global_auth_context\n")); nt_status = make_auth4_context( - sconn, &sconn->smb1.negprot.auth_context); + xconn, &xconn->smb1.negprot.auth_context); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("make_auth_context_subsystem returned %s", nt_errstr(nt_status))); smb_panic("cannot make_negprot_global_auth_context!"); } DEBUG(10, ("get challenge: getting challenge\n")); - sconn->smb1.negprot.auth_context->get_ntlm_challenge( - sconn->smb1.negprot.auth_context, buff); + xconn->smb1.negprot.auth_context->get_ntlm_challenge( + xconn->smb1.negprot.auth_context, buff); } /**************************************************************************** @@ -65,6 +66,7 @@ static void reply_lanman1(struct smb_request *req, uint16 choice) int secword=0; time_t t = time(NULL); struct smbd_server_connection *sconn = req->sconn; + struct smbXsrv_connection *xconn = sconn->conn; uint16_t raw; if (lp_async_smb_echo_handler()) { raw = 0; @@ -72,19 +74,19 @@ static void reply_lanman1(struct smb_request *req, uint16 choice) raw = (lp_read_raw()?1:0) | (lp_write_raw()?2:0); } - sconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords(); + xconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords(); secword |= NEGOTIATE_SECURITY_USER_LEVEL; - if (sconn->smb1.negprot.encrypted_passwords) { + if (xconn->smb1.negprot.encrypted_passwords) { secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE; } - reply_outbuf(req, 13, sconn->smb1.negprot.encrypted_passwords?8:0); + reply_outbuf(req, 13, xconn->smb1.negprot.encrypted_passwords?8:0); SSVAL(req->outbuf,smb_vwv0,choice); SSVAL(req->outbuf,smb_vwv1,secword); /* Create a token value and add it to the outgoing packet. */ - if (sconn->smb1.negprot.encrypted_passwords) { + if (xconn->smb1.negprot.encrypted_passwords) { get_challenge(sconn, (uint8 *)smb_buf(req->outbuf)); SSVAL(req->outbuf,smb_vwv11, 8); } @@ -93,7 +95,7 @@ static void reply_lanman1(struct smb_request *req, uint16 choice) /* Reply, SMBlockread, SMBwritelock supported. */ SCVAL(req->outbuf,smb_flg, FLAG_REPLY|FLAG_SUPPORT_LOCKREAD); - SSVAL(req->outbuf,smb_vwv2, sconn->smb1.negprot.max_recv); + SSVAL(req->outbuf,smb_vwv2, xconn->smb1.negprot.max_recv); SSVAL(req->outbuf,smb_vwv3, lp_max_mux()); /* maxmux */ SSVAL(req->outbuf,smb_vwv4, 1); SSVAL(req->outbuf,smb_vwv5, raw); /* tell redirector we support @@ -115,6 +117,7 @@ static void reply_lanman2(struct smb_request *req, uint16 choice) int secword=0; time_t t = time(NULL); struct smbd_server_connection *sconn = req->sconn; + struct smbXsrv_connection *xconn = sconn->conn; uint16_t raw; if (lp_async_smb_echo_handler()) { raw = 0; @@ -122,21 +125,21 @@ static void reply_lanman2(struct smb_request *req, uint16 choice) raw = (lp_read_raw()?1:0) | (lp_write_raw()?2:0); } - sconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords(); + xconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords(); secword |= NEGOTIATE_SECURITY_USER_LEVEL; - if (sconn->smb1.negprot.encrypted_passwords) { + if (xconn->smb1.negprot.encrypted_passwords) { secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE; } - reply_outbuf(req, 13, sconn->smb1.negprot.encrypted_passwords?8:0); + reply_outbuf(req, 13, xconn->smb1.negprot.encrypted_passwords?8:0); SSVAL(req->outbuf,smb_vwv0, choice); SSVAL(req->outbuf,smb_vwv1, secword); SIVAL(req->outbuf,smb_vwv6, getpid()); /* Create a token value and add it to the outgoing packet. */ - if (sconn->smb1.negprot.encrypted_passwords) { + if (xconn->smb1.negprot.encrypted_passwords) { get_challenge(sconn, (uint8 *)smb_buf(req->outbuf)); SSVAL(req->outbuf,smb_vwv11, 8); } @@ -145,7 +148,7 @@ static void reply_lanman2(struct smb_request *req, uint16 choice) /* Reply, SMBlockread, SMBwritelock supported. */ SCVAL(req->outbuf,smb_flg,FLAG_REPLY|FLAG_SUPPORT_LOCKREAD); - SSVAL(req->outbuf,smb_vwv2,sconn->smb1.negprot.max_recv); + SSVAL(req->outbuf,smb_vwv2,xconn->smb1.negprot.max_recv); SSVAL(req->outbuf,smb_vwv3,lp_max_mux()); SSVAL(req->outbuf,smb_vwv4,1); SSVAL(req->outbuf,smb_vwv5,raw); /* readbraw and/or writebraw */ @@ -159,6 +162,7 @@ static void reply_lanman2(struct smb_request *req, uint16 choice) DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) { + struct smbXsrv_connection *xconn = sconn->conn; DATA_BLOB blob = data_blob_null; DATA_BLOB blob_out = data_blob_null; nstring dos_name; @@ -188,7 +192,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) TALLOC_FREE(gensec_security); } - sconn->smb1.negprot.spnego = true; + xconn->smb1.negprot.spnego = true; /* strangely enough, NT does not sent the single OID NTLMSSP when not a ADS member, it sends no OIDs at all @@ -250,10 +254,11 @@ static void reply_nt1(struct smb_request *req, uint16 choice) struct timespec ts; ssize_t ret; struct smbd_server_connection *sconn = req->sconn; + struct smbXsrv_connection *xconn = sconn->conn; bool signing_desired = false; bool signing_required = false; - sconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords(); + xconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords(); /* Check the flags field to see if this is Vista. WinXP sets it and Vista does not. But we have to @@ -273,7 +278,7 @@ static void reply_nt1(struct smb_request *req, uint16 choice) /* do spnego in user level security if the client supports it and we can do encrypted passwords */ - if (sconn->smb1.negprot.encrypted_passwords && + if (xconn->smb1.negprot.encrypted_passwords && lp_use_spnego() && (req->flags2 & FLAGS2_EXTENDED_SECURITY)) { negotiate_spnego = True; @@ -310,7 +315,7 @@ static void reply_nt1(struct smb_request *req, uint16 choice) capabilities |= CAP_DFS; secword |= NEGOTIATE_SECURITY_USER_LEVEL; - if (sconn->smb1.negprot.encrypted_passwords) { + if (xconn->smb1.negprot.encrypted_passwords) { secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE; } @@ -334,7 +339,7 @@ static void reply_nt1(struct smb_request *req, uint16 choice) SSVAL(req->outbuf,smb_vwv1+1, lp_max_mux()); /* maxmpx */ SSVAL(req->outbuf,smb_vwv2+1, 1); /* num vcs */ SIVAL(req->outbuf,smb_vwv3+1, - sconn->smb1.negprot.max_recv); /* max buffer. LOTS! */ + xconn->smb1.negprot.max_recv); /* max buffer. LOTS! */ SIVAL(req->outbuf,smb_vwv5+1, 0x10000); /* raw size. full 64k */ SIVAL(req->outbuf,smb_vwv7+1, getpid()); /* session key */ SIVAL(req->outbuf,smb_vwv9+1, capabilities); /* capabilities */ @@ -344,7 +349,7 @@ static void reply_nt1(struct smb_request *req, uint16 choice) if (!negotiate_spnego) { /* Create a token value and add it to the outgoing packet. */ - if (sconn->smb1.negprot.encrypted_passwords) { + if (xconn->smb1.negprot.encrypted_passwords) { uint8 chal[8]; /* note that we do not send a challenge at all if we are using plaintext */ @@ -517,14 +522,15 @@ void reply_negprot(struct smb_request *req) int i; size_t converted_size; struct smbd_server_connection *sconn = req->sconn; + struct smbXsrv_connection *xconn = sconn->conn; START_PROFILE(SMBnegprot); - if (sconn->smb1.negprot.done) { + if (xconn->smb1.negprot.done) { END_PROFILE(SMBnegprot); exit_server_cleanly("multiple negprot's are not permitted"); } - sconn->smb1.negprot.done = true; + xconn->smb1.negprot.done = true; if (req->buflen == 0) { DEBUG(0, ("negprot got no protocols\n")); diff --git a/source3/smbd/process.c b/source3/smbd/process.c index 3fc92a0e622..3c5d025704f 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -3828,7 +3828,7 @@ void smbd_process(struct tevent_context *ev_ctx, tmp = MAX(tmp, SMB_BUFFER_SIZE_MIN); tmp = MIN(tmp, SMB_BUFFER_SIZE_MAX); - sconn->smb1.negprot.max_recv = tmp; + conn->smb1.negprot.max_recv = tmp; sconn->smb1.sessions.done_sesssetup = false; sconn->smb1.sessions.max_send = SMB_BUFFER_SIZE_MAX; diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 784f10ccbfb..72f493194a0 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -694,6 +694,7 @@ void reply_tcon(struct smb_request *req) const char *p2; TALLOC_CTX *ctx = talloc_tos(); struct smbd_server_connection *sconn = req->sconn; + struct smbXsrv_connection *xconn = sconn->conn; NTTIME now = timeval_to_nttime(&req->request_time); START_PROFILE(SMBtcon); @@ -735,7 +736,7 @@ void reply_tcon(struct smb_request *req) } reply_outbuf(req, 2, 0); - SSVAL(req->outbuf,smb_vwv0,sconn->smb1.negprot.max_recv); + SSVAL(req->outbuf,smb_vwv0,xconn->smb1.negprot.max_recv); SSVAL(req->outbuf,smb_vwv1,conn->cnum); SSVAL(req->outbuf,smb_tid,conn->cnum); @@ -771,6 +772,7 @@ void reply_tcon_and_X(struct smb_request *req) bool session_key_updated = false; uint16_t optional_support = 0; struct smbd_server_connection *sconn = req->sconn; + struct smbXsrv_connection *xconn = sconn->conn; START_PROFILE(SMBtconX); @@ -818,7 +820,7 @@ void reply_tcon_and_X(struct smb_request *req) return; } - if (sconn->smb1.negprot.encrypted_passwords) { + if (xconn->smb1.negprot.encrypted_passwords) { p = req->buf + passlen; } else { p = req->buf + passlen + 1; diff --git a/source3/smbd/server_exit.c b/source3/smbd/server_exit.c index 4c91bfbdfd4..077b81a1173 100644 --- a/source3/smbd/server_exit.c +++ b/source3/smbd/server_exit.c @@ -113,7 +113,7 @@ static void exit_server_common(enum server_exit_reason how, } } - TALLOC_FREE(sconn->smb1.negprot.auth_context); + TALLOC_FREE(conn->smb1.negprot.auth_context); if (lp_log_writeable_files_on_exit()) { bool found = false; diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 1a0cb5e29d5..a908f69c78a 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -590,11 +590,10 @@ void reply_sesssetup_and_X(struct smb_request *req) uint16_t action = 0; NTTIME now = timeval_to_nttime(&req->request_time); struct smbXsrv_session *session = NULL; - NTSTATUS nt_status; struct smbd_server_connection *sconn = req->sconn; - - bool doencrypt = sconn->smb1.negprot.encrypted_passwords; + struct smbXsrv_connection *xconn = sconn->conn; + bool doencrypt = xconn->smb1.negprot.encrypted_passwords; bool signing_allowed = false; bool signing_mandatory = false; @@ -627,7 +626,7 @@ void reply_sesssetup_and_X(struct smb_request *req) if (req->wct == 12 && (req->flags2 & FLAGS2_EXTENDED_SECURITY)) { - if (!sconn->smb1.negprot.spnego) { + if (!xconn->smb1.negprot.spnego) { DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt " "at SPNEGO session setup when it was not " "negotiated.\n")); @@ -837,7 +836,7 @@ void reply_sesssetup_and_X(struct smb_request *req) domain, user, get_remote_machine_name())); if (*user) { - if (sconn->smb1.negprot.spnego) { + if (xconn->smb1.negprot.spnego) { /* This has to be here, because this is a perfectly * valid behaviour for guest logons :-( */ @@ -865,7 +864,7 @@ void reply_sesssetup_and_X(struct smb_request *req) } else if (doencrypt) { struct auth4_context *negprot_auth_context = NULL; - negprot_auth_context = sconn->smb1.negprot.auth_context; + negprot_auth_context = xconn->smb1.negprot.auth_context; if (!negprot_auth_context) { DEBUG(0, ("reply_sesssetup_and_X: Attempted encrypted " "session setup without negprot denied!\n")); -- 2.11.4.GIT