From e217c2e30aa6f9990f1a1b9a1c67ba79570119a5 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 14 May 2017 01:22:32 +0200 Subject: [PATCH] s3:rpc_server: move gensec_update() out of auth_generic_server_authtype_start*() We let the caller use auth_generic_server_step() instead. This allows us to request GENSEC_FEATURE_SIGN_PKT_HEADER before starting the gensec_update() dance. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- source3/rpc_server/dcesrv_auth_generic.c | 14 -------------- source3/rpc_server/dcesrv_auth_generic.h | 2 -- source3/rpc_server/srv_pipe.c | 22 ++++++++++++++-------- 3 files changed, 14 insertions(+), 24 deletions(-) diff --git a/source3/rpc_server/dcesrv_auth_generic.c b/source3/rpc_server/dcesrv_auth_generic.c index 1092cd3317f..28fe76d6efd 100644 --- a/source3/rpc_server/dcesrv_auth_generic.c +++ b/source3/rpc_server/dcesrv_auth_generic.c @@ -26,8 +26,6 @@ static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx, uint8_t auth_type, uint8_t auth_level, - DATA_BLOB *token_in, - DATA_BLOB *token_out, const struct tsocket_address *remote_address, const struct tsocket_address *local_address, const char *service_description, @@ -55,14 +53,6 @@ static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx, return status; } - status = gensec_update(gensec_security, mem_ctx, *token_in, token_out); - if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DEBUG(2, (__location__ ": gensec_update failed: %s\n", - nt_errstr(status))); - TALLOC_FREE(gensec_security); - return status; - } - /* steal gensec context to the caller */ *ctx = talloc_move(mem_ctx, &gensec_security); return status; 
@@ -70,8 +60,6 @@ static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx, NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx, uint8_t auth_type, uint8_t auth_level, - DATA_BLOB *token_in, - DATA_BLOB *token_out, const struct tsocket_address *remote_address, const struct tsocket_address *local_address, const char *service_description, @@ -83,8 +71,6 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx, /* this has to be done as root in order to create the messaging socket */ status = auth_generic_server_authtype_start_as_root(mem_ctx, auth_type, auth_level, - token_in, - token_out, remote_address, local_address, service_description, diff --git a/source3/rpc_server/dcesrv_auth_generic.h b/source3/rpc_server/dcesrv_auth_generic.h index 4e86eabc953..f5e186bdd15 100644 --- a/source3/rpc_server/dcesrv_auth_generic.h +++ b/source3/rpc_server/dcesrv_auth_generic.h @@ -24,8 +24,6 @@ struct gensec_security; NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx, uint8_t auth_type, uint8_t auth_level, - DATA_BLOB *token_in, - DATA_BLOB *token_out, const struct tsocket_address *remote_address, const struct tsocket_address *local_address, const char *service_description, diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 251f8991a60..39f5fb49ec3 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c 
@@ -527,23 +527,16 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p, status = auth_generic_server_authtype_start(p, auth_info->auth_type, auth_info->auth_level, - &auth_info->credentials, - response, p->remote_address, p->local_address, service_description, &gensec_security); - if (!NT_STATUS_IS_OK(status) && - !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) - { + if (!NT_STATUS_IS_OK(status)) { DEBUG(0, (__location__ ": auth_generic_server_authtype_start[%u/%u] failed: %s\n", auth_info->auth_type, auth_info->auth_level, nt_errstr(status))); return false; } - /* Make sure data is bound to the memctx, to be freed the caller */ - talloc_steal(mem_ctx, response->data); - p->auth.auth_ctx = gensec_security; p->auth.auth_type = auth_info->auth_type; p->auth.auth_level = auth_info->auth_level; @@ -560,6 +553,19 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p, GENSEC_FEATURE_SIGN_PKT_HEADER); } + status = auth_generic_server_step(gensec_security, mem_ctx, + &auth_info->credentials, + response); + if (!NT_STATUS_IS_OK(status) && + !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) + { + DEBUG(2, (__location__ ": " + "auth_generic_server_step[%u/%u] failed: %s\n", + auth_info->auth_type, auth_info->auth_level, + nt_errstr(status))); + return false; + } + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { return true; } -- 2.11.4.GIT
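Review bot: The failure branch added after `auth_generic_server_step()` in the second srv_pipe.c hunk returns false while `p->auth.auth_ctx`, `p->auth.auth_type` and `p->auth.auth_level`, assigned in the trailing context of the previous hunk, still describe the rejected attempt. Before this patch a failing first gensec_update() ran `TALLOC_FREE(gensec_security)` inside auth_generic_server_authtype_start_as_root() and returned before those fields were written, so a failed bind left no auth state on the pipe. Unless every caller resets p->auth when pipe_auth_generic_bind() returns false (the callers and the rest of the function body are outside the hunk), add `TALLOC_FREE(p->auth.auth_ctx);` and reset the type and level fields just before the new `return false;`. A short comment above the step call, such as `/* first leg runs here so GENSEC_FEATURE_SIGN_PKT_HEADER is requested before any gensec_update() */`, would also keep the ordering from being undone later.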