authorAndrew Bartlett <abartlet@samba.org>2012-06-30 18:30:57 +1000
committerAndrew Bartlett <abartlet@samba.org>2012-07-03 08:13:01 +1000
commiteba87995145b0e14672c1f6993f7aa3422d62541 (patch)
treecd6be4bd78541ebabb689d3241c7ec1b853728f4 /source3/auth
parentab80b99815a51b07e9e89b423e847824ec71bd3c (diff)
auth: Remove .get_challenge (only used for security=server)
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge, so if we ever did use a module that needed this functionality, we would downgrade to just NTLM. Now that security=server has been removed, we have no such module. This will make it easier to make the auth subsystem async, as we will not need to consider making .get_challenge async. Andrew Bartlett
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth.c54
-rw-r--r--source3/auth/auth_builtin.c55
-rw-r--r--source3/auth/auth_generic.c1
-rw-r--r--source3/auth/auth_ntlmssp.c12
4 files changed, 6 insertions, 116 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 671319347f..c3797cf604 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -81,9 +81,8 @@ static struct auth_init_function_entry *auth_find_backend_entry(const char *name
NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
uint8_t chal[8])
{
- DATA_BLOB challenge = data_blob_null;
- const char *challenge_set_by = NULL;
- auth_methods *auth_method;
+ uchar tmp[8];
+
if (auth_context->challenge.length) {
DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge by module %s (normal)\n",
@@ -92,52 +91,11 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
return NT_STATUS_OK;
}
- auth_context->challenge_may_be_modified = False;
-
- for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) {
- if (auth_method->get_chal == NULL) {
- DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name));
- continue;
- }
-
- DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name));
- if (challenge_set_by != NULL) {
- DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authentication method %s has already specified a challenge. Challenge by %s ignored.\n",
- challenge_set_by, auth_method->name));
- continue;
- }
-
- challenge = auth_method->get_chal(auth_context, &auth_method->private_data,
- auth_context);
- if (!challenge.length) {
- DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n",
- auth_method->name));
- } else {
- DEBUG(5, ("auth_get_challenge: successfully got challenge from module %s\n", auth_method->name));
- auth_context->challenge = challenge;
- challenge_set_by = auth_method->name;
- auth_context->challenge_set_method = auth_method;
- }
- }
-
- if (!challenge_set_by) {
- uchar tmp[8];
-
- generate_random_buffer(tmp, sizeof(tmp));
- auth_context->challenge = data_blob_talloc(auth_context,
- tmp, sizeof(tmp));
-
- challenge_set_by = "random";
- auth_context->challenge_may_be_modified = True;
- }
-
- DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by));
- DEBUG(5, ("challenge is: \n"));
- dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
-
- SMB_ASSERT(auth_context->challenge.length == 8);
+ generate_random_buffer(tmp, sizeof(tmp));
+ auth_context->challenge = data_blob_talloc(auth_context,
+ tmp, sizeof(tmp));
- auth_context->challenge_set_by=challenge_set_by;
+ auth_context->challenge_set_by = "random";
memcpy(chal, auth_context->challenge.data, 8);
return NT_STATUS_OK;
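Review bot: The result of `data_blob_talloc()` is used unchecked, so if the allocation fails the following `memcpy(chal, auth_context->challenge.data, 8)` reads through a NULL pointer, and the `SMB_ASSERT(auth_context->challenge.length == 8)` that previously stopped execution before that point is removed in this same hunk. I would add `if (auth_context->challenge.data == NULL) { return NT_STATUS_NO_MEMORY; }` directly after the `data_blob_talloc()` call, so a failed allocation is reported to the caller instead of handing out an undefined challenge. Separately, the old random path set `auth_context->challenge_may_be_modified = True` and the new code no longer touches that field; the diff is limited to source3/auth, so it is worth confirming that the field and every reader of it are removed elsewhere in the commit, otherwise NTLM2 could see a stale value. The function's closing brace lies outside the hunk.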
diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
index cfe89495a0..b757894a7c 100644
--- a/source3/auth/auth_builtin.c
+++ b/source3/auth/auth_builtin.c
@@ -128,67 +128,12 @@ static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, co
return NT_STATUS_OK;
}
-/**
- * Return a 'fixed' challenge instead of a variable one.
- *
- * The idea of this function is to make packet snifs consistant
- * with a fixed challenge, so as to aid debugging.
- *
- * This module is of no value to end-users.
- *
- * This module does not actually authenticate the user, but
- * just pretenteds to need a specified challenge.
- * This module removes *all* security from the challenge-response system
- *
- * @return NT_STATUS_UNSUCCESSFUL
- **/
-
-static NTSTATUS check_fixed_challenge_security(const struct auth_context *auth_context,
- void *my_private_data,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
-{
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-/****************************************************************************
- Get the challenge out of a password server.
-****************************************************************************/
-
-static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_context,
- void **my_private_data,
- TALLOC_CTX *mem_ctx)
-{
- const char *challenge = "I am a teapot";
- return data_blob(challenge, 8);
-}
-
-
-/** Module initialisation function */
-
-static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
-{
- struct auth_methods *result;
-
- result = talloc_zero(auth_context, struct auth_methods);
- if (result == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- result->auth = check_fixed_challenge_security;
- result->get_chal = auth_get_fixed_challenge;
- result->name = "fixed_challenge";
-
- *auth_method = result;
- return NT_STATUS_OK;
-}
#endif /* DEVELOPER */
NTSTATUS auth_builtin_init(void)
{
smb_register_auth(AUTH_INTERFACE_VERSION, "guest", auth_init_guest);
#ifdef DEVELOPER
- smb_register_auth(AUTH_INTERFACE_VERSION, "fixed_challenge", auth_init_fixed_challenge);
smb_register_auth(AUTH_INTERFACE_VERSION, "name_to_ntstatus", auth_init_name_to_ntstatus);
#endif
return NT_STATUS_OK;
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index e941ab9a0e..82b376feb6 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -165,7 +165,6 @@ static struct auth4_context *make_auth4_context_s3(TALLOC_CTX *mem_ctx, struct a
auth4_context->generate_session_info = auth3_generate_session_info;
auth4_context->get_ntlm_challenge = auth3_get_challenge;
auth4_context->set_ntlm_challenge = auth3_set_challenge;
- auth4_context->challenge_may_be_modified = auth3_may_set_challenge;
auth4_context->check_ntlm_password = auth3_check_password;
auth4_context->private_data = talloc_steal(auth4_context, auth_context);
return auth4_context;
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 3437dbfb83..f99bd44d7e 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -64,18 +64,6 @@ NTSTATUS auth3_get_challenge(struct auth4_context *auth4_context,
}
/**
- * Some authentication methods 'fix' the challenge, so we may not be able to set it
- *
- * @return If the effective challenge used by the auth subsystem may be modified
- */
-bool auth3_may_set_challenge(struct auth4_context *auth4_context)
-{
- struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
- struct auth_context);
- return auth_context->challenge_may_be_modified;
-}
-
-/**
* NTLM2 authentication modifies the effective challenge,
* @param challenge The new challenge value
*/