author | Andrew Bartlett <abartlet@samba.org> | 2012-06-30 18:30:57 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-07-03 08:13:01 +1000 |
commit | eba87995145b0e14672c1f6993f7aa3422d62541 (patch) | |
tree | cd6be4bd78541ebabb689d3241c7ec1b853728f4 /source3/auth | |
parent | ab80b99815a51b07e9e89b423e847824ec71bd3c (diff) | |
auth: Remove .get_challenge (only used for security=server)
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionality, we would
downgrade to just NTLM.
Now that security=server has been removed, we have no such module.
This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.
Andrew Bartlett
Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth.c | 54 | ||||
-rw-r--r-- | source3/auth/auth_builtin.c | 55 | ||||
-rw-r--r-- | source3/auth/auth_generic.c | 1 | ||||
-rw-r--r-- | source3/auth/auth_ntlmssp.c | 12 |
4 files changed, 6 insertions, 116 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 671319347f..c3797cf604 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -81,9 +81,8 @@ static struct auth_init_function_entry *auth_find_backend_entry(const char *name NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context, uint8_t chal[8]) { - DATA_BLOB challenge = data_blob_null; - const char *challenge_set_by = NULL; - auth_methods *auth_method; + uchar tmp[8]; + if (auth_context->challenge.length) { DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge by module %s (normal)\n", 
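Review bot: The new local `uchar tmp[8];` uses the legacy `uchar` typedef while the signature just above it declares `uint8_t chal[8]`. Declaring it as `uint8_t tmp[8];` would keep a single byte type for the challenge in this function. The body of auth_get_ntlm_challenge continues past the end of this hunk.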
@@ -92,52 +91,11 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context, return NT_STATUS_OK; } - auth_context->challenge_may_be_modified = False; - - for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) { - if (auth_method->get_chal == NULL) { - DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name)); - continue; - } - - DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name)); - if (challenge_set_by != NULL) { - DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authentication method %s has already specified a challenge. Challenge by %s ignored.\n", - challenge_set_by, auth_method->name)); - continue; - } - - challenge = auth_method->get_chal(auth_context, &auth_method->private_data, - auth_context); - if (!challenge.length) { - DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n", - auth_method->name)); - } else { - DEBUG(5, ("auth_get_challenge: successfully got challenge from module %s\n", auth_method->name)); - auth_context->challenge = challenge; - challenge_set_by = auth_method->name; - auth_context->challenge_set_method = auth_method; - } - } - - if (!challenge_set_by) { - uchar tmp[8]; - - generate_random_buffer(tmp, sizeof(tmp)); - auth_context->challenge = data_blob_talloc(auth_context, - tmp, sizeof(tmp)); - - challenge_set_by = "random"; - auth_context->challenge_may_be_modified = True; - } - - DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by)); - DEBUG(5, ("challenge is: \n")); - dump_data(5, auth_context->challenge.data, auth_context->challenge.length); - - SMB_ASSERT(auth_context->challenge.length == 8); + generate_random_buffer(tmp, sizeof(tmp)); + auth_context->challenge = data_blob_talloc(auth_context, + tmp, sizeof(tmp)); - auth_context->challenge_set_by=challenge_set_by; + auth_context->challenge_set_by = "random"; memcpy(chal, 
auth_context->challenge.data, 8); return NT_STATUS_OK; diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index cfe89495a0..b757894a7c 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c 
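Review bot: Nothing now checks the result of `data_blob_talloc()` before `memcpy(chal, auth_context->challenge.data, 8)`, because the removed `SMB_ASSERT(auth_context->challenge.length == 8)` was the only guard on that path. If the allocation fails and leaves an empty blob (presumably `data == NULL`, `length == 0`; confirm against data_blob_talloc), the copy reads through a null pointer while handling an authentication request. I would add `if (auth_context->challenge.data == NULL) { return NT_STATUS_NO_MEMORY; }` directly after the allocation. The early-return branch at the top of the function also copies 8 bytes from a previously stored challenge, and its length check is not visible in these hunks.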
@@ -128,67 +128,12 @@ static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, co return NT_STATUS_OK; } -/** - * Return a 'fixed' challenge instead of a variable one. - * - * The idea of this function is to make packet snifs consistant - * with a fixed challenge, so as to aid debugging. - * - * This module is of no value to end-users. - * - * This module does not actually authenticate the user, but - * just pretenteds to need a specified challenge. - * This module removes *all* security from the challenge-response system - * - * @return NT_STATUS_UNSUCCESSFUL - **/ - -static NTSTATUS check_fixed_challenge_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) -{ - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************************** - Get the challenge out of a password server. -****************************************************************************/ - -static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_context, - void **my_private_data, - TALLOC_CTX *mem_ctx) -{ - const char *challenge = "I am a teapot"; - return data_blob(challenge, 8); -} - - -/** Module initialisation function */ - -static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - struct auth_methods *result; - - result = talloc_zero(auth_context, struct auth_methods); - if (result == NULL) { - return NT_STATUS_NO_MEMORY; - } - result->auth = check_fixed_challenge_security; - result->get_chal = auth_get_fixed_challenge; - result->name = "fixed_challenge"; - - *auth_method = result; - return NT_STATUS_OK; -} #endif /* DEVELOPER */ NTSTATUS auth_builtin_init(void) { smb_register_auth(AUTH_INTERFACE_VERSION, "guest", auth_init_guest); #ifdef DEVELOPER - smb_register_auth(AUTH_INTERFACE_VERSION, 
"fixed_challenge", auth_init_fixed_challenge); smb_register_auth(AUTH_INTERFACE_VERSION, "name_to_ntstatus", auth_init_name_to_ntstatus); #endif return NT_STATUS_OK; diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index e941ab9a0e..82b376feb6 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c @@ -165,7 +165,6 @@ static struct auth4_context *make_auth4_context_s3(TALLOC_CTX *mem_ctx, struct a auth4_context->generate_session_info = auth3_generate_session_info; auth4_context->get_ntlm_challenge = auth3_get_challenge; auth4_context->set_ntlm_challenge = auth3_set_challenge; - auth4_context->challenge_may_be_modified = auth3_may_set_challenge; auth4_context->check_ntlm_password = auth3_check_password; auth4_context->private_data = talloc_steal(auth4_context, auth_context); return auth4_context; diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 3437dbfb83..f99bd44d7e 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -64,18 +64,6 @@ NTSTATUS auth3_get_challenge(struct auth4_context *auth4_context, } /** - * Some authentication methods 'fix' the challenge, so we may not be able to set it - * - * @return If the effective challenge used by the auth subsystem may be modified - */ -bool auth3_may_set_challenge(struct auth4_context *auth4_context) -{ - struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data, - struct auth_context); - return auth_context->challenge_may_be_modified; -} - -/** * NTLM2 authentication modifies the effective challenge, * @param challenge The new challenge value */ |