s3-auth: Use common gensec_ntlmssp server functions for more of gensec_ntlmssp3_server

This is possible because we now supply the auth4_context abstraction that this
code is looking for.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>

1 files changed, 2 insertions, 182 deletions

diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index f0c96ab168..b9d4b72222 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -24,6 +24,7 @@
 #include "includes.h"
 #include "auth.h"
 #include "../auth/ntlmssp/ntlmssp.h"
+#include "../auth/ntlmssp/ntlmssp_private.h"
 #include "../librpc/gen_ndr/netlogon.h"
 #include "../librpc/gen_ndr/dcerpc.h"
 #include "../lib/tsocket/tsocket.h"
@@ -221,187 +222,6 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 	return nt_status;
 }
 
-/**
- * Return the challenge as determined by the authentication subsystem
- * @return an 8 byte random challenge
- */
-
-static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
-					   uint8_t chal[8])
-{
-	struct gensec_ntlmssp_context *gensec_ntlmssp =
-		talloc_get_type_abort(ntlmssp_state->callback_private,
-				      struct gensec_ntlmssp_context);
-	struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
-	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
-
-	if (auth_context->get_challenge) {
-		status = auth_context->get_challenge(auth_context, chal);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
-				  nt_errstr(status)));
-			return status;
-		}
-	}
-
-	return status;
-}
-
-/**
- * Some authentication methods 'fix' the challenge, so we may not be able to set it
- *
- * @return If the effective challenge used by the auth subsystem may be modified
- */
-static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
-{
-	struct gensec_ntlmssp_context *gensec_ntlmssp =
-		talloc_get_type_abort(ntlmssp_state->callback_private,
-				      struct gensec_ntlmssp_context);
-	struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
-
-	if (auth_context->challenge_may_be_modified) {
-		return auth_context->challenge_may_be_modified(auth_context);
-	}
-	return false;
-}
-
-/**
- * NTLM2 authentication modifies the effective challenge,
- * @param challenge The new challenge value
- */
-static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
-{
-	struct gensec_ntlmssp_context *gensec_ntlmssp =
-		talloc_get_type_abort(ntlmssp_state->callback_private,
-				      struct gensec_ntlmssp_context);
-	struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
-	NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
-	const uint8_t *chal;
-
-	if (challenge->length != 8) {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	chal = challenge->data;
-
-	if (auth_context->set_challenge) {
-		nt_status = auth_context->set_challenge(auth_context,
-							chal,
-							"NTLMSSP callback (NTLM2)");
-	}
-	return nt_status;
-}
-
-/**
- * Check the password on an NTLMSSP login.
- *
- * Return the session keys used on the connection.
- */
-
-static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
-					    TALLOC_CTX *mem_ctx,
-					    DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
-{
-	struct gensec_ntlmssp_context *gensec_ntlmssp =
-		talloc_get_type_abort(ntlmssp_state->callback_private,
-				      struct gensec_ntlmssp_context);
-	struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
-	NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
-	struct auth_usersupplied_info *user_info;
-
-	user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
-	if (!user_info) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
-	user_info->flags = 0;
-	user_info->mapped_state = false;
-	user_info->client.account_name = ntlmssp_state->user;
-	user_info->client.domain_name = ntlmssp_state->domain;
-	user_info->workstation_name = ntlmssp_state->client.netbios_name;
-	user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security);
-
-	user_info->password_state = AUTH_PASSWORD_RESPONSE;
-	user_info->password.response.lanman = ntlmssp_state->lm_resp;
-	user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data);
-	user_info->password.response.nt = ntlmssp_state->nt_resp;
-	user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
-
-	if (auth_context->check_password) {
-		nt_status = auth_context->check_password(auth_context,
-							 gensec_ntlmssp,
-							 user_info,
-							 &gensec_ntlmssp->server_returned_info,
-							 user_session_key, lm_session_key);
-	}
-	talloc_free(user_info);
-
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(5,("%s: Checking NTLMSSP password for %s\\%s failed: %s\n",
-			 __location__,
-			 user_info->client.domain_name,
-			 user_info->client.account_name,
-			 nt_errstr(nt_status)));
-	}
-
-	NT_STATUS_NOT_OK_RETURN(nt_status);
-
-	talloc_steal(mem_ctx, user_session_key->data);
-	talloc_steal(mem_ctx, lm_session_key->data);
-
-	return nt_status;
-}
-
-/**
- * Return the credentials of a logged on user, including session keys
- * etc.
- *
- * Only valid after a successful authentication
- *
- * May only be called once per authentication.
- *
- */
-
-static NTSTATUS gensec_ntlmssp3_server_session_info(struct gensec_security *gensec_security,
-						    TALLOC_CTX *mem_ctx,
-						    struct auth_session_info **session_info)
-{
-	NTSTATUS nt_status;
-	struct gensec_ntlmssp_context *gensec_ntlmssp =
-		talloc_get_type_abort(gensec_security->private_data,
-				      struct gensec_ntlmssp_context);
-	uint32_t session_info_flags = 0;
-
-	if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
-		session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
-	}
-
-	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
-
-	if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) {
-		nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
-										 gensec_ntlmssp->server_returned_info,
-										 gensec_ntlmssp->ntlmssp_state->user,
-										 session_info_flags,
-										 session_info);
-	} else {
-		DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	NT_STATUS_NOT_OK_RETURN(nt_status);
-
-	nt_status = gensec_ntlmssp_session_key(gensec_security, *session_info,
-					  &(*session_info)->session_key);
-
-	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) {
-		(*session_info)->session_key = data_blob_null;
-		nt_status = NT_STATUS_OK;
-	}
-	return nt_status;
-}
-
 static NTSTATUS gensec_ntlmssp3_server_start(struct gensec_security *gensec_security)
 {
 	NTSTATUS nt_status;
@@ -487,7 +307,7 @@ const struct gensec_security_ops gensec_ntlmssp3_server_ops = {
 	.wrap           = gensec_ntlmssp_wrap,
 	.unwrap         = gensec_ntlmssp_unwrap,
 	.session_key	= gensec_ntlmssp_session_key,
-	.session_info   = gensec_ntlmssp3_server_session_info,
+	.session_info   = gensec_ntlmssp_session_info,
 	.have_feature   = gensec_ntlmssp_have_feature,
 	.enabled        = true,
 	.priority       = GENSEC_NTLMSSP