authorAndrew Bartlett <abartlet@samba.org>2012-01-31 14:39:34 +1100
committerStefan Metzmacher <metze@samba.org>2012-02-17 10:48:09 +0100
commit9c5b26f8647bd31dec9864d8c42959f81e686619 (patch)
treeca7cbc7f3a645a9fa16ebd68d9053cdffee829e0 /source3
parent2f74f2f18056e83c396b196939bc8f89bd4d0702 (diff)
s3-auth: Use common gensec_ntlmssp server functions for more of gensec_ntlmssp3_server
This is possible because we now supply the auth4_context abstraction that this code is looking for. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3')
-rw-r--r--source3/Makefile.in1
-rw-r--r--source3/auth/auth_ntlmssp.c184
2 files changed, 3 insertions, 182 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index c433961a78..0425cd7b08 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -569,6 +569,7 @@ LIBSMB_OBJ0 = \
../auth/ntlmssp/ntlmssp_util.o \
../auth/ntlmssp/ntlmssp_sign.o \
../auth/ntlmssp/gensec_ntlmssp.o \
+ ../auth/ntlmssp/gensec_ntlmssp_server.o \
$(LIBNDR_NTLMSSP_OBJ) \
../auth/ntlmssp/ntlmssp_ndr.o \
../auth/ntlmssp/ntlmssp_server.o
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index f0c96ab168..b9d4b72222 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -24,6 +24,7 @@
#include "includes.h"
#include "auth.h"
#include "../auth/ntlmssp/ntlmssp.h"
+#include "../auth/ntlmssp/ntlmssp_private.h"
#include "../librpc/gen_ndr/netlogon.h"
#include "../librpc/gen_ndr/dcerpc.h"
#include "../lib/tsocket/tsocket.h"
@@ -221,187 +222,6 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
return nt_status;
}
-/**
- * Return the challenge as determined by the authentication subsystem
- * @return an 8 byte random challenge
- */
-
-static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
- uint8_t chal[8])
-{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(ntlmssp_state->callback_private,
- struct gensec_ntlmssp_context);
- struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
- NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
-
- if (auth_context->get_challenge) {
- status = auth_context->get_challenge(auth_context, chal);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
- nt_errstr(status)));
- return status;
- }
- }
-
- return status;
-}
-
-/**
- * Some authentication methods 'fix' the challenge, so we may not be able to set it
- *
- * @return If the effective challenge used by the auth subsystem may be modified
- */
-static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
-{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(ntlmssp_state->callback_private,
- struct gensec_ntlmssp_context);
- struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
-
- if (auth_context->challenge_may_be_modified) {
- return auth_context->challenge_may_be_modified(auth_context);
- }
- return false;
-}
-
-/**
- * NTLM2 authentication modifies the effective challenge,
- * @param challenge The new challenge value
- */
-static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
-{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(ntlmssp_state->callback_private,
- struct gensec_ntlmssp_context);
- struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
- NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
- const uint8_t *chal;
-
- if (challenge->length != 8) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- chal = challenge->data;
-
- if (auth_context->set_challenge) {
- nt_status = auth_context->set_challenge(auth_context,
- chal,
- "NTLMSSP callback (NTLM2)");
- }
- return nt_status;
-}
-
-/**
- * Check the password on an NTLMSSP login.
- *
- * Return the session keys used on the connection.
- */
-
-static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
-{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(ntlmssp_state->callback_private,
- struct gensec_ntlmssp_context);
- struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
- NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
- struct auth_usersupplied_info *user_info;
-
- user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
- if (!user_info) {
- return NT_STATUS_NO_MEMORY;
- }
-
- user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
- user_info->flags = 0;
- user_info->mapped_state = false;
- user_info->client.account_name = ntlmssp_state->user;
- user_info->client.domain_name = ntlmssp_state->domain;
- user_info->workstation_name = ntlmssp_state->client.netbios_name;
- user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security);
-
- user_info->password_state = AUTH_PASSWORD_RESPONSE;
- user_info->password.response.lanman = ntlmssp_state->lm_resp;
- user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data);
- user_info->password.response.nt = ntlmssp_state->nt_resp;
- user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
-
- if (auth_context->check_password) {
- nt_status = auth_context->check_password(auth_context,
- gensec_ntlmssp,
- user_info,
- &gensec_ntlmssp->server_returned_info,
- user_session_key, lm_session_key);
- }
- talloc_free(user_info);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5,("%s: Checking NTLMSSP password for %s\\%s failed: %s\n",
- __location__,
- user_info->client.domain_name,
- user_info->client.account_name,
- nt_errstr(nt_status)));
- }
-
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- talloc_steal(mem_ctx, user_session_key->data);
- talloc_steal(mem_ctx, lm_session_key->data);
-
- return nt_status;
-}
-
-/**
- * Return the credentials of a logged on user, including session keys
- * etc.
- *
- * Only valid after a successful authentication
- *
- * May only be called once per authentication.
- *
- */
-
-static NTSTATUS gensec_ntlmssp3_server_session_info(struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
- struct auth_session_info **session_info)
-{
- NTSTATUS nt_status;
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(gensec_security->private_data,
- struct gensec_ntlmssp_context);
- uint32_t session_info_flags = 0;
-
- if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
- session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
- }
-
- session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
-
- if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) {
- nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
- gensec_ntlmssp->server_returned_info,
- gensec_ntlmssp->ntlmssp_state->user,
- session_info_flags,
- session_info);
- } else {
- DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- nt_status = gensec_ntlmssp_session_key(gensec_security, *session_info,
- &(*session_info)->session_key);
-
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) {
- (*session_info)->session_key = data_blob_null;
- nt_status = NT_STATUS_OK;
- }
- return nt_status;
-}
-
static NTSTATUS gensec_ntlmssp3_server_start(struct gensec_security *gensec_security)
{
NTSTATUS nt_status;
@@ -487,7 +307,7 @@ const struct gensec_security_ops gensec_ntlmssp3_server_ops = {
.wrap = gensec_ntlmssp_wrap,
.unwrap = gensec_ntlmssp_unwrap,
.session_key = gensec_ntlmssp_session_key,
- .session_info = gensec_ntlmssp3_server_session_info,
+ .session_info = gensec_ntlmssp_session_info,
.have_feature = gensec_ntlmssp_have_feature,
.enabled = true,
.priority = GENSEC_NTLMSSP
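Review bot: The new `.session_info = gensec_ntlmssp_session_info` delegates to a function in gensec_ntlmssp_server.o that is not part of this diff, while the deleted local gensec_ntlmssp3_server_session_info encoded two behaviours the source3 callers may depend on: it unconditionally ORed `AUTH_SESSION_INFO_DEFAULT_GROUPS` into session_info_flags, and it mapped `NT_STATUS_NO_USER_SESSION_KEY` from gensec_ntlmssp_session_key to `data_blob_null` with NT_STATUS_OK instead of failing. If the common implementation differs on either point, token group membership or session setup for clients that negotiate no session key changes silently with this commit, which the commit message does not mention. It would be worth confirming both against the common function and recording the equivalence (or the intentional difference) in the description. The gensec_ntlmssp3_server_ops initializer starts outside the hunk.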