diff options
author | Andrew Bartlett <abartlet@samba.org> | 2012-01-31 14:39:34 +1100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2012-02-17 10:48:09 +0100 |
commit | 9c5b26f8647bd31dec9864d8c42959f81e686619 (patch) | |
tree | ca7cbc7f3a645a9fa16ebd68d9053cdffee829e0 /source3 | |
parent | 2f74f2f18056e83c396b196939bc8f89bd4d0702 (diff) | |
download | samba-9c5b26f8647bd31dec9864d8c42959f81e686619.tar.gz samba-9c5b26f8647bd31dec9864d8c42959f81e686619.tar.bz2 samba-9c5b26f8647bd31dec9864d8c42959f81e686619.zip |
s3-auth: Use common gensec_ntlmssp server functions for more of gensec_ntlmssp3_server
This is possible because we now supply the auth4_context abstraction that this
code is looking for.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3')
-rw-r--r-- | source3/Makefile.in | 1 | ||||
-rw-r--r-- | source3/auth/auth_ntlmssp.c | 184 |
2 files changed, 3 insertions, 182 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index c433961a78..0425cd7b08 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -569,6 +569,7 @@ LIBSMB_OBJ0 = \ ../auth/ntlmssp/ntlmssp_util.o \ ../auth/ntlmssp/ntlmssp_sign.o \ ../auth/ntlmssp/gensec_ntlmssp.o \ + ../auth/ntlmssp/gensec_ntlmssp_server.o \ $(LIBNDR_NTLMSSP_OBJ) \ ../auth/ntlmssp/ntlmssp_ndr.o \ ../auth/ntlmssp/ntlmssp_server.o diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index f0c96ab168..b9d4b72222 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -24,6 +24,7 @@ #include "includes.h" #include "auth.h" #include "../auth/ntlmssp/ntlmssp.h" +#include "../auth/ntlmssp/ntlmssp_private.h" #include "../librpc/gen_ndr/netlogon.h" #include "../librpc/gen_ndr/dcerpc.h" #include "../lib/tsocket/tsocket.h" @@ -221,187 +222,6 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context, return nt_status; } -/** - * Return the challenge as determined by the authentication subsystem - * @return an 8 byte random challenge - */ - -static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state, - uint8_t chal[8]) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(ntlmssp_state->callback_private, - struct gensec_ntlmssp_context); - struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context; - NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED; - - if (auth_context->get_challenge) { - status = auth_context->get_challenge(auth_context, chal); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n", - nt_errstr(status))); - return status; - } - } - - return status; -} - -/** - * Some authentication methods 'fix' the challenge, so we may not be able to set it - * - * @return If the effective challenge used by the auth subsystem may be modified - */ -static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(ntlmssp_state->callback_private, - struct gensec_ntlmssp_context); - struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context; - - if (auth_context->challenge_may_be_modified) { - return auth_context->challenge_may_be_modified(auth_context); - } - return false; -} - -/** - * NTLM2 authentication modifies the effective challenge, - * @param challenge The new challenge value - */ -static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(ntlmssp_state->callback_private, - struct gensec_ntlmssp_context); - struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context; - NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; - const uint8_t *chal; - - if (challenge->length != 8) { - return NT_STATUS_INVALID_PARAMETER; - } - - chal = challenge->data; - - if (auth_context->set_challenge) { - nt_status = auth_context->set_challenge(auth_context, - chal, - "NTLMSSP callback (NTLM2)"); - } - return nt_status; -} - -/** - * Check the password on an NTLMSSP login. - * - * Return the session keys used on the connection. - */ - -static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, - TALLOC_CTX *mem_ctx, - DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(ntlmssp_state->callback_private, - struct gensec_ntlmssp_context); - struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context; - NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; - struct auth_usersupplied_info *user_info; - - user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info); - if (!user_info) { - return NT_STATUS_NO_MEMORY; - } - - user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT; - user_info->flags = 0; - user_info->mapped_state = false; - user_info->client.account_name = ntlmssp_state->user; - user_info->client.domain_name = ntlmssp_state->domain; - user_info->workstation_name = ntlmssp_state->client.netbios_name; - user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security); - - user_info->password_state = AUTH_PASSWORD_RESPONSE; - user_info->password.response.lanman = ntlmssp_state->lm_resp; - user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data); - user_info->password.response.nt = ntlmssp_state->nt_resp; - user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data); - - if (auth_context->check_password) { - nt_status = auth_context->check_password(auth_context, - gensec_ntlmssp, - user_info, - &gensec_ntlmssp->server_returned_info, - user_session_key, lm_session_key); - } - talloc_free(user_info); - - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(5,("%s: Checking NTLMSSP password for %s\\%s failed: %s\n", - __location__, - user_info->client.domain_name, - user_info->client.account_name, - nt_errstr(nt_status))); - } - - NT_STATUS_NOT_OK_RETURN(nt_status); - - talloc_steal(mem_ctx, user_session_key->data); - talloc_steal(mem_ctx, lm_session_key->data); - - return nt_status; -} - -/** - * Return the credentials of a logged on user, including session keys - * etc. - * - * Only valid after a successful authentication - * - * May only be called once per authentication. - * - */ - -static NTSTATUS gensec_ntlmssp3_server_session_info(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - struct auth_session_info **session_info) -{ - NTSTATUS nt_status; - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(gensec_security->private_data, - struct gensec_ntlmssp_context); - uint32_t session_info_flags = 0; - - if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { - session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; - } - - session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; - - if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) { - nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context, - gensec_ntlmssp->server_returned_info, - gensec_ntlmssp->ntlmssp_state->user, - session_info_flags, - session_info); - } else { - DEBUG(0, ("Cannot generate a session_info without the auth_context\n")); - return NT_STATUS_INTERNAL_ERROR; - } - - NT_STATUS_NOT_OK_RETURN(nt_status); - - nt_status = gensec_ntlmssp_session_key(gensec_security, *session_info, - &(*session_info)->session_key); - - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) { - (*session_info)->session_key = data_blob_null; - nt_status = NT_STATUS_OK; - } - return nt_status; -} - static NTSTATUS gensec_ntlmssp3_server_start(struct gensec_security *gensec_security) { NTSTATUS nt_status; @@ -487,7 +307,7 @@ const struct gensec_security_ops gensec_ntlmssp3_server_ops = { .wrap = gensec_ntlmssp_wrap, .unwrap = gensec_ntlmssp_unwrap, .session_key = gensec_ntlmssp_session_key, - .session_info = gensec_ntlmssp3_server_session_info, + .session_info = gensec_ntlmssp_session_info, .have_feature = gensec_ntlmssp_have_feature, .enabled = true, .priority = GENSEC_NTLMSSP |