s3-ntlmssp Add hooks to optionally call into GENSEC in auth_ntlmssp

This allows the current behaviour of the NTLMSSP code to be unchanged while adding a way to hook in an alternate implementation via an auth module. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
author: Andrew Bartlett <abartlet@samba.org> 2011-07-27 13:34:34 +1000
committer: Andrew Bartlett <abartlet@samba.org> 2011-08-03 18:48:03 +1000
commit: d69843c908d2dab9f5296096eccf8650296b79f4 (patch)
tree: a1881623bac18445011e4a6344568c6dc78cef63 /source3
parent: dee845eb70379feae89940e9535541f7957c60d9 (diff)
download: samba-d69843c908d2dab9f5296096eccf8650296b79f4.tar.gz
samba-d69843c908d2dab9f5296096eccf8650296b79f4.tar.bz2
samba-d69843c908d2dab9f5296096eccf8650296b79f4.zip
5 files changed, 93 insertions, 15 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 9bf3bc0399..927cd0c81a 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -550,6 +550,7 @@ LIBSMB_OBJ0 = \
 	       ../libcli/auth/ntlm_check.o \
 	       libsmb/ntlmssp.o \
 	       libsmb/ntlmssp_wrap.o \
+	       ../auth/gensec/gensec.o \
 	       ../libcli/auth/ntlmssp.o \
 	       ../libcli/auth/ntlmssp_sign.o \
 	       $(LIBNDR_NTLMSSP_OBJ) \
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 2157d355d2..64307bea48 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -26,15 +26,25 @@
 #include "ntlmssp_wrap.h"
 #include "../librpc/gen_ndr/netlogon.h"
 #include "../lib/tsocket/tsocket.h"
+#include "auth/gensec/gensec.h"
 
 NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
 					struct auth_ntlmssp_state *auth_ntlmssp_state,
 					struct auth_session_info **session_info)
 {
-	NTSTATUS nt_status = create_local_token(mem_ctx,
-						auth_ntlmssp_state->server_info,
-						&auth_ntlmssp_state->ntlmssp_state->session_key,
+	NTSTATUS nt_status;
+	if (auth_ntlmssp_state->gensec_security) {
+
+		nt_status = gensec_session_info(auth_ntlmssp_state->gensec_security,
+						mem_ctx,
 						session_info);
+		return nt_status;
+	}
+
+	nt_status = create_local_token(mem_ctx,
+				       auth_ntlmssp_state->server_info,
+				       &auth_ntlmssp_state->ntlmssp_state->session_key,
+				       session_info);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(10, ("create_local_token failed: %s\n",
@@ -190,6 +200,29 @@ NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
 	struct auth_ntlmssp_state *ans;
 	struct auth_context *auth_context;
 
+	ans = talloc_zero(NULL, struct auth_ntlmssp_state);
+	if (!ans) {
+		DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		TALLOC_FREE(ans);
+		return nt_status;
+	}
+
+	if (auth_context->start_gensec) {
+		nt_status = auth_context->start_gensec(ans, GENSEC_OID_NTLMSSP, &ans->gensec_security);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			TALLOC_FREE(ans);
+			return nt_status;
+		} else {
+			*auth_ntlmssp_state = ans;
+			return NT_STATUS_OK;
+		}
+	}
+
 	if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
 		is_standalone = true;
 	} else {
@@ -205,12 +238,6 @@ NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
 	}
 	dns_name = get_mydnsfullname();
 
-	ans = talloc_zero(NULL, struct auth_ntlmssp_state);
-	if (!ans) {
-		DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	ans->remote_address = tsocket_address_copy(remote_address, ans);
 	if (ans->remote_address == NULL) {
 		DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
@@ -228,10 +255,6 @@ NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
 		return nt_status;
 	}
 
-	nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		return nt_status;
-	}
 	ans->auth_context = talloc_steal(ans, auth_context);
 
 	ans->ntlmssp_state->callback_private = ans;
diff --git a/source3/include/ntlmssp_wrap.h b/source3/include/ntlmssp_wrap.h
index ed2e82758c..ff534da46f 100644
--- a/source3/include/ntlmssp_wrap.h
+++ b/source3/include/ntlmssp_wrap.h
@@ -21,11 +21,14 @@
 #ifndef _NTLMSSP_WRAP_
 #define _NTLMSSP_WRAP_
 
+struct gensec_security;
+
 struct auth_ntlmssp_state {
 	/* used only by server implementation */
 	struct auth_context *auth_context;
 	struct auth_serversupplied_info *server_info;
 	struct tsocket_address *remote_address;
+	struct gensec_security *gensec_security;
 
 	/* used by both client and server implementation */
 	struct ntlmssp_state *ntlmssp_state;
diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c
index de883dd8cb..43cde19b3b 100644
--- a/source3/libsmb/ntlmssp_wrap.c
+++ b/source3/libsmb/ntlmssp_wrap.c
@@ -21,6 +21,7 @@
 #include "includes.h"
 #include "libcli/auth/ntlmssp.h"
 #include "ntlmssp_wrap.h"
+#include "auth/gensec/gensec.h"
 
 NTSTATUS auth_ntlmssp_sign_packet(struct auth_ntlmssp_state *ans,
 				  TALLOC_CTX *sig_mem_ctx,
@@ -30,6 +31,10 @@ NTSTATUS auth_ntlmssp_sign_packet(struct auth_ntlmssp_state *ans,
 				  size_t pdu_length,
 				  DATA_BLOB *sig)
 {
+	if (ans->gensec_security) {
+		return gensec_sign_packet(ans->gensec_security,
+					  sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
+	}
 	return ntlmssp_sign_packet(ans->ntlmssp_state,
 				   sig_mem_ctx,
 				   data, length,
@@ -44,6 +49,10 @@ NTSTATUS auth_ntlmssp_check_packet(struct auth_ntlmssp_state *ans,
 				   size_t pdu_length,
 				   const DATA_BLOB *sig)
 {
+	if (ans->gensec_security) {
+		return gensec_check_packet(ans->gensec_security,
+					   data, length, whole_pdu, pdu_length, sig);
+	}
 	return ntlmssp_check_packet(ans->ntlmssp_state,
 				    data, length,
 				    whole_pdu, pdu_length,
@@ -58,6 +67,10 @@ NTSTATUS auth_ntlmssp_seal_packet(struct auth_ntlmssp_state *ans,
 				  size_t pdu_length,
 				  DATA_BLOB *sig)
 {
+	if (ans->gensec_security) {
+		return gensec_seal_packet(ans->gensec_security,
+					  sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
+	}
 	return ntlmssp_seal_packet(ans->ntlmssp_state,
 				   sig_mem_ctx,
 				   data, length,
@@ -72,6 +85,10 @@ NTSTATUS auth_ntlmssp_unseal_packet(struct auth_ntlmssp_state *ans,
 				    size_t pdu_length,
 				    const DATA_BLOB *sig)
 {
+	if (ans->gensec_security) {
+		return gensec_unseal_packet(ans->gensec_security,
+					    data, length, whole_pdu, pdu_length, sig);
+	}
 	return ntlmssp_unseal_packet(ans->ntlmssp_state,
 				     data, length,
 				     whole_pdu, pdu_length,
@@ -80,17 +97,26 @@ NTSTATUS auth_ntlmssp_unseal_packet(struct auth_ntlmssp_state *ans,
 
 bool auth_ntlmssp_negotiated_sign(struct auth_ntlmssp_state *ans)
 {
+	if (ans->gensec_security) {
+		return gensec_have_feature(ans->gensec_security, GENSEC_FEATURE_SIGN);
+	}
 	return ans->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN;
 }
 
 bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *ans)
 {
+	if (ans->gensec_security) {
+		return gensec_have_feature(ans->gensec_security, GENSEC_FEATURE_SEAL);
+	}
 	return ans->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL;
 }
 
 /* Needed for 'smb username' processing */
 const char *auth_ntlmssp_get_username(struct auth_ntlmssp_state *ans)
 {
+	if (ans->gensec_security) {
+		return ""; /* We can't get at this value, and it's just for the %U macros */
+	}
 	return ans->ntlmssp_state->user;
 }
 
@@ -129,17 +155,42 @@ void auth_ntlmssp_or_flags(struct auth_ntlmssp_state *ans, uint32_t flags)
 
 void auth_ntlmssp_want_feature(struct auth_ntlmssp_state *ans, uint32_t feature)
 {
-	ntlmssp_want_feature(ans->ntlmssp_state, feature);
+	if (ans->gensec_security) {
+		/* You need to negotiate signing to get a windows server to calculate a session key */
+		if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+			return gensec_want_feature(ans->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+		}
+		if (feature & NTLMSSP_FEATURE_SIGN) {
+			return gensec_want_feature(ans->gensec_security, GENSEC_FEATURE_SIGN);
+		}
+		if (feature & NTLMSSP_FEATURE_SEAL) {
+			return gensec_want_feature(ans->gensec_security, GENSEC_FEATURE_SEAL);
+		}
+	} else {
+		ntlmssp_want_feature(ans->ntlmssp_state, feature);
+	}
 }
 
 DATA_BLOB auth_ntlmssp_get_session_key(struct auth_ntlmssp_state *ans, TALLOC_CTX *mem_ctx)
 {
+	if (ans->gensec_security) {
+		DATA_BLOB session_key;
+		NTSTATUS status = gensec_session_key(ans->gensec_security, mem_ctx, &session_key);
+		if (NT_STATUS_IS_OK(status)) {
+			return session_key;
+		} else {
+			return data_blob_null;
+		}
+	}
 	return data_blob_talloc(mem_ctx, ans->ntlmssp_state->session_key.data, ans->ntlmssp_state->session_key.length);
 }
 
 NTSTATUS auth_ntlmssp_update(struct auth_ntlmssp_state *ans,
 			     const DATA_BLOB request, DATA_BLOB *reply)
 {
+	if (ans->gensec_security) {
+		return gensec_update(ans->gensec_security, ans, request, reply);
+	}
 	return ntlmssp_update(ans->ntlmssp_state, request, reply);
 }
 
diff --git a/source3/wscript_build b/source3/wscript_build
index 266a0e3fad..42a12be0cb 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -817,7 +817,7 @@ bld.SAMBA3_SUBSYSTEM('LIBSMB_ERR',
 
 bld.SAMBA3_SUBSYSTEM('LIBNTLMSSP',
                     source=LIBNTLMSSP_SRC,
-                    deps='LIBSMB_ERR NDR_NTLMSSP NTLMSSP_COMMON',
+                    deps='LIBSMB_ERR NDR_NTLMSSP NTLMSSP_COMMON gensec_runtime',
                     vars=locals())
 
 bld.SAMBA3_LIBRARY('libsmb',
author	Andrew Bartlett <abartlet@samba.org>	2011-07-27 13:34:34 +1000
committer	Andrew Bartlett <abartlet@samba.org>	2011-08-03 18:48:03 +1000
commit	d69843c908d2dab9f5296096eccf8650296b79f4 (patch)
tree	a1881623bac18445011e4a6344568c6dc78cef63 /source3
parent	dee845eb70379feae89940e9535541f7957c60d9 (diff)
download	samba-d69843c908d2dab9f5296096eccf8650296b79f4.tar.gz samba-d69843c908d2dab9f5296096eccf8650296b79f4.tar.bz2 samba-d69843c908d2dab9f5296096eccf8650296b79f4.zip