diff options
author | Andrew Bartlett <abartlet@samba.org> | 2012-01-30 22:42:39 +1100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2012-02-17 10:48:09 +0100 |
commit | 52ac479764e85296a6a6100d143104d78c51aa8b (patch) | |
tree | 782fd512814eb32f50234f45cd74fdb8b85f6411 /source4/auth/ntlmssp/ntlmssp_server.c | |
parent | 8adde1b46b49011298e77f44a2053d0ec735a306 (diff) | |
download | samba-52ac479764e85296a6a6100d143104d78c51aa8b.tar.gz samba-52ac479764e85296a6a6100d143104d78c51aa8b.tar.bz2 samba-52ac479764e85296a6a6100d143104d78c51aa8b.zip |
auth: Move the rest of the source4 gensec_ntlmssp code to the top level
The ntlmssp_server code will be in common shortly, and aside from a
symbol name or two, moving the client code causes no harm and makes
less mess. We will also get the client code in common very soon.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4/auth/ntlmssp/ntlmssp_server.c')
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_server.c | 357 |
1 files changed, 0 insertions, 357 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c deleted file mode 100644 index 693613f5ec..0000000000 --- a/source4/auth/ntlmssp/ntlmssp_server.c +++ /dev/null @@ -1,357 +0,0 @@ -/* - Unix SMB/Netbios implementation. - Version 3.0 - handle NLTMSSP, client server side parsing - - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005 - Copyright (C) Stefan Metzmacher 2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "system/network.h" -#include "lib/tsocket/tsocket.h" -#include "auth/ntlmssp/ntlmssp.h" -#include "../librpc/gen_ndr/ndr_ntlmssp.h" -#include "auth/ntlmssp/ntlmssp_ndr.h" -#include "auth/ntlmssp/ntlmssp_private.h" -#include "../libcli/auth/libcli_auth.h" -#include "../lib/crypto/crypto.h" -#include "auth/gensec/gensec.h" -#include "auth/gensec/gensec_proto.h" -#include "auth/auth.h" -#include "param/param.h" -#include "source4/auth/ntlmssp/proto.h" - -/** - * Next state function for the Negotiate packet (GENSEC wrapper) - * - * @param gensec_security GENSEC state - * @param out_mem_ctx Memory context for *out - * @param in The request, as a DATA_BLOB. reply.data must be NULL - * @param out The reply, as an allocated DATA_BLOB, caller to free. - * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required. - */ - -NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security, - TALLOC_CTX *out_mem_ctx, - const DATA_BLOB request, DATA_BLOB *reply) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(gensec_security->private_data, - struct gensec_ntlmssp_context); - struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; - return ntlmssp_server_negotiate(ntlmssp_state, out_mem_ctx, request, reply); -} - -/** - * Next state function for the Authenticate packet (GENSEC wrapper) - * - * @param gensec_security GENSEC state - * @param out_mem_ctx Memory context for *out - * @param in The request, as a DATA_BLOB. reply.data must be NULL - * @param out The reply, as an allocated DATA_BLOB, caller to free. - * @return Errors or NT_STATUS_OK if authentication sucessful - */ - -NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security, - TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(gensec_security->private_data, - struct gensec_ntlmssp_context); - struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; - return ntlmssp_server_auth(ntlmssp_state, out_mem_ctx, in, out); -} - -/** - * Return the challenge as determined by the authentication subsystem - * @return an 8 byte random challenge - */ - -static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state, - uint8_t chal[8]) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(ntlmssp_state->callback_private, - struct gensec_ntlmssp_context); - struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context; - NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED; - - if (auth_context->get_challenge) { - status = auth_context->get_challenge(auth_context, chal); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n", - nt_errstr(status))); - return status; - } - } - - return status; -} - -/** - * Some authentication methods 'fix' the challenge, so we may not be able to set it - * - * @return If the effective challenge used by the auth subsystem may be modified - */ -static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(ntlmssp_state->callback_private, - struct gensec_ntlmssp_context); - struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context; - - if (auth_context->challenge_may_be_modified) { - return auth_context->challenge_may_be_modified(auth_context); - } - return false; -} - -/** - * NTLM2 authentication modifies the effective challenge, - * @param challenge The new challenge value - */ -static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(ntlmssp_state->callback_private, - struct gensec_ntlmssp_context); - struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context; - NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; - const uint8_t *chal; - - if (challenge->length != 8) { - return NT_STATUS_INVALID_PARAMETER; - } - - chal = challenge->data; - - if (auth_context->set_challenge) { - nt_status = auth_context->set_challenge(auth_context, - chal, - "NTLMSSP callback (NTLM2)"); - } - return nt_status; -} - -/** - * Check the password on an NTLMSSP login. - * - * Return the session keys used on the connection. - */ - -static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, - TALLOC_CTX *mem_ctx, - DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(ntlmssp_state->callback_private, - struct gensec_ntlmssp_context); - struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context; - NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; - struct auth_usersupplied_info *user_info; - - user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info); - if (!user_info) { - return NT_STATUS_NO_MEMORY; - } - - user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT; - user_info->flags = 0; - user_info->mapped_state = false; - user_info->client.account_name = ntlmssp_state->user; - user_info->client.domain_name = ntlmssp_state->domain; - user_info->workstation_name = ntlmssp_state->client.netbios_name; - user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security); - - user_info->password_state = AUTH_PASSWORD_RESPONSE; - user_info->password.response.lanman = ntlmssp_state->lm_resp; - user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data); - user_info->password.response.nt = ntlmssp_state->nt_resp; - user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data); - - if (auth_context->check_password) { - nt_status = auth_context->check_password(auth_context, - gensec_ntlmssp, - user_info, - &gensec_ntlmssp->server_returned_info, - user_session_key, lm_session_key); - } - talloc_free(user_info); - NT_STATUS_NOT_OK_RETURN(nt_status); - - talloc_steal(mem_ctx, user_session_key->data); - talloc_steal(mem_ctx, lm_session_key->data); - - return nt_status; -} - -/** - * Return the credentials of a logged on user, including session keys - * etc. - * - * Only valid after a successful authentication - * - * May only be called once per authentication. - * - */ - -NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - struct auth_session_info **session_info) -{ - NTSTATUS nt_status; - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(gensec_security->private_data, - struct gensec_ntlmssp_context); - uint32_t session_info_flags = 0; - - if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { - session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; - } - - session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; - - if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) { - nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context, - gensec_ntlmssp->server_returned_info, - gensec_ntlmssp->ntlmssp_state->user, - session_info_flags, - session_info); - } else { - DEBUG(0, ("Cannot generate a session_info without the auth_context\n")); - return NT_STATUS_INTERNAL_ERROR; - } - - NT_STATUS_NOT_OK_RETURN(nt_status); - - return gensec_ntlmssp_session_key(gensec_security, *session_info, - &(*session_info)->session_key); -} - -/** - * Start NTLMSSP on the server side - * - */ -NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) -{ - NTSTATUS nt_status; - struct ntlmssp_state *ntlmssp_state; - struct gensec_ntlmssp_context *gensec_ntlmssp; - - nt_status = gensec_ntlmssp_start(gensec_security); - NT_STATUS_NOT_OK_RETURN(nt_status); - - gensec_ntlmssp = - talloc_get_type_abort(gensec_security->private_data, - struct gensec_ntlmssp_context); - - ntlmssp_state = talloc_zero(gensec_ntlmssp, - struct ntlmssp_state); - if (!ntlmssp_state) { - return NT_STATUS_NO_MEMORY; - } - - ntlmssp_state->callback_private = gensec_ntlmssp; - - gensec_ntlmssp->ntlmssp_state = ntlmssp_state; - - ntlmssp_state = gensec_ntlmssp->ntlmssp_state; - - ntlmssp_state->role = NTLMSSP_SERVER; - - ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE; - - ntlmssp_state->allow_lm_key = (lpcfg_lanman_auth(gensec_security->settings->lp_ctx) - && gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "allow_lm_key", false)); - - ntlmssp_state->neg_flags = - NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION; - - ntlmssp_state->lm_resp = data_blob(NULL, 0); - ntlmssp_state->nt_resp = data_blob(NULL, 0); - - if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; - } - - if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; - } - - if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; - } - - if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; - } - - if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; - } - - if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; - } - if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; - } - - ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge; - ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge; - ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge; - ntlmssp_state->check_password = auth_ntlmssp_check_password; - if (lpcfg_server_role(gensec_security->settings->lp_ctx) == ROLE_STANDALONE) { - ntlmssp_state->server.is_standalone = true; - } else { - ntlmssp_state->server.is_standalone = false; - } - - ntlmssp_state->server.netbios_name = lpcfg_netbios_name(gensec_security->settings->lp_ctx); - - ntlmssp_state->server.netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx); - - { - const char *dnsdomain = lpcfg_dnsdomain(gensec_security->settings->lp_ctx); - char *dnsname, *lower_netbiosname; - lower_netbiosname = strlower_talloc(ntlmssp_state, ntlmssp_state->server.netbios_name); - - /* Find out the DNS host name */ - if (dnsdomain && dnsdomain[0] != '\0') { - dnsname = talloc_asprintf(ntlmssp_state, "%s.%s", - lower_netbiosname, - dnsdomain); - talloc_free(lower_netbiosname); - ntlmssp_state->server.dns_name = dnsname; - } else { - ntlmssp_state->server.dns_name = lower_netbiosname; - } - - NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_name); - - ntlmssp_state->server.dns_domain - = talloc_strdup(ntlmssp_state, - lpcfg_dnsdomain(gensec_security->settings->lp_ctx)); - NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_domain); - } - - return NT_STATUS_OK; -} - |