diff options
author | Andrew Bartlett <abartlet@samba.org> | 2006-08-17 00:44:29 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:15:38 -0500 |
commit | 7d6bfb45bae5edfa4f58ef6c40a5cc7d048d6b1a (patch) | |
tree | 0c22c33e047c4cdc33369b5b85542dcc7670c68e /source4/utils | |
parent | ee70f5cd78d3ad087c8547fb0ff88cb57d1bef95 (diff) | |
download | samba-7d6bfb45bae5edfa4f58ef6c40a5cc7d048d6b1a.tar.gz samba-7d6bfb45bae5edfa4f58ef6c40a5cc7d048d6b1a.tar.bz2 samba-7d6bfb45bae5edfa4f58ef6c40a5cc7d048d6b1a.zip |
r17577: Patch from Kai Blin <kai.blin@gmail.com>:
This is the Samba4 version of the ntlm_auth patch that was committed
to Samba3 in revision 17216.
The purpose of this patch is to return session key information, as
well as NTLMSSP negotiated flags to ntlm_auth's caller. This allows
the bulk data signing and sealing to be handled in a library, supplied
by the caller.
This also allows the caller to ask for features, so that the right
flags get negotiated.
(This used to be commit eb28aff4e0c9688ba886c3dd886ab7af81c6326a)
Diffstat (limited to 'source4/utils')
-rw-r--r-- | source4/utils/ntlm_auth.c | 63 |
1 files changed, 62 insertions, 1 deletions
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 9609ce59da..1b25c96ab2 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -34,6 +34,7 @@ #include "lib/events/events.h" #include "lib/messaging/messaging.h" #include "lib/messaging/irpc.h" +#include "auth/ntlmssp/ntlmssp.h" #define SQUID_BUFFER_SIZE 2010 @@ -319,6 +320,22 @@ static const char *get_password(struct cli_credentials *credentials) return password; } +static void gensec_want_feature_list(struct gensec_security *state, char* feature_list) +{ + if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) { + DEBUG(10, ("want GENSEC_FEATURE_SESSION_KEY\n")); + gensec_want_feature(state, GENSEC_FEATURE_SESSION_KEY); + } + if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) { + DEBUG(10, ("want GENSEC_FEATURE_SIGN\n")); + gensec_want_feature(state, GENSEC_FEATURE_SIGN); + } + if (in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) { + DEBUG(10, ("want GENSEC_FEATURE_SEAL\n")); + gensec_want_feature(state, GENSEC_FEATURE_SEAL); + } +} + static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length, void **private, unsigned int mux_id, void **private2) @@ -340,6 +357,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, const char *reply_code; struct cli_credentials *creds; + static char *want_feature_list = NULL; + static DATA_BLOB session_key; + TALLOC_CTX *mem_ctx; if (*private) { @@ -363,6 +383,13 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } if (strlen(buf) > 3) { + if(strncmp(buf, "SF ", 3) == 0) { + DEBUG(10, ("Setting flags to negotiate\n")); + talloc_free(want_feature_list); + want_feature_list = talloc_strndup(state, buf+3, strlen(buf)-3); + mux_printf(mux_id, "OK\n"); + return; + } in = base64_decode_data_blob(NULL, buf + 3); } else { in = data_blob(NULL, 0); @@ -382,7 +409,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, (strncmp(buf, "AF ", 3) != 0) && (strncmp(buf, "NA ", 3) != 0) && (strncmp(buf, "UG", 2) != 0) && - (strncmp(buf, "PW ", 3) != 0)) { + (strncmp(buf, "PW ", 3) != 0) && + (strncmp(buf, "GK", 2) != 0) && + (strncmp(buf, "GF", 2) != 0)) { DEBUG(1, ("SPNEGO request [%s] invalid\n", buf)); mux_printf(mux_id, "BH\n"); data_blob_free(&in); @@ -448,6 +477,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } gensec_set_credentials(state->gensec_state, creds); + gensec_want_feature_list(state->gensec_state, want_feature_list); switch (stdio_helper_mode) { case GSS_SPNEGO_CLIENT: @@ -525,6 +555,37 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, return; } + if (strncmp(buf, "GK", 2) == 0) { + char *base64_key; + DEBUG(10, ("Requested session key\n")); + nt_status = gensec_session_key(state->gensec_state, &session_key); + if(!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("gensec_session_key failed: %s\n", nt_errstr(nt_status))); + mux_printf(mux_id, "BH No session key\n"); + talloc_free(mem_ctx); + return; + } else { + base64_key = base64_encode_data_blob(state, session_key); + mux_printf(mux_id, "GK %s\n", base64_key); + talloc_free(base64_key); + } + talloc_free(mem_ctx); + return; + } + + if (strncmp(buf, "GF", 2) == 0) { + struct gensec_ntlmssp_state *gensec_ntlmssp_state; + uint32_t neg_flags; + + gensec_ntlmssp_state = talloc_get_type(state->gensec_state->private_data, + struct gensec_ntlmssp_state); + neg_flags = gensec_ntlmssp_state->neg_flags; + + DEBUG(10, ("Requested negotiated feature flags\n")); + mux_printf(mux_id, "GF 0x%08x\n", neg_flags); + return; + } + nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out); /* don't leak 'bad password'/'no such user' info to the network client */ |