summaryrefslogtreecommitdiff
path: root/source4/utils
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-08-30 01:19:41 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:34:59 -0500
commit6f9b901fa0db18faae603db67d8d31e229d92c27 (patch)
tree8c54a8369d17994a8ef087c95038b81d87f50352 /source4/utils
parentc0293aa7159c8b5c9f1a1b13f64af08e5a55ad6a (diff)
downloadsamba-6f9b901fa0db18faae603db67d8d31e229d92c27.tar.gz
samba-6f9b901fa0db18faae603db67d8d31e229d92c27.tar.bz2
samba-6f9b901fa0db18faae603db67d8d31e229d92c27.zip
r9772: Make credentials callbacks more consistant with the abstraction
function interface used in the credentials code. Fix bug in ntlm_auth, where we would overwrite the PW specified as a first input. (Reported and chased by Kai Blin <blin@gmx.net>, bug #3040) Andrew Bartlett (This used to be commit 04af95bd31de39ad6aff349a4838dd77cb300034)
Diffstat (limited to 'source4/utils')
-rw-r--r--source4/utils/ntlm_auth.c113
1 files changed, 67 insertions, 46 deletions
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index b10d4af6ce..fe29cff021 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -292,13 +292,32 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
DATA_BLOB out = data_blob(NULL, 0);
char *out_base64 = NULL;
const char *reply_arg = NULL;
- struct gensec_security **gensec_state = (struct gensec_security **)private;
+ struct gensec_ntlm_state {
+ struct gensec_security *gensec_state;
+ const char *set_password;
+ };
+ struct gensec_ntlm_state *state;
+
NTSTATUS nt_status;
BOOL first = False;
const char *reply_code;
struct cli_credentials *creds;
TALLOC_CTX *mem_ctx;
+
+ if (*private) {
+ state = *private;
+ } else {
+ state = talloc_zero(NULL, struct gensec_ntlm_state);
+ if (!state) {
+ mux_printf(mux_id, "BH No Memory\n");
+ exit(1);
+ }
+ *private = state;
+ if (opt_password) {
+ state->set_password = opt_password;
+ }
+ }
if (strlen(buf) < 2) {
DEBUG(1, ("query [%s] invalid", buf));
@@ -313,9 +332,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
}
if (strncmp(buf, "YR", 2) == 0) {
- if (gensec_state && *gensec_state) {
- talloc_free(*gensec_state);
- *gensec_state = NULL;
+ if (state->gensec_state) {
+ talloc_free(state->gensec_state);
+ state->gensec_state = NULL;
}
} else if ( (strncmp(buf, "OK", 2) == 0)) {
/* do nothing */
@@ -334,42 +353,21 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
}
/* setup gensec */
- if (!(gensec_state && *gensec_state)) {
+ if (!(state->gensec_state)) {
switch (stdio_helper_mode) {
case GSS_SPNEGO_CLIENT:
case NTLMSSP_CLIENT_1:
/* setup the client side */
- nt_status = gensec_client_start(NULL, gensec_state, NULL);
+ nt_status = gensec_client_start(NULL, &state->gensec_state, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
exit(1);
}
- creds = cli_credentials_init(*gensec_state);
- cli_credentials_set_conf(creds);
- if (opt_username) {
- cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED);
- }
- if (opt_domain) {
- cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED);
- }
- if (opt_password) {
- cli_credentials_set_password(creds, opt_password, CRED_SPECIFIED);
- } else {
- creds->password_obtained = CRED_CALLBACK;
- creds->password_cb = get_password;
- creds->priv_data = (void*)mux_id;
- }
- if (opt_workstation) {
- cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
- }
-
- gensec_set_credentials(*gensec_state, creds);
-
break;
case GSS_SPNEGO_SERVER:
case SQUID_2_5_NTLMSSP:
- if (!NT_STATUS_IS_OK(gensec_server_start(NULL, gensec_state, NULL))) {
+ if (!NT_STATUS_IS_OK(gensec_server_start(NULL, &state->gensec_state, NULL))) {
exit(1);
}
break;
@@ -377,10 +375,29 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
abort();
}
+ creds = cli_credentials_init(state->gensec_state);
+ cli_credentials_set_conf(creds);
+ if (opt_username) {
+ cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED);
+ }
+ if (opt_domain) {
+ cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED);
+ }
+ if (state->set_password) {
+ cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
+ } else {
+ cli_credentials_set_password_callback(creds, get_password);
+ creds->priv_data = (void*)mux_id;
+ }
+ if (opt_workstation) {
+ cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
+ }
+ gensec_set_credentials(state->gensec_state, creds);
+
switch (stdio_helper_mode) {
case GSS_SPNEGO_CLIENT:
case GSS_SPNEGO_SERVER:
- nt_status = gensec_start_mech_by_oid(*gensec_state, GENSEC_OID_SPNEGO);
+ nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_SPNEGO);
if (!in.length) {
first = True;
}
@@ -390,7 +407,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
first = True;
}
case SQUID_2_5_NTLMSSP:
- nt_status = gensec_start_mech_by_oid(*gensec_state, GENSEC_OID_NTLMSSP);
+ nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_NTLMSSP);
break;
default:
abort();
@@ -401,32 +418,36 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
mux_printf(mux_id, "BH\n");
return;
}
+
}
+
+ /* update */
+ mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
if (strncmp(buf, "PW ", 3) == 0) {
-
- cli_credentials_set_password((*gensec_state)->credentials,
- talloc_strndup((*gensec_state),
- (const char *)in.data,
- in.length),
+ state->set_password = talloc_strndup(state,
+ (const char *)in.data,
+ in.length);
+
+ cli_credentials_set_password(gensec_get_credentials(state->gensec_state),
+ state->set_password,
CRED_SPECIFIED);
mux_printf(mux_id, "OK\n");
data_blob_free(&in);
+ talloc_free(mem_ctx);
return;
}
- /* update */
- mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
-
if (strncmp(buf, "UG", 2) == 0) {
int i;
char *grouplist = NULL;
struct auth_session_info *session_info;
- if (!NT_STATUS_IS_OK(gensec_session_info(*gensec_state, &session_info))) {
+ if (!NT_STATUS_IS_OK(gensec_session_info(state->gensec_state, &session_info))) {
DEBUG(1, ("gensec_session_info failed: %s\n", nt_errstr(nt_status)));
mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status));
data_blob_free(&in);
+ talloc_free(mem_ctx);
return;
}
@@ -447,7 +468,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
return;
}
- nt_status = gensec_update(*gensec_state, mem_ctx, in, &out);
+ nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out);
/* don't leak 'bad password'/'no such user' info to the network client */
nt_status = auth_nt_status_squash(nt_status);
@@ -462,9 +483,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
reply_arg = "*";
if (first) {
reply_code = "YR";
- } else if ((*gensec_state)->gensec_role == GENSEC_CLIENT) {
+ } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
reply_code = "KK";
- } else if ((*gensec_state)->gensec_role == GENSEC_SERVER) {
+ } else if (state->gensec_state->gensec_role == GENSEC_SERVER) {
reply_code = "TT";
} else {
abort();
@@ -483,10 +504,10 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
reply_code = "NA";
reply_arg = nt_errstr(nt_status);
DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status)));
- } else if /* OK */ ((*gensec_state)->gensec_role == GENSEC_SERVER) {
+ } else if /* OK */ (state->gensec_state->gensec_role == GENSEC_SERVER) {
struct auth_session_info *session_info;
- nt_status = gensec_session_info(*gensec_state, &session_info);
+ nt_status = gensec_session_info(state->gensec_state, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
reply_code = "BH";
reply_arg = nt_errstr(nt_status);
@@ -494,12 +515,12 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
} else {
reply_code = "AF";
- reply_arg = talloc_asprintf(*gensec_state,
+ reply_arg = talloc_asprintf(state->gensec_state,
"%s%s%s", session_info->server_info->domain_name,
lp_winbind_separator(), session_info->server_info->account_name);
talloc_free(session_info);
}
- } else if ((*gensec_state)->gensec_role == GENSEC_CLIENT) {
+ } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
reply_code = "AF";
reply_arg = out_base64;
} else {