-rw-r--r--auth/common_auth.h4
-rw-r--r--auth/ntlmssp/ntlmssp_server.c7
-rw-r--r--source3/auth/auth.c54
-rw-r--r--source3/auth/auth_builtin.c55
-rw-r--r--source3/auth/auth_generic.c1
-rw-r--r--source3/auth/auth_ntlmssp.c12
-rw-r--r--source3/include/auth.h11
-rw-r--r--source3/utils/ntlm_auth.c13
-rw-r--r--source4/auth/auth.h7
-rw-r--r--source4/auth/ntlm/auth.c30
-rw-r--r--source4/auth/ntlm/auth_anonymous.c1
-rw-r--r--source4/auth/ntlm/auth_developer.c54
-rw-r--r--source4/auth/ntlm/auth_sam.c2
-rw-r--r--source4/auth/ntlm/auth_unix.c1
-rw-r--r--source4/auth/ntlm/auth_winbind.c2
15 files changed, 6 insertions, 248 deletions
diff --git a/auth/common_auth.h b/auth/common_auth.h
index cf21543a91..a40f7c2b3d 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -82,8 +82,6 @@ struct auth4_context {
/* Who set this up in the first place? */
const char *set_by;
- bool may_be_modified;
-
DATA_BLOB data;
} challenge;
@@ -113,8 +111,6 @@ struct auth4_context {
NTSTATUS (*get_ntlm_challenge)(struct auth4_context *auth_ctx, uint8_t chal[8]);
- bool (*challenge_may_be_modified)(struct auth4_context *auth_ctx);
-
NTSTATUS (*set_ntlm_challenge)(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by);
NTSTATUS (*generate_session_info)(struct auth4_context *auth_context,
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index bb86c9cf20..d9bea1cde4 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -131,13 +131,6 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
return NT_STATUS_NOT_IMPLEMENTED;
}
- /* Check if we may set the challenge */
- if (auth_context->challenge_may_be_modified) {
- if (!auth_context->challenge_may_be_modified(auth_context)) {
- ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
- }
- }
-
/* The flags we send back are not just the negotiated flags,
* they are also 'what is in this packet'. Therfore, we
* operate on 'chal_flags' from here on
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 671319347f..c3797cf604 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -81,9 +81,8 @@ static struct auth_init_function_entry *auth_find_backend_entry(const char *name
NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
uint8_t chal[8])
{
- DATA_BLOB challenge = data_blob_null;
- const char *challenge_set_by = NULL;
- auth_methods *auth_method;
+ uchar tmp[8];
+
if (auth_context->challenge.length) {
DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge by module %s (normal)\n",
@@ -92,52 +91,11 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
return NT_STATUS_OK;
}
- auth_context->challenge_may_be_modified = False;
-
- for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) {
- if (auth_method->get_chal == NULL) {
- DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name));
- continue;
- }
-
- DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name));
- if (challenge_set_by != NULL) {
- DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authentication method %s has already specified a challenge. Challenge by %s ignored.\n",
- challenge_set_by, auth_method->name));
- continue;
- }
-
- challenge = auth_method->get_chal(auth_context, &auth_method->private_data,
- auth_context);
- if (!challenge.length) {
- DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n",
- auth_method->name));
- } else {
- DEBUG(5, ("auth_get_challenge: successfully got challenge from module %s\n", auth_method->name));
- auth_context->challenge = challenge;
- challenge_set_by = auth_method->name;
- auth_context->challenge_set_method = auth_method;
- }
- }
-
- if (!challenge_set_by) {
- uchar tmp[8];
-
- generate_random_buffer(tmp, sizeof(tmp));
- auth_context->challenge = data_blob_talloc(auth_context,
- tmp, sizeof(tmp));
-
- challenge_set_by = "random";
- auth_context->challenge_may_be_modified = True;
- }
-
- DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by));
- DEBUG(5, ("challenge is: \n"));
- dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
-
- SMB_ASSERT(auth_context->challenge.length == 8);
+ generate_random_buffer(tmp, sizeof(tmp));
+ auth_context->challenge = data_blob_talloc(auth_context,
+ tmp, sizeof(tmp));
- auth_context->challenge_set_by=challenge_set_by;
+ auth_context->challenge_set_by = "random";
memcpy(chal, auth_context->challenge.data, 8);
return NT_STATUS_OK;
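Review bot: The result of `data_blob_talloc()` is not checked before the final `memcpy(chal, auth_context->challenge.data, 8)`, and this hunk also removes the `SMB_ASSERT(auth_context->challenge.length == 8)` that used to sit between the allocation and the copy. If the allocation fails, the blob presumably comes back with a NULL data pointer, so the copy would dereference NULL in the authentication path instead of returning an error. Adding `NT_STATUS_HAVE_NO_MEMORY(auth_context->challenge.data);` directly after the allocation would match the source4 `auth_get_challenge()` and `ntlm_auth_get_challenge()` code visible elsewhere in this commit. The function begins above this hunk, so the early-return path is only partly visible here.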
diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
index cfe89495a0..b757894a7c 100644
--- a/source3/auth/auth_builtin.c
+++ b/source3/auth/auth_builtin.c
@@ -128,67 +128,12 @@ static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, co
return NT_STATUS_OK;
}
-/**
- * Return a 'fixed' challenge instead of a variable one.
- *
- * The idea of this function is to make packet snifs consistant
- * with a fixed challenge, so as to aid debugging.
- *
- * This module is of no value to end-users.
- *
- * This module does not actually authenticate the user, but
- * just pretenteds to need a specified challenge.
- * This module removes *all* security from the challenge-response system
- *
- * @return NT_STATUS_UNSUCCESSFUL
- **/
-
-static NTSTATUS check_fixed_challenge_security(const struct auth_context *auth_context,
- void *my_private_data,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
-{
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-/****************************************************************************
- Get the challenge out of a password server.
-****************************************************************************/
-
-static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_context,
- void **my_private_data,
- TALLOC_CTX *mem_ctx)
-{
- const char *challenge = "I am a teapot";
- return data_blob(challenge, 8);
-}
-
-
-/** Module initialisation function */
-
-static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
-{
- struct auth_methods *result;
-
- result = talloc_zero(auth_context, struct auth_methods);
- if (result == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- result->auth = check_fixed_challenge_security;
- result->get_chal = auth_get_fixed_challenge;
- result->name = "fixed_challenge";
-
- *auth_method = result;
- return NT_STATUS_OK;
-}
#endif /* DEVELOPER */
NTSTATUS auth_builtin_init(void)
{
smb_register_auth(AUTH_INTERFACE_VERSION, "guest", auth_init_guest);
#ifdef DEVELOPER
- smb_register_auth(AUTH_INTERFACE_VERSION, "fixed_challenge", auth_init_fixed_challenge);
smb_register_auth(AUTH_INTERFACE_VERSION, "name_to_ntstatus", auth_init_name_to_ntstatus);
#endif
return NT_STATUS_OK;
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index e941ab9a0e..82b376feb6 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -165,7 +165,6 @@ static struct auth4_context *make_auth4_context_s3(TALLOC_CTX *mem_ctx, struct a
auth4_context->generate_session_info = auth3_generate_session_info;
auth4_context->get_ntlm_challenge = auth3_get_challenge;
auth4_context->set_ntlm_challenge = auth3_set_challenge;
- auth4_context->challenge_may_be_modified = auth3_may_set_challenge;
auth4_context->check_ntlm_password = auth3_check_password;
auth4_context->private_data = talloc_steal(auth4_context, auth_context);
return auth4_context;
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 3437dbfb83..f99bd44d7e 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -64,18 +64,6 @@ NTSTATUS auth3_get_challenge(struct auth4_context *auth4_context,
}
/**
- * Some authentication methods 'fix' the challenge, so we may not be able to set it
- *
- * @return If the effective challenge used by the auth subsystem may be modified
- */
-bool auth3_may_set_challenge(struct auth4_context *auth4_context)
-{
- struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
- struct auth_context);
- return auth_context->challenge_may_be_modified;
-}
-
-/**
* NTLM2 authentication modifies the effective challenge,
* @param challenge The new challenge value
*/
diff --git a/source3/include/auth.h b/source3/include/auth.h
index 693a0df383..07f8b9eee1 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -78,9 +78,6 @@ struct auth_context {
/* Who set this up in the first place? */
const char *challenge_set_by;
- bool challenge_may_be_modified;
-
- struct auth_methods *challenge_set_method;
/* What order are the various methods in? Try to stop it changing under us */
struct auth_methods *auth_method_list;
@@ -99,14 +96,6 @@ typedef struct auth_methods
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info);
- /* If you are using this interface, then you are probably
- * getting something wrong. This interface is only for
- * security=server, and makes a number of compromises to allow
- * that. It is not compatible with being a PDC. */
- DATA_BLOB (*get_chal)(const struct auth_context *auth_context,
- void **my_private_data,
- TALLOC_CTX *mem_ctx);
-
/* Optional methods allowing this module to provide a way to get a gensec context and an auth4_context */
prepare_gensec_fn prepare_gensec;
make_auth4_context_fn make_auth4_context;
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 5bf2a7be02..a832b5bc60 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -866,8 +866,6 @@ static NTSTATUS ntlm_auth_get_challenge(struct auth4_context *auth_ctx,
auth_ctx->challenge.data = data_blob_talloc(auth_ctx, chal, 8);
NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data);
auth_ctx->challenge.set_by = "random";
-
- auth_ctx->challenge.may_be_modified = true;
}
DEBUG(10,("auth_get_challenge: challenge set by %s\n",
@@ -877,16 +875,6 @@ static NTSTATUS ntlm_auth_get_challenge(struct auth4_context *auth_ctx,
}
/**
- * Some authentication methods 'fix' the challenge, so we may not be able to set it
- *
- * @return If the effective challenge used by the auth subsystem may be modified
- */
-static bool ntlm_auth_may_set_challenge(struct auth4_context *auth_ctx)
-{
- return auth_ctx->challenge.may_be_modified;
-}
-
-/**
* NTLM2 authentication modifies the effective challenge,
* @param challenge The new challenge value
*/
@@ -1055,7 +1043,6 @@ static struct auth4_context *make_auth4_context_ntlm_auth(TALLOC_CTX *mem_ctx, b
auth4_context->generate_session_info_pac = ntlm_auth_generate_session_info_pac;
auth4_context->get_ntlm_challenge = ntlm_auth_get_challenge;
auth4_context->set_ntlm_challenge = ntlm_auth_set_challenge;
- auth4_context->challenge_may_be_modified = ntlm_auth_may_set_challenge;
if (local_pw) {
auth4_context->check_ntlm_password = local_pw_check;
} else {
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 1b22701499..503bae9d4a 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -55,13 +55,6 @@ struct smb_krb5_context;
struct auth_operations {
const char *name;
- /* If you are using this interface, then you are probably
- * getting something wrong. This interface is only for
- * security=server, and makes a number of compromises to allow
- * that. It is not compatible with being a PDC. */
-
- NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, uint8_t chal[8]);
-
/* Given the user supplied info, check if this backend want to handle the password checking */
NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index d0ff50afc6..263dc8031d 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -54,22 +54,12 @@ _PUBLIC_ NTSTATUS auth_context_set_challenge(struct auth4_context *auth_ctx, con
return NT_STATUS_OK;
}
-/***************************************************************************
- Set a fixed challenge
-***************************************************************************/
-_PUBLIC_ bool auth_challenge_may_be_modified(struct auth4_context *auth_ctx)
-{
- return auth_ctx->challenge.may_be_modified;
-}
-
/****************************************************************************
Try to get a challenge out of the various authentication modules.
Returns a const char of length 8 bytes.
****************************************************************************/
_PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t chal[8])
{
- NTSTATUS nt_status;
- struct auth_method_context *method;
if (auth_ctx->challenge.data.length == 8) {
DEBUG(5, ("auth_get_challenge: returning previous challenge by module %s (normal)\n",
@@ -78,29 +68,12 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha
return NT_STATUS_OK;
}
- for (method = auth_ctx->methods; method; method = method->next) {
- nt_status = method->ops->get_challenge(method, auth_ctx, chal);
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
- continue;
- }
-
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- auth_ctx->challenge.data = data_blob_talloc(auth_ctx, chal, 8);
- NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data);
- auth_ctx->challenge.set_by = method->ops->name;
-
- break;
- }
-
if (!auth_ctx->challenge.set_by) {
generate_random_buffer(chal, 8);
auth_ctx->challenge.data = data_blob_talloc(auth_ctx, chal, 8);
NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data);
auth_ctx->challenge.set_by = "random";
-
- auth_ctx->challenge.may_be_modified = true;
}
DEBUG(10,("auth_get_challenge: challenge set by %s\n",
@@ -574,8 +547,6 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
ctx = talloc_zero(mem_ctx, struct auth4_context);
NT_STATUS_HAVE_NO_MEMORY(ctx);
- ctx->challenge.set_by = NULL;
- ctx->challenge.may_be_modified = false;
ctx->challenge.data = data_blob(NULL, 0);
ctx->methods = NULL;
ctx->event_ctx = ev;
@@ -608,7 +579,6 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
ctx->check_ntlm_password = auth_check_password_wrapper;
ctx->get_ntlm_challenge = auth_get_challenge;
ctx->set_ntlm_challenge = auth_context_set_challenge;
- ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
ctx->generate_session_info = auth_generate_session_info_wrapper;
ctx->generate_session_info_pac = auth_generate_session_info_pac;
diff --git a/source4/auth/ntlm/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c
index 4b0fff03cc..28cbfe831e 100644
--- a/source4/auth/ntlm/auth_anonymous.c
+++ b/source4/auth/ntlm/auth_anonymous.c
@@ -61,7 +61,6 @@ static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
static const struct auth_operations anonymous_auth_ops = {
.name = "anonymous",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = anonymous_want_check,
.check_password = anonymous_check_password
};
diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c
index bc27f27fa2..58ccc2db28 100644
--- a/source4/auth/ntlm/auth_developer.c
+++ b/source4/auth/ntlm/auth_developer.c
@@ -133,58 +133,10 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
static const struct auth_operations name_to_ntstatus_auth_ops = {
.name = "name_to_ntstatus",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = name_to_ntstatus_want_check,
.check_password = name_to_ntstatus_check_password
};
-/**
- * Return a 'fixed' challenge instead of a variable one.
- *
- * The idea of this function is to make packet snifs consistant
- * with a fixed challenge, so as to aid debugging.
- *
- * This module is of no value to end-users.
- *
- * This module does not actually authenticate the user, but
- * just pretenteds to need a specified challenge.
- * This module removes *all* security from the challenge-response system
- *
- * @return NT_STATUS_UNSUCCESSFUL
- **/
-static NTSTATUS fixed_challenge_get_challenge(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, uint8_t chal[8])
-{
- const char *challenge = "I am a teapot";
-
- memcpy(chal, challenge, 8);
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS fixed_challenge_want_check(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info)
-{
- /* don't handle any users */
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static NTSTATUS fixed_challenge_check_password(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **_user_info_dc)
-{
- /* don't handle any users */
- return NT_STATUS_NO_SUCH_USER;
-}
-
-static const struct auth_operations fixed_challenge_auth_ops = {
- .name = "fixed_challenge",
- .get_challenge = fixed_challenge_get_challenge,
- .want_check = fixed_challenge_want_check,
- .check_password = fixed_challenge_check_password
-};
-
_PUBLIC_ NTSTATUS auth4_developer_init(void)
{
NTSTATUS ret;
@@ -195,11 +147,5 @@ _PUBLIC_ NTSTATUS auth4_developer_init(void)
return ret;
}
- ret = auth_register(&fixed_challenge_auth_ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register 'fixed_challenge' auth backend!\n"));
- return ret;
- }
-
return ret;
}
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 4a4307c895..f234f7229c 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -367,7 +367,6 @@ static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
}
static const struct auth_operations sam_ignoredomain_ops = {
.name = "sam_ignoredomain",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = authsam_ignoredomain_want_check,
.check_password = authsam_check_password_internals,
.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper
@@ -375,7 +374,6 @@ static const struct auth_operations sam_ignoredomain_ops = {
static const struct auth_operations sam_ops = {
.name = "sam",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = authsam_want_check,
.check_password = authsam_check_password_internals,
.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper
diff --git a/source4/auth/ntlm/auth_unix.c b/source4/auth/ntlm/auth_unix.c
index d79ebc1772..57bca6cc5b 100644
--- a/source4/auth/ntlm/auth_unix.c
+++ b/source4/auth/ntlm/auth_unix.c
@@ -797,7 +797,6 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
static const struct auth_operations unix_ops = {
.name = "unix",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = authunix_want_check,
.check_password = authunix_check_password
};
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 34fe6f870c..dba90ab039 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -319,14 +319,12 @@ static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx,
static const struct auth_operations winbind_ops = {
.name = "winbind",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = winbind_want_check,
.check_password = winbind_check_password
};
static const struct auth_operations winbind_wbclient_ops = {
.name = "winbind_wbclient",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = winbind_want_check,
.check_password = winbind_check_password_wbclient
};