-rw-r--r-- | auth/ntlmssp/gensec_ntlmssp_server.c | 23 | ||||
-rw-r--r-- | auth/ntlmssp/ntlmssp_private.h | 31 | ||||
-rw-r--r-- | source3/Makefile.in | 1 | ||||
-rw-r--r-- | source3/auth/auth_ntlmssp.c | 184 |
4 files changed, 50 insertions, 189 deletions
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c index f37f2e716e..841e6a67f0 100644 --- a/auth/ntlmssp/gensec_ntlmssp_server.c +++ b/auth/ntlmssp/gensec_ntlmssp_server.c @@ -81,8 +81,8 @@ NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security, * @return an 8 byte random challenge */ -static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state, - uint8_t chal[8]) +NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state, + uint8_t chal[8]) { struct gensec_ntlmssp_context *gensec_ntlmssp = talloc_get_type_abort(ntlmssp_state->callback_private, @@ -107,7 +107,7 @@ static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_s * * @return If the effective challenge used by the auth subsystem may be modified */ -static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state) +bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state) { struct gensec_ntlmssp_context *gensec_ntlmssp = talloc_get_type_abort(ntlmssp_state->callback_private, @@ -124,7 +124,7 @@ static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_s * NTLM2 authentication modifies the effective challenge, * @param challenge The new challenge value */ -static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge) +NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge) { struct gensec_ntlmssp_context *gensec_ntlmssp = talloc_get_type_abort(ntlmssp_state->callback_private, 
@@ -153,9 +153,9 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, * Return the session keys used on the connection. */ -static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, - TALLOC_CTX *mem_ctx, - DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) +NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *mem_ctx, + DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) { struct gensec_ntlmssp_context *gensec_ntlmssp = talloc_get_type_abort(ntlmssp_state->callback_private, @@ -191,6 +191,15 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, user_session_key, lm_session_key); } talloc_free(user_info); + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(5,("%s: Checking NTLMSSP password for %s\\%s failed: %s\n", + __location__, + user_info->client.domain_name, + user_info->client.account_name, + nt_errstr(nt_status))); + } + NT_STATUS_NOT_OK_RETURN(nt_status); talloc_steal(mem_ctx, user_session_key->data); diff --git a/auth/ntlmssp/ntlmssp_private.h b/auth/ntlmssp/ntlmssp_private.h index 431626c34d..e7fa3d5539 100644 --- a/auth/ntlmssp/ntlmssp_private.h +++ b/auth/ntlmssp/ntlmssp_private.h 
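Review bot: The DEBUG block added in the @@ -191 hunk runs after `talloc_free(user_info);` yet reads `user_info->client.domain_name` and `user_info->client.account_name`, so every failed logon dereferences freed memory — and a failed logon is exactly the path any remote client can drive. The same ordering is present in the copy this commit deletes from source3/auth/auth_ntlmssp.c, so the move did not create the bug, but the shared implementation now inherits it. If the body of auth_ntlmssp_check_password matches the removed source3 version, those two fields merely alias `ntlmssp_state->domain` and `ntlmssp_state->user`, which outlive `user_info`; the minimal fix is to log those instead, `ntlmssp_state->domain,` and `ntlmssp_state->user,` in place of the two `user_info->client.*` arguments, or else move `talloc_free(user_info);` below the `if`. The start of auth_ntlmssp_check_password's body lies outside the hunk.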
@@ -134,3 +134,34 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security, * */ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security); + +/** + * Return the challenge as determined by the authentication subsystem + * @return an 8 byte random challenge + */ + +NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state, + uint8_t chal[8]); + +/** + * Some authentication methods 'fix' the challenge, so we may not be able to set it + * + * @return If the effective challenge used by the auth subsystem may be modified + */ +bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state); + +/** + * NTLM2 authentication modifies the effective challenge, + * @param challenge The new challenge value + */ +NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge); + +/** + * Check the password on an NTLMSSP login. + * + * Return the session keys used on the connection. + */ + +NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *mem_ctx, + DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key); diff --git a/source3/Makefile.in b/source3/Makefile.in index c433961a78..0425cd7b08 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -569,6 +569,7 @@ LIBSMB_OBJ0 = \ ../auth/ntlmssp/ntlmssp_util.o \ ../auth/ntlmssp/ntlmssp_sign.o \ ../auth/ntlmssp/gensec_ntlmssp.o \ + ../auth/ntlmssp/gensec_ntlmssp_server.o \ $(LIBNDR_NTLMSSP_OBJ) \ ../auth/ntlmssp/ntlmssp_ndr.o \ ../auth/ntlmssp/ntlmssp_server.o diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index f0c96ab168..b9d4b72222 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -24,6 +24,7 @@ #include "includes.h" #include "auth.h" #include "../auth/ntlmssp/ntlmssp.h" +#include "../auth/ntlmssp/ntlmssp_private.h" #include "../librpc/gen_ndr/netlogon.h" #include "../librpc/gen_ndr/dcerpc.h" #include "../lib/tsocket/tsocket.h" 
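Review bot: Two of the new Doxygen blocks in ntlmssp_private.h are detached from their declarations by a blank line (`*/`, empty line, then `NTSTATUS auth_ntlmssp_get_challenge(` and likewise before `NTSTATUS auth_ntlmssp_check_password(`), so documentation tooling will not associate them; drop the blank lines as the other two prototypes already do. Since these functions are now called across the module boundary, the comments should also carry the contracts callers depend on: for `auth_ntlmssp_set_challenge` add `@return NT_STATUS_INVALID_PARAMETER unless challenge->length == 8`, and for `auth_ntlmssp_check_password` add a line stating that on success `user_session_key->data` and `lm_session_key->data` are talloc_steal'ed onto `mem_ctx`. Both statements describe the implementation this commit removes from source3/auth/auth_ntlmssp.c; I am assuming the common one in gensec_ntlmssp_server.c behaves the same. A `@return NT_STATUS_NOT_IMPLEMENTED when the auth_context provides no callback` line on each would also make the fallback explicit.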
@@ -221,187 +222,6 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context, return nt_status; } -/** - * Return the challenge as determined by the authentication subsystem - * @return an 8 byte random challenge - */ - -static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state, - uint8_t chal[8]) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(ntlmssp_state->callback_private, - struct gensec_ntlmssp_context); - struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context; - NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED; - - if (auth_context->get_challenge) { - status = auth_context->get_challenge(auth_context, chal); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n", - nt_errstr(status))); - return status; - } - } - - return status; -} - -/** - * Some authentication methods 'fix' the challenge, so we may not be able to set it - * - * @return If the effective challenge used by the auth subsystem may be modified - */ -static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(ntlmssp_state->callback_private, - struct gensec_ntlmssp_context); - struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context; - - if (auth_context->challenge_may_be_modified) { - return auth_context->challenge_may_be_modified(auth_context); - } - return false; -} - -/** - * NTLM2 authentication modifies the effective challenge, - * @param challenge The new challenge value - */ -static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(ntlmssp_state->callback_private, - struct gensec_ntlmssp_context); - struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context; - NTSTATUS nt_status = 
NT_STATUS_NOT_IMPLEMENTED; - const uint8_t *chal; - - if (challenge->length != 8) { - return NT_STATUS_INVALID_PARAMETER; - } - - chal = challenge->data; - - if (auth_context->set_challenge) { - nt_status = auth_context->set_challenge(auth_context, - chal, - "NTLMSSP callback (NTLM2)"); - } - return nt_status; -} - -/** - * Check the password on an NTLMSSP login. - * - * Return the session keys used on the connection. - */ - -static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, - TALLOC_CTX *mem_ctx, - DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) -{ - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(ntlmssp_state->callback_private, - struct gensec_ntlmssp_context); - struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context; - NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; - struct auth_usersupplied_info *user_info; - - user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info); - if (!user_info) { - return NT_STATUS_NO_MEMORY; - } - - user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT; - user_info->flags = 0; - user_info->mapped_state = false; - user_info->client.account_name = ntlmssp_state->user; - user_info->client.domain_name = ntlmssp_state->domain; - user_info->workstation_name = ntlmssp_state->client.netbios_name; - user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security); - - user_info->password_state = AUTH_PASSWORD_RESPONSE; - user_info->password.response.lanman = ntlmssp_state->lm_resp; - user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data); - user_info->password.response.nt = ntlmssp_state->nt_resp; - user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data); - - if (auth_context->check_password) { - nt_status = auth_context->check_password(auth_context, - gensec_ntlmssp, - user_info, - 
&gensec_ntlmssp->server_returned_info, - user_session_key, lm_session_key); - } - talloc_free(user_info); - - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(5,("%s: Checking NTLMSSP password for %s\\%s failed: %s\n", - __location__, - user_info->client.domain_name, - user_info->client.account_name, - nt_errstr(nt_status))); - } - - NT_STATUS_NOT_OK_RETURN(nt_status); - - talloc_steal(mem_ctx, user_session_key->data); - talloc_steal(mem_ctx, lm_session_key->data); - - return nt_status; -} - -/** - * Return the credentials of a logged on user, including session keys - * etc. - * - * Only valid after a successful authentication - * - * May only be called once per authentication. - * - */ - -static NTSTATUS gensec_ntlmssp3_server_session_info(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - struct auth_session_info **session_info) -{ - NTSTATUS nt_status; - struct gensec_ntlmssp_context *gensec_ntlmssp = - talloc_get_type_abort(gensec_security->private_data, - struct gensec_ntlmssp_context); - uint32_t session_info_flags = 0; - - if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { - session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; - } - - session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; - - if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) { - nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context, - gensec_ntlmssp->server_returned_info, - gensec_ntlmssp->ntlmssp_state->user, - session_info_flags, - session_info); - } else { - DEBUG(0, ("Cannot generate a session_info without the auth_context\n")); - return NT_STATUS_INTERNAL_ERROR; - } - - NT_STATUS_NOT_OK_RETURN(nt_status); - - nt_status = gensec_ntlmssp_session_key(gensec_security, *session_info, - &(*session_info)->session_key); - - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) { - (*session_info)->session_key = data_blob_null; - nt_status = NT_STATUS_OK; - } - return 
nt_status; -} - static NTSTATUS gensec_ntlmssp3_server_start(struct gensec_security *gensec_security) { NTSTATUS nt_status; @@ -487,7 +307,7 @@ const struct gensec_security_ops gensec_ntlmssp3_server_ops = { .wrap = gensec_ntlmssp_wrap, .unwrap = gensec_ntlmssp_unwrap, .session_key = gensec_ntlmssp_session_key, - .session_info = gensec_ntlmssp3_server_session_info, + .session_info = gensec_ntlmssp_session_info, .have_feature = gensec_ntlmssp_have_feature, .enabled = true, .priority = GENSEC_NTLMSSP |
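Review bot: `.session_info = gensec_ntlmssp_session_info,` swaps in a common implementation whose behaviour this diff does not show, while the removed gensec_ntlmssp3_server_session_info had three visible properties: it always OR'd in `AUTH_SESSION_INFO_DEFAULT_GROUPS`, it honoured `GENSEC_FEATURE_UNIX_TOKEN` via `AUTH_SESSION_INFO_UNIX_TOKEN`, and it downgraded `NT_STATUS_NO_USER_SESSION_KEY` from gensec_ntlmssp_session_key to `NT_STATUS_OK` with `data_blob_null`. Please confirm the common function preserves all three, or state the differences in the commit message; the flags decide the group membership and unix token of every NTLMSSP session smbd builds, and the session-key fallback decides whether key-less logons succeed. The rest of the gensec_ntlmssp3_server_ops table continues outside the hunk.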