diff options
Diffstat (limited to 'source4/libcli/auth')
-rw-r--r-- | source4/libcli/auth/gensec_krb5.c | 61 | ||||
-rw-r--r-- | source4/libcli/auth/gensec_ntlmssp.c | 154 |
2 files changed, 83 insertions, 132 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c index 0ab32318aa..aaf892e1e6 100644 --- a/source4/libcli/auth/gensec_krb5.c +++ b/source4/libcli/auth/gensec_krb5.c @@ -6,6 +6,7 @@ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004 Copyright (C) Andrew Tridgell 2001 Copyright (C) Luke Howard 2002-2003 + Copyright (C) Stefan Metzmacher 2004-2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -30,9 +31,6 @@ #include "librpc/gen_ndr/ndr_krb5pac.h" #include "auth/auth.h" -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_AUTH - enum GENSEC_KRB5_STATE { GENSEC_KRB5_SERVER_START, GENSEC_KRB5_CLIENT_START, @@ -620,7 +618,7 @@ static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, } static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security, - struct auth_session_info **session_info_out) + struct auth_session_info **_session_info) { NTSTATUS nt_status; struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data; @@ -629,20 +627,22 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security struct PAC_LOGON_INFO *logon_info; char *p; char *principal; - const char *username; + const char *account_name; const char *realm; - *session_info_out = NULL; - principal = talloc_strdup(gensec_krb5_state, gensec_krb5_state->peer_principal); + NT_STATUS_HAVE_NO_MEMORY(principal); + p = strchr(principal, '@'); if (p) { *p = '\0'; + p++; + realm = p; + } else { + realm = lp_realm(); } - p++; - username = principal; - realm = p; - + account_name = principal; + /* decode and verify the pac */ nt_status = gensec_krb5_decode_pac(gensec_krb5_state, &logon_info, gensec_krb5_state->pac, gensec_krb5_state); @@ -659,36 +659,33 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security union netr_Validation validation; validation.sam3 = &logon_info->info3; nt_status = make_server_info_netlogon_validation(gensec_krb5_state, - username, - &server_info, - 3, - &validation); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } + account_name, + 3, &validation, + &server_info); + talloc_free(principal); + NT_STATUS_NOT_OK_RETURN(nt_status); } else { - nt_status = sam_get_server_info(username, realm, gensec_krb5_state, &server_info); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } + DATA_BLOB user_sess_key = data_blob(NULL, 0); + DATA_BLOB lm_sess_key = data_blob(NULL, 0); + /* TODO: should we pass the krb5 session key in here? */ + nt_status = sam_get_server_info(gensec_krb5_state, account_name, realm, + user_sess_key, lm_sess_key, + &server_info); + talloc_free(principal); + NT_STATUS_NOT_OK_RETURN(nt_status); } /* references the server_info into the session_info */ - nt_status = make_session_info(gensec_krb5_state, server_info, &session_info); + nt_status = auth_generate_session_info(gensec_krb5_state, server_info, &session_info); talloc_free(server_info); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - - talloc_free(principal); + NT_STATUS_NOT_OK_RETURN(nt_status); nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key); + NT_STATUS_NOT_OK_RETURN(nt_status); - session_info->workstation = NULL; + *_session_info = session_info; - *session_info_out = session_info; - - return nt_status; + return NT_STATUS_OK; } static BOOL gensec_krb5_have_feature(struct gensec_security *gensec_security, diff --git a/source4/libcli/auth/gensec_ntlmssp.c b/source4/libcli/auth/gensec_ntlmssp.c index a91c2817af..ae97803ef7 100644 --- a/source4/libcli/auth/gensec_ntlmssp.c +++ b/source4/libcli/auth/gensec_ntlmssp.c @@ -5,6 +5,7 @@ Copyright (C) Andrew Tridgell 2003 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004 + Copyright (C) Stefan Metzmacher 2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -40,8 +41,15 @@ struct gensec_ntlmssp_state { static const uint8_t *auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state) { struct gensec_ntlmssp_state *gensec_ntlmssp_state = ntlmssp_state->auth_context; + NTSTATUS status; + const uint8_t *chal; + + status = auth_get_challenge(gensec_ntlmssp_state->auth_context, &chal); + if (!NT_STATUS_IS_OK(status)) { + return NULL; + } - return gensec_ntlmssp_state->auth_context->get_ntlm_challenge(gensec_ntlmssp_state->auth_context); + return chal; } /** @@ -53,7 +61,7 @@ static BOOL auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_s { struct gensec_ntlmssp_state *gensec_ntlmssp_state = ntlmssp_state->auth_context; - return gensec_ntlmssp_state->auth_context->challenge_may_be_modified; + return auth_challenge_may_be_modified(gensec_ntlmssp_state->auth_context); } /** @@ -62,20 +70,20 @@ static BOOL auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_s */ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge) { + NTSTATUS nt_status; struct gensec_ntlmssp_state *gensec_ntlmssp_state = ntlmssp_state->auth_context; struct auth_context *auth_context = gensec_ntlmssp_state->auth_context; + const uint8_t *chal; - SMB_ASSERT(challenge->length == 8); + if (challenge->length != 8) { + return NT_STATUS_INVALID_PARAMETER; + } - auth_context->challenge = data_blob_talloc(auth_context, - challenge->data, challenge->length); + chal = challenge->data; - auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)"; + nt_status = auth_context_set_challenge(auth_context, chal, "NTLMSSP callback (NTLM2)"); - DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by)); - DEBUG(5, ("challenge is: \n")); - dump_data(5, auth_context->challenge.data, auth_context->challenge.length); - return NT_STATUS_OK; + return nt_status; } /** @@ -90,44 +98,21 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, struct auth_usersupplied_info *user_info = NULL; NTSTATUS nt_status; -#if 0 - /* the client has given us its machine name (which we otherwise would not get on port 445). - we need to possibly reload smb.conf if smb.conf includes depend on the machine name */ - - set_remote_machine_name(gensec_ntlmssp_state->ntlmssp_state->workstation, True); - - /* setup the string used by %U */ - /* sub_set_smb_name checks for weird internally */ - sub_set_smb_name(gensec_ntlmssp_state->ntlmssp_state->user); - - reload_services(True); - -#endif - nt_status = make_user_info_map(ntlmssp_state, - &user_info, + nt_status = make_user_info_map(ntlmssp_state, gensec_ntlmssp_state->ntlmssp_state->user, gensec_ntlmssp_state->ntlmssp_state->domain, gensec_ntlmssp_state->ntlmssp_state->workstation, gensec_ntlmssp_state->ntlmssp_state->lm_resp.data ? &gensec_ntlmssp_state->ntlmssp_state->lm_resp : NULL, gensec_ntlmssp_state->ntlmssp_state->nt_resp.data ? &gensec_ntlmssp_state->ntlmssp_state->nt_resp : NULL, - NULL, NULL, NULL, - True); - - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - - nt_status = gensec_ntlmssp_state-> - auth_context->check_ntlm_password(gensec_ntlmssp_state->auth_context, - user_info, - gensec_ntlmssp_state, - &gensec_ntlmssp_state->server_info); + NULL, NULL, NULL, True, + &user_info); + NT_STATUS_NOT_OK_RETURN(nt_status); - free_user_info(&user_info); + nt_status = auth_check_password(gensec_ntlmssp_state->auth_context, gensec_ntlmssp_state, + user_info, &gensec_ntlmssp_state->server_info); + talloc_free(user_info); + NT_STATUS_NOT_OK_RETURN(nt_status); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } if (gensec_ntlmssp_state->server_info->user_session_key.length) { DEBUG(10, ("Got NT session key of length %u\n", gensec_ntlmssp_state->server_info->user_session_key.length)); *user_session_key = data_blob_talloc(ntlmssp_state, @@ -151,12 +136,6 @@ static int gensec_ntlmssp_destroy(void *ptr) ntlmssp_end(&gensec_ntlmssp_state->ntlmssp_state); } - if (gensec_ntlmssp_state->auth_context) { - free_auth_context(&gensec_ntlmssp_state->auth_context); - } - if (gensec_ntlmssp_state->server_info) { - free_server_info(&gensec_ntlmssp_state->server_info); - } return 0; } @@ -183,21 +162,16 @@ static NTSTATUS gensec_ntlmssp_start(struct gensec_security *gensec_security) static NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) { NTSTATUS nt_status; - NTSTATUS status; struct ntlmssp_state *ntlmssp_state; struct gensec_ntlmssp_state *gensec_ntlmssp_state; - status = gensec_ntlmssp_start(gensec_security); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + nt_status = gensec_ntlmssp_start(gensec_security); + NT_STATUS_NOT_OK_RETURN(nt_status); gensec_ntlmssp_state = gensec_security->private_data; - if (!NT_STATUS_IS_OK(nt_status = ntlmssp_server_start(gensec_ntlmssp_state, - &gensec_ntlmssp_state->ntlmssp_state))) { - return nt_status; - } + nt_status = ntlmssp_server_start(gensec_ntlmssp_state, &gensec_ntlmssp_state->ntlmssp_state); + NT_STATUS_NOT_OK_RETURN(nt_status); if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; @@ -206,19 +180,17 @@ static NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_secur gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; } - ntlmssp_state = gensec_ntlmssp_state->ntlmssp_state; - nt_status = make_auth_context_subsystem(gensec_ntlmssp_state, &gensec_ntlmssp_state->auth_context); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } + nt_status = auth_context_create(gensec_ntlmssp_state, lp_auth_methods(), &gensec_ntlmssp_state->auth_context); + NT_STATUS_NOT_OK_RETURN(nt_status); + ntlmssp_state = gensec_ntlmssp_state->ntlmssp_state; ntlmssp_state->auth_context = gensec_ntlmssp_state; ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge; ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge; ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge; ntlmssp_state->check_password = auth_ntlmssp_check_password; ntlmssp_state->server_role = lp_server_role(); - + return NT_STATUS_OK; } @@ -226,19 +198,15 @@ static NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_secur { struct gensec_ntlmssp_state *gensec_ntlmssp_state; char *password = NULL; - - NTSTATUS status; - status = gensec_ntlmssp_start(gensec_security); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + NTSTATUS nt_status; + + nt_status = gensec_ntlmssp_start(gensec_security); + NT_STATUS_NOT_OK_RETURN(nt_status); gensec_ntlmssp_state = gensec_security->private_data; - status = ntlmssp_client_start(gensec_ntlmssp_state, - &gensec_ntlmssp_state->ntlmssp_state); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + nt_status = ntlmssp_client_start(gensec_ntlmssp_state, + &gensec_ntlmssp_state->ntlmssp_state); + NT_STATUS_NOT_OK_RETURN(nt_status); if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { /* @@ -259,36 +227,27 @@ static NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_secur gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; } - status = ntlmssp_set_domain(gensec_ntlmssp_state->ntlmssp_state, - gensec_security->user.domain); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + nt_status = ntlmssp_set_domain(gensec_ntlmssp_state->ntlmssp_state, + gensec_security->user.domain); + NT_STATUS_NOT_OK_RETURN(nt_status); - status = ntlmssp_set_username(gensec_ntlmssp_state->ntlmssp_state, - gensec_security->user.name); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + nt_status = ntlmssp_set_username(gensec_ntlmssp_state->ntlmssp_state, + gensec_security->user.name); + NT_STATUS_NOT_OK_RETURN(nt_status); if (gensec_security->user.name) { - status = gensec_get_password(gensec_security, gensec_ntlmssp_state, &password); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + nt_status = gensec_get_password(gensec_security, gensec_ntlmssp_state, &password); + NT_STATUS_NOT_OK_RETURN(nt_status); } if (password) { - status = ntlmssp_set_password(gensec_ntlmssp_state->ntlmssp_state, - password); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + nt_status = ntlmssp_set_password(gensec_ntlmssp_state->ntlmssp_state, password); + NT_STATUS_NOT_OK_RETURN(nt_status); } gensec_security->private_data = gensec_ntlmssp_state; - return status; + return NT_STATUS_OK; } /* @@ -499,19 +458,14 @@ static NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_secur { NTSTATUS nt_status; struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data; - nt_status = make_session_info(gensec_ntlmssp_state, gensec_ntlmssp_state->server_info, session_info); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } + nt_status = auth_generate_session_info(gensec_ntlmssp_state, gensec_ntlmssp_state->server_info, session_info); + NT_STATUS_NOT_OK_RETURN(nt_status); (*session_info)->session_key = data_blob_talloc(*session_info, gensec_ntlmssp_state->ntlmssp_state->session_key.data, gensec_ntlmssp_state->ntlmssp_state->session_key.length); - (*session_info)->workstation = talloc_strdup(*session_info, - gensec_ntlmssp_state->ntlmssp_state->workstation); - return NT_STATUS_OK; } |