From d69843c908d2dab9f5296096eccf8650296b79f4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 27 Jul 2011 13:34:34 +1000 Subject: s3-ntlmssp Add hooks to optionally call into GENSEC in auth_ntlmssp This allows the current behaviour of the NTLMSSP code to be unchanged while adding a way to hook in an alternate implementation via an auth module. Andrew Bartlett Signed-off-by: Andrew Tridgell --- source3/Makefile.in | 1 + source3/auth/auth_ntlmssp.c | 49 +++++++++++++++++++++++++++----------- source3/include/ntlmssp_wrap.h | 3 +++ source3/libsmb/ntlmssp_wrap.c | 53 +++++++++++++++++++++++++++++++++++++++++- source3/wscript_build | 2 +- source4/auth/gensec/schannel.c | 1 + source4/auth/gensec/socket.c | 1 + 7 files changed, 95 insertions(+), 15 deletions(-) diff --git a/source3/Makefile.in b/source3/Makefile.in index 9bf3bc0399..927cd0c81a 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -550,6 +550,7 @@ LIBSMB_OBJ0 = \ ../libcli/auth/ntlm_check.o \ libsmb/ntlmssp.o \ libsmb/ntlmssp_wrap.o \ + ../auth/gensec/gensec.o \ ../libcli/auth/ntlmssp.o \ ../libcli/auth/ntlmssp_sign.o \ $(LIBNDR_NTLMSSP_OBJ) \ diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 2157d355d2..64307bea48 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -26,15 +26,25 @@ #include "ntlmssp_wrap.h" #include "../librpc/gen_ndr/netlogon.h" #include "../lib/tsocket/tsocket.h" +#include "auth/gensec/gensec.h" NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx, struct auth_ntlmssp_state *auth_ntlmssp_state, struct auth_session_info **session_info) { - NTSTATUS nt_status = create_local_token(mem_ctx, - auth_ntlmssp_state->server_info, - &auth_ntlmssp_state->ntlmssp_state->session_key, + NTSTATUS nt_status; + if (auth_ntlmssp_state->gensec_security) { + + nt_status = gensec_session_info(auth_ntlmssp_state->gensec_security, + mem_ctx, session_info); + return nt_status; + } + + nt_status = create_local_token(mem_ctx, + auth_ntlmssp_state->server_info, + &auth_ntlmssp_state->ntlmssp_state->session_key, + session_info); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(10, ("create_local_token failed: %s\n", @@ -190,6 +200,29 @@ NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address, struct auth_ntlmssp_state *ans; struct auth_context *auth_context; + ans = talloc_zero(NULL, struct auth_ntlmssp_state); + if (!ans) { + DEBUG(0,("auth_ntlmssp_start: talloc failed!\n")); + return NT_STATUS_NO_MEMORY; + } + + nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context); + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(ans); + return nt_status; + } + + if (auth_context->start_gensec) { + nt_status = auth_context->start_gensec(ans, GENSEC_OID_NTLMSSP, &ans->gensec_security); + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(ans); + return nt_status; + } else { + *auth_ntlmssp_state = ans; + return NT_STATUS_OK; + } + } + if ((enum server_role)lp_server_role() == ROLE_STANDALONE) { is_standalone = true; } else { @@ -205,12 +238,6 @@ NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address, } dns_name = get_mydnsfullname(); - ans = talloc_zero(NULL, struct auth_ntlmssp_state); - if (!ans) { - DEBUG(0,("auth_ntlmssp_start: talloc failed!\n")); - return NT_STATUS_NO_MEMORY; - } - ans->remote_address = tsocket_address_copy(remote_address, ans); if (ans->remote_address == NULL) { DEBUG(0,("auth_ntlmssp_start: talloc failed!\n")); @@ -228,10 +255,6 @@ NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address, return nt_status; } - nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } ans->auth_context = talloc_steal(ans, auth_context); ans->ntlmssp_state->callback_private = ans; diff --git a/source3/include/ntlmssp_wrap.h b/source3/include/ntlmssp_wrap.h index ed2e82758c..ff534da46f 100644 --- a/source3/include/ntlmssp_wrap.h +++ b/source3/include/ntlmssp_wrap.h @@ -21,11 +21,14 @@ #ifndef _NTLMSSP_WRAP_ #define _NTLMSSP_WRAP_ +struct gensec_security; + struct auth_ntlmssp_state { /* used only by server implementation */ struct auth_context *auth_context; struct auth_serversupplied_info *server_info; struct tsocket_address *remote_address; + struct gensec_security *gensec_security; /* used by both client and server implementation */ struct ntlmssp_state *ntlmssp_state; diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c index de883dd8cb..43cde19b3b 100644 --- a/source3/libsmb/ntlmssp_wrap.c +++ b/source3/libsmb/ntlmssp_wrap.c @@ -21,6 +21,7 @@ #include "includes.h" #include "libcli/auth/ntlmssp.h" #include "ntlmssp_wrap.h" +#include "auth/gensec/gensec.h" NTSTATUS auth_ntlmssp_sign_packet(struct auth_ntlmssp_state *ans, TALLOC_CTX *sig_mem_ctx, @@ -30,6 +31,10 @@ NTSTATUS auth_ntlmssp_sign_packet(struct auth_ntlmssp_state *ans, size_t pdu_length, DATA_BLOB *sig) { + if (ans->gensec_security) { + return gensec_sign_packet(ans->gensec_security, + sig_mem_ctx, data, length, whole_pdu, pdu_length, sig); + } return ntlmssp_sign_packet(ans->ntlmssp_state, sig_mem_ctx, data, length, @@ -44,6 +49,10 @@ NTSTATUS auth_ntlmssp_check_packet(struct auth_ntlmssp_state *ans, size_t pdu_length, const DATA_BLOB *sig) { + if (ans->gensec_security) { + return gensec_check_packet(ans->gensec_security, + data, length, whole_pdu, pdu_length, sig); + } return ntlmssp_check_packet(ans->ntlmssp_state, data, length, whole_pdu, pdu_length, @@ -58,6 +67,10 @@ NTSTATUS auth_ntlmssp_seal_packet(struct auth_ntlmssp_state *ans, size_t pdu_length, DATA_BLOB *sig) { + if (ans->gensec_security) { + return gensec_seal_packet(ans->gensec_security, + sig_mem_ctx, data, length, whole_pdu, pdu_length, sig); + } return ntlmssp_seal_packet(ans->ntlmssp_state, sig_mem_ctx, data, length, @@ -72,6 +85,10 @@ NTSTATUS auth_ntlmssp_unseal_packet(struct auth_ntlmssp_state *ans, size_t pdu_length, const DATA_BLOB *sig) { + if (ans->gensec_security) { + return gensec_unseal_packet(ans->gensec_security, + data, length, whole_pdu, pdu_length, sig); + } return ntlmssp_unseal_packet(ans->ntlmssp_state, data, length, whole_pdu, pdu_length, @@ -80,17 +97,26 @@ NTSTATUS auth_ntlmssp_unseal_packet(struct auth_ntlmssp_state *ans, bool auth_ntlmssp_negotiated_sign(struct auth_ntlmssp_state *ans) { + if (ans->gensec_security) { + return gensec_have_feature(ans->gensec_security, GENSEC_FEATURE_SIGN); + } return ans->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN; } bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *ans) { + if (ans->gensec_security) { + return gensec_have_feature(ans->gensec_security, GENSEC_FEATURE_SEAL); + } return ans->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL; } /* Needed for 'smb username' processing */ const char *auth_ntlmssp_get_username(struct auth_ntlmssp_state *ans) { + if (ans->gensec_security) { + return ""; /* We can't get at this value, and it's just for the %U macros */ + } return ans->ntlmssp_state->user; } @@ -129,17 +155,42 @@ void auth_ntlmssp_or_flags(struct auth_ntlmssp_state *ans, uint32_t flags) void auth_ntlmssp_want_feature(struct auth_ntlmssp_state *ans, uint32_t feature) { - ntlmssp_want_feature(ans->ntlmssp_state, feature); + if (ans->gensec_security) { + /* You need to negotiate signing to get a windows server to calculate a session key */ + if (feature & NTLMSSP_FEATURE_SESSION_KEY) { + return gensec_want_feature(ans->gensec_security, GENSEC_FEATURE_SESSION_KEY); + } + if (feature & NTLMSSP_FEATURE_SIGN) { + return gensec_want_feature(ans->gensec_security, GENSEC_FEATURE_SIGN); + } + if (feature & NTLMSSP_FEATURE_SEAL) { + return gensec_want_feature(ans->gensec_security, GENSEC_FEATURE_SEAL); + } + } else { + ntlmssp_want_feature(ans->ntlmssp_state, feature); + } } DATA_BLOB auth_ntlmssp_get_session_key(struct auth_ntlmssp_state *ans, TALLOC_CTX *mem_ctx) { + if (ans->gensec_security) { + DATA_BLOB session_key; + NTSTATUS status = gensec_session_key(ans->gensec_security, mem_ctx, &session_key); + if (NT_STATUS_IS_OK(status)) { + return session_key; + } else { + return data_blob_null; + } + } return data_blob_talloc(mem_ctx, ans->ntlmssp_state->session_key.data, ans->ntlmssp_state->session_key.length); } NTSTATUS auth_ntlmssp_update(struct auth_ntlmssp_state *ans, const DATA_BLOB request, DATA_BLOB *reply) { + if (ans->gensec_security) { + return gensec_update(ans->gensec_security, ans, request, reply); + } return ntlmssp_update(ans->ntlmssp_state, request, reply); } diff --git a/source3/wscript_build b/source3/wscript_build index 266a0e3fad..42a12be0cb 100755 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -817,7 +817,7 @@ bld.SAMBA3_SUBSYSTEM('LIBSMB_ERR', bld.SAMBA3_SUBSYSTEM('LIBNTLMSSP', source=LIBNTLMSSP_SRC, - deps='LIBSMB_ERR NDR_NTLMSSP NTLMSSP_COMMON', + deps='LIBSMB_ERR NDR_NTLMSSP NTLMSSP_COMMON gensec_runtime', vars=locals()) bld.SAMBA3_LIBRARY('libsmb', diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index 67d928e710..4587d43184 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -29,6 +29,7 @@ #include "../libcli/auth/schannel.h" #include "librpc/rpc/dcerpc.h" #include "param/param.h" +#include "auth/gensec/schannel.h" _PUBLIC_ NTSTATUS gensec_schannel_init(void); diff --git a/source4/auth/gensec/socket.c b/source4/auth/gensec/socket.c index 8ee6cbc552..38eab6ac44 100644 --- a/source4/auth/gensec/socket.c +++ b/source4/auth/gensec/socket.c @@ -25,6 +25,7 @@ #include "lib/stream/packet.h" #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_proto.h" +#include "auth/gensec/gensec_socket.h" static const struct socket_ops gensec_socket_ops; -- cgit