From eba87995145b0e14672c1f6993f7aa3422d62541 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 30 Jun 2012 18:30:57 +1000 Subject: auth: Remove .get_challenge (only used for security=server) With NTLMSSP, for NTLM2 we need to be able to set the effective challenge, so if we ever did use a module that needed this functionality, we would downgrade to just NTLM. Now that security=server has been removed, we have no such module. This will make it easier to make the auth subsystem async, as we will not need to consider making .get_challenge async. Andrew Bartlett --- auth/common_auth.h | 4 --- auth/ntlmssp/ntlmssp_server.c | 7 ----- source3/auth/auth.c | 54 +++++-------------------------- source3/auth/auth_builtin.c | 55 -------------------------------------- source3/auth/auth_generic.c | 1 - source3/auth/auth_ntlmssp.c | 12 --------- source3/include/auth.h | 11 -------- source3/utils/ntlm_auth.c | 13 --------- source4/auth/auth.h | 7 ----- source4/auth/ntlm/auth.c | 30 --------------------- source4/auth/ntlm/auth_anonymous.c | 1 - source4/auth/ntlm/auth_developer.c | 54 ------------------------------------- source4/auth/ntlm/auth_sam.c | 2 -- source4/auth/ntlm/auth_unix.c | 1 - source4/auth/ntlm/auth_winbind.c | 2 -- 15 files changed, 6 insertions(+), 248 deletions(-) diff --git a/auth/common_auth.h b/auth/common_auth.h index cf21543a91..a40f7c2b3d 100644 --- a/auth/common_auth.h +++ b/auth/common_auth.h @@ -82,8 +82,6 @@ struct auth4_context { /* Who set this up in the first place? */ const char *set_by; - bool may_be_modified; - DATA_BLOB data; } challenge; @@ -113,8 +111,6 @@ struct auth4_context { NTSTATUS (*get_ntlm_challenge)(struct auth4_context *auth_ctx, uint8_t chal[8]); - bool (*challenge_may_be_modified)(struct auth4_context *auth_ctx); - NTSTATUS (*set_ntlm_challenge)(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by); NTSTATUS (*generate_session_info)(struct auth4_context *auth_context, 
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c index bb86c9cf20..d9bea1cde4 100644 --- a/auth/ntlmssp/ntlmssp_server.c +++ b/auth/ntlmssp/ntlmssp_server.c @@ -131,13 +131,6 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security return NT_STATUS_NOT_IMPLEMENTED; } - /* Check if we may set the challenge */ - if (auth_context->challenge_may_be_modified) { - if (!auth_context->challenge_may_be_modified(auth_context)) { - ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; - } - } - /* The flags we send back are not just the negotiated flags, * they are also 'what is in this packet'. Therfore, we * operate on 'chal_flags' from here on diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 671319347f..c3797cf604 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -81,9 +81,8 @@ static struct auth_init_function_entry *auth_find_backend_entry(const char *name NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context, uint8_t chal[8]) { - DATA_BLOB challenge = data_blob_null; - const char *challenge_set_by = NULL; - auth_methods *auth_method; + uchar tmp[8]; + if (auth_context->challenge.length) { DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge by module %s (normal)\n", 
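Review bot: Removing the NTLM2 downgrade in gensec_ntlmssp_server_negotiate is the right direction (a server that silently strips NTLMSSP_NEGOTIATE_NTLM2 weakens the client's chosen mode), but the hunk leaves no record of the invariant it now relies on, namely that every auth4_context must provide set_ntlm_challenge because no backend fixes the challenge any more. I would put a comment where the block was removed: `/* NTLM2 is always negotiable: no backend fixes the challenge any more, so the auth context must supply set_ntlm_challenge. */`. If the later call through set_ntlm_challenge is not guarded against a NULL function pointer (that code is outside this hunk), an NT_STATUS_NOT_IMPLEMENTED return like the one visible at the top of the hunk would be worth adding there. gensec_ntlmssp_server_negotiate begins before and continues past this hunk.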
@@ -92,52 +91,11 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
return NT_STATUS_OK;
}
- auth_context->challenge_may_be_modified = False;
-
- for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) {
- if (auth_method->get_chal == NULL) {
- DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name));
- continue;
- }
-
- DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name));
- if (challenge_set_by != NULL) {
- DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authentication method %s has already specified a challenge. Challenge by %s ignored.\n",
- challenge_set_by, auth_method->name));
- continue;
- }
-
- challenge = auth_method->get_chal(auth_context, &auth_method->private_data,
- auth_context);
- if (!challenge.length) {
- DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n",
- auth_method->name));
- } else {
- DEBUG(5, ("auth_get_challenge: successfully got challenge from module %s\n", auth_method->name));
- auth_context->challenge = challenge;
- challenge_set_by = auth_method->name;
- auth_context->challenge_set_method = auth_method;
- }
- }
-
- if (!challenge_set_by) {
- uchar tmp[8];
-
- generate_random_buffer(tmp, sizeof(tmp));
- auth_context->challenge = data_blob_talloc(auth_context,
- tmp, sizeof(tmp));
-
- challenge_set_by = "random";
- auth_context->challenge_may_be_modified = True;
- }
-
- DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by));
- DEBUG(5, ("challenge is: \n"));
- dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
-
- SMB_ASSERT(auth_context->challenge.length == 8);
+ generate_random_buffer(tmp, sizeof(tmp));
+ auth_context->challenge = data_blob_talloc(auth_context,
+ tmp, sizeof(tmp));
- auth_context->challenge_set_by=challenge_set_by;
+ auth_context->challenge_set_by = "random";
memcpy(chal,
auth_context->challenge.data, 8);
return NT_STATUS_OK;
diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
index cfe89495a0..b757894a7c 100644
--- a/source3/auth/auth_builtin.c
+++ b/source3/auth/auth_builtin.c
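Review bot: The new code copies from auth_context->challenge.data in the memcpy without checking that data_blob_talloc succeeded, and the removed `SMB_ASSERT(auth_context->challenge.length == 8)` was the only guard on that path; if data_blob_talloc can hand back an empty blob on allocation failure (its source is not in this diff, so verify), the memcpy reads through a NULL pointer. I would add right after the data_blob_talloc call: `if (auth_context->challenge.data == NULL) { return NT_STATUS_NO_MEMORY; }`. A short why-comment above generate_random_buffer would also help the next reader, e.g. `/* No backend supplies a challenge any more (security=server is gone): always generate a fresh random one. */`. auth_get_ntlm_challenge begins before this hunk.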
@@ -128,67 +128,12 @@ static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, co return NT_STATUS_OK; } -/** - * Return a 'fixed' challenge instead of a variable one. - * - * The idea of this function is to make packet snifs consistant - * with a fixed challenge, so as to aid debugging. - * - * This module is of no value to end-users. - * - * This module does not actually authenticate the user, but - * just pretenteds to need a specified challenge. - * This module removes *all* security from the challenge-response system - * - * @return NT_STATUS_UNSUCCESSFUL - **/ - -static NTSTATUS check_fixed_challenge_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) -{ - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************************** - Get the challenge out of a password server. -****************************************************************************/ - -static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_context, - void **my_private_data, - TALLOC_CTX *mem_ctx) -{ - const char *challenge = "I am a teapot"; - return data_blob(challenge, 8); -} - - -/** Module initialisation function */ - -static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - struct auth_methods *result; - - result = talloc_zero(auth_context, struct auth_methods); - if (result == NULL) { - return NT_STATUS_NO_MEMORY; - } - result->auth = check_fixed_challenge_security; - result->get_chal = auth_get_fixed_challenge; - result->name = "fixed_challenge"; - - *auth_method = result; - return NT_STATUS_OK; -} #endif /* DEVELOPER */ NTSTATUS auth_builtin_init(void) { smb_register_auth(AUTH_INTERFACE_VERSION, "guest", auth_init_guest); #ifdef DEVELOPER - smb_register_auth(AUTH_INTERFACE_VERSION, 
"fixed_challenge", auth_init_fixed_challenge); smb_register_auth(AUTH_INTERFACE_VERSION, "name_to_ntstatus", auth_init_name_to_ntstatus); #endif return NT_STATUS_OK; diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index e941ab9a0e..82b376feb6 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c @@ -165,7 +165,6 @@ static struct auth4_context *make_auth4_context_s3(TALLOC_CTX *mem_ctx, struct a auth4_context->generate_session_info = auth3_generate_session_info; auth4_context->get_ntlm_challenge = auth3_get_challenge; auth4_context->set_ntlm_challenge = auth3_set_challenge; - auth4_context->challenge_may_be_modified = auth3_may_set_challenge; auth4_context->check_ntlm_password = auth3_check_password; auth4_context->private_data = talloc_steal(auth4_context, auth_context); return auth4_context; diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 3437dbfb83..f99bd44d7e 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -63,18 +63,6 @@ NTSTATUS auth3_get_challenge(struct auth4_context *auth4_context, return NT_STATUS_OK; } -/** - * Some authentication methods 'fix' the challenge, so we may not be able to set it - * - * @return If the effective challenge used by the auth subsystem may be modified - */ -bool auth3_may_set_challenge(struct auth4_context *auth4_context) -{ - struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data, - struct auth_context); - return auth_context->challenge_may_be_modified; -} - /** * NTLM2 authentication modifies the effective challenge, * @param challenge The new challenge value diff --git a/source3/include/auth.h b/source3/include/auth.h index 693a0df383..07f8b9eee1 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h 
@@ -78,9 +78,6 @@ struct auth_context { /* Who set this up in the first place? */ const char *challenge_set_by; - bool challenge_may_be_modified; - - struct auth_methods *challenge_set_method; /* What order are the various methods in? Try to stop it changing under us */ struct auth_methods *auth_method_list; @@ -99,14 +96,6 @@ typedef struct auth_methods const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **server_info); - /* If you are using this interface, then you are probably - * getting something wrong. This interface is only for - * security=server, and makes a number of compromises to allow - * that. It is not compatible with being a PDC. */ - DATA_BLOB (*get_chal)(const struct auth_context *auth_context, - void **my_private_data, - TALLOC_CTX *mem_ctx); - /* Optional methods allowing this module to provide a way to get a gensec context and an auth4_context */ prepare_gensec_fn prepare_gensec; make_auth4_context_fn make_auth4_context; diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 5bf2a7be02..a832b5bc60 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -866,8 +866,6 @@ static NTSTATUS ntlm_auth_get_challenge(struct auth4_context *auth_ctx, auth_ctx->challenge.data = data_blob_talloc(auth_ctx, chal, 8); NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data); auth_ctx->challenge.set_by = "random"; - - auth_ctx->challenge.may_be_modified = true; } DEBUG(10,("auth_get_challenge: challenge set by %s\n", 
@@ -876,16 +874,6 @@ static NTSTATUS ntlm_auth_get_challenge(struct auth4_context *auth_ctx, return NT_STATUS_OK; } -/** - * Some authentication methods 'fix' the challenge, so we may not be able to set it - * - * @return If the effective challenge used by the auth subsystem may be modified - */ -static bool ntlm_auth_may_set_challenge(struct auth4_context *auth_ctx) -{ - return auth_ctx->challenge.may_be_modified; -} - /** * NTLM2 authentication modifies the effective challenge, * @param challenge The new challenge value @@ -1055,7 +1043,6 @@ static struct auth4_context *make_auth4_context_ntlm_auth(TALLOC_CTX *mem_ctx, b auth4_context->generate_session_info_pac = ntlm_auth_generate_session_info_pac; auth4_context->get_ntlm_challenge = ntlm_auth_get_challenge; auth4_context->set_ntlm_challenge = ntlm_auth_set_challenge; - auth4_context->challenge_may_be_modified = ntlm_auth_may_set_challenge; if (local_pw) { auth4_context->check_ntlm_password = local_pw_check; } else { diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 1b22701499..503bae9d4a 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -55,13 +55,6 @@ struct smb_krb5_context; struct auth_operations { const char *name; - /* If you are using this interface, then you are probably - * getting something wrong. This interface is only for - * security=server, and makes a number of compromises to allow - * that. It is not compatible with being a PDC. */ - - NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, uint8_t chal[8]); - /* Given the user supplied info, check if this backend want to handle the password checking */ NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index d0ff50afc6..263dc8031d 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c 
@@ -54,22 +54,12 @@ _PUBLIC_ NTSTATUS auth_context_set_challenge(struct auth4_context *auth_ctx, con return NT_STATUS_OK; } -/*************************************************************************** - Set a fixed challenge -***************************************************************************/ -_PUBLIC_ bool auth_challenge_may_be_modified(struct auth4_context *auth_ctx) -{ - return auth_ctx->challenge.may_be_modified; -} - /**************************************************************************** Try to get a challenge out of the various authentication modules. Returns a const char of length 8 bytes. ****************************************************************************/ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t chal[8]) { - NTSTATUS nt_status; - struct auth_method_context *method; if (auth_ctx->challenge.data.length == 8) { DEBUG(5, ("auth_get_challenge: returning previous challenge by module %s (normal)\n", @@ -78,29 +68,12 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha return NT_STATUS_OK; } - for (method = auth_ctx->methods; method; method = method->next) { - nt_status = method->ops->get_challenge(method, auth_ctx, chal); - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) { - continue; - } - - NT_STATUS_NOT_OK_RETURN(nt_status); - - auth_ctx->challenge.data = data_blob_talloc(auth_ctx, chal, 8); - NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data); - auth_ctx->challenge.set_by = method->ops->name; - - break; - } - if (!auth_ctx->challenge.set_by) { generate_random_buffer(chal, 8); auth_ctx->challenge.data = data_blob_talloc(auth_ctx, chal, 8); NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data); auth_ctx->challenge.set_by = "random"; - - auth_ctx->challenge.may_be_modified = true; } DEBUG(10,("auth_get_challenge: challenge set by %s\n", 
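Review bot: With the method loop gone, `if (!auth_ctx->challenge.set_by)` is now the only remaining path in auth_get_challenge that writes chal, so a context whose set_by is already non-NULL while data.length is not 8 (the only state that gets past the early return in the previous hunk) would return NT_STATUS_OK with chal untouched and the caller would use an uninitialised challenge. Either drop the condition and generate unconditionally, or make the gap explicit with `} else { return NT_STATUS_INTERNAL_ERROR; }` after the random branch. Whether that state is reachable depends on auth_context_set_challenge, which is only partly visible above, so this is a hedge rather than a confirmed bug; the tail of auth_get_challenge after the DEBUG(10, ...) call is outside this hunk.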
@@ -574,8 +547,6 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
ctx = talloc_zero(mem_ctx, struct auth4_context);
NT_STATUS_HAVE_NO_MEMORY(ctx);
- ctx->challenge.set_by = NULL;
- ctx->challenge.may_be_modified = false;
ctx->challenge.data = data_blob(NULL, 0);
ctx->methods = NULL;
ctx->event_ctx = ev;
@@ -608,7 +579,6 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
ctx->check_ntlm_password = auth_check_password_wrapper;
ctx->get_ntlm_challenge = auth_get_challenge;
ctx->set_ntlm_challenge = auth_context_set_challenge;
- ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
ctx->generate_session_info = auth_generate_session_info_wrapper;
ctx->generate_session_info_pac = auth_generate_session_info_pac;
diff --git a/source4/auth/ntlm/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c
index 4b0fff03cc..28cbfe831e 100644
--- a/source4/auth/ntlm/auth_anonymous.c
+++ b/source4/auth/ntlm/auth_anonymous.c
@@ -61,7 +61,6 @@ static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
static const struct auth_operations anonymous_auth_ops = {
.name = "anonymous",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = anonymous_want_check,
.check_password = anonymous_check_password
};
diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c
index bc27f27fa2..58ccc2db28 100644
--- a/source4/auth/ntlm/auth_developer.c
+++ b/source4/auth/ntlm/auth_developer.c
@@ -133,58 +133,10 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx, static const struct auth_operations name_to_ntstatus_auth_ops = { .name = "name_to_ntstatus", - .get_challenge = auth_get_challenge_not_implemented, .want_check = name_to_ntstatus_want_check, .check_password = name_to_ntstatus_check_password }; -/** - * Return a 'fixed' challenge instead of a variable one. - * - * The idea of this function is to make packet snifs consistant - * with a fixed challenge, so as to aid debugging. - * - * This module is of no value to end-users. - * - * This module does not actually authenticate the user, but - * just pretenteds to need a specified challenge. - * This module removes *all* security from the challenge-response system - * - * @return NT_STATUS_UNSUCCESSFUL - **/ -static NTSTATUS fixed_challenge_get_challenge(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, uint8_t chal[8]) -{ - const char *challenge = "I am a teapot"; - - memcpy(chal, challenge, 8); - - return NT_STATUS_OK; -} - -static NTSTATUS fixed_challenge_want_check(struct auth_method_context *ctx, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info) -{ - /* don't handle any users */ - return NT_STATUS_NOT_IMPLEMENTED; -} - -static NTSTATUS fixed_challenge_check_password(struct auth_method_context *ctx, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info, - struct auth_user_info_dc **_user_info_dc) -{ - /* don't handle any users */ - return NT_STATUS_NO_SUCH_USER; -} - -static const struct auth_operations fixed_challenge_auth_ops = { - .name = "fixed_challenge", - .get_challenge = fixed_challenge_get_challenge, - .want_check = fixed_challenge_want_check, - .check_password = fixed_challenge_check_password -}; - _PUBLIC_ NTSTATUS auth4_developer_init(void) { NTSTATUS ret; 
@@ -195,11 +147,5 @@ _PUBLIC_ NTSTATUS auth4_developer_init(void)
return ret;
}
- ret = auth_register(&fixed_challenge_auth_ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register 'fixed_challenge' auth backend!\n"));
- return ret;
- }
-
return ret;
}
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 4a4307c895..f234f7229c 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -367,7 +367,6 @@ static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
}
static const struct auth_operations sam_ignoredomain_ops = {
.name = "sam_ignoredomain",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = authsam_ignoredomain_want_check,
.check_password = authsam_check_password_internals,
.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper
@@ -375,7 +374,6 @@ static const struct auth_operations sam_ignoredomain_ops = {
static const struct auth_operations sam_ops = {
.name = "sam",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = authsam_want_check,
.check_password = authsam_check_password_internals,
.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper
diff --git a/source4/auth/ntlm/auth_unix.c b/source4/auth/ntlm/auth_unix.c
index d79ebc1772..57bca6cc5b 100644
--- a/source4/auth/ntlm/auth_unix.c
+++ b/source4/auth/ntlm/auth_unix.c
@@ -797,7 +797,6 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
static const struct auth_operations unix_ops = {
.name = "unix",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = authunix_want_check,
.check_password = authunix_check_password
};
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 34fe6f870c..dba90ab039 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -319,14 +319,12 @@ static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx,
static const struct auth_operations winbind_ops = {
.name = "winbind",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = winbind_want_check,
.check_password = winbind_check_password
};
static const struct auth_operations winbind_wbclient_ops = {
.name = "winbind_wbclient",
- .get_challenge = auth_get_challenge_not_implemented,
.want_check = winbind_want_check,
.check_password = winbind_check_password_wbclient
};
-- cgit