From 2e28f8ff0e3bb50ac5b2742c7678c39cb65bcd95 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sat, 5 Jan 2002 04:55:41 +0000
Subject: I've decided to move the auth code around a bit more...

The auth_authsupplied_info typedef is now just a plain struct - auth_context,
but it has been modified to contain the function pointers to the rest
of the auth subsystem's components.

(Who needs non-static functions anyway?)

In working all this mess out, I fixed a number of memory leaks and moved the
entire auth subsystem over to talloc().

Note that the TALLOC_CTX attached to the auth_context can be rather long-lived,
it is provided for things that are intended to live as long.  (The
global_negprot_auth_context lasts the whole life of the smbd).

I've also adjusted a few things in auth_domain.c, mainly passing the domain as
a paramater to a few functions instead of looking up lp_workgroup().  I'm
hopign to make this entire thing a bit more trusted domains (as PDC) freindly
in the near future.

Other than that, I moved a bit of the code around, hence the rather messy diff.

Andrew Bartlett
(This used to be commit 12f5515f556cf39fea98134fe3e2ac4540501048)
---
 source3/auth/auth_util.c | 63 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 50 insertions(+), 13 deletions(-)

(limited to 'source3/auth/auth_util.c')

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index d9f3098e7c..a479f52ab2 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -276,13 +276,13 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
 ****************************************************************************/
 
 BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, 
-					 char *smb_name, 
-					 char *client_domain, 
-					 char *wksta_name, 
-					 uchar chal[8], 
-					 uchar lm_interactive_pwd[16], 
-					 uchar nt_interactive_pwd[16], 
-					 uchar *dc_sess_key)
+					 const char *smb_name, 
+					 const char *client_domain, 
+					 const char *wksta_name, 
+					 const uchar chal[8], 
+					 const uchar lm_interactive_pwd[16], 
+					 const uchar nt_interactive_pwd[16], 
+					 const uchar *dc_sess_key)
 {
 	char lm_pwd[16];
 	char nt_pwd[16];
@@ -360,7 +360,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
 BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, 
 			      char *smb_name, 
 			      char *client_domain,
-			      unsigned char chal[8],
+			      const uint8 chal[8],
 			      DATA_BLOB plaintext_password)
 {
 
@@ -383,7 +383,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
 		dump_data(100, plaintext_password.data, plaintext_password.length);
 #endif
 
-		SMBencrypt( (const uchar *)plaintext_password.data, chal, local_lm_response);
+		SMBencrypt( (const uchar *)plaintext_password.data, (const uchar*)chal, local_lm_response);
 		local_lm_blob = data_blob(local_lm_response, 24);
 		
 		/* We can't do an NT hash here, as the password needs to be
@@ -415,8 +415,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
 BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, 
 			      char *smb_name,
 			      char *client_domain, 
-			      DATA_BLOB lm_resp, DATA_BLOB nt_resp,
-			      DATA_BLOB plaintext_password)
+			      DATA_BLOB lm_resp, DATA_BLOB nt_resp)
 {
 	uint32 ntlmssp_flags = 0;
 
@@ -572,9 +571,17 @@ BOOL make_server_info_guest(auth_serversupplied_info **server_info)
  Make an auth_methods struct
 ***************************************************************************/
 
-BOOL make_auth_methods(auth_methods **auth_method) 
+BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) 
 {
-	*auth_method = malloc(sizeof(**auth_method));
+	if (!auth_context) {
+		smb_panic("no auth_context supplied to make_auth_methods()!\n");
+	}
+
+	if (!auth_method) {
+		smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n");
+	}
+
+	*auth_method = talloc(auth_context->mem_ctx, sizeof(**auth_method));
 	if (!*auth_method) {
 		DEBUG(0,("make_auth_method: malloc failed!\n"));
 		return False;
@@ -623,3 +630,33 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken)
 
 	return token;
 }
+
+/**
+ * Squash an NT_STATUS in line with security requirements.
+ * In an attempt to avoid giving the whole game away when users
+ * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and 
+ * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations 
+ * (session setups in particular).
+ *
+ * @param nt_status NTSTATUS input for squashing.
+ * @return the 'squashed' nt_status
+ **/
+
+NTSTATUS nt_status_squash(NTSTATUS nt_status)
+{
+	if NT_STATUS_IS_OK(nt_status) {
+		return nt_status;		
+	} else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
+		/* Match WinXP and don't give the game away */
+		return NT_STATUS_LOGON_FAILURE;
+		
+	} else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
+		/* Match WinXP and don't give the game away */
+		return NT_STATUS_LOGON_FAILURE;
+	} else {
+		return nt_status;
+	}  
+}
+
+
+
-- 
cgit