From a00032a92d9c0fcd4fa3f551abb901e5240f780f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 27 Dec 2011 10:25:55 +1100 Subject: s3-libsmb Make auth_ntlmssp client more generic As well as renaming, this allows us to start the mech by DCE/RPC auth type or OID. Andrew Bartlett Signed-off-by: Stefan Metzmacher --- source3/include/auth_generic.h | 48 ++++++++++++++++++++++++++++++++++++++ source3/include/ntlmssp_wrap.h | 44 ---------------------------------- source3/librpc/crypto/cli_spnego.c | 25 ++++++++++---------- source3/libsmb/clifsinfo.c | 27 ++++++++++----------- source3/libsmb/ntlmssp_wrap.c | 43 +++++++++++++++++++++++++++------- source3/rpc_client/cli_pipe.c | 19 ++++++--------- 6 files changed, 116 insertions(+), 90 deletions(-) create mode 100644 source3/include/auth_generic.h delete mode 100644 source3/include/ntlmssp_wrap.h (limited to 'source3') diff --git a/source3/include/auth_generic.h b/source3/include/auth_generic.h new file mode 100644 index 0000000000..faea6106ad --- /dev/null +++ b/source3/include/auth_generic.h 
@@ -0,0 +1,48 @@ +/* + NLTMSSP wrappers + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett 2001-2011 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _AUTH_GENERIC_ +#define _AUTH_GENERIC_ + +struct gensec_security; + +struct auth_generic_state { + /* used only by the client implementation */ + struct cli_credentials *credentials; + + /* used by both */ + struct gensec_security *gensec_security; +}; + +NTSTATUS auth_generic_set_username(struct auth_generic_state *ans, + const char *user); +NTSTATUS auth_generic_set_domain(struct auth_generic_state *ans, + const char *domain); +NTSTATUS auth_generic_set_password(struct auth_generic_state *ans, + const char *password); +NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, + struct auth_generic_state **_ans); +NTSTATUS auth_generic_client_start(struct auth_generic_state *ans, const char *oid); + +NTSTATUS auth_generic_client_start_by_authtype(struct auth_generic_state *ans, + uint8_t auth_type, + uint8_t auth_level); + +#endif /* _AUTH_GENERIC_ */ diff --git a/source3/include/ntlmssp_wrap.h b/source3/include/ntlmssp_wrap.h deleted file mode 100644 index ac2c77da37..0000000000 --- a/source3/include/ntlmssp_wrap.h +++ /dev/null 
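Review bot: The new header documents none of the ordering and ownership rules the implementation imposes: auth_generic_client_start() and auth_generic_client_start_by_authtype() hand `ans->credentials` to gensec and then set the pointer to NULL, while the auth_generic_set_*() helpers dereference `ans->credentials` without a check, so a set_* call after start is a NULL dereference rather than a reported error. Suggest a comment above the prototypes: `/* auth_generic_set_username/domain/password must be called before either *_client_start(); start hands ans->credentials to gensec_security and leaves the pointer NULL. */`. The banner comment also still reads `NLTMSSP wrappers`, which is both a typo and no longer accurate for a header that starts arbitrary mechanisms by OID or DCE/RPC auth type; `Generic GENSEC client wrappers` would describe the file.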
@@ -1,44 +0,0 @@ -/* - NLTMSSP wrappers - - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Andrew Bartlett 2001-2003 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ - -#ifndef _NTLMSSP_WRAP_ -#define _NTLMSSP_WRAP_ - -struct gensec_security; - -struct auth_generic_state { - /* used only by the client implementation */ - struct cli_credentials *credentials; - - /* used by both */ - struct gensec_security *gensec_security; -}; - -NTSTATUS auth_ntlmssp_set_username(struct auth_generic_state *ans, - const char *user); -NTSTATUS auth_ntlmssp_set_domain(struct auth_generic_state *ans, - const char *domain); -NTSTATUS auth_ntlmssp_set_password(struct auth_generic_state *ans, - const char *password); -NTSTATUS auth_ntlmssp_client_prepare(TALLOC_CTX *mem_ctx, - struct auth_generic_state **_ans); -NTSTATUS auth_ntlmssp_client_start(struct auth_generic_state *ans); - -#endif /* _NTLMSSP_WRAP_ */ diff --git a/source3/librpc/crypto/cli_spnego.c b/source3/librpc/crypto/cli_spnego.c index 827b135b22..54ea99b8e8 100644 --- a/source3/librpc/crypto/cli_spnego.c +++ b/source3/librpc/crypto/cli_spnego.c @@ -2,6 +2,7 @@ * SPNEGO Encapsulation * Client functions * Copyright (C) Simo Sorce 2010. + * Copyright (C) Andrew Bartlett 2011. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -19,7 +20,7 @@ #include "includes.h" #include "../libcli/auth/spnego.h" -#include "include/ntlmssp_wrap.h" +#include "include/auth_generic.h" #include "librpc/gen_ndr/ntlmssp.h" #include "auth/ntlmssp/ntlmssp.h" #include "librpc/crypto/gse.h" @@ -92,7 +93,7 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx, struct spnego_context **spnego_ctx) { struct spnego_context *sp_ctx = NULL; - struct auth_generic_state *auth_ntlmssp_state; + struct auth_generic_state *auth_generic_state; NTSTATUS status; status = spnego_context_init(mem_ctx, do_sign, do_seal, &sp_ctx); @@ -101,28 +102,28 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx, } sp_ctx->mech = SPNEGO_NTLMSSP; - status = auth_ntlmssp_client_prepare(sp_ctx, - &auth_ntlmssp_state); + status = auth_generic_client_prepare(sp_ctx, + &auth_generic_state); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(sp_ctx); return status; } - status = auth_ntlmssp_set_username(auth_ntlmssp_state, + status = auth_generic_set_username(auth_generic_state, username); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(sp_ctx); return status; } - status = auth_ntlmssp_set_domain(auth_ntlmssp_state, + status = auth_generic_set_domain(auth_generic_state, domain); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(sp_ctx); return status; } - status = auth_ntlmssp_set_password(auth_ntlmssp_state, + status = auth_generic_set_password(auth_generic_state, password); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(sp_ctx); 
@@ -130,21 +131,21 @@ NTSTATUS spnego_ntlmssp_init_client(TALLOC_CTX *mem_ctx, } if (do_sign) { - gensec_want_feature(auth_ntlmssp_state->gensec_security, + gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); } else if (do_seal) { - gensec_want_feature(auth_ntlmssp_state->gensec_security, + gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL); } - status = auth_ntlmssp_client_start(auth_ntlmssp_state); + status = auth_generic_client_start(auth_generic_state, GENSEC_OID_NTLMSSP); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(sp_ctx); return status; } - sp_ctx->mech_ctx.gensec_security = talloc_move(sp_ctx, &auth_ntlmssp_state->gensec_security); - TALLOC_FREE(auth_ntlmssp_state); + sp_ctx->mech_ctx.gensec_security = talloc_move(sp_ctx, &auth_generic_state->gensec_security); + TALLOC_FREE(auth_generic_state); *spnego_ctx = sp_ctx; return NT_STATUS_OK; } diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index ff15624c60..5c86c5d288 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c @@ -3,6 +3,7 @@ FS info functions Copyright (C) Stefan (metze) Metzmacher 2003 Copyright (C) Jeremy Allison 2007 + Copyright (C) Andrew Bartlett 2011 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -26,7 +27,7 @@ #include "async_smb.h" #include "../libcli/smb/smb_seal.h" #include "trans2.h" -#include "ntlmssp_wrap.h" +#include "auth_generic.h" #include "auth/gensec/gensec.h" #include "../libcli/smb/smbXcli_base.h" 
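Review bot: The feature selection just before the new `auth_generic_client_start(auth_generic_state, GENSEC_OID_NTLMSSP)` call is an `if (do_sign) ... else if (do_seal)` chain, so a caller that sets both flags only ever gets GENSEC_FEATURE_SIGN requested and the context is never asked to seal. These lines are pre-existing context, but since the commit is reshaping this path it is a good moment to make them two independent checks, `if (do_seal) { gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL); }`, unless gensec is documented to treat SEAL as implying SIGN and no caller passes both; I cannot confirm either from this hunk. spnego_ntlmssp_init_client() begins outside the hunk.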
@@ -610,37 +611,37 @@ NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli, DATA_BLOB blob_out = data_blob_null; DATA_BLOB param_out = data_blob_null; NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - struct auth_generic_state *auth_ntlmssp_state; + struct auth_generic_state *auth_generic_state; struct smb_trans_enc_state *es = make_cli_enc_state(SMB_TRANS_ENC_NTLM); if (!es) { return NT_STATUS_NO_MEMORY; } - status = auth_ntlmssp_client_prepare(NULL, - &auth_ntlmssp_state); + status = auth_generic_client_prepare(NULL, + &auth_generic_state); if (!NT_STATUS_IS_OK(status)) { goto fail; } - gensec_want_feature(auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY); - gensec_want_feature(auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SEAL); + gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SESSION_KEY); + gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL); - if (!NT_STATUS_IS_OK(status = auth_ntlmssp_set_username(auth_ntlmssp_state, user))) { + if (!NT_STATUS_IS_OK(status = auth_generic_set_username(auth_generic_state, user))) { goto fail; } - if (!NT_STATUS_IS_OK(status = auth_ntlmssp_set_domain(auth_ntlmssp_state, domain))) { + if (!NT_STATUS_IS_OK(status = auth_generic_set_domain(auth_generic_state, domain))) { goto fail; } - if (!NT_STATUS_IS_OK(status = auth_ntlmssp_set_password(auth_ntlmssp_state, pass))) { + if (!NT_STATUS_IS_OK(status = auth_generic_set_password(auth_generic_state, pass))) { goto fail; } - if (!NT_STATUS_IS_OK(status = auth_ntlmssp_client_start(auth_ntlmssp_state))) { + if (!NT_STATUS_IS_OK(status = auth_generic_client_start(auth_generic_state, GENSEC_OID_NTLMSSP))) { goto fail; } do { - status = gensec_update(auth_ntlmssp_state->gensec_security, auth_ntlmssp_state, + status = gensec_update(auth_generic_state->gensec_security, auth_generic_state, NULL, blob_in, &blob_out); data_blob_free(&blob_in); data_blob_free(¶m_out); 
@@ -671,13 +672,13 @@ NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli, * es is a malloc()ed pointer, so we cannot make * gensec_security a talloc child */ es->s.gensec_security = talloc_move(NULL, - &auth_ntlmssp_state->gensec_security); + &auth_generic_state->gensec_security); smb1cli_conn_set_encryption(cli->conn, es); es = NULL; } fail: - TALLOC_FREE(auth_ntlmssp_state); + TALLOC_FREE(auth_generic_state); common_free_encryption_state(&es); return status; } diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c index e2d1bc636f..36508129ae 100644 --- a/source3/libsmb/ntlmssp_wrap.c +++ b/source3/libsmb/ntlmssp_wrap.c @@ -20,27 +20,27 @@ #include "includes.h" #include "auth/ntlmssp/ntlmssp.h" -#include "ntlmssp_wrap.h" +#include "auth_generic.h" #include "auth/gensec/gensec.h" #include "auth/credentials/credentials.h" #include "librpc/rpc/dcerpc.h" #include "lib/param/param.h" -NTSTATUS auth_ntlmssp_set_username(struct auth_generic_state *ans, +NTSTATUS auth_generic_set_username(struct auth_generic_state *ans, const char *user) { cli_credentials_set_username(ans->credentials, user, CRED_SPECIFIED); return NT_STATUS_OK; } -NTSTATUS auth_ntlmssp_set_domain(struct auth_generic_state *ans, +NTSTATUS auth_generic_set_domain(struct auth_generic_state *ans, const char *domain) { cli_credentials_set_domain(ans->credentials, domain, CRED_SPECIFIED); return NT_STATUS_OK; } -NTSTATUS auth_ntlmssp_set_password(struct auth_generic_state *ans, +NTSTATUS auth_generic_set_password(struct auth_generic_state *ans, const char *password) { cli_credentials_set_password(ans->credentials, password, CRED_SPECIFIED); 
@@ -153,7 +153,7 @@ static const struct gensec_security_ops gensec_ntlmssp3_client_ops = { .priority = GENSEC_NTLMSSP }; -NTSTATUS auth_ntlmssp_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_state **auth_ntlmssp_state) +NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_state **auth_generic_state) { struct auth_generic_state *ans; NTSTATUS nt_status; @@ -163,7 +163,7 @@ NTSTATUS auth_ntlmssp_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st ans = talloc_zero(mem_ctx, struct auth_generic_state); if (!ans) { - DEBUG(0,("auth_ntlmssp_start: talloc failed!\n")); + DEBUG(0,("auth_generic_start: talloc failed!\n")); return NT_STATUS_NO_MEMORY; } @@ -207,11 +207,11 @@ NTSTATUS auth_ntlmssp_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st talloc_unlink(ans, lp_ctx); talloc_unlink(ans, gensec_settings); - *auth_ntlmssp_state = ans; + *auth_generic_state = ans; return NT_STATUS_OK; } -NTSTATUS auth_ntlmssp_client_start(struct auth_generic_state *ans) +NTSTATUS auth_generic_client_start(struct auth_generic_state *ans, const char *oid) { NTSTATUS status; 
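Review bot: The renamed log message in the second hunk names `auth_generic_start`, which is not a function in this file; the allocation that failed is in auth_generic_client_prepare(), so a grep for the message leads nowhere. Use `DEBUG(0,("auth_generic_client_prepare: talloc failed!\n"));`. In the third hunk auth_generic_client_start() now takes `oid` from the caller; its body continues past the hunk, so whether a NULL or unknown OID is rejected before reaching gensec_start_mech_by_oid() cannot be judged here and would be worth a one-line comment in the header.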
@@ -226,7 +226,32 @@ NTSTATUS auth_ntlmssp_client_start(struct auth_generic_state *ans) ans->credentials = NULL; status = gensec_start_mech_by_oid(ans->gensec_security, - GENSEC_OID_NTLMSSP); + oid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return NT_STATUS_OK; +} + +NTSTATUS auth_generic_client_start_by_authtype(struct auth_generic_state *ans, + uint8_t auth_type, + uint8_t auth_level) +{ + NTSTATUS status; + + /* Transfer the credentials to gensec */ + status = gensec_set_credentials(ans->gensec_security, ans->credentials); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to set GENSEC credentials: %s\n", + nt_errstr(status))); + return status; + } + talloc_unlink(ans, ans->credentials); + ans->credentials = NULL; + + status = gensec_start_mech_by_authtype(ans->gensec_security, + auth_type, auth_level); if (!NT_STATUS_IS_OK(status)) { return status; } diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 8ea500db70..93e1357733 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3,6 +3,7 @@ * RPC Pipe client routines * Largely rewritten by Jeremy Allison 2005. * Heavily modified by Simo Sorce 2010. + * Copyright Andrew Bartlett 2011. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -26,7 +27,7 @@ #include "../libcli/auth/schannel.h" #include "../libcli/auth/spnego.h" #include "../auth/ntlmssp/ntlmssp.h" -#include "ntlmssp_wrap.h" +#include "auth_generic.h" #include "librpc/gen_ndr/ndr_dcerpc.h" #include "librpc/rpc/dcerpc.h" #include "librpc/crypto/gse.h" 
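Review bot: The new auth_generic_client_start_by_authtype() repeats the credential hand-over sequence (gensec_set_credentials, DEBUG on failure, talloc_unlink, `ans->credentials = NULL`) that, judging by the `ans->credentials = NULL;` visible at the top of the hunk, presumably already exists in auth_generic_client_start(), whose start lies outside the hunk. Two copies of the code that decides when the password-bearing credentials leave this struct will drift; factoring it into one static helper keeps the ownership transfer in a single place and lets both start functions share it. auth_generic_client_start_by_authtype()'s final `return NT_STATUS_OK;` and closing brace are outside the hunk.

```c
/* Hand the collected credentials to gensec; ans->credentials is NULL afterwards. */
static NTSTATUS auth_generic_transfer_credentials(struct auth_generic_state *ans)
{
	NTSTATUS status;

	status = gensec_set_credentials(ans->gensec_security, ans->credentials);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(1, ("Failed to set GENSEC credentials: %s\n",
			  nt_errstr(status)));
		return status;
	}
	talloc_unlink(ans, ans->credentials);
	ans->credentials = NULL;
	return NT_STATUS_OK;
}

NTSTATUS auth_generic_client_start_by_authtype(struct auth_generic_state *ans,
					       uint8_t auth_type,
					       uint8_t auth_level)
{
	NTSTATUS status;

	status = auth_generic_transfer_credentials(ans);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = gensec_start_mech_by_authtype(ans->gensec_security,
					       auth_type, auth_level);
	/* … unchanged: status check and return … */
```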
@@ -2284,34 +2285,28 @@ static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx, goto fail; } - status = auth_ntlmssp_client_prepare(result, + status = auth_generic_client_prepare(result, &ntlmssp_ctx); if (!NT_STATUS_IS_OK(status)) { goto fail; } - status = auth_ntlmssp_set_username(ntlmssp_ctx, username); + status = auth_generic_set_username(ntlmssp_ctx, username); if (!NT_STATUS_IS_OK(status)) { goto fail; } - status = auth_ntlmssp_set_domain(ntlmssp_ctx, domain); + status = auth_generic_set_domain(ntlmssp_ctx, domain); if (!NT_STATUS_IS_OK(status)) { goto fail; } - status = auth_ntlmssp_set_password(ntlmssp_ctx, password); + status = auth_generic_set_password(ntlmssp_ctx, password); if (!NT_STATUS_IS_OK(status)) { goto fail; } - if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { - gensec_want_feature(ntlmssp_ctx->gensec_security, GENSEC_FEATURE_SIGN); - } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { - gensec_want_feature(ntlmssp_ctx->gensec_security, GENSEC_FEATURE_SEAL); - } - - status = auth_ntlmssp_client_start(ntlmssp_ctx); + status = auth_generic_client_start_by_authtype(ntlmssp_ctx, auth_type, auth_level); if (!NT_STATUS_IS_OK(status)) { goto fail; } -- cgit
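Review bot: The removed `gensec_want_feature(..., GENSEC_FEATURE_SIGN)` / `GENSEC_FEATURE_SEAL` calls were the only visible place where `auth_level` was translated into a request for integrity or privacy; the new code passes `auth_level` to auth_generic_client_start_by_authtype() and therefore relies entirely on gensec_start_mech_by_authtype() to set those features. That is worth confirming explicitly, because if the mapping is missing for any level the bind would succeed as an authenticate-only pipe with no error to the caller, which is a silent downgrade. A comment at the call site would make the dependency visible: `/* auth_level selects SIGN/SEAL inside gensec_start_mech_by_authtype() */`. `auth_type` is not defined in this hunk and is presumably a parameter of rpccli_ntlmssp_bind_data(), whose start and remaining body lie outside the hunk; since the function is still named for NTLMSSP but now forwards any auth type, a note on whether callers may pass other types would help.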