#include "../libcli/auth/libcli_auth.h"
#include "librpc/gen_ndr/ndr_dcerpc.h"
#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
/**
* Callbacks for NTLMSSP - for both client and server operating modes
.role = NTLMSSP_CLIENT,
.command = NTLMSSP_INITIAL,
.sync_fn = ntlmssp_client_initial,
+ },{
+ .role = NTLMSSP_CLIENT,
+ .command = NTLMSSP_NEGOTIATE,
+ .sync_fn = gensec_ntlmssp_resume_ccache,
},{
.role = NTLMSSP_SERVER,
.command = NTLMSSP_NEGOTIATE,
};
-static NTSTATUS gensec_ntlmssp_update_find(struct ntlmssp_state *ntlmssp_state,
+static NTSTATUS gensec_ntlmssp_update_find(struct gensec_security *gensec_security,
+ struct gensec_ntlmssp_context *gensec_ntlmssp,
const DATA_BLOB input, uint32_t *idx)
{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(ntlmssp_state->callback_private,
- struct gensec_ntlmssp_context);
- struct gensec_security *gensec_security = gensec_ntlmssp->gensec_security;
uint32_t ntlmssp_command;
uint32_t i;
- if (ntlmssp_state->expected_state == NTLMSSP_DONE) {
+ if (gensec_ntlmssp->ntlmssp_state->expected_state == NTLMSSP_DONE) {
/* We are strict here because other modules, which we
* don't fully control (such as GSSAPI) are also
* strict, but are tested less often */
}
if (!input.length) {
- switch (ntlmssp_state->role) {
+ switch (gensec_ntlmssp->ntlmssp_state->role) {
case NTLMSSP_CLIENT:
+ if (gensec_ntlmssp->ntlmssp_state->resume_ccache) {
+ /*
+ * make sure gensec_ntlmssp_resume_ccache()
+ * will be called
+ */
+ ntlmssp_command = NTLMSSP_NEGOTIATE;
+ break;
+ }
+
ntlmssp_command = NTLMSSP_INITIAL;
break;
case NTLMSSP_SERVER:
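Review bot: The comment on the new `resume_ccache` branch in the `NTLMSSP_CLIENT` case says only that gensec_ntlmssp_resume_ccache() will be called, not what keeps an ordinary client context off that path. What gates it is the later `ntlmssp_command != expected_state` comparison, so the comment should state that precondition, for example `/* resume mode: expected_state must already be NTLMSSP_NEGOTIATE (presumably set by the resume start function), else the check below rejects this */`. The `default:` arm added in the next hunk logs the role with `%d`, while the existing "failed to find NTLMSSP callback" message prints the same field with `%u`; use one specifier for both. The body of gensec_ntlmssp_update_find continues outside this hunk.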
return NT_STATUS_INVALID_PARAMETER;
}
break;
+ default:
+ DEBUG(1, ("NTLMSSP state has invalid role %d\n",
+ gensec_ntlmssp->ntlmssp_state->role));
+ return NT_STATUS_INVALID_PARAMETER;
}
} else {
- if (!msrpc_parse(ntlmssp_state,
+ if (!msrpc_parse(gensec_ntlmssp->ntlmssp_state,
&input, "Cd",
"NTLMSSP",
&ntlmssp_command)) {
}
}
- if (ntlmssp_command != ntlmssp_state->expected_state) {
- DEBUG(2, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command, ntlmssp_state->expected_state));
+ if (ntlmssp_command != gensec_ntlmssp->ntlmssp_state->expected_state) {
+ DEBUG(2, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command,
+ gensec_ntlmssp->ntlmssp_state->expected_state));
return NT_STATUS_INVALID_PARAMETER;
}
for (i=0; i < ARRAY_SIZE(ntlmssp_callbacks); i++) {
- if (ntlmssp_callbacks[i].role == ntlmssp_state->role &&
+ if (ntlmssp_callbacks[i].role == gensec_ntlmssp->ntlmssp_state->role &&
ntlmssp_callbacks[i].command == ntlmssp_command) {
*idx = i;
return NT_STATUS_OK;
}
DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command %u\n",
- ntlmssp_state->role, ntlmssp_command));
+ gensec_ntlmssp->ntlmssp_state->role, ntlmssp_command));
return NT_STATUS_INVALID_PARAMETER;
}
out_mem_ctx = ntlmssp_state;
}
- status = gensec_ntlmssp_update_find(ntlmssp_state, input, &i);
+ status = gensec_ntlmssp_update_find(gensec_security, gensec_ntlmssp, input, &i);
NT_STATUS_NOT_OK_RETURN(status);
status = ntlmssp_callbacks[i].sync_fn(gensec_security, out_mem_ctx, input, out);
return NT_STATUS_OK;
}
+static NTSTATUS gensec_ntlmssp_may_reset_crypto(struct gensec_security *gensec_security,
+ bool full_reset)
+{
+ struct gensec_ntlmssp_context *gensec_ntlmssp =
+ talloc_get_type_abort(gensec_security->private_data,
+ struct gensec_ntlmssp_context);
+ struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
+ NTSTATUS status;
+ bool reset_seqnums = full_reset;
+
+ if (!gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+ return NT_STATUS_OK;
+ }
+
+ status = ntlmssp_sign_reset(ntlmssp_state, reset_seqnums);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not reset NTLMSSP signing/sealing system (error was: %s)\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static const char *gensec_ntlmssp_final_auth_type(struct gensec_security *gensec_security)
+{
+ return GENSEC_FINAL_AUTH_TYPE_NTLMSSP;
+}
+
static const char *gensec_ntlmssp_oids[] = {
GENSEC_OID_NTLMSSP,
NULL
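Review bot: `gensec_ntlmssp_may_reset_crypto()` has no comment explaining `full_reset`, and the `reset_seqnums` local only renames it before the single call to `ntlmssp_sign_reset()`. The flag appears to decide whether signing sequence numbers are restarted, which bears on replay protection of signed traffic, so the contract belongs at the definition. A comment such as `/* full_reset: also restart the sign/seal sequence numbers */` would do, with the wording confirmed against `ntlmssp_sign_reset()`, which is not part of this diff. Passing `full_reset` directly would remove the extra local. The early `return NT_STATUS_OK` when `GENSEC_FEATURE_SIGN` is absent also deserves a one-line comment saying that nothing is reset in that case.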
.server_start = gensec_ntlmssp_server_start,
.magic = gensec_ntlmssp_magic,
.update = gensec_ntlmssp_update,
+ .may_reset_crypto= gensec_ntlmssp_may_reset_crypto,
.sig_size = gensec_ntlmssp_sig_size,
.sign_packet = gensec_ntlmssp_sign_packet,
.check_packet = gensec_ntlmssp_check_packet,
.session_key = gensec_ntlmssp_session_key,
.session_info = gensec_ntlmssp_session_info,
.have_feature = gensec_ntlmssp_have_feature,
+ .final_auth_type = gensec_ntlmssp_final_auth_type,
.enabled = true,
.priority = GENSEC_NTLMSSP
};
+static const struct gensec_security_ops gensec_ntlmssp_resume_ccache_ops = {
+ .name = "ntlmssp_resume_ccache",
+ .client_start = gensec_ntlmssp_resume_ccache_start,
+ .update = gensec_ntlmssp_update,
+ .session_key = gensec_ntlmssp_session_key,
+ .have_feature = gensec_ntlmssp_have_feature,
+ .enabled = true,
+ .priority = GENSEC_NTLMSSP
+};
-_PUBLIC_ NTSTATUS gensec_ntlmssp_init(void)
+_PUBLIC_ NTSTATUS gensec_ntlmssp_init(TALLOC_CTX *ctx)
{
NTSTATUS ret;
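Review bot: `gensec_ntlmssp_resume_ccache_ops` reuses `gensec_ntlmssp_have_feature` but sets none of `sig_size`, `sign_packet` or `check_packet`, unlike the `gensec_ntlmssp_security_ops` table edited just above it. The body of `have_feature` is not in this diff; if it can report signing or sealing from the negotiated flags, a caller could conclude that integrity protection is available on a context that has no callbacks to provide it. One fix is a comment at the table stating that this backend only completes authentication and exposes the session key, and never protects packets. The other is a small `have_feature` wrapper that declines `GENSEC_FEATURE_SIGN` and `GENSEC_FEATURE_SEAL`. The new `ctx` parameter of `gensec_ntlmssp_init()` is not used in any line visible here, so a comment on its purpose would help.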
return ret;
}
+ ret = gensec_register(&gensec_ntlmssp_resume_ccache_ops);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
+ gensec_ntlmssp_resume_ccache_ops.name));
+ return ret;
+ }
+
return ret;
}
+
+static struct gensec_security *gensec_find_child_by_ops(struct gensec_security *gensec_security,
+ const struct gensec_security_ops *ops)
+{
+ struct gensec_security *current = gensec_security;
+
+ while (current != NULL) {
+ if (current->ops == ops) {
+ return current;
+ }
+
+ current = current->child_security;
+ }
+
+ return NULL;
+}
+
+uint32_t gensec_ntlmssp_neg_flags(struct gensec_security *gensec_security)
+{
+ struct gensec_ntlmssp_context *gensec_ntlmssp;
+
+ gensec_security = gensec_find_child_by_ops(gensec_security,
+ &gensec_ntlmssp_security_ops);
+ if (gensec_security == NULL) {
+ return 0;
+ }
+
+ gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
+ struct gensec_ntlmssp_context);
+ return gensec_ntlmssp->ntlmssp_state->neg_flags;
+}
+
+const char *gensec_ntlmssp_server_domain(struct gensec_security *gensec_security)
+{
+ struct gensec_ntlmssp_context *gensec_ntlmssp;
+
+ gensec_security = gensec_find_child_by_ops(gensec_security,
+ &gensec_ntlmssp_security_ops);
+ if (gensec_security == NULL) {
+ return NULL;
+ }
+
+ gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
+ struct gensec_ntlmssp_context);
+ return gensec_ntlmssp->ntlmssp_state->server.netbios_domain;
+}
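Review bot: `gensec_ntlmssp_neg_flags()` and `gensec_ntlmssp_server_domain()` search only for `&gensec_ntlmssp_security_ops`, so a context started through the `gensec_ntlmssp_resume_ccache_ops` backend registered earlier in this hunk takes the not-found path. A `0` from `gensec_ntlmssp_neg_flags()` then cannot be told apart from "no flags negotiated". If any caller bases a policy decision on these flags, such as whether signing was agreed, document that ambiguity at the definition or have the lookup accept the resume ops as well. Both accessors dereference `gensec_ntlmssp->ntlmssp_state` without a NULL check, and `gensec_ntlmssp_server_domain()` returns a pointer that presumably belongs to that state. A comment such as `/* returned string belongs to the NTLMSSP state; do not use it after the gensec context is freed */` would make the lifetime explicit.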