git.samba.org / amitay / samba.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
s3-ntlmssp Split calls to gensec plugin into prepare and start
[amitay/samba.git] / source3 / auth / auth_ntlmssp.c
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index bebb86ee174417beaa47155ddaee035eac6868ce..c078416aad0fa456b2dedf203756dc47d2d8c368 100644 (file)
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -21,107 +21,36 @@
 */
 
 #include "includes.h"
+#include "auth.h"
 #include "../libcli/auth/ntlmssp.h"
-
-struct auth_ntlmssp_state {
-       struct auth_context *auth_context;
-       struct auth_serversupplied_info *server_info;
-       struct ntlmssp_state *ntlmssp_state;
-};
-
-NTSTATUS auth_ntlmssp_sign_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
-                                 TALLOC_CTX *sig_mem_ctx,
-                                 const uint8_t *data, size_t length,
-                                 const uint8_t *whole_pdu, size_t pdu_length,
-                                 DATA_BLOB *sig)
-{
-       return ntlmssp_sign_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
-}
-
-NTSTATUS auth_ntlmssp_check_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
-                                  const uint8_t *data, size_t length,
-                                  const uint8_t *whole_pdu, size_t pdu_length,
-                                  const DATA_BLOB *sig)
-{
-       return ntlmssp_check_packet(auth_ntlmssp_state->ntlmssp_state, data, length, whole_pdu, pdu_length, sig);
-}
-
-NTSTATUS auth_ntlmssp_seal_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
-                                 TALLOC_CTX *sig_mem_ctx,
-                                 uint8_t *data, size_t length,
-                                 const uint8_t *whole_pdu, size_t pdu_length,
-                                 DATA_BLOB *sig)
-{
-       return ntlmssp_seal_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
-}
-
-NTSTATUS auth_ntlmssp_unseal_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
-                                   uint8_t *data, size_t length,
-                                   const uint8_t *whole_pdu, size_t pdu_length,
-                                   const DATA_BLOB *sig)
-{
-       return ntlmssp_unseal_packet(auth_ntlmssp_state->ntlmssp_state, data, length, whole_pdu, pdu_length, sig);
-}
-
-bool auth_ntlmssp_negotiated_sign(struct auth_ntlmssp_state *auth_ntlmssp_state)
-{
-       return auth_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN;
-}
-
-bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
-{
-       return auth_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL;
-}
-
-void auth_ntlmssp_want_sign(struct auth_ntlmssp_state *auth_ntlmssp_state)
-{
-
-}
-
-void auth_ntlmssp_want_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
+#include "ntlmssp_wrap.h"
+#include "../librpc/gen_ndr/netlogon.h"
+#include "../lib/tsocket/tsocket.h"
+#include "auth/gensec/gensec.h"
+
+NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
+                                       struct auth_ntlmssp_state *auth_ntlmssp_state,
+                                       struct auth_session_info **session_info)
 {
+       NTSTATUS nt_status;
+       if (auth_ntlmssp_state->gensec_security) {
 
-}
-
-NTSTATUS auth_ntlmssp_server_info(TALLOC_CTX *mem_ctx,
-                                 struct auth_ntlmssp_state *auth_ntlmssp_state,
-                                 struct auth_serversupplied_info **_server_info)
-{
-       struct auth_serversupplied_info *server_info = auth_ntlmssp_state->server_info;
-       data_blob_free(&server_info->user_session_key);
-       server_info->user_session_key =
-               data_blob_talloc(
-                       server_info,
-                       auth_ntlmssp_state->ntlmssp_state->session_key.data,
-                       auth_ntlmssp_state->ntlmssp_state->session_key.length);
-       if (auth_ntlmssp_state->ntlmssp_state->session_key.length && !server_info->user_session_key.data) {
-               *_server_info = NULL;
-               return NT_STATUS_NO_MEMORY;
+               nt_status = gensec_session_info(auth_ntlmssp_state->gensec_security,
+                                               mem_ctx,
+                                               session_info);
+               return nt_status;
        }
-       auth_ntlmssp_state->server_info = NULL;
-       *_server_info = talloc_steal(mem_ctx, server_info);
-       return NT_STATUS_OK;
-}
 
-struct ntlmssp_state *auth_ntlmssp_get_ntlmssp_state(struct auth_ntlmssp_state *auth_ntlmssp_state)
-{
-       return auth_ntlmssp_state->ntlmssp_state;
-}
+       nt_status = create_local_token(mem_ctx,
+                                      auth_ntlmssp_state->server_info,
+                                      &auth_ntlmssp_state->ntlmssp_state->session_key,
+                                      session_info);
 
-/* Needed for 'map to guest' and 'smb username' processing */
-const char *auth_ntlmssp_get_username(struct auth_ntlmssp_state *auth_ntlmssp_state)
-{
-       return auth_ntlmssp_state->ntlmssp_state->user;
-}
-
-const char *auth_ntlmssp_get_domain(struct auth_ntlmssp_state *auth_ntlmssp_state)
-{
-       return auth_ntlmssp_state->ntlmssp_state->domain;
-}
-
-const char *auth_ntlmssp_get_client(struct auth_ntlmssp_state *auth_ntlmssp_state)
-{
-       return auth_ntlmssp_state->ntlmssp_state->client.netbios_name;
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               DEBUG(10, ("create_local_token failed: %s\n",
+                          nt_errstr(nt_status)));
+       }
+       return nt_status;
 }
 
 /**
@@ -182,7 +111,8 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state,
  * Return the session keys used on the connection.
  */
 
-static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) 
+static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
+                                           DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 {
        struct auth_ntlmssp_state *auth_ntlmssp_state =
                (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
@@ -199,23 +129,24 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
        /* sub_set_smb_name checks for weird internally */
        sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
 
-       reload_services(True);
+       lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
 
-       nt_status = make_user_info_map(&user_info, 
+       nt_status = make_user_info_map(&user_info,
                                       auth_ntlmssp_state->ntlmssp_state->user, 
                                       auth_ntlmssp_state->ntlmssp_state->domain, 
                                       auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
+                                      auth_ntlmssp_state->remote_address,
                                       auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL, 
                                       auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL, 
                                       NULL, NULL, NULL,
-                                      True);
-
-       user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
+                                      AUTH_PASSWORD_RESPONSE);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
        }
 
+       user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
+
        nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context, 
                                                                          user_info, &auth_ntlmssp_state->server_info); 
 
@@ -224,39 +155,41 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
        free_user_info(&user_info);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
+               nt_status = do_map_to_guest_server_info(nt_status,
+                                                       &auth_ntlmssp_state->server_info,
+                                                       auth_ntlmssp_state->ntlmssp_state->user,
+                                                       auth_ntlmssp_state->ntlmssp_state->domain);
                return nt_status;
        }
 
        auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
 
-       nt_status = create_local_token(auth_ntlmssp_state->server_info);
-
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               DEBUG(10, ("create_local_token failed: %s\n",
-                       nt_errstr(nt_status)));
-               return nt_status;
-       }
-
-       if (auth_ntlmssp_state->server_info->user_session_key.length) {
+       /* Clear out the session keys, and pass them to the caller.
+        * They will not be used in this form again - instead the
+        * NTLMSSP code will decide on the final correct session key,
+        * and put it back here at the end of
+        * auth_ntlmssp_steal_server_info */
+       if (auth_ntlmssp_state->server_info->session_key.length) {
                DEBUG(10, ("Got NT session key of length %u\n",
-                       (unsigned int)auth_ntlmssp_state->server_info->user_session_key.length));
-               *user_session_key = data_blob_talloc(auth_ntlmssp_state,
-                                                  auth_ntlmssp_state->server_info->user_session_key.data,
-                                                  auth_ntlmssp_state->server_info->user_session_key.length);
+                       (unsigned int)auth_ntlmssp_state->server_info->session_key.length));
+               *session_key = auth_ntlmssp_state->server_info->session_key;
+               talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->session_key.data);
+               auth_ntlmssp_state->server_info->session_key = data_blob_null;
        }
        if (auth_ntlmssp_state->server_info->lm_session_key.length) {
                DEBUG(10, ("Got LM session key of length %u\n",
                        (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
-               *lm_session_key = data_blob_talloc(auth_ntlmssp_state,
-                                                  auth_ntlmssp_state->server_info->lm_session_key.data,
-                                                  auth_ntlmssp_state->server_info->lm_session_key.length);
+               *lm_session_key = auth_ntlmssp_state->server_info->lm_session_key;
+               talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->lm_session_key.data);
+               auth_ntlmssp_state->server_info->lm_session_key = data_blob_null;
        }
        return nt_status;
 }
 
 static int auth_ntlmssp_state_destructor(void *ptr);
 
-NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state)
+NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
+                           struct auth_ntlmssp_state **auth_ntlmssp_state)
 {
        NTSTATUS nt_status;
        bool is_standalone;
@@ -265,16 +198,44 @@ NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state)
        const char *dns_name;
        char *dns_domain;
        struct auth_ntlmssp_state *ans;
-       struct ntlmssp_state *ntlmssp_state;
        struct auth_context *auth_context;
 
-       if ((enum server_types)lp_server_role() == ROLE_STANDALONE) {
+       ans = talloc_zero(NULL, struct auth_ntlmssp_state);
+       if (!ans) {
+               DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               TALLOC_FREE(ans);
+               return nt_status;
+       }
+
+       if (auth_context->prepare_gensec) {
+               nt_status = auth_context->prepare_gensec(ans, &ans->gensec_security);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       TALLOC_FREE(ans);
+                       return nt_status;
+               } else {
+                       nt_status = auth_context->gensec_start_mech_by_oid(ans->gensec_security, GENSEC_OID_NTLMSSP);
+                       if (!NT_STATUS_IS_OK(nt_status)) {
+                               TALLOC_FREE(ans);
+                               return nt_status;
+                       } else {
+                               *auth_ntlmssp_state = ans;
+                               return NT_STATUS_OK;
+                       }
+               }
+       }
+
+       if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
                is_standalone = true;
        } else {
                is_standalone = false;
        }
 
-       netbios_name = global_myname();
+       netbios_name = lp_netbios_name();
        netbios_domain = lp_workgroup();
        /* This should be a 'netbios domain -> DNS domain' mapping */
        dns_domain = get_mydnsdomname(talloc_tos());
@@ -283,10 +244,9 @@ NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state)
        }
        dns_name = get_mydnsfullname();
 
-       ans = talloc_zero(NULL, struct auth_ntlmssp_state);
-       if (!ans) {
+       ans->remote_address = tsocket_address_copy(remote_address, ans);
+       if (ans->remote_address == NULL) {
                DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
-               TALLOC_FREE(ntlmssp_state);
                return NT_STATUS_NO_MEMORY;
        }
 
@@ -301,10 +261,6 @@ NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state)
                return nt_status;
        }
 
-       nt_status = make_auth_context_subsystem(&auth_context);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               return nt_status;
-       }
        ans->auth_context = talloc_steal(ans, auth_context);
 
        ans->ntlmssp_state->callback_private = ans;
@@ -325,13 +281,8 @@ static int auth_ntlmssp_state_destructor(void *ptr)
 
        ans = talloc_get_type(ptr, struct auth_ntlmssp_state);
 
+       TALLOC_FREE(ans->remote_address);
        TALLOC_FREE(ans->server_info);
        TALLOC_FREE(ans->ntlmssp_state);
        return 0;
 }
-
-NTSTATUS auth_ntlmssp_update(struct auth_ntlmssp_state *auth_ntlmssp_state,
-                            const DATA_BLOB request, DATA_BLOB *reply) 
-{
-       return ntlmssp_update(auth_ntlmssp_state->ntlmssp_state, request, reply);
-}
Amitay's Samba development tree