s3-auth: Use common gensec_ntlmssp server functions for more of gensec_ntlmssp3_server
authorAndrew Bartlett <abartlet@samba.org>
Tue, 31 Jan 2012 03:39:34 +0000 (14:39 +1100)
committerStefan Metzmacher <metze@samba.org>
Fri, 17 Feb 2012 09:48:09 +0000 (10:48 +0100)
This is possible because we now supply the auth4_context abstraction that this
code is looking for.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
auth/ntlmssp/gensec_ntlmssp_server.c
auth/ntlmssp/ntlmssp_private.h
source3/Makefile.in
source3/auth/auth_ntlmssp.c

index f37f2e7..841e6a6 100644 (file)
@@ -81,8 +81,8 @@ NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security,
  * @return an 8 byte random challenge
  */
 
-static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
-                                          uint8_t chal[8])
+NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
+                                   uint8_t chal[8])
 {
        struct gensec_ntlmssp_context *gensec_ntlmssp =
                talloc_get_type_abort(ntlmssp_state->callback_private,
@@ -107,7 +107,7 @@ static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_s
  *
  * @return If the effective challenge used by the auth subsystem may be modified
  */
-static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
+bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
 {
        struct gensec_ntlmssp_context *gensec_ntlmssp =
                talloc_get_type_abort(ntlmssp_state->callback_private,
@@ -124,7 +124,7 @@ static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_s
  * NTLM2 authentication modifies the effective challenge,
  * @param challenge The new challenge value
  */
-static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
+NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
 {
        struct gensec_ntlmssp_context *gensec_ntlmssp =
                talloc_get_type_abort(ntlmssp_state->callback_private,
@@ -153,9 +153,9 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state,
  * Return the session keys used on the connection.
  */
 
-static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
-                                           TALLOC_CTX *mem_ctx,
-                                           DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
+NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
+                                    TALLOC_CTX *mem_ctx,
+                                    DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
 {
        struct gensec_ntlmssp_context *gensec_ntlmssp =
                talloc_get_type_abort(ntlmssp_state->callback_private,
@@ -191,6 +191,15 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
                                                         user_session_key, lm_session_key);
        }
        talloc_free(user_info);
+
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               DEBUG(5,("%s: Checking NTLMSSP password for %s\\%s failed: %s\n",
+                        __location__,
+                        user_info->client.domain_name,
+                        user_info->client.account_name,
+                        nt_errstr(nt_status)));
+       }
+
        NT_STATUS_NOT_OK_RETURN(nt_status);
 
        talloc_steal(mem_ctx, user_session_key->data);
index 431626c..e7fa3d5 100644 (file)
@@ -134,3 +134,34 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
  *
  */
 NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security);
+
+/**
+ * Return the challenge as determined by the authentication subsystem
+ * @return an 8 byte random challenge
+ */
+
+NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
+                                   uint8_t chal[8]);
+
+/**
+ * Some authentication methods 'fix' the challenge, so we may not be able to set it
+ *
+ * @return If the effective challenge used by the auth subsystem may be modified
+ */
+bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state);
+
+/**
+ * NTLM2 authentication modifies the effective challenge,
+ * @param challenge The new challenge value
+ */
+NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge);
+
+/**
+ * Check the password on an NTLMSSP login.
+ *
+ * Return the session keys used on the connection.
+ */
+
+NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
+                                    TALLOC_CTX *mem_ctx,
+                                    DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key);
index c433961..0425cd7 100644 (file)
@@ -569,6 +569,7 @@ LIBSMB_OBJ0 = \
               ../auth/ntlmssp/ntlmssp_util.o \
               ../auth/ntlmssp/ntlmssp_sign.o \
               ../auth/ntlmssp/gensec_ntlmssp.o \
+              ../auth/ntlmssp/gensec_ntlmssp_server.o \
               $(LIBNDR_NTLMSSP_OBJ) \
               ../auth/ntlmssp/ntlmssp_ndr.o \
               ../auth/ntlmssp/ntlmssp_server.o
index f0c96ab..b9d4b72 100644 (file)
@@ -24,6 +24,7 @@
 #include "includes.h"
 #include "auth.h"
 #include "../auth/ntlmssp/ntlmssp.h"
+#include "../auth/ntlmssp/ntlmssp_private.h"
 #include "../librpc/gen_ndr/netlogon.h"
 #include "../librpc/gen_ndr/dcerpc.h"
 #include "../lib/tsocket/tsocket.h"
@@ -221,187 +222,6 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
        return nt_status;
 }
 
-/**
- * Return the challenge as determined by the authentication subsystem
- * @return an 8 byte random challenge
- */
-
-static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
-                                          uint8_t chal[8])
-{
-       struct gensec_ntlmssp_context *gensec_ntlmssp =
-               talloc_get_type_abort(ntlmssp_state->callback_private,
-                                     struct gensec_ntlmssp_context);
-       struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
-       NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
-
-       if (auth_context->get_challenge) {
-               status = auth_context->get_challenge(auth_context, chal);
-               if (!NT_STATUS_IS_OK(status)) {
-                       DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
-                                 nt_errstr(status)));
-                       return status;
-               }
-       }
-
-       return status;
-}
-
-/**
- * Some authentication methods 'fix' the challenge, so we may not be able to set it
- *
- * @return If the effective challenge used by the auth subsystem may be modified
- */
-static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
-{
-       struct gensec_ntlmssp_context *gensec_ntlmssp =
-               talloc_get_type_abort(ntlmssp_state->callback_private,
-                                     struct gensec_ntlmssp_context);
-       struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
-
-       if (auth_context->challenge_may_be_modified) {
-               return auth_context->challenge_may_be_modified(auth_context);
-       }
-       return false;
-}
-
-/**
- * NTLM2 authentication modifies the effective challenge,
- * @param challenge The new challenge value
- */
-static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
-{
-       struct gensec_ntlmssp_context *gensec_ntlmssp =
-               talloc_get_type_abort(ntlmssp_state->callback_private,
-                                     struct gensec_ntlmssp_context);
-       struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
-       NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
-       const uint8_t *chal;
-
-       if (challenge->length != 8) {
-               return NT_STATUS_INVALID_PARAMETER;
-       }
-
-       chal = challenge->data;
-
-       if (auth_context->set_challenge) {
-               nt_status = auth_context->set_challenge(auth_context,
-                                                       chal,
-                                                       "NTLMSSP callback (NTLM2)");
-       }
-       return nt_status;
-}
-
-/**
- * Check the password on an NTLMSSP login.
- *
- * Return the session keys used on the connection.
- */
-
-static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
-                                           TALLOC_CTX *mem_ctx,
-                                           DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
-{
-       struct gensec_ntlmssp_context *gensec_ntlmssp =
-               talloc_get_type_abort(ntlmssp_state->callback_private,
-                                     struct gensec_ntlmssp_context);
-       struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
-       NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
-       struct auth_usersupplied_info *user_info;
-
-       user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
-       if (!user_info) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
-       user_info->flags = 0;
-       user_info->mapped_state = false;
-       user_info->client.account_name = ntlmssp_state->user;
-       user_info->client.domain_name = ntlmssp_state->domain;
-       user_info->workstation_name = ntlmssp_state->client.netbios_name;
-       user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security);
-
-       user_info->password_state = AUTH_PASSWORD_RESPONSE;
-       user_info->password.response.lanman = ntlmssp_state->lm_resp;
-       user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data);
-       user_info->password.response.nt = ntlmssp_state->nt_resp;
-       user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
-
-       if (auth_context->check_password) {
-               nt_status = auth_context->check_password(auth_context,
-                                                        gensec_ntlmssp,
-                                                        user_info,
-                                                        &gensec_ntlmssp->server_returned_info,
-                                                        user_session_key, lm_session_key);
-       }
-       talloc_free(user_info);
-
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               DEBUG(5,("%s: Checking NTLMSSP password for %s\\%s failed: %s\n",
-                        __location__,
-                        user_info->client.domain_name,
-                        user_info->client.account_name,
-                        nt_errstr(nt_status)));
-       }
-
-       NT_STATUS_NOT_OK_RETURN(nt_status);
-
-       talloc_steal(mem_ctx, user_session_key->data);
-       talloc_steal(mem_ctx, lm_session_key->data);
-
-       return nt_status;
-}
-
-/**
- * Return the credentials of a logged on user, including session keys
- * etc.
- *
- * Only valid after a successful authentication
- *
- * May only be called once per authentication.
- *
- */
-
-static NTSTATUS gensec_ntlmssp3_server_session_info(struct gensec_security *gensec_security,
-                                                   TALLOC_CTX *mem_ctx,
-                                                   struct auth_session_info **session_info)
-{
-       NTSTATUS nt_status;
-       struct gensec_ntlmssp_context *gensec_ntlmssp =
-               talloc_get_type_abort(gensec_security->private_data,
-                                     struct gensec_ntlmssp_context);
-       uint32_t session_info_flags = 0;
-
-       if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
-               session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
-       }
-
-       session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
-
-       if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) {
-               nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
-                                                                                gensec_ntlmssp->server_returned_info,
-                                                                                gensec_ntlmssp->ntlmssp_state->user,
-                                                                                session_info_flags,
-                                                                                session_info);
-       } else {
-               DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
-               return NT_STATUS_INTERNAL_ERROR;
-       }
-
-       NT_STATUS_NOT_OK_RETURN(nt_status);
-
-       nt_status = gensec_ntlmssp_session_key(gensec_security, *session_info,
-                                         &(*session_info)->session_key);
-
-       if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) {
-               (*session_info)->session_key = data_blob_null;
-               nt_status = NT_STATUS_OK;
-       }
-       return nt_status;
-}
-
 static NTSTATUS gensec_ntlmssp3_server_start(struct gensec_security *gensec_security)
 {
        NTSTATUS nt_status;
@@ -487,7 +307,7 @@ const struct gensec_security_ops gensec_ntlmssp3_server_ops = {
        .wrap           = gensec_ntlmssp_wrap,
        .unwrap         = gensec_ntlmssp_unwrap,
        .session_key    = gensec_ntlmssp_session_key,
-       .session_info   = gensec_ntlmssp3_server_session_info,
+       .session_info   = gensec_ntlmssp_session_info,
        .have_feature   = gensec_ntlmssp_have_feature,
        .enabled        = true,
        .priority       = GENSEC_NTLMSSP