r17577: Patch from Kai Blin <kai.blin@gmail.com>:

This is the Samba4 version of the ntlm_auth patch that was committed
to Samba3 in revision 17216.

The purpose of this patch is to return session key information, as
well as NTLMSSP negotiated flags to ntlm_auth's caller.  This allows
the bulk data signing and sealing to be handled in a library, supplied
by the caller.

This also allows the caller to ask for features, so that the right
flags get negotiated.
(This used to be commit eb28aff4e0c9688ba886c3dd886ab7af81c6326a)

diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index 9609ce59daab0218e8a7dedc0884ce6b5d81806f..1b25c96ab27d2441a4ec7e8bc672b39cbc5c1eea 100644 (file)
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -34,6 +34,7 @@
 #include "lib/events/events.h"
 #include "lib/messaging/messaging.h"
 #include "lib/messaging/irpc.h"
+#include "auth/ntlmssp/ntlmssp.h"
 
 #define SQUID_BUFFER_SIZE 2010
 
@@ -319,6 +320,22 @@ static const char *get_password(struct cli_credentials *credentials)
        return password;
 }
 
+static void gensec_want_feature_list(struct gensec_security *state, char* feature_list)
+{
+       if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
+               DEBUG(10, ("want GENSEC_FEATURE_SESSION_KEY\n"));
+               gensec_want_feature(state, GENSEC_FEATURE_SESSION_KEY);
+       }
+       if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
+               DEBUG(10, ("want GENSEC_FEATURE_SIGN\n"));
+               gensec_want_feature(state, GENSEC_FEATURE_SIGN);
+       }
+       if (in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
+               DEBUG(10, ("want GENSEC_FEATURE_SEAL\n"));
+               gensec_want_feature(state, GENSEC_FEATURE_SEAL);
+       }
+}
+
 static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, 
                                  char *buf, int length, void **private,
                                  unsigned int mux_id, void **private2) 
@@ -340,6 +357,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
        const char *reply_code;
        struct cli_credentials *creds;
 
+       static char *want_feature_list = NULL;
+       static DATA_BLOB session_key;
+
        TALLOC_CTX *mem_ctx;
 
        if (*private) {
@@ -363,6 +383,13 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
        }
 
        if (strlen(buf) > 3) {
+               if(strncmp(buf, "SF ", 3) == 0) {
+                       DEBUG(10, ("Setting flags to negotiate\n"));
+                       talloc_free(want_feature_list);
+                       want_feature_list = talloc_strndup(state, buf+3, strlen(buf)-3);
+                       mux_printf(mux_id, "OK\n");
+                       return;
+               }
                in = base64_decode_data_blob(NULL, buf + 3);
        } else {
                in = data_blob(NULL, 0);
@@ -382,7 +409,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                    (strncmp(buf, "AF ", 3) != 0) &&
                    (strncmp(buf, "NA ", 3) != 0) && 
                    (strncmp(buf, "UG", 2) != 0) && 
-                   (strncmp(buf, "PW ", 3) != 0)) {
+                   (strncmp(buf, "PW ", 3) != 0) &&
+                   (strncmp(buf, "GK", 2) != 0) &&
+                   (strncmp(buf, "GF", 2) != 0)) {
                DEBUG(1, ("SPNEGO request [%s] invalid\n", buf));
                mux_printf(mux_id, "BH\n");
                data_blob_free(&in);
@@ -448,6 +477,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                }
 
                gensec_set_credentials(state->gensec_state, creds);
+               gensec_want_feature_list(state->gensec_state, want_feature_list);
 
                switch (stdio_helper_mode) {
                case GSS_SPNEGO_CLIENT:
@@ -525,6 +555,37 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                return;
        }
 
+       if (strncmp(buf, "GK", 2) == 0) {
+               char *base64_key;
+               DEBUG(10, ("Requested session key\n"));
+               nt_status = gensec_session_key(state->gensec_state, &session_key);
+               if(!NT_STATUS_IS_OK(nt_status)) {
+                       DEBUG(1, ("gensec_session_key failed: %s\n", nt_errstr(nt_status)));
+                       mux_printf(mux_id, "BH No session key\n");
+                       talloc_free(mem_ctx);
+                       return;
+               } else {
+                       base64_key = base64_encode_data_blob(state, session_key);
+                       mux_printf(mux_id, "GK %s\n", base64_key);
+                       talloc_free(base64_key);
+               }
+               talloc_free(mem_ctx);
+               return;
+       }
+
+       if (strncmp(buf, "GF", 2) == 0) {
+               struct gensec_ntlmssp_state *gensec_ntlmssp_state;
+               uint32_t neg_flags;
+
+               gensec_ntlmssp_state = talloc_get_type(state->gensec_state->private_data, 
+                               struct gensec_ntlmssp_state);
+               neg_flags = gensec_ntlmssp_state->neg_flags;
+
+               DEBUG(10, ("Requested negotiated feature flags\n"));
+               mux_printf(mux_id, "GF 0x%08x\n", neg_flags);
+               return;
+       }
+
        nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out);
        
        /* don't leak 'bad password'/'no such user' info to the network client */