s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.c
[nivanova/samba-autobuild/.git] / source4 / utils / ntlm_auth.c
index 0c9a41fd70d7143cc550acc5783e7dfd81b3320c..34f79715ff225be10c30ba2469f4fcc3f57c92e6 100644 (file)
 #include "includes.h"
 #include "system/filesys.h"
 #include "lib/cmdline/popt_common.h"
-#include "lib/ldb/include/ldb.h"
+#include <ldb.h>
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
 #include "auth/auth.h"
 #include "librpc/gen_ndr/ndr_netlogon.h"
 #include "auth/auth_sam.h"
-#include "pstring.h"
 #include "libcli/auth/libcli_auth.h"
 #include "libcli/security/security.h"
 #include "lib/events/events.h"
@@ -59,22 +58,22 @@ enum stdio_helper_mode {
 
 typedef void (*stdio_helper_function)(enum stdio_helper_mode stdio_helper_mode, 
                                      struct loadparm_context *lp_ctx,
-                                     char *buf, int length, void **private,
+                                     char *buf, int length, void **private1,
                                      unsigned int mux_id, void **private2);
 
 static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode, 
                                        struct loadparm_context *lp_ctx,
-                                       char *buf, int length, void **private,
+                                       char *buf, int length, void **private1,
                                        unsigned int mux_id, void **private2);
 
 static void manage_gensec_request (enum stdio_helper_mode stdio_helper_mode, 
                                   struct loadparm_context *lp_ctx,
-                                  char *buf, int length, void **private,
+                                  char *buf, int length, void **private1,
                                   unsigned int mux_id, void **private2);
 
 static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode, 
                                          struct loadparm_context *lp_ctx,
-                                         char *buf, int length, void **private,
+                                         char *buf, int length, void **private1,
                                          unsigned int mux_id, void **private2);
 
 static void manage_squid_request(struct loadparm_context *lp_ctx,
@@ -126,8 +125,8 @@ static void mux_printf(unsigned int mux_id, const char *format, ...)
 /* Copy of parse_domain_user from winbindd_util.c.  Parse a string of the
    form DOMAIN/user into a domain and a user */
 
-static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain, 
-                                       fstring user, char winbind_separator)
+static bool parse_ntlm_auth_domain_user(const char *domuser, char **domain, 
+                                                                               char **user, char winbind_separator)
 {
 
        char *p = strchr(domuser, winbind_separator);
@@ -136,9 +135,9 @@ static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain,
                return false;
        }
         
-       fstrcpy(user, p+1);
-       fstrcpy(domain, domuser);
-       domain[PTR_DIFF(p, domuser)] = 0;
+       *user = smb_xstrdup(p+1);
+       *domain = smb_xstrdup(domuser);
+       (*domain)[PTR_DIFF(p, domuser)] = 0;
 
        return true;
 }
@@ -212,7 +211,8 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
                
                
                nt_status = ntlm_password_check(mem_ctx, 
-                                               lp_ctx,
+                                               lpcfg_lanman_auth(lp_ctx),
+                                               lpcfg_ntlm_auth(lp_ctx),
                                                MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
                                                MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
                                                challenge,
@@ -225,10 +225,11 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
                
                if (NT_STATUS_IS_OK(nt_status)) {
                        if (unix_name) {
-                               asprintf(unix_name, 
-                                        "%s%c%s", domain,
-                                        *lp_winbind_separator(lp_ctx), 
-                                        username);
+                               if (asprintf(unix_name, "%s%c%s", domain,
+                                            *lpcfg_winbind_separator(lp_ctx),
+                                            username) < 0) {
+                                       nt_status = NT_STATUS_NO_MEMORY;
+                               }
                        }
                } else {
                        DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", 
@@ -247,7 +248,7 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
 
 static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, 
                                       struct loadparm_context *lp_ctx,
-                                      char *buf, int length, void **private,
+                                      char *buf, int length, void **private1,
                                       unsigned int mux_id, void **private2) 
 {
        char *user, *pass;      
@@ -279,7 +280,7 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
 
 static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mode, 
                                         struct loadparm_context *lp_ctx,
-                                        char *buf, int length, void **private,
+                                        char *buf, int length, void **private1,
                                         unsigned int mux_id, void **password)  
 {
        DATA_BLOB in;
@@ -297,7 +298,7 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod
 
        if (strncmp(buf, "PW ", 3) == 0) {
 
-               *password = talloc_strndup(*private /* hopefully the right gensec context, useful to use for talloc */,
+               *password = talloc_strndup(*private1 /* hopefully the right gensec context, useful to use for talloc */,
                                           (const char *)in.data, in.length);
                
                if (*password == NULL) {
@@ -327,7 +328,7 @@ static const char *get_password(struct cli_credentials *credentials)
        char *password = NULL;
        
        /* Ask for a password */
-       mux_printf((unsigned int)credentials->priv_data, "PW\n");
+       mux_printf((unsigned int)(uintptr_t)credentials->priv_data, "PW\n");
        credentials->priv_data = NULL;
 
        manage_squid_request(cmdline_lp_ctx, NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password);
@@ -379,7 +380,7 @@ static void gensec_want_feature_list(struct gensec_security *state, char* featur
 
 static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, 
                                  struct loadparm_context *lp_ctx,
-                                 char *buf, int length, void **private,
+                                 char *buf, int length, void **private1,
                                  unsigned int mux_id, void **private2) 
 {
        DATA_BLOB in;
@@ -391,7 +392,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                const char *set_password;
        };
        struct gensec_ntlm_state *state;
-       struct event_context *ev;
+       struct tevent_context *ev;
        struct messaging_context *msg;
 
        NTSTATUS nt_status;
@@ -404,15 +405,15 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 
        TALLOC_CTX *mem_ctx;
 
-       if (*private) {
-               state = (struct gensec_ntlm_state *)*private;
+       if (*private1) {
+               state = (struct gensec_ntlm_state *)*private1;
        } else {
                state = talloc_zero(NULL, struct gensec_ntlm_state);
                if (!state) {
                        mux_printf(mux_id, "BH No Memory\n");
                        exit(1);
                }
-               *private = state;
+               *private1 = state;
                if (opt_password) {
                        state->set_password = opt_password;
                }
@@ -461,6 +462,13 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                return;
        }
 
+       ev = s4_event_context_init(state);
+       if (!ev) {
+               exit(1);
+       }
+
+       mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
+
        /* setup gensec */
        if (!(state->gensec_state)) {
                switch (stdio_helper_mode) {
@@ -468,28 +476,48 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                case NTLMSSP_CLIENT_1:
                        /* setup the client side */
 
-                       nt_status = gensec_client_start(NULL, &state->gensec_state, NULL, lp_ctx);
+                       nt_status = gensec_client_start(NULL, &state->gensec_state, ev, 
+                                                       lpcfg_gensec_settings(NULL, lp_ctx));
                        if (!NT_STATUS_IS_OK(nt_status)) {
+                               talloc_free(mem_ctx);
                                exit(1);
                        }
 
                        break;
                case GSS_SPNEGO_SERVER:
                case SQUID_2_5_NTLMSSP:
-                       ev = event_context_init(state);
-                       if (!ev) {
+               {
+                       const char *winbind_method[] = { "winbind", NULL };
+                       struct auth_context *auth_context;
+
+                       msg = messaging_client_init(state, lpcfg_messaging_path(state, lp_ctx), ev);
+                       if (!msg) {
+                               talloc_free(mem_ctx);
                                exit(1);
                        }
-                       msg = messaging_client_init(state, lp_messaging_path(state, lp_ctx), 
-                                                   lp_iconv_convenience(lp_ctx), ev);
-                       if (!msg) {
+                       nt_status = auth_context_create_methods(mem_ctx, 
+                                                               winbind_method,
+                                                               ev, 
+                                                               msg, 
+                                                               lp_ctx,
+                                                               NULL,
+                                                               &auth_context);
+       
+                       if (!NT_STATUS_IS_OK(nt_status)) {
+                               talloc_free(mem_ctx);
                                exit(1);
                        }
-                       if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, lp_ctx, msg, &state->gensec_state))) {
+                       
+                       if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, 
+                                                                lpcfg_gensec_settings(state, lp_ctx),
+                                                                auth_context, &state->gensec_state))) {
+                               talloc_free(mem_ctx);
                                exit(1);
                        }
                        break;
+               }
                default:
+                       talloc_free(mem_ctx);
                        abort();
                }
 
@@ -505,7 +533,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                        cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
                } else {
                        cli_credentials_set_password_callback(creds, get_password);
-                       creds->priv_data = (void*)mux_id;
+                       creds->priv_data = (void*)(uintptr_t)mux_id;
                }
                if (opt_workstation) {
                        cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
@@ -540,20 +568,21 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                        nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_NTLMSSP);
                        break;
                default:
+                       talloc_free(mem_ctx);
                        abort();
                }
 
                if (!NT_STATUS_IS_OK(nt_status)) {
                        DEBUG(1, ("GENSEC mech failed to start: %s\n", nt_errstr(nt_status)));
                        mux_printf(mux_id, "BH GENSEC mech failed to start\n");
+                       talloc_free(mem_ctx);
                        return;
                }
 
        }
 
        /* update */
-       mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
-       
+
        if (strncmp(buf, "PW ", 3) == 0) {
                state->set_password = talloc_strndup(state,
                                                     (const char *)in.data, 
@@ -588,7 +617,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                for (i=0; i<session_info->security_token->num_sids; i++) {
                        struct security_token *token = session_info->security_token; 
                        const char *sidstr = dom_sid_string(session_info, 
-                                                           token->sids[i]);
+                                                           &token->sids[i]);
                        grouplist = talloc_asprintf_append_buffer(grouplist, "%s,", sidstr);
                }
 
@@ -618,12 +647,12 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
        }
 
        if (strncmp(buf, "GF", 2) == 0) {
-               struct gensec_ntlmssp_state *gensec_ntlmssp_state;
+               struct ntlmssp_state *ntlmssp_state;
                uint32_t neg_flags;
 
-               gensec_ntlmssp_state = talloc_get_type(state->gensec_state->private_data, 
-                               struct gensec_ntlmssp_state);
-               neg_flags = gensec_ntlmssp_state->neg_flags;
+               ntlmssp_state = talloc_get_type(state->gensec_state->private_data,
+                               struct ntlmssp_state);
+               neg_flags = ntlmssp_state->neg_flags;
 
                DEBUG(10, ("Requested negotiated feature flags\n"));
                mux_printf(mux_id, "GF 0x%08x\n", neg_flags);
@@ -633,7 +662,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
        nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out);
        
        /* don't leak 'bad password'/'no such user' info to the network client */
-       nt_status = auth_nt_status_squash(nt_status);
+       nt_status = nt_status_squash(nt_status);
 
        if (out.length) {
                out_base64 = base64_encode_data_blob(mem_ctx, out);
@@ -673,13 +702,13 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                if (!NT_STATUS_IS_OK(nt_status)) {
                        reply_code = "BH Failed to retrive session info";
                        reply_arg = nt_errstr(nt_status);
-                       DEBUG(1, ("GENSEC failed to retreive the session info: %s\n", nt_errstr(nt_status)));
+                       DEBUG(1, ("GENSEC failed to retrieve the session info: %s\n", nt_errstr(nt_status)));
                } else {
 
                        reply_code = "AF";
                        reply_arg = talloc_asprintf(state->gensec_state, 
-                                                   "%s%s%s", session_info->server_info->domain_name, 
-                                                   lp_winbind_separator(lp_ctx), session_info->server_info->account_name);
+                                                   "%s%s%s", session_info->info->domain_name,
+                                                   lpcfg_winbind_separator(lp_ctx), session_info->info->account_name);
                        talloc_free(session_info);
                }
        } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
@@ -711,7 +740,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 
 static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mode, 
                                         struct loadparm_context *lp_ctx,
-                                        char *buf, int length, void **private,
+                                        char *buf, int length, void **private1,
                                         unsigned int mux_id, void **private2) 
 {
        char *request, *parameter;      
@@ -731,7 +760,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
                } else if (plaintext_password) {
                        /* handle this request as plaintext */
                        if (!full_username) {
-                               if (asprintf(&full_username, "%s%c%s", domain, *lp_winbind_separator(lp_ctx), username) == -1) {
+                               if (asprintf(&full_username, "%s%c%s", domain, *lpcfg_winbind_separator(lp_ctx), username) < 0) {
                                        mux_printf(mux_id, "Error: Out of memory in asprintf!\n.\n");
                                        return;
                                }
@@ -752,22 +781,18 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
                        uint32_t flags = 0;
 
                        if (full_username && !username) {
-                               fstring fstr_user;
-                               fstring fstr_domain;
-                               
-                               if (!parse_ntlm_auth_domain_user(full_username, fstr_user, fstr_domain, 
-                                                                *lp_winbind_separator(lp_ctx))) {
+                               SAFE_FREE(username);
+                               SAFE_FREE(domain);
+                               if (!parse_ntlm_auth_domain_user(full_username, &username, 
+                                                                                                &domain, 
+                                                                                                *lpcfg_winbind_separator(lp_ctx))) {
                                        /* username might be 'tainted', don't print into our new-line deleimianted stream */
                                        mux_printf(mux_id, "Error: Could not parse into domain and username\n");
                                }
-                               SAFE_FREE(username);
-                               SAFE_FREE(domain);
-                               username = smb_xstrdup(fstr_user);
-                               domain = smb_xstrdup(fstr_domain);
                        }
 
                        if (!domain) {
-                               domain = smb_xstrdup(lp_workgroup(lp_ctx));
+                               domain = smb_xstrdup(lpcfg_workgroup(lp_ctx));
                        }
 
                        if (ntlm_server_1_lm_session_key) 
@@ -780,7 +805,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
                                    local_pw_check_specified(lp_ctx,
                                                             username, 
                                                              domain, 
-                                                             lp_netbios_name(lp_ctx),
+                                                             lpcfg_netbios_name(lp_ctx),
                                                              &challenge, 
                                                              &lm_response, 
                                                              &nt_response, 
@@ -868,7 +893,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
        }
 
        if (strequal(request, "LANMAN-Challenge")) {
-               challenge = strhex_to_data_blob(parameter);
+               challenge = strhex_to_data_blob(NULL, parameter);
                if (challenge.length != 8) {
                        mux_printf(mux_id, "Error: hex decode of %s failed! (got %d bytes, expected 8)\n.\n", 
                                  parameter,
@@ -876,7 +901,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
                        challenge = data_blob(NULL, 0);
                }
        } else if (strequal(request, "NT-Response")) {
-               nt_response = strhex_to_data_blob(parameter);
+               nt_response = strhex_to_data_blob(NULL, parameter);
                if (nt_response.length < 24) {
                        mux_printf(mux_id, "Error: hex decode of %s failed! (only got %d bytes, needed at least 24)\n.\n", 
                                  parameter,
@@ -884,7 +909,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
                        nt_response = data_blob(NULL, 0);
                }
        } else if (strequal(request, "LANMAN-Response")) {
-               lm_response = strhex_to_data_blob(parameter);
+               lm_response = strhex_to_data_blob(NULL, parameter);
                if (lm_response.length != 24) {
                        mux_printf(mux_id, "Error: hex decode of %s failed! (got %d bytes, expected 24)\n.\n", 
                                  parameter,
@@ -908,7 +933,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
        }
 }
 
-static void manage_squid_request(struct loadparm_context *lp_ctx, enum stdio_helper_mode helper_mode, 
+static void manage_squid_request(struct loadparm_context *lp_ctx, enum stdio_helper_mode helper_mode,
                                 stdio_helper_function fn, void **private2) 
 {
        char *buf;
@@ -923,7 +948,7 @@ static void manage_squid_request(struct loadparm_context *lp_ctx, enum stdio_hel
 
        static struct mux_private *mux_private;
        static void *normal_private;
-       void **private;
+       void **private1;
 
        buf = talloc_strdup(NULL, "");
 
@@ -1005,17 +1030,17 @@ static void manage_squid_request(struct loadparm_context *lp_ctx, enum stdio_hel
                               (sizeof(*mux_private->private_pointers) * (mux_private->max_mux - prev_max))); 
                };
 
-               private = &mux_private->private_pointers[mux_id];
+               private1 = &mux_private->private_pointers[mux_id];
        } else {
                c = buf;
-               private = &normal_private;
+               private1 = &normal_private;
        }
 
-       fn(helper_mode, lp_ctx, c, length, private, mux_id, private2);
+       fn(helper_mode, lp_ctx, c, length, private1, mux_id, private2);
        talloc_free(buf);
 }
 
-static void squid_stream(struct loadparm_context *lp_ctx, 
+static void squid_stream(struct loadparm_context *lp_ctx,
                         enum stdio_helper_mode stdio_mode, 
                         stdio_helper_function fn) {
        /* initialize FDescs */
@@ -1108,7 +1133,7 @@ int main(int argc, const char **argv)
        gensec_init(cmdline_lp_ctx);
 
        if (opt_domain == NULL) {
-               opt_domain = lp_workgroup(cmdline_lp_ctx);
+               opt_domain = lpcfg_workgroup(cmdline_lp_ctx);
        }
 
        if (helper_protocol) {
@@ -1135,7 +1160,7 @@ int main(int argc, const char **argv)
        }
 
        if (opt_workstation == NULL) {
-               opt_workstation = lp_netbios_name(cmdline_lp_ctx);
+               opt_workstation = lpcfg_netbios_name(cmdline_lp_ctx);
        }
 
        if (!opt_password) {
@@ -1145,7 +1170,11 @@ int main(int argc, const char **argv)
        {
                char *user;
 
-               asprintf(&user, "%s%c%s", opt_domain, *lp_winbind_separator(cmdline_lp_ctx), opt_username);
+               if (asprintf(&user, "%s%c%s", opt_domain,
+                            *lpcfg_winbind_separator(cmdline_lp_ctx),
+                            opt_username) < 0) {
+                       return 1;
+               }
                if (!check_plaintext_auth(user, opt_password, true)) {
                        return 1;
                }