X-Git-Url: http://git.samba.org/samba.git/?p=nivanova%2Fsamba-autobuild%2F.git;a=blobdiff_plain;f=source4%2Futils%2Fntlm_auth.c;h=34f79715ff225be10c30ba2469f4fcc3f57c92e6;hp=0c9a41fd70d7143cc550acc5783e7dfd81b3320c;hb=dc35442fb163c6f14cf8c5730056a4a094ead85a;hpb=18d80bdf1fc5a281358aef29324230698eb434d4 diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 0c9a41fd70d..34f79715ff2 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -24,13 +24,12 @@ #include "includes.h" #include "system/filesys.h" #include "lib/cmdline/popt_common.h" -#include "lib/ldb/include/ldb.h" +#include #include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" #include "auth/auth.h" #include "librpc/gen_ndr/ndr_netlogon.h" #include "auth/auth_sam.h" -#include "pstring.h" #include "libcli/auth/libcli_auth.h" #include "libcli/security/security.h" #include "lib/events/events.h" @@ -59,22 +58,22 @@ enum stdio_helper_mode { typedef void (*stdio_helper_function)(enum stdio_helper_mode stdio_helper_mode, struct loadparm_context *lp_ctx, - char *buf, int length, void **private, + char *buf, int length, void **private1, unsigned int mux_id, void **private2); static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode, struct loadparm_context *lp_ctx, - char *buf, int length, void **private, + char *buf, int length, void **private1, unsigned int mux_id, void **private2); static void manage_gensec_request (enum stdio_helper_mode stdio_helper_mode, struct loadparm_context *lp_ctx, - char *buf, int length, void **private, + char *buf, int length, void **private1, unsigned int mux_id, void **private2); static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode, struct loadparm_context *lp_ctx, - char *buf, int length, void **private, + char *buf, int length, void **private1, unsigned int mux_id, void **private2); static void manage_squid_request(struct loadparm_context *lp_ctx, @@ -126,8 +125,8 @@ static void mux_printf(unsigned int mux_id, const char *format, ...) /* Copy of parse_domain_user from winbindd_util.c. Parse a string of the form DOMAIN/user into a domain and a user */ -static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain, - fstring user, char winbind_separator) +static bool parse_ntlm_auth_domain_user(const char *domuser, char **domain, + char **user, char winbind_separator) { char *p = strchr(domuser, winbind_separator); @@ -136,9 +135,9 @@ static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain, return false; } - fstrcpy(user, p+1); - fstrcpy(domain, domuser); - domain[PTR_DIFF(p, domuser)] = 0; + *user = smb_xstrdup(p+1); + *domain = smb_xstrdup(domuser); + (*domain)[PTR_DIFF(p, domuser)] = 0; return true; } @@ -212,7 +211,8 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx, nt_status = ntlm_password_check(mem_ctx, - lp_ctx, + lpcfg_lanman_auth(lp_ctx), + lpcfg_ntlm_auth(lp_ctx), MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, challenge, @@ -225,10 +225,11 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx, if (NT_STATUS_IS_OK(nt_status)) { if (unix_name) { - asprintf(unix_name, - "%s%c%s", domain, - *lp_winbind_separator(lp_ctx), - username); + if (asprintf(unix_name, "%s%c%s", domain, + *lpcfg_winbind_separator(lp_ctx), + username) < 0) { + nt_status = NT_STATUS_NO_MEMORY; + } } } else { DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", @@ -247,7 +248,7 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx, static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, struct loadparm_context *lp_ctx, - char *buf, int length, void **private, + char *buf, int length, void **private1, unsigned int mux_id, void **private2) { char *user, *pass; @@ -279,7 +280,7 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mode, struct loadparm_context *lp_ctx, - char *buf, int length, void **private, + char *buf, int length, void **private1, unsigned int mux_id, void **password) { DATA_BLOB in; @@ -297,7 +298,7 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod if (strncmp(buf, "PW ", 3) == 0) { - *password = talloc_strndup(*private /* hopefully the right gensec context, useful to use for talloc */, + *password = talloc_strndup(*private1 /* hopefully the right gensec context, useful to use for talloc */, (const char *)in.data, in.length); if (*password == NULL) { @@ -327,7 +328,7 @@ static const char *get_password(struct cli_credentials *credentials) char *password = NULL; /* Ask for a password */ - mux_printf((unsigned int)credentials->priv_data, "PW\n"); + mux_printf((unsigned int)(uintptr_t)credentials->priv_data, "PW\n"); credentials->priv_data = NULL; manage_squid_request(cmdline_lp_ctx, NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password); @@ -379,7 +380,7 @@ static void gensec_want_feature_list(struct gensec_security *state, char* featur static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, struct loadparm_context *lp_ctx, - char *buf, int length, void **private, + char *buf, int length, void **private1, unsigned int mux_id, void **private2) { DATA_BLOB in; @@ -391,7 +392,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, const char *set_password; }; struct gensec_ntlm_state *state; - struct event_context *ev; + struct tevent_context *ev; struct messaging_context *msg; NTSTATUS nt_status; @@ -404,15 +405,15 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, TALLOC_CTX *mem_ctx; - if (*private) { - state = (struct gensec_ntlm_state *)*private; + if (*private1) { + state = (struct gensec_ntlm_state *)*private1; } else { state = talloc_zero(NULL, struct gensec_ntlm_state); if (!state) { mux_printf(mux_id, "BH No Memory\n"); exit(1); } - *private = state; + *private1 = state; if (opt_password) { state->set_password = opt_password; } @@ -461,6 +462,13 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, return; } + ev = s4_event_context_init(state); + if (!ev) { + exit(1); + } + + mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx"); + /* setup gensec */ if (!(state->gensec_state)) { switch (stdio_helper_mode) { @@ -468,28 +476,48 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, case NTLMSSP_CLIENT_1: /* setup the client side */ - nt_status = gensec_client_start(NULL, &state->gensec_state, NULL, lp_ctx); + nt_status = gensec_client_start(NULL, &state->gensec_state, ev, + lpcfg_gensec_settings(NULL, lp_ctx)); if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); exit(1); } break; case GSS_SPNEGO_SERVER: case SQUID_2_5_NTLMSSP: - ev = event_context_init(state); - if (!ev) { + { + const char *winbind_method[] = { "winbind", NULL }; + struct auth_context *auth_context; + + msg = messaging_client_init(state, lpcfg_messaging_path(state, lp_ctx), ev); + if (!msg) { + talloc_free(mem_ctx); exit(1); } - msg = messaging_client_init(state, lp_messaging_path(state, lp_ctx), - lp_iconv_convenience(lp_ctx), ev); - if (!msg) { + nt_status = auth_context_create_methods(mem_ctx, + winbind_method, + ev, + msg, + lp_ctx, + NULL, + &auth_context); + + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); exit(1); } - if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, lp_ctx, msg, &state->gensec_state))) { + + if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, + lpcfg_gensec_settings(state, lp_ctx), + auth_context, &state->gensec_state))) { + talloc_free(mem_ctx); exit(1); } break; + } default: + talloc_free(mem_ctx); abort(); } @@ -505,7 +533,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED); } else { cli_credentials_set_password_callback(creds, get_password); - creds->priv_data = (void*)mux_id; + creds->priv_data = (void*)(uintptr_t)mux_id; } if (opt_workstation) { cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED); @@ -540,20 +568,21 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_NTLMSSP); break; default: + talloc_free(mem_ctx); abort(); } if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("GENSEC mech failed to start: %s\n", nt_errstr(nt_status))); mux_printf(mux_id, "BH GENSEC mech failed to start\n"); + talloc_free(mem_ctx); return; } } /* update */ - mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx"); - + if (strncmp(buf, "PW ", 3) == 0) { state->set_password = talloc_strndup(state, (const char *)in.data, @@ -588,7 +617,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, for (i=0; isecurity_token->num_sids; i++) { struct security_token *token = session_info->security_token; const char *sidstr = dom_sid_string(session_info, - token->sids[i]); + &token->sids[i]); grouplist = talloc_asprintf_append_buffer(grouplist, "%s,", sidstr); } @@ -618,12 +647,12 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } if (strncmp(buf, "GF", 2) == 0) { - struct gensec_ntlmssp_state *gensec_ntlmssp_state; + struct ntlmssp_state *ntlmssp_state; uint32_t neg_flags; - gensec_ntlmssp_state = talloc_get_type(state->gensec_state->private_data, - struct gensec_ntlmssp_state); - neg_flags = gensec_ntlmssp_state->neg_flags; + ntlmssp_state = talloc_get_type(state->gensec_state->private_data, + struct ntlmssp_state); + neg_flags = ntlmssp_state->neg_flags; DEBUG(10, ("Requested negotiated feature flags\n")); mux_printf(mux_id, "GF 0x%08x\n", neg_flags); @@ -633,7 +662,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out); /* don't leak 'bad password'/'no such user' info to the network client */ - nt_status = auth_nt_status_squash(nt_status); + nt_status = nt_status_squash(nt_status); if (out.length) { out_base64 = base64_encode_data_blob(mem_ctx, out); @@ -673,13 +702,13 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (!NT_STATUS_IS_OK(nt_status)) { reply_code = "BH Failed to retrive session info"; reply_arg = nt_errstr(nt_status); - DEBUG(1, ("GENSEC failed to retreive the session info: %s\n", nt_errstr(nt_status))); + DEBUG(1, ("GENSEC failed to retrieve the session info: %s\n", nt_errstr(nt_status))); } else { reply_code = "AF"; reply_arg = talloc_asprintf(state->gensec_state, - "%s%s%s", session_info->server_info->domain_name, - lp_winbind_separator(lp_ctx), session_info->server_info->account_name); + "%s%s%s", session_info->info->domain_name, + lpcfg_winbind_separator(lp_ctx), session_info->info->account_name); talloc_free(session_info); } } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) { @@ -711,7 +740,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mode, struct loadparm_context *lp_ctx, - char *buf, int length, void **private, + char *buf, int length, void **private1, unsigned int mux_id, void **private2) { char *request, *parameter; @@ -731,7 +760,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } else if (plaintext_password) { /* handle this request as plaintext */ if (!full_username) { - if (asprintf(&full_username, "%s%c%s", domain, *lp_winbind_separator(lp_ctx), username) == -1) { + if (asprintf(&full_username, "%s%c%s", domain, *lpcfg_winbind_separator(lp_ctx), username) < 0) { mux_printf(mux_id, "Error: Out of memory in asprintf!\n.\n"); return; } @@ -752,22 +781,18 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod uint32_t flags = 0; if (full_username && !username) { - fstring fstr_user; - fstring fstr_domain; - - if (!parse_ntlm_auth_domain_user(full_username, fstr_user, fstr_domain, - *lp_winbind_separator(lp_ctx))) { + SAFE_FREE(username); + SAFE_FREE(domain); + if (!parse_ntlm_auth_domain_user(full_username, &username, + &domain, + *lpcfg_winbind_separator(lp_ctx))) { /* username might be 'tainted', don't print into our new-line deleimianted stream */ mux_printf(mux_id, "Error: Could not parse into domain and username\n"); } - SAFE_FREE(username); - SAFE_FREE(domain); - username = smb_xstrdup(fstr_user); - domain = smb_xstrdup(fstr_domain); } if (!domain) { - domain = smb_xstrdup(lp_workgroup(lp_ctx)); + domain = smb_xstrdup(lpcfg_workgroup(lp_ctx)); } if (ntlm_server_1_lm_session_key) @@ -780,7 +805,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod local_pw_check_specified(lp_ctx, username, domain, - lp_netbios_name(lp_ctx), + lpcfg_netbios_name(lp_ctx), &challenge, &lm_response, &nt_response, @@ -868,7 +893,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } if (strequal(request, "LANMAN-Challenge")) { - challenge = strhex_to_data_blob(parameter); + challenge = strhex_to_data_blob(NULL, parameter); if (challenge.length != 8) { mux_printf(mux_id, "Error: hex decode of %s failed! (got %d bytes, expected 8)\n.\n", parameter, @@ -876,7 +901,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod challenge = data_blob(NULL, 0); } } else if (strequal(request, "NT-Response")) { - nt_response = strhex_to_data_blob(parameter); + nt_response = strhex_to_data_blob(NULL, parameter); if (nt_response.length < 24) { mux_printf(mux_id, "Error: hex decode of %s failed! (only got %d bytes, needed at least 24)\n.\n", parameter, @@ -884,7 +909,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod nt_response = data_blob(NULL, 0); } } else if (strequal(request, "LANMAN-Response")) { - lm_response = strhex_to_data_blob(parameter); + lm_response = strhex_to_data_blob(NULL, parameter); if (lm_response.length != 24) { mux_printf(mux_id, "Error: hex decode of %s failed! (got %d bytes, expected 24)\n.\n", parameter, @@ -908,7 +933,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } } -static void manage_squid_request(struct loadparm_context *lp_ctx, enum stdio_helper_mode helper_mode, +static void manage_squid_request(struct loadparm_context *lp_ctx, enum stdio_helper_mode helper_mode, stdio_helper_function fn, void **private2) { char *buf; @@ -923,7 +948,7 @@ static void manage_squid_request(struct loadparm_context *lp_ctx, enum stdio_hel static struct mux_private *mux_private; static void *normal_private; - void **private; + void **private1; buf = talloc_strdup(NULL, ""); @@ -1005,17 +1030,17 @@ static void manage_squid_request(struct loadparm_context *lp_ctx, enum stdio_hel (sizeof(*mux_private->private_pointers) * (mux_private->max_mux - prev_max))); }; - private = &mux_private->private_pointers[mux_id]; + private1 = &mux_private->private_pointers[mux_id]; } else { c = buf; - private = &normal_private; + private1 = &normal_private; } - fn(helper_mode, lp_ctx, c, length, private, mux_id, private2); + fn(helper_mode, lp_ctx, c, length, private1, mux_id, private2); talloc_free(buf); } -static void squid_stream(struct loadparm_context *lp_ctx, +static void squid_stream(struct loadparm_context *lp_ctx, enum stdio_helper_mode stdio_mode, stdio_helper_function fn) { /* initialize FDescs */ @@ -1108,7 +1133,7 @@ int main(int argc, const char **argv) gensec_init(cmdline_lp_ctx); if (opt_domain == NULL) { - opt_domain = lp_workgroup(cmdline_lp_ctx); + opt_domain = lpcfg_workgroup(cmdline_lp_ctx); } if (helper_protocol) { @@ -1135,7 +1160,7 @@ int main(int argc, const char **argv) } if (opt_workstation == NULL) { - opt_workstation = lp_netbios_name(cmdline_lp_ctx); + opt_workstation = lpcfg_netbios_name(cmdline_lp_ctx); } if (!opt_password) { @@ -1145,7 +1170,11 @@ int main(int argc, const char **argv) { char *user; - asprintf(&user, "%s%c%s", opt_domain, *lp_winbind_separator(cmdline_lp_ctx), opt_username); + if (asprintf(&user, "%s%c%s", opt_domain, + *lpcfg_winbind_separator(cmdline_lp_ctx), + opt_username) < 0) { + return 1; + } if (!check_plaintext_auth(user, opt_password, true)) { return 1; }