sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-07 17:18:11 +03:00
Code
3186cdce85
samba-mirror/auth/ntlmssp/ntlmssp.c

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

409 lines
12 KiB
C
Raw Normal View History

auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
/*
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
Unix SMB/Netbios implementation.
Version 3.0
handle NLTMSSP, client server side parsing
Copyright (C) Andrew Tridgell 2001
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
Copyright (C) Stefan Metzmacher 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 06:07:03 +04:00
the Free Software Foundation; either version 3 of the License, or
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
(at your option) any later version.
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
You should have received a copy of the GNU General Public License
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 06:07:03 +04:00
along with this program. If not, see <http://www.gnu.org/licenses/>.
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
*/
ntlmssp: Move ntlmssp code to auth/ntlmssp This brings in the code from both libcli/auth and source4/auth/ntlmssp. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-07-25 10:04:38 +04:00
struct auth_session_info;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
#include "includes.h"
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
#include <tevent.h>
#include "lib/util/tevent_ntstatus.h"
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
#include "auth/ntlmssp/ntlmssp.h"
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
#include "auth/ntlmssp/ntlmssp_private.h"
Fix Samba4 build errors with common libcli/samsync
2009-04-16 04:17:17 +04:00
#include "../libcli/auth/libcli_auth.h"
r14542: Remove librpc, libndr and libnbt from includes.h (This used to be commit 51b4270513752d2eafbe77f9de598de16ef84a1f)
2006-03-18 18:42:57 +03:00
#include "librpc/gen_ndr/ndr_dcerpc.h"
r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2006-11-07 03:48:36 +03:00
#include "auth/gensec/gensec.h"
auth/gensec: introduce gensec_internal.h We should treat most gensec related structures private. It's a long way, but this is a start. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 09:12:01 +04:00
#include "auth/gensec/gensec_internal.h"
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
define DBGC_AUTH class Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-19 12:49:10 +03:00
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/**
* Callbacks for NTLMSSP - for both client and server operating modes
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
*
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
*/
static const struct ntlmssp_callbacks {
enum ntlmssp_role role;
r17285: some reformating metze (This used to be commit c865aea260dd22b8b5d63e60fd917a52ed719993)
2006-07-27 23:33:15 +04:00
enum ntlmssp_message_type command;
NTSTATUS (*sync_fn)(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB in, DATA_BLOB *out);
auth/ntlmssp: prepare update_send/recv for real async processing Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-15 01:34:26 +03:00
struct tevent_req *(*send_fn)(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct gensec_security *gensec_security,
const DATA_BLOB in);
NTSTATUS (*recv_fn)(struct tevent_req *req,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
} ntlmssp_callbacks[] = {
r17285: some reformating metze (This used to be commit c865aea260dd22b8b5d63e60fd917a52ed719993)
2006-07-27 23:33:15 +04:00
{
.role = NTLMSSP_CLIENT,
.command = NTLMSSP_INITIAL,
.sync_fn = ntlmssp_client_initial,
auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend These can be used to implement the winbindd side of the WINBINDD_CCACHE_NTLMAUTH call. It can properly get the initial NEGOTIATE messages injected if available. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2015-11-25 23:41:23 +03:00
},{
.role = NTLMSSP_CLIENT,
.command = NTLMSSP_NEGOTIATE,
.sync_fn = gensec_ntlmssp_resume_ccache,
r17285: some reformating metze (This used to be commit c865aea260dd22b8b5d63e60fd917a52ed719993)
2006-07-27 23:33:15 +04:00
},{
.role = NTLMSSP_SERVER,
.command = NTLMSSP_NEGOTIATE,
s4:ntlmssp Re-add gensec_ntlmssp wrapper to allow merge with source3/ By re-adding this wrapper, the actual guts of these functions are now very similar to that found in source3/libsmb/ntlmssp.c This should make it easier to merge the implementations. Andrew Bartlett
2010-08-06 11:53:44 +04:00
.sync_fn = gensec_ntlmssp_server_negotiate,
r17285: some reformating metze (This used to be commit c865aea260dd22b8b5d63e60fd917a52ed719993)
2006-07-27 23:33:15 +04:00
},{
.role = NTLMSSP_CLIENT,
.command = NTLMSSP_CHALLENGE,
.sync_fn = ntlmssp_client_challenge,
},{
.role = NTLMSSP_SERVER,
.command = NTLMSSP_AUTH,
auth/ntlmssp: introduce ntlmssp_server_auth_send/recv We still use the sync ntlmssp_server_check_password(). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-16 17:16:15 +03:00
.send_fn = ntlmssp_server_auth_send,
.recv_fn = ntlmssp_server_auth_recv,
r17285: some reformating metze (This used to be commit c865aea260dd22b8b5d63e60fd917a52ed719993)
2006-07-27 23:33:15 +04:00
}
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
};
auth/ntlmssp: Remove gensec_security element from gensec_ntlmssp_state This just means there is one less pointer to ensure we initialise. Andrew Bartlett
2012-03-09 07:28:46 +04:00
static NTSTATUS gensec_ntlmssp_update_find(struct gensec_security *gensec_security,
struct gensec_ntlmssp_context *gensec_ntlmssp,
r17284: move the input checking stuff from ntlmssp_update() into its own function. metze (This used to be commit ee81ad57938a9f54533a0028b87fd84bde90db8d)
2006-07-27 23:20:57 +04:00
const DATA_BLOB input, uint32_t *idx)
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
{
uint32_t ntlmssp_command;
r17284: move the input checking stuff from ntlmssp_update() into its own function. metze (This used to be commit ee81ad57938a9f54533a0028b87fd84bde90db8d)
2006-07-27 23:20:57 +04:00
uint32_t i;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
auth: Remove plugable password-check functions from gensec_ntlmssp The auth4_context layer now provides the plugability here. Andrew Bartlett
2012-02-07 10:47:42 +04:00
if (gensec_ntlmssp->ntlmssp_state->expected_state == NTLMSSP_DONE) {
r9505: Work on GENSEC and the code that calls it, for tighter interface requirements, and for better error reporting. In particular, the composite session setup (extended security/SPNEGO) code now returns errors, rather than NT_STATUS_NO_MEMORY. This is seen particularly when GENSEC fails to start. The tighter interface rules apply to NTLMSSP, which must be called exactly the right number of times. This is to match some of our other less-tested modules, where adding flexablity is harder. (and this is security code, so let's just get it right). As such, the DCE/RPC and LDAP clients have been updated. Andrew Bartlett (This used to be commit 134550cf752b9edad66c3368750bfb4bbd9d55d1)
2005-08-23 09:29:37 +04:00
/* We are strict here because other modules, which we
* don't fully control (such as GSSAPI) are also
* strict, but are tested less often */
DEBUG(1, ("Called NTLMSSP after state machine was 'done'\n"));
return NT_STATUS_INVALID_PARAMETER;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
if (!input.length) {
auth: Remove plugable password-check functions from gensec_ntlmssp The auth4_context layer now provides the plugability here. Andrew Bartlett
2012-02-07 10:47:42 +04:00
switch (gensec_ntlmssp->ntlmssp_state->role) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
case NTLMSSP_CLIENT:
auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend These can be used to implement the winbindd side of the WINBINDD_CCACHE_NTLMAUTH call. It can properly get the initial NEGOTIATE messages injected if available. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2015-11-25 23:41:23 +03:00
if (gensec_ntlmssp->ntlmssp_state->resume_ccache) {
/*
* make sure gensec_ntlmssp_resume_ccache()
* will be called
*/
ntlmssp_command = NTLMSSP_NEGOTIATE;
break;
}
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
ntlmssp_command = NTLMSSP_INITIAL;
break;
case NTLMSSP_SERVER:
r9411: Ensure we don't send a challenge without first getting a negotiate in NTLMSSP, unless we are in datagram mode (not fully implemented yet). Andrew Bartlett (This used to be commit 727f5109421e9414a335e42e3ad3dd3ff19776bd)
2005-08-20 08:42:19 +04:00
if (gensec_security->want_features & GENSEC_FEATURE_DATAGRAM_MODE) {
/* 'datagram' mode - no neg packet */
ntlmssp_command = NTLMSSP_NEGOTIATE;
} else {
/* This is normal in SPNEGO mech negotiation fallback */
DEBUG(2, ("Failed to parse NTLMSSP packet: zero length\n"));
return NT_STATUS_INVALID_PARAMETER;
}
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
break;
ntlmssp: fix compilation with -O2 -fno-inline Without inlining the function, GCC doesn't know that gensec_ntlmssp->ntlmssp_state->role always has a valid value. With inlining, this is obviously redundant but GCC clearly knows enough to detect this and elide the default case. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-21 03:24:46 +03:00
default:
DEBUG(1, ("NTLMSSP state has invalid role %d\n",
gensec_ntlmssp->ntlmssp_state->role));
return NT_STATUS_INVALID_PARAMETER;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
} else {
auth: Remove plugable password-check functions from gensec_ntlmssp The auth4_context layer now provides the plugability here. Andrew Bartlett
2012-02-07 10:47:42 +04:00
if (!msrpc_parse(gensec_ntlmssp->ntlmssp_state,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
&input, "Cd",
"NTLMSSP",
&ntlmssp_command)) {
DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n"));
dump_data(2, input.data, input.length);
return NT_STATUS_INVALID_PARAMETER;
}
}
auth: Remove plugable password-check functions from gensec_ntlmssp The auth4_context layer now provides the plugability here. Andrew Bartlett
2012-02-07 10:47:42 +04:00
if (ntlmssp_command != gensec_ntlmssp->ntlmssp_state->expected_state) {
DEBUG(2, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command,
gensec_ntlmssp->ntlmssp_state->expected_state));
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return NT_STATUS_INVALID_PARAMETER;
}
for (i=0; i < ARRAY_SIZE(ntlmssp_callbacks); i++) {
auth: Remove plugable password-check functions from gensec_ntlmssp The auth4_context layer now provides the plugability here. Andrew Bartlett
2012-02-07 10:47:42 +04:00
if (ntlmssp_callbacks[i].role == gensec_ntlmssp->ntlmssp_state->role &&
r17285: some reformating metze (This used to be commit c865aea260dd22b8b5d63e60fd917a52ed719993)
2006-07-27 23:33:15 +04:00
ntlmssp_callbacks[i].command == ntlmssp_command) {
r17284: move the input checking stuff from ntlmssp_update() into its own function. metze (This used to be commit ee81ad57938a9f54533a0028b87fd84bde90db8d)
2006-07-27 23:20:57 +04:00
*idx = i;
return NT_STATUS_OK;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
}
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command %u\n",
auth: Remove plugable password-check functions from gensec_ntlmssp The auth4_context layer now provides the plugability here. Andrew Bartlett
2012-02-07 10:47:42 +04:00
gensec_ntlmssp->ntlmssp_state->role, ntlmssp_command));
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
r17284: move the input checking stuff from ntlmssp_update() into its own function. metze (This used to be commit ee81ad57938a9f54533a0028b87fd84bde90db8d)
2006-07-27 23:20:57 +04:00
return NT_STATUS_INVALID_PARAMETER;
}
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
struct gensec_ntlmssp_update_state {
auth/ntlmssp: prepare update_send/recv for real async processing Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-15 01:34:26 +03:00
const struct ntlmssp_callbacks *cb;
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
NTSTATUS status;
DATA_BLOB out;
};
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
auth/ntlmssp: prepare update_send/recv for real async processing Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-15 01:34:26 +03:00
static void gensec_ntlmssp_update_done(struct tevent_req *subreq);
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
static struct tevent_req *gensec_ntlmssp_update_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct gensec_security *gensec_security,
const DATA_BLOB in)
r17284: move the input checking stuff from ntlmssp_update() into its own function. metze (This used to be commit ee81ad57938a9f54533a0028b87fd84bde90db8d)
2006-07-27 23:20:57 +04:00
{
s4:ntlmssp: keep struct gensec_ntlmssp_context in gensec_security->private_data Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 10:23:13 +03:00
struct gensec_ntlmssp_context *gensec_ntlmssp =
talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
struct tevent_req *req = NULL;
struct gensec_ntlmssp_update_state *state = NULL;
r17284: move the input checking stuff from ntlmssp_update() into its own function. metze (This used to be commit ee81ad57938a9f54533a0028b87fd84bde90db8d)
2006-07-27 23:20:57 +04:00
NTSTATUS status;
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
uint32_t i = 0;
r17284: move the input checking stuff from ntlmssp_update() into its own function. metze (This used to be commit ee81ad57938a9f54533a0028b87fd84bde90db8d)
2006-07-27 23:20:57 +04:00
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
req = tevent_req_create(mem_ctx, &state,
struct gensec_ntlmssp_update_state);
if (req == NULL) {
return NULL;
}
r17284: move the input checking stuff from ntlmssp_update() into its own function. metze (This used to be commit ee81ad57938a9f54533a0028b87fd84bde90db8d)
2006-07-27 23:20:57 +04:00
auth/ntlmssp: rename 'input' to 'in' in gensec_ntlmssp_update() This matches all other gensec modules. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-18 09:43:09 +03:00
status = gensec_ntlmssp_update_find(gensec_security,
gensec_ntlmssp,
in, &i);
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
auth/ntlmssp: avoid using NT_STATUS_NOT_OK_RETURN() in gensec_ntlmssp_update() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-17 21:21:19 +03:00
}
r17284: move the input checking stuff from ntlmssp_update() into its own function. metze (This used to be commit ee81ad57938a9f54533a0028b87fd84bde90db8d)
2006-07-27 23:20:57 +04:00
auth/ntlmssp: prepare update_send/recv for real async processing Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-15 01:34:26 +03:00
if (ntlmssp_callbacks[i].send_fn != NULL) {
struct tevent_req *subreq = NULL;
state->cb = &ntlmssp_callbacks[i];
subreq = state->cb->send_fn(state, ev,
gensec_security,
in);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
}
tevent_req_set_callback(subreq,
gensec_ntlmssp_update_done,
req);
return req;
}
auth/ntlmssp: rename 'input' to 'in' in gensec_ntlmssp_update() This matches all other gensec modules. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-18 09:43:09 +03:00
status = ntlmssp_callbacks[i].sync_fn(gensec_security,
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
state,
in, &state->out);
state->status = status;
if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
tevent_req_done(req);
return tevent_req_post(req, ev);
}
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
tevent_req_done(req);
return tevent_req_post(req, ev);
}
auth/ntlmssp: prepare update_send/recv for real async processing Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-15 01:34:26 +03:00
static void gensec_ntlmssp_update_done(struct tevent_req *subreq)
{
struct tevent_req *req =
tevent_req_callback_data(subreq,
struct tevent_req);
struct gensec_ntlmssp_update_state *state =
tevent_req_data(req,
struct gensec_ntlmssp_update_state);
NTSTATUS status;
status = state->cb->recv_fn(subreq, state, &state->out);
TALLOC_FREE(subreq);
if (GENSEC_UPDATE_IS_NTERROR(status)) {
tevent_req_nterror(req, status);
return;
}
state->status = status;
tevent_req_done(req);
}
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
static NTSTATUS gensec_ntlmssp_update_recv(struct tevent_req *req,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
struct gensec_ntlmssp_update_state *state =
tevent_req_data(req,
struct gensec_ntlmssp_update_state);
NTSTATUS status;
*out = data_blob_null;
if (tevent_req_is_nterror(req, &status)) {
tevent_req_received(req);
auth/ntlmssp: avoid using NT_STATUS_NOT_OK_RETURN() in gensec_ntlmssp_update() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-17 21:21:19 +03:00
return status;
}
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
*out = state->out;
talloc_steal(out_mem_ctx, state->out.data);
status = state->status;
tevent_req_received(req);
return status;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto() [MS-SPNG] requires the NTLMSSP RC4 states to be reset after the SPNEGO exchange with mechListMic verification (new_spnego). The 'reset_full' parameter is needed to support the broken behavior that windows only resets the RC4 states but not the sequence numbers. Which means this functionality is completely useless... But we want to work against all windows versions... BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2013-12-17 14:49:31 +04:00
static NTSTATUS gensec_ntlmssp_may_reset_crypto(struct gensec_security *gensec_security,
bool full_reset)
{
struct gensec_ntlmssp_context *gensec_ntlmssp =
talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
NTSTATUS status;
bool reset_seqnums = full_reset;
if (!gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
return NT_STATUS_OK;
}
status = ntlmssp_sign_reset(ntlmssp_state, reset_seqnums);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not reset NTLMSSP signing/sealing system (error was: %s)\n",
nt_errstr(status)));
return status;
}
return NT_STATUS_OK;
}
auth_log: Also log the final type of authentication (ntlmssp,krb5) Administrators really care about how their users were authenticated, so make this clear. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-01 06:00:03 +03:00
static const char *gensec_ntlmssp_final_auth_type(struct gensec_security *gensec_security)
{
return GENSEC_FINAL_AUTH_TYPE_NTLMSSP;
}
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
static const char *gensec_ntlmssp_oids[] = {
GENSEC_OID_NTLMSSP,
r6800: A big GENSEC update: Finally remove the distinction between 'krb5' and 'ms_krb5'. We now don't do kerberos stuff twice on failure. The solution to this is slightly more general than perhaps was really required (as this is a special case), but it works, and I'm happy with the cleanup I achived in the process. All modules have been updated to supply a NULL-terminated list of OIDs. In that process, SPNEGO code has been generalised, as I realised that two of the functions should have been identical in behaviour. Over in the actual modules, I have worked to remove the 'kinit' code from gensec_krb5, and placed it in kerberos/kerberos_util.c. The GSSAPI module has been extended to use this, so no longer requires a manual kinit at the command line. It will soon loose the requirement for a on-disk keytab too. The general kerberos code has also been updated to move from error_message() to our routine which gets the Heimdal error string (which may be much more useful) when available. Andrew Bartlett (This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
2005-05-16 03:42:11 +04:00
NULL
};
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
static const struct gensec_security_ops gensec_ntlmssp_security_ops = {
.name = "ntlmssp",
s4:gensec Put the "NTLM" string for NTLMSSP's SASL name in a header
2010-06-01 13:12:29 +04:00
.sasl_name = GENSEC_SASL_NAME_NTLMSSP, /* "NTLM" */
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
.auth_type = DCERPC_AUTH_TYPE_NTLMSSP,
auth:ntlmssp: Mark as weak_crypto Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-11 18:39:24 +03:00
.weak_crypto = true,
r6800: A big GENSEC update: Finally remove the distinction between 'krb5' and 'ms_krb5'. We now don't do kerberos stuff twice on failure. The solution to this is slightly more general than perhaps was really required (as this is a special case), but it works, and I'm happy with the cleanup I achived in the process. All modules have been updated to supply a NULL-terminated list of OIDs. In that process, SPNEGO code has been generalised, as I realised that two of the functions should have been identical in behaviour. Over in the actual modules, I have worked to remove the 'kinit' code from gensec_krb5, and placed it in kerberos/kerberos_util.c. The GSSAPI module has been extended to use this, so no longer requires a manual kinit at the command line. It will soon loose the requirement for a on-disk keytab too. The general kerberos code has also been updated to move from error_message() to our routine which gets the Heimdal error string (which may be much more useful) when available. Andrew Bartlett (This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
2005-05-16 03:42:11 +04:00
.oid = gensec_ntlmssp_oids,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
.client_start = gensec_ntlmssp_client_start,
.server_start = gensec_ntlmssp_server_start,
r7827: Add in-memory keytab to Samba4, using the new MEMORY_WILDCARD keytab support in Heimdal. This removes the 'ext_keytab' step from my Samba4/WinXP client howto. In doing this work, I realised that the replay cache in Heimdal is currently a no-op, so I have removed the calls to it, and therefore the mutex calls from passdb/secrets.c. This patch also includes a replacement 'magic' mechanism detection, that does not issue extra error messages from deep inside the GSSAPI code. Andrew Bartlett (This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)
2005-06-22 06:12:26 +04:00
.magic = gensec_ntlmssp_magic,
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
.update_send = gensec_ntlmssp_update_send,
.update_recv = gensec_ntlmssp_update_recv,
CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto() [MS-SPNG] requires the NTLMSSP RC4 states to be reset after the SPNEGO exchange with mechListMic verification (new_spnego). The 'reset_full' parameter is needed to support the broken behavior that windows only resets the RC4 states but not the sequence numbers. Which means this functionality is completely useless... But we want to work against all windows versions... BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2013-12-17 14:49:31 +04:00
.may_reset_crypto= gensec_ntlmssp_may_reset_crypto,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
.sig_size = gensec_ntlmssp_sig_size,
.sign_packet = gensec_ntlmssp_sign_packet,
.check_packet = gensec_ntlmssp_check_packet,
.seal_packet = gensec_ntlmssp_seal_packet,
.unseal_packet = gensec_ntlmssp_unseal_packet,
.wrap = gensec_ntlmssp_wrap,
.unwrap = gensec_ntlmssp_unwrap,
.session_key = gensec_ntlmssp_session_key,
.session_info = gensec_ntlmssp_session_info,
.have_feature = gensec_ntlmssp_have_feature,
auth_log: Also log the final type of authentication (ntlmssp,krb5) Administrators really care about how their users were authenticated, so make this clear. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-01 06:00:03 +03:00
.final_auth_type = gensec_ntlmssp_final_auth_type,
r25552: Convert to standard bool type. (This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245)
2007-10-07 02:16:19 +04:00
.enabled = true,
r18258: need to use .priority not .order here (This used to be commit a47d65fe17a0e84615ff235380eb2462579199f0)
2006-09-08 10:57:01 +04:00
.priority = GENSEC_NTLMSSP
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
};
auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend These can be used to implement the winbindd side of the WINBINDD_CCACHE_NTLMAUTH call. It can properly get the initial NEGOTIATE messages injected if available. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2015-11-25 23:41:23 +03:00
static const struct gensec_security_ops gensec_ntlmssp_resume_ccache_ops = {
.name = "ntlmssp_resume_ccache",
auth:ntlmssp: Mark as weak_crypto Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-11 18:39:24 +03:00
.weak_crypto = true,
auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend These can be used to implement the winbindd side of the WINBINDD_CCACHE_NTLMAUTH call. It can properly get the initial NEGOTIATE messages injected if available. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2015-11-25 23:41:23 +03:00
.client_start = gensec_ntlmssp_resume_ccache_start,
auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv() Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-11 10:04:02 +03:00
.update_send = gensec_ntlmssp_update_send,
.update_recv = gensec_ntlmssp_update_recv,
auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend These can be used to implement the winbindd side of the WINBINDD_CCACHE_NTLMAUTH call. It can properly get the initial NEGOTIATE messages injected if available. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2015-11-25 23:41:23 +03:00
.session_key = gensec_ntlmssp_session_key,
.have_feature = gensec_ntlmssp_have_feature,
.enabled = true,
.priority = GENSEC_NTLMSSP
};
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *) Not currently used - no logic changes inside. This will make it possible to pass down a long-lived talloc context from the loading function for modules to use instead of having them internally all use talloc_autofree_context() which is a hidden global. Updated all known module interface numbers, and added a WHATSNEW. Signed-off-by: Jeremy Allison <jra@samba.org> Signed-off-by: Ralph Böhme <slow@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-20 22:24:43 +03:00
_PUBLIC_ NTSTATUS gensec_ntlmssp_init(TALLOC_CTX *ctx)
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
{
NTSTATUS ret;
r14952: Make sure the auth subsystem gets initialized if a gensec module needs it. (This used to be commit ecf84248b48783fb0ccbeff4d37d930b21fb96df)
2006-04-06 20:08:46 +04:00
gensec: Add a TALLOC_CTX * to gensec_register(). Pass in the TALLOC_CTX * from the module init to remove another talloc_autofree_context() use. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-12 01:56:29 +03:00
ret = gensec_register(ctx, &gensec_ntlmssp_security_ops);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
gensec_ntlmssp_security_ops.name));
return ret;
}
gensec: Add a TALLOC_CTX * to gensec_register(). Pass in the TALLOC_CTX * from the module init to remove another talloc_autofree_context() use. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-12 01:56:29 +03:00
ret = gensec_register(ctx, &gensec_ntlmssp_resume_ccache_ops);
auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend These can be used to implement the winbindd side of the WINBINDD_CCACHE_NTLMAUTH call. It can properly get the initial NEGOTIATE messages injected if available. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2015-11-25 23:41:23 +03:00
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
gensec_ntlmssp_resume_ccache_ops.name));
return ret;
}
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return ret;
}
s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-side This uses the common gensec_ntlmssp server code for ntlm_auth, removing the last non-gensec use of the NTLMSSP server. Andrew Bartlett
2012-02-07 10:02:14 +04:00
auth/ntlmssp: add gensec_ntlmssp_server_domain() This is a hack in order to temporary export the server domain from NTLMSSP through the gensec stack. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-02 14:06:50 +03:00
static struct gensec_security *gensec_find_child_by_ops(struct gensec_security *gensec_security,
const struct gensec_security_ops *ops)
{
struct gensec_security *current = gensec_security;
while (current != NULL) {
if (current->ops == ops) {
return current;
}
current = current->child_security;
}
return NULL;
}
s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-side This uses the common gensec_ntlmssp server code for ntlm_auth, removing the last non-gensec use of the NTLMSSP server. Andrew Bartlett
2012-02-07 10:02:14 +04:00
uint32_t gensec_ntlmssp_neg_flags(struct gensec_security *gensec_security)
{
struct gensec_ntlmssp_context *gensec_ntlmssp;
auth/ntlmssp: add gensec_ntlmssp_server_domain() This is a hack in order to temporary export the server domain from NTLMSSP through the gensec stack. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-02 14:06:50 +03:00
gensec_security = gensec_find_child_by_ops(gensec_security,
&gensec_ntlmssp_security_ops);
if (gensec_security == NULL) {
s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-side This uses the common gensec_ntlmssp server code for ntlm_auth, removing the last non-gensec use of the NTLMSSP server. Andrew Bartlett
2012-02-07 10:02:14 +04:00
return 0;
}
auth/ntlmssp: add gensec_ntlmssp_server_domain() This is a hack in order to temporary export the server domain from NTLMSSP through the gensec stack. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-02 14:06:50 +03:00
s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-side This uses the common gensec_ntlmssp server code for ntlm_auth, removing the last non-gensec use of the NTLMSSP server. Andrew Bartlett
2012-02-07 10:02:14 +04:00
gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
return gensec_ntlmssp->ntlmssp_state->neg_flags;
}
auth/ntlmssp: add gensec_ntlmssp_server_domain() This is a hack in order to temporary export the server domain from NTLMSSP through the gensec stack. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-02 14:06:50 +03:00
const char *gensec_ntlmssp_server_domain(struct gensec_security *gensec_security)
{
struct gensec_ntlmssp_context *gensec_ntlmssp;
gensec_security = gensec_find_child_by_ops(gensec_security,
&gensec_ntlmssp_security_ops);
if (gensec_security == NULL) {
return NULL;
}
gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
return gensec_ntlmssp->ntlmssp_state->server.netbios_domain;
}
Copy Permalink