sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code
f31d144e70
samba-mirror/source4/auth/ntlmssp/ntlmssp_server.c

794 lines
27 KiB
C
Raw Normal View History

r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/*
Unix SMB/Netbios implementation.
Version 3.0
handle NLTMSSP, client server side parsing
Copyright (C) Andrew Tridgell 2001
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
Copyright (C) Stefan Metzmacher 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 06:07:03 +04:00
the Free Software Foundation; either version 3 of the License, or
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 06:07:03 +04:00
along with this program. If not, see <http://www.gnu.org/licenses/>.
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
*/
#include "includes.h"
s4:auth: try to fix the build on Solaris MAXHOSTNAMELEN comes in via system/network.h now. metze
2009-01-31 13:34:12 +03:00
#include "system/network.h"
s4-gensec: Replace gensec_get_peer_addr with new tsocket based fn.
2009-12-16 18:41:21 +03:00
#include "lib/tsocket/tsocket.h"
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
#include "auth/ntlmssp/ntlmssp.h"
Fix Samba4 build errors with common libcli/samsync
2009-04-16 04:17:17 +04:00
#include "../libcli/auth/libcli_auth.h"
Move source4/lib/crypto to lib/crypto.
2008-09-24 17:30:23 +04:00
#include "../lib/crypto/crypto.h"
r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2006-11-07 03:48:36 +03:00
#include "auth/gensec/gensec.h"
#include "auth/auth.h"
r25026: Move param/param.h out of includes.h (This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
2007-09-08 16:42:09 +04:00
#include "param/param.h"
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
r6460: Push the client credentials into NTLMSSP, allowing logins of the form user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
2005-04-25 10:33:20 +04:00
/**
* Set a username on an NTLMSSP context - ensures it is talloc()ed
*
*/
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
static NTSTATUS ntlmssp_set_username(struct gensec_ntlmssp_state *gensec_ntlmssp_state, const char *user)
r6460: Push the client credentials into NTLMSSP, allowing logins of the form user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
2005-04-25 10:33:20 +04:00
{
if (!user) {
/* it should be at least "" */
DEBUG(1, ("NTLMSSP failed to set username - cannot accept NULL username\n"));
return NT_STATUS_INVALID_PARAMETER;
}
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->user = talloc_strdup(gensec_ntlmssp_state, user);
if (!gensec_ntlmssp_state->user) {
r6460: Push the client credentials into NTLMSSP, allowing logins of the form user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
2005-04-25 10:33:20 +04:00
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}
/**
* Set a domain on an NTLMSSP context - ensures it is talloc()ed
*
*/
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
static NTSTATUS ntlmssp_set_domain(struct gensec_ntlmssp_state *gensec_ntlmssp_state, const char *domain)
r6460: Push the client credentials into NTLMSSP, allowing logins of the form user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
2005-04-25 10:33:20 +04:00
{
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->domain = talloc_strdup(gensec_ntlmssp_state, domain);
if (!gensec_ntlmssp_state->domain) {
r6460: Push the client credentials into NTLMSSP, allowing logins of the form user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
2005-04-25 10:33:20 +04:00
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}
/**
* Set a workstation on an NTLMSSP context - ensures it is talloc()ed
*
*/
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
static NTSTATUS ntlmssp_set_workstation(struct gensec_ntlmssp_state *gensec_ntlmssp_state, const char *workstation)
r6460: Push the client credentials into NTLMSSP, allowing logins of the form user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
2005-04-25 10:33:20 +04:00
{
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->workstation = talloc_strdup(gensec_ntlmssp_state, workstation);
if (!gensec_ntlmssp_state->workstation) {
r6460: Push the client credentials into NTLMSSP, allowing logins of the form user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
2005-04-25 10:33:20 +04:00
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/**
* Determine correct target name flags for reply, given server role
* and negotiated flags
*
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
* @param gensec_ntlmssp_state NTLMSSP State
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
* @param neg_flags The flags from the packet
* @param chal_flags The flags to be set in the reply packet
* @return The 'target name' string.
*/
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
static const char *ntlmssp_target_name(struct gensec_ntlmssp_state *gensec_ntlmssp_state,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
uint32_t neg_flags, uint32_t *chal_flags)
{
if (neg_flags & NTLMSSP_REQUEST_TARGET) {
s4-ntlmssp: use NTLMSSP headers from IDL and remove duplicate constants. Guenther
2009-08-25 14:12:59 +04:00
*chal_flags |= NTLMSSP_NEGOTIATE_TARGET_INFO;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
*chal_flags |= NTLMSSP_REQUEST_TARGET;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (gensec_ntlmssp_state->server_role == ROLE_STANDALONE) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
*chal_flags |= NTLMSSP_TARGET_TYPE_SERVER;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
return gensec_ntlmssp_state->server_name;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
} else {
*chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN;
r25398: Parse loadparm context to all lp_*() functions. (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
2007-09-28 05:17:46 +04:00
return gensec_ntlmssp_state->domain;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
};
} else {
return "";
}
}
r7597: removed the bogus get_myfullname() and get_mydomname() calls, and put them in the ntlmssp code, which is the only place they are used. Andrew, please remove them completely once you have some more reliable way to get this info they are bogus as gethostname() may give us a short hostname (and does on lot of systems), so the calls often give totally the wrong result anyway (This used to be commit 35ec292f86bf663618b4bd03133d9bbd6e2faf10)
2005-06-15 05:08:54 +04:00
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/**
* Next state function for the Negotiate packet
*
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
* @param gensec_security GENSEC state
* @param out_mem_ctx Memory context for *out
* @param in The request, as a DATA_BLOB. reply.data must be NULL
* @param out The reply, as an allocated DATA_BLOB, caller to free.
* @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
*/
r6460: Push the client credentials into NTLMSSP, allowing logins of the form user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
2005-04-25 10:33:20 +04:00
NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
{
r25000: Fix some more C++ compatibility warnings. (This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4)
2007-09-07 19:08:14 +04:00
struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
DATA_BLOB struct_blob;
uint32_t neg_flags = 0;
uint32_t ntlmssp_command, chal_flags;
s4:auth/ntlmssp: let get_challenge() return a NTSTATUS and fill a stack buffer metze
2009-12-29 12:44:19 +03:00
uint8_t cryptkey[8];
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
const char *target_name;
s4:auth/ntlmssp: let get_challenge() return a NTSTATUS and fill a stack buffer metze
2009-12-29 12:44:19 +03:00
NTSTATUS status;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* parse the NTLMSSP packet */
#if 0
file_save("ntlmssp_negotiate.dat", request.data, request.length);
#endif
if (in.length) {
r26652: msrpc_parse/msrpc_gen: Add iconv_convenience argument. (This used to be commit e886f1bc0dc694971979716d1991535c7d2e08de)
2008-01-04 02:22:04 +03:00
if ((in.length < 16) || !msrpc_parse(out_mem_ctx,
&in, "Cdd",
r11080: Narrowing down on the #1828 PPC bug. The PPC client sends an initial NTLMSSP negotiate blob of only 16 bytes - no strings added ! (So don't try parsing them). Jeremy. (This used to be commit 42d93a317ab424a0720620b83c285b5118bcc06f)
2005-10-15 04:48:47 +04:00
"NTLMSSP",
&ntlmssp_command,
&neg_flags)) {
DEBUG(1, ("ntlmssp_server_negotiate: failed to parse "
"NTLMSSP Negotiate of length %u:\n",
(unsigned int)in.length ));
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
dump_data(2, in.data, in.length);
return NT_STATUS_INVALID_PARAMETER;
}
debug_ntlmssp_flags(neg_flags);
}
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
ntlmssp_handle_neg_flags(gensec_ntlmssp_state, neg_flags, gensec_ntlmssp_state->allow_lm_key);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* Ask our caller what challenge they would like in the packet */
s4:auth/ntlmssp: let get_challenge() return a NTSTATUS and fill a stack buffer metze
2009-12-29 12:44:19 +03:00
status = gensec_ntlmssp_state->get_challenge(gensec_ntlmssp_state, cryptkey);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a challenge: %s\n",
nt_errstr(status)));
return status;
auth/ntlmssp: don't crash when the backend give no challenge metze (This used to be commit c01fee80a79cd9e0f7bb295333bb03bd37328d05)
2008-08-01 18:10:06 +04:00
}
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* Check if we may set the challenge */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (!gensec_ntlmssp_state->may_set_challenge(gensec_ntlmssp_state)) {
gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
/* The flags we send back are not just the negotiated flags,
* they are also 'what is in this packet'. Therfore, we
* operate on 'chal_flags' from here on
*/
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
chal_flags = gensec_ntlmssp_state->neg_flags;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* get the right name to fill in as 'target' */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
target_name = ntlmssp_target_name(gensec_ntlmssp_state,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
neg_flags, &chal_flags);
if (target_name == NULL)
return NT_STATUS_INVALID_PARAMETER;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->chal = data_blob_talloc(gensec_ntlmssp_state, cryptkey, 8);
gensec_ntlmssp_state->internal_chal = data_blob_talloc(gensec_ntlmssp_state, cryptkey, 8);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* This creates the 'blob' of names that appears at the end of the packet */
s4-ntlmssp: use NTLMSSP headers from IDL and remove duplicate constants. Guenther
2009-08-25 14:12:59 +04:00
if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
NTLMSSP Server: Correctly fills in the DNS server name and server domain Don't rely on "get*" system calls but rather on SAMBA "lp_*" calls. Signed-off-by: Stefan Metzmacher <metze@samba.org>
2008-09-17 19:55:52 +04:00
char dnsdomname[MAXHOSTNAMELEN], dnsname[MAXHOSTNAMELEN];
/* Find out the DNS domain name */
dnsdomname[0] = '\0';
s4:ntlmssp server - use also here the new "lp_dnsdomain()" call
2009-10-15 12:30:55 +04:00
safe_strcpy(dnsdomname, lp_dnsdomain(gensec_security->settings->lp_ctx), sizeof(dnsdomname) - 1);
NTLMSSP Server: Correctly fills in the DNS server name and server domain Don't rely on "get*" system calls but rather on SAMBA "lp_*" calls. Signed-off-by: Stefan Metzmacher <metze@samba.org>
2008-09-17 19:55:52 +04:00
/* Find out the DNS host name */
safe_strcpy(dnsname, gensec_ntlmssp_state->server_name, sizeof(dnsname) - 1);
if (dnsdomname[0] != '\0') {
safe_strcat(dnsname, ".", sizeof(dnsname) - 1);
safe_strcat(dnsname, dnsdomname, sizeof(dnsname) - 1);
}
strlower_m(dnsname);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
msrpc_gen(out_mem_ctx,
&struct_blob, "aaaaa",
s4-ntlmssp: use interface constants in TargetInfo blob. Guenther
2009-08-25 14:27:51 +04:00
MsvAvNbDomainName, target_name,
MsvAvNbComputerName, gensec_ntlmssp_state->server_name,
MsvAvDnsDomainName, dnsdomname,
MsvAvDnsComputerName, dnsname,
MsvAvEOL, "");
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
} else {
struct_blob = data_blob(NULL, 0);
}
{
NTLMSSP Server: Correctly fills in the DNS server name and server domain Don't rely on "get*" system calls but rather on SAMBA "lp_*" calls. Signed-off-by: Stefan Metzmacher <metze@samba.org>
2008-09-17 19:55:52 +04:00
/* Marshal the packet in the right format, be it unicode or ASCII */
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
const char *gen_string;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (gensec_ntlmssp_state->unicode) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
gen_string = "CdUdbddB";
} else {
gen_string = "CdAdbddB";
}
msrpc_gen(out_mem_ctx,
out, gen_string,
"NTLMSSP",
NTLMSSP_CHALLENGE,
target_name,
chal_flags,
cryptkey, 8,
0, 0,
struct_blob.data, struct_blob.length);
}
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->expected_state = NTLMSSP_AUTH;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
/**
* Next state function for the Authenticate packet
*
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
* @param gensec_ntlmssp_state NTLMSSP State
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
* @param request The request, as a DATA_BLOB
* @return Errors or NT_STATUS_OK.
*/
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
static NTSTATUS ntlmssp_server_preauth(struct gensec_ntlmssp_state *gensec_ntlmssp_state,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
const DATA_BLOB request)
{
uint32_t ntlmssp_command, auth_flags;
NTSTATUS nt_status;
uint8_t session_nonce_hash[16];
const char *parse_string;
char *domain = NULL;
char *user = NULL;
char *workstation = NULL;
#if 0
file_save("ntlmssp_auth.dat", request.data, request.length);
#endif
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (gensec_ntlmssp_state->unicode) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
parse_string = "CdBBUUUBd";
} else {
parse_string = "CdBBAAABd";
}
/* zero these out */
s4:ntlmssp_server: clear session key in ntlmssp_server_preauth() metze
2009-12-29 17:54:59 +03:00
data_blob_free(&gensec_ntlmssp_state->session_key);
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
data_blob_free(&gensec_ntlmssp_state->lm_resp);
data_blob_free(&gensec_ntlmssp_state->nt_resp);
r6465: Use talloc_zero for the gensec_ntlmssp_state structure, as the history of this code has too many pre-zeroed structure assumptions. Remove unused 'stub' functions Andrew Bartlett (This used to be commit 78dc57c65513ba4c271308d84fc2a2a533f76061)
2005-04-25 14:58:46 +04:00
data_blob_free(&gensec_ntlmssp_state->encrypted_session_key);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->user = NULL;
gensec_ntlmssp_state->domain = NULL;
gensec_ntlmssp_state->workstation = NULL;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* now the NTLMSSP encoded auth hashes */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (!msrpc_parse(gensec_ntlmssp_state,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
&request, parse_string,
"NTLMSSP",
&ntlmssp_command,
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
&gensec_ntlmssp_state->lm_resp,
&gensec_ntlmssp_state->nt_resp,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
&domain,
&user,
&workstation,
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
&gensec_ntlmssp_state->encrypted_session_key,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
&auth_flags)) {
DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n"));
dump_data(10, request.data, request.length);
/* zero this out */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
data_blob_free(&gensec_ntlmssp_state->encrypted_session_key);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
auth_flags = 0;
/* Try again with a shorter string (Win9X truncates this packet) */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (gensec_ntlmssp_state->unicode) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
parse_string = "CdBBUUU";
} else {
parse_string = "CdBBAAA";
}
/* now the NTLMSSP encoded auth hashes */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (!msrpc_parse(gensec_ntlmssp_state,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
&request, parse_string,
"NTLMSSP",
&ntlmssp_command,
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
&gensec_ntlmssp_state->lm_resp,
&gensec_ntlmssp_state->nt_resp,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
&domain,
&user,
&workstation)) {
DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP:\n"));
dump_data(2, request.data, request.length);
return NT_STATUS_INVALID_PARAMETER;
}
}
if (auth_flags)
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
ntlmssp_handle_neg_flags(gensec_ntlmssp_state, auth_flags, gensec_ntlmssp_state->allow_lm_key);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(gensec_ntlmssp_state, domain))) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* zero this out */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
data_blob_free(&gensec_ntlmssp_state->encrypted_session_key);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return nt_status;
}
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(gensec_ntlmssp_state, user))) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* zero this out */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
data_blob_free(&gensec_ntlmssp_state->encrypted_session_key);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return nt_status;
}
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_workstation(gensec_ntlmssp_state, workstation))) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* zero this out */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
data_blob_free(&gensec_ntlmssp_state->encrypted_session_key);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return nt_status;
}
DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n",
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->user, gensec_ntlmssp_state->domain, gensec_ntlmssp_state->workstation, (unsigned long)gensec_ntlmssp_state->lm_resp.length, (unsigned long)gensec_ntlmssp_state->nt_resp.length));
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
#if 0
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
file_save("nthash1.dat", &gensec_ntlmssp_state->nt_resp.data, &gensec_ntlmssp_state->nt_resp.length);
file_save("lmhash1.dat", &gensec_ntlmssp_state->lm_resp.data, &gensec_ntlmssp_state->lm_resp.length);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
#endif
/* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a
client challenge
However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful.
*/
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
if (gensec_ntlmssp_state->nt_resp.length == 24 && gensec_ntlmssp_state->lm_resp.length == 24) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
struct MD5Context md5_session_nonce_ctx;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
SMB_ASSERT(gensec_ntlmssp_state->internal_chal.data
&& gensec_ntlmssp_state->internal_chal.length == 8);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
r25552: Convert to standard bool type. (This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245)
2007-10-07 02:16:19 +04:00
gensec_ntlmssp_state->doing_ntlm2 = true;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
r6738: My version of the patch by metze that I just reverted (-r 6734). This also includes other changes to reduce memory use by GENSEC when not being used for sign/seal operations. This should lower tridge's K 'per connection' benchmark further. Andrew Bartlett (This used to be commit 4a5829401b20c10091185bbd93236477523459b2)
2005-05-11 23:22:22 +04:00
memcpy(gensec_ntlmssp_state->crypt.ntlm2.session_nonce, gensec_ntlmssp_state->internal_chal.data, 8);
memcpy(&gensec_ntlmssp_state->crypt.ntlm2.session_nonce[8], gensec_ntlmssp_state->lm_resp.data, 8);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
MD5Init(&md5_session_nonce_ctx);
r6738: My version of the patch by metze that I just reverted (-r 6734). This also includes other changes to reduce memory use by GENSEC when not being used for sign/seal operations. This should lower tridge's K 'per connection' benchmark further. Andrew Bartlett (This used to be commit 4a5829401b20c10091185bbd93236477523459b2)
2005-05-11 23:22:22 +04:00
MD5Update(&md5_session_nonce_ctx, gensec_ntlmssp_state->crypt.ntlm2.session_nonce, 16);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->chal = data_blob_talloc(gensec_ntlmssp_state,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
session_nonce_hash, 8);
/* LM response is no longer useful, zero it out */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
data_blob_free(&gensec_ntlmssp_state->lm_resp);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* We changed the effective challenge - set it */
if (!NT_STATUS_IS_OK(nt_status =
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->set_challenge(gensec_ntlmssp_state,
r6738: My version of the patch by metze that I just reverted (-r 6734). This also includes other changes to reduce memory use by GENSEC when not being used for sign/seal operations. This should lower tridge's K 'per connection' benchmark further. Andrew Bartlett (This used to be commit 4a5829401b20c10091185bbd93236477523459b2)
2005-05-11 23:22:22 +04:00
&gensec_ntlmssp_state->chal))) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* zero this out */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
data_blob_free(&gensec_ntlmssp_state->encrypted_session_key);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return nt_status;
}
/* LM Key is incompatible... */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
}
return NT_STATUS_OK;
}
/**
* Next state function for the Authenticate packet
* (after authentication - figures out the session keys etc)
*
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
* @param gensec_ntlmssp_state NTLMSSP State
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
* @return Errors or NT_STATUS_OK.
*/
r6738: My version of the patch by metze that I just reverted (-r 6734). This also includes other changes to reduce memory use by GENSEC when not being used for sign/seal operations. This should lower tridge's K 'per connection' benchmark further. Andrew Bartlett (This used to be commit 4a5829401b20c10091185bbd93236477523459b2)
2005-05-11 23:22:22 +04:00
static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
DATA_BLOB *user_session_key,
DATA_BLOB *lm_session_key)
{
r25000: Fix some more C++ compatibility warnings. (This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4)
2007-09-07 19:08:14 +04:00
struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
NTSTATUS nt_status;
DATA_BLOB session_key = data_blob(NULL, 0);
s4:ntlmssp_server: always call ntlmssp_server_postauth() and decide there if it's a noop metze
2009-12-29 18:10:57 +03:00
if (!(gensec_security->want_features
& (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SESSION_KEY))) {
return NT_STATUS_OK;
}
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
if (user_session_key)
dump_data_pw("USER session key:\n", user_session_key->data, user_session_key->length);
if (lm_session_key)
dump_data_pw("LM first-8:\n", lm_session_key->data, lm_session_key->length);
/* Handle the different session key derivation for NTLM2 */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (gensec_ntlmssp_state->doing_ntlm2) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
if (user_session_key && user_session_key->data && user_session_key->length == 16) {
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16);
r6738: My version of the patch by metze that I just reverted (-r 6734). This also includes other changes to reduce memory use by GENSEC when not being used for sign/seal operations. This should lower tridge's K 'per connection' benchmark further. Andrew Bartlett (This used to be commit 4a5829401b20c10091185bbd93236477523459b2)
2005-05-11 23:22:22 +04:00
hmac_md5(user_session_key->data, gensec_ntlmssp_state->crypt.ntlm2.session_nonce,
sizeof(gensec_ntlmssp_state->crypt.ntlm2.session_nonce), session_key.data);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
} else {
DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n"));
session_key = data_blob(NULL, 0);
}
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
} else if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* Ensure we can never get here on NTLMv2 */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
&& (gensec_ntlmssp_state->nt_resp.length == 0 || gensec_ntlmssp_state->nt_resp.length == 24)) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
if (lm_session_key && lm_session_key->data && lm_session_key->length >= 8) {
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (gensec_ntlmssp_state->lm_resp.data && gensec_ntlmssp_state->lm_resp.length == 24) {
session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16);
SMBsesskeygen_lm_sess_key(lm_session_key->data, gensec_ntlmssp_state->lm_resp.data,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
session_key.data);
DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
dump_data_pw("LM session key:\n", session_key.data, session_key.length);
} else {
/* When there is no LM response, just use zeros */
static const uint8_t zeros[24];
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
SMBsesskeygen_lm_sess_key(zeros, zeros,
session_key.data);
DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
dump_data_pw("LM session key:\n", session_key.data, session_key.length);
}
} else {
/* LM Key not selected */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n"));
session_key = data_blob(NULL, 0);
}
} else if (user_session_key && user_session_key->data) {
s4:auth It is easier to copy the session key than get talloc right. The session keys as supplied already have a reference on them, so stealing them creates challenges. For 16 bytes, it is just easier to be consistant and copy them. Andrew Bartlett
2009-07-07 07:27:47 +04:00
session_key = data_blob_talloc(gensec_ntlmssp_state, user_session_key->data, user_session_key->length);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
/* LM Key not selected */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
} else if (lm_session_key && lm_session_key->data) {
/* Very weird to have LM key, but no user session key, but anyway.. */
s4:auth It is easier to copy the session key than get talloc right. The session keys as supplied already have a reference on them, so stealing them creates challenges. For 16 bytes, it is just easier to be consistant and copy them. Andrew Bartlett
2009-07-07 07:27:47 +04:00
session_key = data_blob_talloc(gensec_ntlmssp_state, lm_session_key->data, lm_session_key->length);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n"));
dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
/* LM Key not selected */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
} else {
DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n"));
session_key = data_blob(NULL, 0);
/* LM Key not selected */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
/* With KEY_EXCH, the client supplies the proposed session key,
but encrypts it with the long-term key */
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
if (!gensec_ntlmssp_state->encrypted_session_key.data
|| gensec_ntlmssp_state->encrypted_session_key.length != 16) {
data_blob_free(&gensec_ntlmssp_state->encrypted_session_key);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
DEBUG(1, ("Client-supplied KEY_EXCH session key was of invalid length (%u)!\n",
r8520: fixed a pile of warnings from the build farm gcc -Wall output on S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2005-07-17 13:20:52 +04:00
(unsigned)gensec_ntlmssp_state->encrypted_session_key.length));
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return NT_STATUS_INVALID_PARAMETER;
} else if (!session_key.data || session_key.length != 16) {
DEBUG(5, ("server session key is invalid (len == %u), cannot do KEY_EXCH!\n",
r8520: fixed a pile of warnings from the build farm gcc -Wall output on S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2005-07-17 13:20:52 +04:00
(unsigned)session_key.length));
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->session_key = session_key;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
} else {
dump_data_pw("KEY_EXCH session key (enc):\n",
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->encrypted_session_key.data,
gensec_ntlmssp_state->encrypted_session_key.length);
arcfour_crypt(gensec_ntlmssp_state->encrypted_session_key.data,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
session_key.data,
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->encrypted_session_key.length);
gensec_ntlmssp_state->session_key = data_blob_talloc(gensec_ntlmssp_state,
gensec_ntlmssp_state->encrypted_session_key.data,
gensec_ntlmssp_state->encrypted_session_key.length);
dump_data_pw("KEY_EXCH session key:\n", gensec_ntlmssp_state->encrypted_session_key.data,
gensec_ntlmssp_state->encrypted_session_key.length);
s4:auth It is easier to copy the session key than get talloc right. The session keys as supplied already have a reference on them, so stealing them creates challenges. For 16 bytes, it is just easier to be consistant and copy them. Andrew Bartlett
2009-07-07 07:27:47 +04:00
talloc_free(session_key.data);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
} else {
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->session_key = session_key;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
r6738: My version of the patch by metze that I just reverted (-r 6734). This also includes other changes to reduce memory use by GENSEC when not being used for sign/seal operations. This should lower tridge's K 'per connection' benchmark further. Andrew Bartlett (This used to be commit 4a5829401b20c10091185bbd93236477523459b2)
2005-05-11 23:22:22 +04:00
if ((gensec_security->want_features & GENSEC_FEATURE_SIGN)
|| (gensec_security->want_features & GENSEC_FEATURE_SEAL)) {
nt_status = ntlmssp_sign_init(gensec_ntlmssp_state);
} else {
nt_status = NT_STATUS_OK;
}
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
data_blob_free(&gensec_ntlmssp_state->encrypted_session_key);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
/* allow arbitarily many authentications, but watch that this will cause a
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
memory leak, until the gensec_ntlmssp_state is shutdown
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
*/
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (gensec_ntlmssp_state->server_multiple_authentications) {
gensec_ntlmssp_state->expected_state = NTLMSSP_AUTH;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
} else {
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->expected_state = NTLMSSP_DONE;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
return nt_status;
}
/**
* Next state function for the Authenticate packet
*
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
* @param gensec_security GENSEC state
* @param out_mem_ctx Memory context for *out
* @param in The request, as a DATA_BLOB. reply.data must be NULL
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
* @param out The reply, as an allocated DATA_BLOB, caller to free.
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
* @return Errors or NT_STATUS_OK if authentication sucessful
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
*/
r6460: Push the client credentials into NTLMSSP, allowing logins of the form user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
2005-04-25 10:33:20 +04:00
NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security,
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
r6738: My version of the patch by metze that I just reverted (-r 6734). This also includes other changes to reduce memory use by GENSEC when not being used for sign/seal operations. This should lower tridge's K 'per connection' benchmark further. Andrew Bartlett (This used to be commit 4a5829401b20c10091185bbd93236477523459b2)
2005-05-11 23:22:22 +04:00
{
r25000: Fix some more C++ compatibility warnings. (This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4)
2007-09-07 19:08:14 +04:00
struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
s4:ntlmssp: use data_blob_null in ntlmssp_server_auth() metze
2009-12-29 14:58:44 +03:00
DATA_BLOB user_session_key = data_blob_null;
DATA_BLOB lm_session_key = data_blob_null;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
NTSTATUS nt_status;
/* zero the outbound NTLMSSP packet */
s4:ntlmssp: use data_blob_null in ntlmssp_server_auth() metze
2009-12-29 14:58:44 +03:00
*out = data_blob_null;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
s4:ntlmssp_server: don't use a mem_ctx for ntlmssp_server_auth() metze
2009-12-29 18:07:16 +03:00
nt_status = ntlmssp_server_preauth(gensec_ntlmssp_state, in);
if (!NT_STATUS_IS_OK(nt_status)) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return nt_status;
}
/*
* Note we don't check here for NTLMv2 auth settings. If NTLMv2 auth
* is required (by "ntlm auth = no" and "lm auth = no" being set in the
* smb.conf file) and no NTLMv2 response was sent then the password check
* will fail here. JRA.
*/
/* Finally, actually ask if the password is OK */
s4:ntlmssp_server: don't use a mem_ctx for ntlmssp_server_auth() metze
2009-12-29 18:07:16 +03:00
nt_status = gensec_ntlmssp_state->check_password(gensec_ntlmssp_state,
NULL,
&user_session_key,
&lm_session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return nt_status;
}
s4:ntlmssp: use data_blob_null in ntlmssp_server_auth() metze
2009-12-29 14:58:44 +03:00
s4:ntlmssp_server: always call ntlmssp_server_postauth() and decide there if it's a noop metze
2009-12-29 18:10:57 +03:00
nt_status = ntlmssp_server_postauth(gensec_security,
&user_session_key,
&lm_session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
r13252: Cleanup, both in code, comments and talloc use: In particular, I've used the --leak-report-full option to smbd to track down memory that shouldn't be on a long-term context. This is now talloc_free()ed much earlier. Andrew Bartlett (This used to be commit c6eb74f42989d62c82d2a219251837b09df8491c)
2006-01-31 06:15:16 +03:00
return nt_status;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
s4:ntlmssp_server: always call ntlmssp_server_postauth() and decide there if it's a noop metze
2009-12-29 18:10:57 +03:00
return NT_STATUS_OK;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
/**
* Return the challenge as determined by the authentication subsystem
* @return an 8 byte random challenge
*/
s4:auth/ntlmssp: let get_challenge() return a NTSTATUS and fill a stack buffer metze
2009-12-29 12:44:19 +03:00
static NTSTATUS auth_ntlmssp_get_challenge(const struct gensec_ntlmssp_state *gensec_ntlmssp_state,
uint8_t chal[8])
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
{
NTSTATUS status;
s4:auth Change 'get_challenge' API to be more like Samba3 It is just easier to fill in the known to be 8 byte challenge than stuff about with allocated pointers. Andrew Bartlett
2009-12-14 12:32:47 +03:00
status = gensec_ntlmssp_state->auth_context->get_challenge(gensec_ntlmssp_state->auth_context, chal);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
if (!NT_STATUS_IS_OK(status)) {
auth/ntlmssp: don't crash when the backend give no challenge metze (This used to be commit c01fee80a79cd9e0f7bb295333bb03bd37328d05)
2008-08-01 18:10:06 +04:00
DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
nt_errstr(status)));
s4:auth/ntlmssp: let get_challenge() return a NTSTATUS and fill a stack buffer metze
2009-12-29 12:44:19 +03:00
return status;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
s4:auth/ntlmssp: let get_challenge() return a NTSTATUS and fill a stack buffer metze
2009-12-29 12:44:19 +03:00
return NT_STATUS_OK;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
/**
* Some authentication methods 'fix' the challenge, so we may not be able to set it
*
* @return If the effective challenge used by the auth subsystem may be modified
*/
r25552: Convert to standard bool type. (This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245)
2007-10-07 02:16:19 +04:00
static bool auth_ntlmssp_may_set_challenge(const struct gensec_ntlmssp_state *gensec_ntlmssp_state)
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
{
Remove auth/ntlm as a dependency of GENSEC by means of function pointers. When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-13 02:24:16 +03:00
return gensec_ntlmssp_state->auth_context->challenge_may_be_modified(gensec_ntlmssp_state->auth_context);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
/**
* NTLM2 authentication modifies the effective challenge,
* @param challenge The new challenge value
*/
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
static NTSTATUS auth_ntlmssp_set_challenge(struct gensec_ntlmssp_state *gensec_ntlmssp_state, DATA_BLOB *challenge)
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
{
NTSTATUS nt_status;
struct auth_context *auth_context = gensec_ntlmssp_state->auth_context;
const uint8_t *chal;
if (challenge->length != 8) {
return NT_STATUS_INVALID_PARAMETER;
}
chal = challenge->data;
Remove auth/ntlm as a dependency of GENSEC by means of function pointers. When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-13 02:24:16 +03:00
nt_status = gensec_ntlmssp_state->auth_context->set_challenge(auth_context,
chal,
"NTLMSSP callback (NTLM2)");
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return nt_status;
}
/**
* Check the password on an NTLMSSP login.
*
* Return the session keys used on the connection.
*/
r13252: Cleanup, both in code, comments and talloc use: In particular, I've used the --leak-report-full option to smbd to track down memory that shouldn't be on a long-term context. This is now talloc_free()ed much earlier. Andrew Bartlett (This used to be commit c6eb74f42989d62c82d2a219251837b09df8491c)
2006-01-31 06:15:16 +03:00
static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_ntlmssp_state,
TALLOC_CTX *mem_ctx,
DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
{
NTSTATUS nt_status;
s4:ntlmssp_server: don't use mem_ctx in auth_ntlmssp_check_password() metze
2009-12-29 18:02:00 +03:00
struct auth_usersupplied_info *user_info;
user_info = talloc(gensec_ntlmssp_state, struct auth_usersupplied_info);
r8700: Propmted by tridge's need to do plaintext auth in ejs, rework the user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2005-07-22 08:10:07 +04:00
if (!user_info) {
return NT_STATUS_NO_MEMORY;
}
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
r11366: Pass around the flags which indicate if we should support plaintext logins and NTLM machine account logins. Andrew Bartlett (This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)
2005-10-28 12:54:37 +04:00
user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
r8700: Propmted by tridge's need to do plaintext auth in ejs, rework the user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2005-07-22 08:10:07 +04:00
user_info->flags = 0;
r25552: Convert to standard bool type. (This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245)
2007-10-07 02:16:19 +04:00
user_info->mapped_state = false;
r8700: Propmted by tridge's need to do plaintext auth in ejs, rework the user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2005-07-22 08:10:07 +04:00
user_info->client.account_name = gensec_ntlmssp_state->user;
user_info->client.domain_name = gensec_ntlmssp_state->domain;
user_info->workstation_name = gensec_ntlmssp_state->workstation;
s4-gensec: Replace gensec_get_peer_addr with new tsocket based fn.
2009-12-16 18:41:21 +03:00
user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp_state->gensec_security);
r12804: This patch reworks the Samba4 sockets layer to use a socket_address structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2006-01-10 01:12:53 +03:00
r8700: Propmted by tridge's need to do plaintext auth in ejs, rework the user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2005-07-22 08:10:07 +04:00
user_info->password_state = AUTH_PASSWORD_RESPONSE;
user_info->password.response.lanman = gensec_ntlmssp_state->lm_resp;
user_info->password.response.lanman.data = talloc_steal(user_info, gensec_ntlmssp_state->lm_resp.data);
user_info->password.response.nt = gensec_ntlmssp_state->nt_resp;
user_info->password.response.nt.data = talloc_steal(user_info, gensec_ntlmssp_state->nt_resp.data);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
s4:ntlmssp_server: don't use mem_ctx in auth_ntlmssp_check_password() metze
2009-12-29 18:02:00 +03:00
nt_status = gensec_ntlmssp_state->auth_context->check_password(gensec_ntlmssp_state->auth_context,
gensec_ntlmssp_state,
user_info,
Remove auth/ntlm as a dependency of GENSEC by means of function pointers. When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-13 02:24:16 +03:00
&gensec_ntlmssp_state->server_info);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
talloc_free(user_info);
NT_STATUS_NOT_OK_RETURN(nt_status);
if (gensec_ntlmssp_state->server_info->user_session_key.length) {
s4:ntlmssp_server: don't use mem_ctx in auth_ntlmssp_check_password() metze
2009-12-29 18:02:00 +03:00
DEBUG(10, ("Got NT session key of length %u\n",
r8520: fixed a pile of warnings from the build farm gcc -Wall output on S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2005-07-17 13:20:52 +04:00
(unsigned)gensec_ntlmssp_state->server_info->user_session_key.length));
r13252: Cleanup, both in code, comments and talloc use: In particular, I've used the --leak-report-full option to smbd to track down memory that shouldn't be on a long-term context. This is now talloc_free()ed much earlier. Andrew Bartlett (This used to be commit c6eb74f42989d62c82d2a219251837b09df8491c)
2006-01-31 06:15:16 +03:00
*user_session_key = gensec_ntlmssp_state->server_info->user_session_key;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
if (gensec_ntlmssp_state->server_info->lm_session_key.length) {
s4:ntlmssp_server: don't use mem_ctx in auth_ntlmssp_check_password() metze
2009-12-29 18:02:00 +03:00
DEBUG(10, ("Got LM session key of length %u\n",
r8520: fixed a pile of warnings from the build farm gcc -Wall output on S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2005-07-17 13:20:52 +04:00
(unsigned)gensec_ntlmssp_state->server_info->lm_session_key.length));
r13252: Cleanup, both in code, comments and talloc use: In particular, I've used the --leak-report-full option to smbd to track down memory that shouldn't be on a long-term context. This is now talloc_free()ed much earlier. Andrew Bartlett (This used to be commit c6eb74f42989d62c82d2a219251837b09df8491c)
2006-01-31 06:15:16 +03:00
*lm_session_key = gensec_ntlmssp_state->server_info->lm_session_key;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
}
return nt_status;
}
/**
* Return the credentials of a logged on user, including session keys
* etc.
*
* Only valid after a successful authentication
*
* May only be called once per authentication.
*
*/
NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
struct auth_session_info **session_info)
{
NTSTATUS nt_status;
r25000: Fix some more C++ compatibility warnings. (This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4)
2007-09-07 19:08:14 +04:00
struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
nt_status = auth_generate_session_info(gensec_ntlmssp_state, gensec_security->event_ctx, gensec_security->settings->lp_ctx, gensec_ntlmssp_state->server_info, session_info);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
NT_STATUS_NOT_OK_RETURN(nt_status);
(*session_info)->session_key = data_blob_talloc(*session_info,
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->session_key.data,
gensec_ntlmssp_state->session_key.length);
return NT_STATUS_OK;
}
/**
* Start NTLMSSP on the server side
*
*/
NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
{
NTSTATUS nt_status;
struct gensec_ntlmssp_state *gensec_ntlmssp_state;
nt_status = gensec_ntlmssp_start(gensec_security);
NT_STATUS_NOT_OK_RETURN(nt_status);
r25000: Fix some more C++ compatibility warnings. (This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4)
2007-09-07 19:08:14 +04:00
gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->role = NTLMSSP_SERVER;
gensec_ntlmssp_state->workstation = NULL;
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
gensec_ntlmssp_state->server_name = lp_netbios_name(gensec_security->settings->lp_ctx);
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->settings->lp_ctx);
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
gensec_ntlmssp_state->allow_lm_key = (lp_lanman_auth(gensec_security->settings->lp_ctx)
&& gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "allow_lm_key", false));
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
r25552: Convert to standard bool type. (This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245)
2007-10-07 02:16:19 +04:00
gensec_ntlmssp_state->server_multiple_authentications = false;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->neg_flags =
s4-ntlmssp: use NTLMSSP headers from IDL and remove duplicate constants. Guenther
2009-08-25 14:12:59 +04:00
NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
r6465: Use talloc_zero for the gensec_ntlmssp_state structure, as the history of this code has too many pre-zeroed structure assumptions. Remove unused 'stub' functions Andrew Bartlett (This used to be commit 78dc57c65513ba4c271308d84fc2a2a533f76061)
2005-04-25 14:58:46 +04:00
gensec_ntlmssp_state->lm_resp = data_blob(NULL, 0);
gensec_ntlmssp_state->nt_resp = data_blob(NULL, 0);
gensec_ntlmssp_state->encrypted_session_key = data_blob(NULL, 0);
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) {
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
}
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) {
r16961: Merge 'seperate policy from logic' changes from Samba3. The 56-bit flag is handled just like all the others. Also negotiate the unknown 0x02000000 flag, to match windows. Andrew Bartlett (This used to be commit 1d0befdb681ed9974d1bdff46ce56353552ee0e0)
2006-07-12 04:02:50 +04:00
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
}
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) {
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
}
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) {
r19805: Add the (harmless, but apparently default) NTLMSSP_NEGOTIATE_ALWAYS_SIGN flags into the default set. Andrew Bartlett (This used to be commit 04709c75afda0234c7236fba674bf53a265f8dbb)
2006-11-20 23:58:00 +03:00
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
}
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) {
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
Remove auth/ntlm as a dependency of GENSEC by means of function pointers. When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-13 02:24:16 +03:00
gensec_ntlmssp_state->auth_context = gensec_security->auth_context;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
gensec_ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
gensec_ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
gensec_ntlmssp_state->check_password = auth_ntlmssp_check_password;
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
gensec_ntlmssp_state->server_role = lp_server_role(gensec_security->settings->lp_ctx);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return NT_STATUS_OK;
}
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
Copy Permalink