sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Code
fca8887900
samba-mirror/auth/ntlmssp/ntlmssp_private.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

195 lines
6.8 KiB
C
Raw Normal View History

s3:ntlmssp Move ntlmssp_sign.c from source3 to common code. This needs a small re-arrangement of the supporting code. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-25 14:58:52 +04:00
/*
* Unix SMB/CIFS implementation.
* Version 3.0
* NTLMSSP Signing routines
* Copyright (C) Andrew Bartlett 2003-2005
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
/* For structures internal to the NTLMSSP implementation that should not be exposed */
auth:ntlmssp: Use GnuTLS RC4 for ntlmssp signing BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-12-06 20:11:14 +03:00
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
s4:ntlmssp Use common code for ntlmssp_sign.c The common code does not have a mem_ctx on ntlmssp_check_packet() and ntlmssp_unseal_packet(). We do however need some internal working of the code exposed, so some structures are moved to ntlmssp_sign.h Andrew Bartlett
2010-05-25 15:18:15 +04:00
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
struct auth_session_info;
s4:ntlmssp Use common code for ntlmssp_sign.c The common code does not have a mem_ctx on ntlmssp_check_packet() and ntlmssp_unseal_packet(). We do however need some internal working of the code exposed, so some structures are moved to ntlmssp_sign.h Andrew Bartlett
2010-05-25 15:18:15 +04:00
struct ntlmssp_crypt_direction {
uint32_t seq_num;
uint8_t sign_key[16];
auth:ntlmssp: Use GnuTLS RC4 for ntlmssp signing BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-12-06 20:11:14 +03:00
gnutls_cipher_hd_t seal_state;
s4:ntlmssp Use common code for ntlmssp_sign.c The common code does not have a mem_ctx on ntlmssp_check_packet() and ntlmssp_unseal_packet(). We do however need some internal working of the code exposed, so some structures are moved to ntlmssp_sign.h Andrew Bartlett
2010-05-25 15:18:15 +04:00
};
union ntlmssp_crypt_state {
/* NTLM */
struct ntlmssp_crypt_direction ntlm;
/* NTLM2 */
struct {
struct ntlmssp_crypt_direction sending;
struct ntlmssp_crypt_direction receiving;
} ntlm2;
};
auth: Make more of the ntlmssp code private or static Now that there is only one gensec_ntlmssp server, some of these functions can be static For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 14:20:34 +04:00
struct gensec_ntlmssp_context {
/* For GENSEC users */
void *server_returned_info;
/* used by both client and server implementation */
struct ntlmssp_state *ntlmssp_state;
};
s3-auth Use the common gensec_ntlmssp_update in gensec_ntlmssp3_server Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 07:43:25 +04:00
/* The following definitions come from auth/ntlmssp_util.c */
s3:ntlmssp Move ntlmssp_sign.c from source3 to common code. This needs a small re-arrangement of the supporting code. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-25 14:58:52 +04:00
void debug_ntlmssp_flags(uint32_t neg_flags);
CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS In future we can do a more fine granted negotiation and assert specific security features. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2015-12-01 10:46:45 +03:00
NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
uint32_t neg_flags, const char *name);
auth/ntlmssp: add ntlmssp_version_blob() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2015-11-24 16:05:17 +03:00
const DATA_BLOB ntlmssp_version_blob(void);
auth/ntlmssp: implement channel binding support BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-11 18:07:05 +03:00
NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
uint8_t cb_hash[16]);
libcli/auth Move some source3/ NTLMSSP functions to the common code. libcli/auth Use true and false rather than True and False in common code Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-06 12:16:32 +04:00
ntlmssp: Move ntlmssp code to auth/ntlmssp This brings in the code from both libcli/auth and source4/auth/ntlmssp. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-07-25 10:04:38 +04:00
/* The following definitions come from auth/ntlmssp_server.c */
libcli/auth Move some source3/ NTLMSSP functions to the common code. libcli/auth Use true and false rather than True and False in common code Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-06 12:16:32 +04:00
const char *ntlmssp_target_name(struct ntlmssp_state *ntlmssp_state,
uint32_t neg_flags, uint32_t *chal_flags);
libcli/auth Make the source3/ implementation of the NTLMSSP server common This means that the core logic (but not the initialisation) of the NTLMSSP server is in common, but uses different authentication backends. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-06 15:31:21 +04:00
NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out);
NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB request, DATA_BLOB *reply);
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
/* The following definitions come from auth/ntlmssp/ntlmssp_client.c */
/**
* Next state function for the Initial packet
*
* @param ntlmssp_state NTLMSSP State
* @param out_mem_ctx The DATA_BLOB *out will be allocated on this context
* @param in A NULL data blob (input ignored)
* @param out The initial negotiate request to the server, as an talloc()ed DATA_BLOB, on out_mem_ctx
* @return Errors or NT_STATUS_OK.
*/
NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB in, DATA_BLOB *out) ;
auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend These can be used to implement the winbindd side of the WINBINDD_CCACHE_NTLMAUTH call. It can properly get the initial NEGOTIATE messages injected if available. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2015-11-25 23:41:23 +03:00
NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB in, DATA_BLOB *out);
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
/**
* Next state function for the Challenge Packet. Generate an auth packet.
*
* @param gensec_security GENSEC state
* @param out_mem_ctx Memory context for *out
* @param in The server challnege, as a DATA_BLOB. reply.data must be NULL
* @param out The next request (auth packet) to the server, as an allocated DATA_BLOB, on the out_mem_ctx context
* @return Errors or NT_STATUS_OK.
*/
NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out) ;
NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security);
auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend These can be used to implement the winbindd side of the WINBINDD_CCACHE_NTLMAUTH call. It can properly get the initial NEGOTIATE messages injected if available. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2015-11-25 23:41:23 +03:00
NTSTATUS gensec_ntlmssp_resume_ccache_start(struct gensec_security *gensec_security);
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
auth: Make more of the ntlmssp code private or static Now that there is only one gensec_ntlmssp server, some of these functions can be static For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 14:20:34 +04:00
/* The following definitions come from auth/ntlmssp/gensec_ntlmssp_server.c */
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
/**
* Next state function for the Negotiate packet (GENSEC wrapper)
*
* @param gensec_security GENSEC state
* @param out_mem_ctx Memory context for *out
* @param in The request, as a DATA_BLOB. reply.data must be NULL
* @param out The reply, as an allocated DATA_BLOB, caller to free.
* @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
*/
NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB request, DATA_BLOB *reply);
auth/ntlmssp: introduce ntlmssp_server_auth_send/recv We still use the sync ntlmssp_server_check_password(). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-16 17:16:15 +03:00
struct tevent_req *ntlmssp_server_auth_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct gensec_security *gensec_security,
const DATA_BLOB in);
NTSTATUS ntlmssp_server_auth_recv(struct tevent_req *req,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out);
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
auth: Make more of the ntlmssp code private or static Now that there is only one gensec_ntlmssp server, some of these functions can be static For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 14:20:34 +04:00
/**
* Start NTLMSSP on the server side
*
*/
NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security);
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
/**
* Return the credentials of a logged on user, including session keys
* etc.
*
* Only valid after a successful authentication
*
* May only be called once per authentication.
*
*/
NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info) ;
auth: Make more of the ntlmssp code private or static Now that there is only one gensec_ntlmssp server, some of these functions can be static For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 14:20:34 +04:00
/* The following definitions come from auth/ntlmssp/gensec_ntlmssp.c */
NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security,
TALLOC_CTX *sig_mem_ctx,
const uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
DATA_BLOB *sig);
NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
const uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
const DATA_BLOB *sig);
NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security,
TALLOC_CTX *sig_mem_ctx,
uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
DATA_BLOB *sig);
NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security,
uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
const DATA_BLOB *sig);
size_t gensec_ntlmssp_sig_size(struct gensec_security *gensec_security, size_t data_size) ;
NTSTATUS gensec_ntlmssp_wrap(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB *in,
DATA_BLOB *out);
NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB *in,
DATA_BLOB *out);
s3-auth: Use common gensec_ntlmssp server functions for more of gensec_ntlmssp3_server This is possible because we now supply the auth4_context abstraction that this code is looking for. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 07:39:34 +04:00
/**
auth: Make more of the ntlmssp code private or static Now that there is only one gensec_ntlmssp server, some of these functions can be static For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 14:20:34 +04:00
* Return the NTLMSSP master session key
s3-auth: Use common gensec_ntlmssp server functions for more of gensec_ntlmssp3_server This is possible because we now supply the auth4_context abstraction that this code is looking for. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 07:39:34 +04:00
*
auth: Make more of the ntlmssp code private or static Now that there is only one gensec_ntlmssp server, some of these functions can be static For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 14:20:34 +04:00
* @param ntlmssp_state NTLMSSP State
s3-auth: Use common gensec_ntlmssp server functions for more of gensec_ntlmssp3_server This is possible because we now supply the auth4_context abstraction that this code is looking for. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 07:39:34 +04:00
*/
auth: Make more of the ntlmssp code private or static Now that there is only one gensec_ntlmssp server, some of these functions can be static For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 14:20:34 +04:00
NTSTATUS gensec_ntlmssp_magic(struct gensec_security *gensec_security,
const DATA_BLOB *first_packet);
bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
uint32_t feature);
NTSTATUS gensec_ntlmssp_session_key(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key);
NTSTATUS gensec_ntlmssp_start(struct gensec_security *gensec_security);
s3-auth: Use common gensec_ntlmssp server functions for more of gensec_ntlmssp3_server This is possible because we now supply the auth4_context abstraction that this code is looking for. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 07:39:34 +04:00
Copy Permalink