mirror of
https://github.com/samba-team/samba.git
auth/ntlmssp: make ntlmssp_server_check_password() shorter
We move as much as possible into ntlmssp_server_{pre,post}auth(). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Jun 26 13:07:30 CEST 2017 on sn-devel-144
parent
c6b37a0e1d
commit
27e43e1d0c
@ -294,6 +294,7 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
|
||||
}
|
||||
|
||||
struct ntlmssp_server_auth_state {
|
||||
struct auth_usersupplied_info *user_info;
|
||||
DATA_BLOB user_session_key;
|
||||
DATA_BLOB lm_session_key;
|
||||
/* internal variables used by KEY_EXCH (client-supplied user session key */
|
||||
@ -318,6 +319,7 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
|
||||
{
|
||||
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
|
||||
struct auth4_context *auth_context = gensec_security->auth_context;
|
||||
struct auth_usersupplied_info *user_info = NULL;
|
||||
uint32_t ntlmssp_command, auth_flags;
|
||||
NTSTATUS nt_status;
|
||||
const unsigned int version_len = 8;
|
||||
@ -686,27 +688,8 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
|
||||
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
|
||||
}
|
||||
}
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check the password on an NTLMSSP login.
|
||||
*
|
||||
* Return the session keys used on the connection.
|
||||
*/
|
||||
|
||||
static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_security,
|
||||
struct gensec_ntlmssp_context *gensec_ntlmssp,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
|
||||
{
|
||||
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
|
||||
struct auth4_context *auth_context = gensec_security->auth_context;
|
||||
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
|
||||
struct auth_session_info *session_info = NULL;
|
||||
struct auth_usersupplied_info *user_info;
|
||||
|
||||
user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
|
||||
user_info = talloc_zero(state, struct auth_usersupplied_info);
|
||||
if (!user_info) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
@ -734,6 +717,25 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
|
||||
user_info->password.response.lanman = ntlmssp_state->lm_resp;
|
||||
user_info->password.response.nt = ntlmssp_state->nt_resp;
|
||||
|
||||
state->user_info = user_info;
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check the password on an NTLMSSP login.
|
||||
*
|
||||
* Return the session keys used on the connection.
|
||||
*/
|
||||
|
||||
static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_security,
|
||||
struct gensec_ntlmssp_context *gensec_ntlmssp,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
|
||||
{
|
||||
struct auth4_context *auth_context = gensec_security->auth_context;
|
||||
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
|
||||
|
||||
if (auth_context->check_ntlm_password) {
|
||||
uint8_t authoritative = 0;
|
||||
|
||||
@ -748,10 +750,37 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(5, (__location__ ": Checking NTLMSSP password for %s\\%s failed: %s\n", user_info->client.domain_name, user_info->client.account_name, nt_errstr(nt_status)));
|
||||
}
|
||||
TALLOC_FREE(user_info);
|
||||
|
||||
NT_STATUS_NOT_OK_RETURN(nt_status);
|
||||
|
||||
talloc_steal(mem_ctx, user_session_key->data);
|
||||
talloc_steal(mem_ctx, lm_session_key->data);
|
||||
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
/**
|
||||
* Next state function for the Authenticate packet
|
||||
* (after authentication - figures out the session keys etc)
|
||||
*
|
||||
* @param ntlmssp_state NTLMSSP State
|
||||
* @return Errors or NT_STATUS_OK.
|
||||
*/
|
||||
|
||||
static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
|
||||
struct gensec_ntlmssp_context *gensec_ntlmssp,
|
||||
struct ntlmssp_server_auth_state *state,
|
||||
DATA_BLOB request)
|
||||
{
|
||||
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
|
||||
struct auth4_context *auth_context = gensec_security->auth_context;
|
||||
DATA_BLOB user_session_key = state->user_session_key;
|
||||
DATA_BLOB lm_session_key = state->lm_session_key;
|
||||
NTSTATUS nt_status = NT_STATUS_OK;
|
||||
DATA_BLOB session_key = data_blob(NULL, 0);
|
||||
struct auth_session_info *session_info = NULL;
|
||||
|
||||
TALLOC_FREE(state->user_info);
|
||||
|
||||
if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
|
||||
&& auth_context->generate_session_info != NULL)
|
||||
{
|
||||
@ -760,7 +789,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
|
||||
/*
|
||||
* We need to check if the auth is anonymous or mapped to guest
|
||||
*/
|
||||
tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
|
||||
tmp_status = auth_context->generate_session_info(auth_context, state,
|
||||
gensec_ntlmssp->server_returned_info,
|
||||
gensec_ntlmssp->ntlmssp_state->user,
|
||||
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
|
||||
@ -788,31 +817,6 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
|
||||
TALLOC_FREE(session_info);
|
||||
}
|
||||
|
||||
talloc_steal(mem_ctx, user_session_key->data);
|
||||
talloc_steal(mem_ctx, lm_session_key->data);
|
||||
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
/**
|
||||
* Next state function for the Authenticate packet
|
||||
* (after authentication - figures out the session keys etc)
|
||||
*
|
||||
* @param ntlmssp_state NTLMSSP State
|
||||
* @return Errors or NT_STATUS_OK.
|
||||
*/
|
||||
|
||||
static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
|
||||
struct gensec_ntlmssp_context *gensec_ntlmssp,
|
||||
struct ntlmssp_server_auth_state *state,
|
||||
DATA_BLOB request)
|
||||
{
|
||||
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
|
||||
DATA_BLOB user_session_key = state->user_session_key;
|
||||
DATA_BLOB lm_session_key = state->lm_session_key;
|
||||
NTSTATUS nt_status = NT_STATUS_OK;
|
||||
DATA_BLOB session_key = data_blob(NULL, 0);
|
||||
|
||||
dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length);
|
||||
dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
|
||||
|
||||
@ -1029,7 +1033,7 @@ NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security,
|
||||
|
||||
/* Finally, actually ask if the password is OK */
|
||||
nt_status = ntlmssp_server_check_password(gensec_security, gensec_ntlmssp,
|
||||
state,
|
||||
state->user_info, state,
|
||||
&state->user_session_key,
|
||||
&state->lm_session_key);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
|
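Review bot: On a failed password check `state->user_info` no longer appears to be released promptly: the only explicit `TALLOC_FREE(state->user_info);` is at the top of `ntlmssp_server_postauth()`, which presumably runs only after a successful check, while `ntlmssp_server_check_password()` now receives the structure as `const` and leaves through `NT_STATUS_NOT_OK_RETURN(nt_status)` without freeing it. The structure references the client-supplied LM and NT responses (`user_info->password.response.lanman` / `.nt`), so on the failure path it now lives as long as `state`, its talloc parent. If that is intended, say so on the new struct member, e.g. `/* owned by state; freed in ntlmssp_server_postauth() on success, together with state otherwise */`; if not, add `TALLOC_FREE(state->user_info);` to the `if (!NT_STATUS_IS_OK(nt_status))` branch in `gensec_ntlmssp_server_auth()`, whose body lies outside the last hunk. Separately, the doc comment above `ntlmssp_server_postauth()` still documents `@param ntlmssp_state`, which is not one of its parameters, and the comment on `ntlmssp_server_check_password()` does not mention the new `user_info` argument.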