The branch, master has been updated
via f14dffa s3-selftest: Verify GK and GF flag behaviour
via b947d84 s3-selftest: run ntlm_auth against winbindd in make test
via 111d9f3 auth: Remove plugable password-check functions from
gensec_ntlmssp
via 83810f8 auth: consolidate gensec_ntlmssp_server wrapper functions
via a61298e s3-libsmb: Remove unused ntlmssp_server_start()
via 9de7fb8 s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp
server-side
via 4478f31 s3-auth: Provide helper routine to check password and
return session_info
via e3cebef auth: Rename some elements of auth4_context
via 8a9b6fe s3-auth: Add a way to get an auth4_context from the auth
stack
from aed0735 waf: Make sure libraries are installed with the execute
flag set.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit f14dffa815b47af4061cf1d0c35e0237d35c07a9
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Feb 24 12:19:27 2012 +1100
s3-selftest: Verify GK and GF flag behaviour
At least this ensures that the helper has not crashed, it will require
a little more to ensure that the values are correct.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abart...@samba.org>
Autobuild-Date: Fri Feb 24 03:53:38 CET 2012 on sn-devel-104
commit b947d84c88d1fcc3bdd75f3002bb38b673cbecd3
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Feb 24 12:12:48 2012 +1100
s3-selftest: run ntlm_auth against winbindd in make test
commit 111d9f3eb20ad0c3e3b6a7a01f7c997111c660d9
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Feb 7 17:47:42 2012 +1100
auth: Remove plugable password-check functions from gensec_ntlmssp
The auth4_context layer now provides the plugability here.
Andrew Bartlett
commit 83810f8afad85818edb7a21428dbbef305147b8c
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Feb 7 17:12:19 2012 +1100
auth: consolidate gensec_ntlmssp_server wrapper functions
commit a61298e8028574d10358e2d53c956f74ab641ef4
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Feb 7 17:07:52 2012 +1100
s3-libsmb: Remove unused ntlmssp_server_start()
commit 9de7fb8706d3314951ddc1fc6c919b4872f2ea92
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Feb 7 17:02:14 2012 +1100
s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-side
This uses the common gensec_ntlmssp server code for ntlm_auth, removing
the last non-gensec use of the NTLMSSP server.
Andrew Bartlett
commit 4478f315e6cb178b53114033e1247e265f82ab8f
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Feb 3 23:32:26 2012 +1100
s3-auth: Provide helper routine to check password and return session_info
commit e3cebef0cf93ddade8e698ea292d2c03cf005a7b
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Feb 3 16:33:44 2012 +1100
auth: Rename some elements of auth4_context
These operate on NTLM authentication, so make that clear.
Andrew Bartlett
commit 8a9b6fe26dc347afd6dc17570354e0af391b351d
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Feb 3 16:14:42 2012 +1100
s3-auth: Add a way to get an auth4_context from the auth stack
This will allow us to use the same layer that auth_ntlmssp does
in the non-SPNEGO session setup, which will in turn make the
authentication code more consistent in the AD server case.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
auth/common_auth.h | 14 +-
auth/ntlmssp/gensec_ntlmssp_server.c | 180 ------------
auth/ntlmssp/ntlmssp.c | 33 ++-
auth/ntlmssp/ntlmssp.h | 54 +----
auth/ntlmssp/ntlmssp_client.c | 8 -
auth/ntlmssp/ntlmssp_server.c | 139 ++++++++--
source3/auth/auth.c | 6 +-
source3/auth/auth_generic.c | 84 +++++-
source3/auth/auth_samba4.c | 54 ++++
source3/auth/proto.h | 6 +
source3/include/auth.h | 7 +-
source3/libsmb/ntlmssp.c | 121 --------
source3/script/tests/test_ntlm_auth_s3.sh | 8 +-
source3/selftest/tests.py | 2 +-
source3/torture/test_ntlm_auth.py | 37 +++-
source3/utils/ntlm_auth.c | 426 ++++++++++++++++++++++-------
source4/auth/ntlm/auth.c | 6 +-
17 files changed, 659 insertions(+), 526 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/common_auth.h b/auth/common_auth.h
index c0fd6b6..cf21543 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -105,17 +105,17 @@ struct auth4_context {
/* Private data for the callbacks on this auth context */
void *private_data;
- NTSTATUS (*check_password)(struct auth4_context *auth_ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info
*user_info,
- void **server_returned_info,
- DATA_BLOB *nt_session_key, DATA_BLOB
*lm_session_key);
+ NTSTATUS (*check_ntlm_password)(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info
*user_info,
+ void **server_returned_info,
+ DATA_BLOB *nt_session_key, DATA_BLOB
*lm_session_key);
- NTSTATUS (*get_challenge)(struct auth4_context *auth_ctx, uint8_t
chal[8]);
+ NTSTATUS (*get_ntlm_challenge)(struct auth4_context *auth_ctx, uint8_t
chal[8]);
bool (*challenge_may_be_modified)(struct auth4_context *auth_ctx);
- NTSTATUS (*set_challenge)(struct auth4_context *auth_ctx, const uint8_t
chal[8], const char *set_by);
+ NTSTATUS (*set_ntlm_challenge)(struct auth4_context *auth_ctx, const
uint8_t chal[8], const char *set_by);
NTSTATUS (*generate_session_info)(struct auth4_context *auth_context,
TALLOC_CTX *mem_ctx,
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c
b/auth/ntlmssp/gensec_ntlmssp_server.c
index a1d43e6..f4dfab3 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -34,179 +34,6 @@
#include "auth/common_auth.h"
#include "param/param.h"
-/**
- * Next state function for the Negotiate packet (GENSEC wrapper)
- *
- * @param gensec_security GENSEC state
- * @param out_mem_ctx Memory context for *out
- * @param in The request, as a DATA_BLOB. reply.data must be NULL
- * @param out The reply, as an allocated DATA_BLOB, caller to free.
- * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
- */
-
-NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security
*gensec_security,
- TALLOC_CTX *out_mem_ctx,
- const DATA_BLOB request, DATA_BLOB
*reply)
-{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(gensec_security->private_data,
- struct gensec_ntlmssp_context);
- struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
- return ntlmssp_server_negotiate(ntlmssp_state, out_mem_ctx, request,
reply);
-}
-
-/**
- * Next state function for the Authenticate packet (GENSEC wrapper)
- *
- * @param gensec_security GENSEC state
- * @param out_mem_ctx Memory context for *out
- * @param in The request, as a DATA_BLOB. reply.data must be NULL
- * @param out The reply, as an allocated DATA_BLOB, caller to free.
- * @return Errors or NT_STATUS_OK if authentication sucessful
- */
-
-NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security,
- TALLOC_CTX *out_mem_ctx,
- const DATA_BLOB in, DATA_BLOB *out)
-{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(gensec_security->private_data,
- struct gensec_ntlmssp_context);
- struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
- return ntlmssp_server_auth(ntlmssp_state, out_mem_ctx, in, out);
-}
-
-/**
- * Return the challenge as determined by the authentication subsystem
- * @return an 8 byte random challenge
- */
-
-static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state
*ntlmssp_state,
- uint8_t chal[8])
-{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(ntlmssp_state->callback_private,
- struct gensec_ntlmssp_context);
- struct auth4_context *auth_context =
gensec_ntlmssp->gensec_security->auth_context;
- NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
-
- if (auth_context->get_challenge) {
- status = auth_context->get_challenge(auth_context, chal);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get
challenge: %s\n",
- nt_errstr(status)));
- return status;
- }
- }
-
- return status;
-}
-
-/**
- * Some authentication methods 'fix' the challenge, so we may not be able to
set it
- *
- * @return If the effective challenge used by the auth subsystem may be
modified
- */
-static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state
*ntlmssp_state)
-{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(ntlmssp_state->callback_private,
- struct gensec_ntlmssp_context);
- struct auth4_context *auth_context =
gensec_ntlmssp->gensec_security->auth_context;
-
- if (auth_context->challenge_may_be_modified) {
- return auth_context->challenge_may_be_modified(auth_context);
- }
- return false;
-}
-
-/**
- * NTLM2 authentication modifies the effective challenge,
- * @param challenge The new challenge value
- */
-static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state
*ntlmssp_state, DATA_BLOB *challenge)
-{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(ntlmssp_state->callback_private,
- struct gensec_ntlmssp_context);
- struct auth4_context *auth_context =
gensec_ntlmssp->gensec_security->auth_context;
- NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
- const uint8_t *chal;
-
- if (challenge->length != 8) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- chal = challenge->data;
-
- if (auth_context->set_challenge) {
- nt_status = auth_context->set_challenge(auth_context,
- chal,
- "NTLMSSP callback
(NTLM2)");
- }
- return nt_status;
-}
-
-/**
- * Check the password on an NTLMSSP login.
- *
- * Return the session keys used on the connection.
- */
-
-static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state
*ntlmssp_state,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *user_session_key,
DATA_BLOB *lm_session_key)
-{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(ntlmssp_state->callback_private,
- struct gensec_ntlmssp_context);
- struct auth4_context *auth_context =
gensec_ntlmssp->gensec_security->auth_context;
- NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
- struct auth_usersupplied_info *user_info;
-
- user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
- if (!user_info) {
- return NT_STATUS_NO_MEMORY;
- }
-
- user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
- user_info->flags = 0;
- user_info->mapped_state = false;
- user_info->client.account_name = ntlmssp_state->user;
- user_info->client.domain_name = ntlmssp_state->domain;
- user_info->workstation_name = ntlmssp_state->client.netbios_name;
- user_info->remote_host =
gensec_get_remote_address(gensec_ntlmssp->gensec_security);
-
- user_info->password_state = AUTH_PASSWORD_RESPONSE;
- user_info->password.response.lanman = ntlmssp_state->lm_resp;
- user_info->password.response.lanman.data = talloc_steal(user_info,
ntlmssp_state->lm_resp.data);
- user_info->password.response.nt = ntlmssp_state->nt_resp;
- user_info->password.response.nt.data = talloc_steal(user_info,
ntlmssp_state->nt_resp.data);
-
- if (auth_context->check_password) {
- nt_status = auth_context->check_password(auth_context,
- gensec_ntlmssp,
- user_info,
-
&gensec_ntlmssp->server_returned_info,
- user_session_key,
lm_session_key);
- }
- talloc_free(user_info);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5,("%s: Checking NTLMSSP password for %s\\%s failed:
%s\n",
- __location__,
- user_info->client.domain_name,
- user_info->client.account_name,
- nt_errstr(nt_status)));
- }
-
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- talloc_steal(mem_ctx, user_session_key->data);
- talloc_steal(mem_ctx, lm_session_key->data);
-
- return nt_status;
-}
/**
* Return the credentials of a logged on user, including session keys
@@ -285,8 +112,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security
*gensec_security)
}
gensec_ntlmssp->ntlmssp_state = ntlmssp_state;
- ntlmssp_state->callback_private = gensec_ntlmssp;
-
ntlmssp_state->role = NTLMSSP_SERVER;
ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
@@ -332,11 +157,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct
gensec_security *gensec_security)
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
- ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
- ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
- ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
- ntlmssp_state->check_password = auth_ntlmssp_check_password;
-
if (lpcfg_server_role(gensec_security->settings->lp_ctx) ==
ROLE_STANDALONE) {
ntlmssp_state->server.is_standalone = true;
} else {
diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
index 71e0186..ad2a312 100644
--- a/auth/ntlmssp/ntlmssp.c
+++ b/auth/ntlmssp/ntlmssp.c
@@ -62,17 +62,14 @@ static const struct ntlmssp_callbacks {
};
-static NTSTATUS gensec_ntlmssp_update_find(struct ntlmssp_state *ntlmssp_state,
+static NTSTATUS gensec_ntlmssp_update_find(struct gensec_ntlmssp_context
*gensec_ntlmssp,
const DATA_BLOB input, uint32_t *idx)
{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(ntlmssp_state->callback_private,
- struct gensec_ntlmssp_context);
struct gensec_security *gensec_security =
gensec_ntlmssp->gensec_security;
uint32_t ntlmssp_command;
uint32_t i;
- if (ntlmssp_state->expected_state == NTLMSSP_DONE) {
+ if (gensec_ntlmssp->ntlmssp_state->expected_state == NTLMSSP_DONE) {
/* We are strict here because other modules, which we
* don't fully control (such as GSSAPI) are also
* strict, but are tested less often */
@@ -82,7 +79,7 @@ static NTSTATUS gensec_ntlmssp_update_find(struct
ntlmssp_state *ntlmssp_state,
}
if (!input.length) {
- switch (ntlmssp_state->role) {
+ switch (gensec_ntlmssp->ntlmssp_state->role) {
case NTLMSSP_CLIENT:
ntlmssp_command = NTLMSSP_INITIAL;
break;
@@ -98,7 +95,7 @@ static NTSTATUS gensec_ntlmssp_update_find(struct
ntlmssp_state *ntlmssp_state,
break;
}
} else {
- if (!msrpc_parse(ntlmssp_state,
+ if (!msrpc_parse(gensec_ntlmssp->ntlmssp_state,
&input, "Cd",
"NTLMSSP",
&ntlmssp_command)) {
@@ -108,13 +105,14 @@ static NTSTATUS gensec_ntlmssp_update_find(struct
ntlmssp_state *ntlmssp_state,
}
}
- if (ntlmssp_command != ntlmssp_state->expected_state) {
- DEBUG(2, ("got NTLMSSP command %u, expected %u\n",
ntlmssp_command, ntlmssp_state->expected_state));
+ if (ntlmssp_command != gensec_ntlmssp->ntlmssp_state->expected_state) {
+ DEBUG(2, ("got NTLMSSP command %u, expected %u\n",
ntlmssp_command,
+ gensec_ntlmssp->ntlmssp_state->expected_state));
return NT_STATUS_INVALID_PARAMETER;
}
for (i=0; i < ARRAY_SIZE(ntlmssp_callbacks); i++) {
- if (ntlmssp_callbacks[i].role == ntlmssp_state->role &&
+ if (ntlmssp_callbacks[i].role ==
gensec_ntlmssp->ntlmssp_state->role &&
ntlmssp_callbacks[i].command == ntlmssp_command) {
*idx = i;
return NT_STATUS_OK;
@@ -122,7 +120,7 @@ static NTSTATUS gensec_ntlmssp_update_find(struct
ntlmssp_state *ntlmssp_state,
}
DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command
%u\n",
- ntlmssp_state->role, ntlmssp_command));
+ gensec_ntlmssp->ntlmssp_state->role, ntlmssp_command));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -158,7 +156,7 @@ NTSTATUS gensec_ntlmssp_update(struct gensec_security
*gensec_security,
out_mem_ctx = ntlmssp_state;
}
- status = gensec_ntlmssp_update_find(ntlmssp_state, input, &i);
+ status = gensec_ntlmssp_update_find(gensec_ntlmssp, input, &i);
NT_STATUS_NOT_OK_RETURN(status);
status = ntlmssp_callbacks[i].sync_fn(gensec_security, out_mem_ctx,
input, out);
@@ -209,3 +207,14 @@ _PUBLIC_ NTSTATUS gensec_ntlmssp_init(void)
return ret;
}
+
+uint32_t gensec_ntlmssp_neg_flags(struct gensec_security *gensec_security)
+{
+ struct gensec_ntlmssp_context *gensec_ntlmssp;
+ if (gensec_security->ops != &gensec_ntlmssp_security_ops) {
+ return 0;
+ }
+ gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
+ struct gensec_ntlmssp_context);
+ return gensec_ntlmssp->ntlmssp_state->neg_flags;
+}
diff --git a/auth/ntlmssp/ntlmssp.h b/auth/ntlmssp/ntlmssp.h
index 0d6a64e..6061cd0 100644
--- a/auth/ntlmssp/ntlmssp.h
+++ b/auth/ntlmssp/ntlmssp.h
@@ -92,58 +92,6 @@ struct ntlmssp_state
uint32_t neg_flags; /* the current state of negotiation with the
NTLMSSP partner */
- /**
- * Private data for the callback functions
- */
- void *callback_private;
-
- /**
- * Callback to get the 'challenge' used for NTLM authentication.
- *
- * @param ntlmssp_state This structure
- * @return 8 bytes of challenge data, determined by the server to be
the challenge for NTLM authentication
- *
- */
- NTSTATUS (*get_challenge)(const struct ntlmssp_state *ntlmssp_state,
- uint8_t challenge[8]);
-
- /**
- * Callback to find if the challenge used by NTLM authentication may be
modified
- *
- * The NTLM2 authentication scheme modifies the effective challenge,
but this is not compatiable with the
- * current 'security=server' implementation..
- *
- * @param ntlmssp_state This structure
- * @return Can the challenge be set to arbitary values?
- *
- */
- bool (*may_set_challenge)(const struct ntlmssp_state *ntlmssp_state);
-
- /**
- * Callback to set the 'challenge' used for NTLM authentication.
- *
- * The callback may use the void *auth_context to store state
information, but the same value is always available
- * from the DATA_BLOB chal on this structure.
- *
- * @param ntlmssp_state This structure
- * @param challenge 8 bytes of data, agreed by the client and server to
be the effective challenge for NTLM2 authentication
- *
- */
- NTSTATUS (*set_challenge)(struct ntlmssp_state *ntlmssp_state,
DATA_BLOB *challenge);
-
- /**
- * Callback to check the user's password.
- *
- * The callback must reads the feilds of this structure for the
information it needs on the user
- * @param ntlmssp_state This structure
- * @param mem_ctx Talloc context for LM and NT session key to be
returned on
- * @param nt_session_key If an NT session key is returned by the
authentication process, return it here
- * @param lm_session_key If an LM session key is returned by the
authentication process, return it here
- *
- */
- NTSTATUS (*check_password)(struct ntlmssp_state *ntlmssp_state,
TALLOC_CTX *mem_ctx,
- DATA_BLOB *nt_session_key, DATA_BLOB
*lm_session_key);
-
union ntlmssp_crypt_state *crypt;
};
@@ -182,3 +130,5 @@ bool ntlmssp_blob_matches_magic(const DATA_BLOB *blob);
/* The following definitions come from auth/ntlmssp/gensec_ntlmssp.c */
NTSTATUS gensec_ntlmssp_init(void);
+
+uint32_t gensec_ntlmssp_neg_flags(struct gensec_security *gensec_security);
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 1a2e857..f51a1ed 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -317,12 +317,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security
*gensec_security,
talloc_steal(out_mem_ctx, out->data);
- ntlmssp_state->chal = challenge_blob;
- ntlmssp_state->lm_resp = lm_response;
- talloc_steal(ntlmssp_state->lm_resp.data, lm_response.data);
- ntlmssp_state->nt_resp = nt_response;
- talloc_steal(ntlmssp_state->nt_resp.data, nt_response.data);
-
ntlmssp_state->expected_state = NTLMSSP_DONE;
if (gensec_security->want_features &
(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) {
@@ -358,8 +352,6 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security
*gensec_security)
return NT_STATUS_NO_MEMORY;
}
- ntlmssp_state->callback_private = gensec_ntlmssp;
-
gensec_ntlmssp->ntlmssp_state = ntlmssp_state;
ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 1a498e8..03e3703 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -27,6 +27,8 @@
#include "auth/ntlmssp/ntlmssp_ndr.h"
#include "../libcli/auth/libcli_auth.h"
#include "../lib/crypto/crypto.h"
+#include "auth/gensec/gensec.h"
+#include "auth/common_auth.h"
/**
* Determine correct target name flags for reply, given server role
@@ -57,19 +59,24 @@ const char *ntlmssp_target_name(struct ntlmssp_state
*ntlmssp_state,
}
/**
- * Next state function for the Negotiate packet
+ * Next state function for the NTLMSSP Negotiate packet
*
- * @param ntlmssp_state NTLMSSP state
+ * @param gensec_security GENSEC state
* @param out_mem_ctx Memory context for *out
* @param in The request, as a DATA_BLOB. reply.data must be NULL
* @param out The reply, as an allocated DATA_BLOB, caller to free.
* @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
*/
-NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
- TALLOC_CTX *out_mem_ctx,
- const DATA_BLOB request, DATA_BLOB *reply)
+NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security
*gensec_security,
+ TALLOC_CTX *out_mem_ctx,
+ const DATA_BLOB request, DATA_BLOB
*reply)
{
+ struct gensec_ntlmssp_context *gensec_ntlmssp =
+ talloc_get_type_abort(gensec_security->private_data,
+ struct gensec_ntlmssp_context);
+ struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
+ struct auth4_context *auth_context = gensec_security->auth_context;
DATA_BLOB struct_blob;
uint32_t neg_flags = 0;
uint32_t ntlmssp_command, chal_flags;
@@ -112,16 +119,23 @@ NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state
*ntlmssp_state,
ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags,
ntlmssp_state->allow_lm_key);
/* Ask our caller what challenge they would like in the packet */
- status = ntlmssp_state->get_challenge(ntlmssp_state, cryptkey);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a
challenge: %s\n",
- nt_errstr(status)));
- return status;
+ if (auth_context->get_ntlm_challenge) {
+ status = auth_context->get_ntlm_challenge(auth_context,
cryptkey);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("gensec_ntlmssp_server_negotiate: failed to
get challenge: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+ } else {
+ DEBUG(1, ("gensec_ntlmssp_server_negotiate: backend doesn't
give a challenge\n"));
+ return NT_STATUS_NOT_IMPLEMENTED;
}
/* Check if we may set the challenge */
- if (!ntlmssp_state->may_set_challenge(ntlmssp_state)) {
- ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+ if (auth_context->challenge_may_be_modified) {
+ if (!auth_context->challenge_may_be_modified(auth_context)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+ }
}
/* The flags we send back are not just the negotiated flags,
@@ -249,10 +263,13 @@ struct ntlmssp_server_auth_state {
* @return Errors or NT_STATUS_OK.
*/
--
Samba Shared Repository
