[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Sat Aug 7 04:05:06 MDT 2010
The branch, master has been updated
via 4b47245... s4:ntlmssp Merge more aspects of the source3/ NTLMSSP layer
via 6644f48... s4:ntlmssp Re-add gensec_ntlmssp wrapper to allow merge with source3/
via 1979486... s4:ntlmssp Always setup the session keys and signing state
from b03bc88... s3: Remove a pointless "else"
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 4b47245a9d7292255a5dca8286283b5519de12e6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Aug 7 18:56:35 2010 +1000
s4:ntlmssp Merge more aspects of the source3/ NTLMSSP layer
This changes the talloc treatment of the session keys to avoid
memory duplication - the session key has always been allocated
onto the ntlmssp_context by the auth subsystem callback.
The remainder of the changes are cosmetics, such as avoiding
using lm_session_key as a pointer (and avoiding then doing an
if statement on something that is always true).
Andrew Bartlett
commit 6644f48d724085f839da86ef75bd814a46359ea5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 6 17:53:44 2010 +1000
s4:ntlmssp Re-add gensec_ntlmssp wrapper to allow merge with source3/
By re-adding this wrapper, the actual guts of these functions are now very
similar to that found in source3/libsmb/ntlmssp.c
This should make it easier to merge the implementations.
Andrew Bartlett
commit 1979486c8ea9125cb8b16782acc0dcea9c6f552e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 6 17:51:34 2010 +1000
s4:ntlmssp Always setup the session keys and signing state
While it would save some CPU to only setup the session key when
requested (like windows does), this instead matches the
implementation in source3/libsmb/ntlmssp.c
We could re-add this later after the codebase is merged.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source4/auth/ntlmssp/ntlmssp.c | 4 +-
source4/auth/ntlmssp/ntlmssp_server.c | 121 ++++++++++++++++++++-------------
2 files changed, 76 insertions(+), 49 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index e55527a..74fa62f 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -47,7 +47,7 @@ static const struct ntlmssp_callbacks {
},{
.role = NTLMSSP_SERVER,
.command = NTLMSSP_NEGOTIATE,
- .sync_fn = ntlmssp_server_negotiate,
+ .sync_fn = gensec_ntlmssp_server_negotiate,
},{
.role = NTLMSSP_CLIENT,
.command = NTLMSSP_CHALLENGE,
@@ -55,7 +55,7 @@ static const struct ntlmssp_callbacks {
},{
.role = NTLMSSP_SERVER,
.command = NTLMSSP_AUTH,
- .sync_fn = ntlmssp_server_auth,
+ .sync_fn = gensec_ntlmssp_server_auth,
}
};
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 9cfc18c..c4c7544 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -67,21 +67,17 @@ static const char *ntlmssp_target_name(struct ntlmssp_state *ntlmssp_state,
/**
* Next state function for the Negotiate packet
*
- * @param gensec_security GENSEC state
+ * @param ntlmssp_state NTLMSSP state
* @param out_mem_ctx Memory context for *out
* @param in The request, as a DATA_BLOB. reply.data must be NULL
* @param out The reply, as an allocated DATA_BLOB, caller to free.
* @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
*/
-NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
+NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
TALLOC_CTX *out_mem_ctx,
- const DATA_BLOB request, DATA_BLOB *reply)
+ const DATA_BLOB request, DATA_BLOB *reply)
{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(gensec_security->private_data,
- struct gensec_ntlmssp_context);
- struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
DATA_BLOB struct_blob;
uint32_t neg_flags = 0;
uint32_t ntlmssp_command, chal_flags;
@@ -400,38 +396,27 @@ static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state,
* @return Errors or NT_STATUS_OK.
*/
-static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
+static NTSTATUS ntlmssp_server_postauth(struct ntlmssp_state *ntlmssp_state,
struct ntlmssp_server_auth_state *state)
{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(gensec_security->private_data,
- struct gensec_ntlmssp_context);
- struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
- DATA_BLOB *user_session_key = &state->user_session_key;
- DATA_BLOB *lm_session_key = &state->lm_session_key;
+ DATA_BLOB user_session_key = state->user_session_key;
+ DATA_BLOB lm_session_key = state->lm_session_key;
NTSTATUS nt_status;
DATA_BLOB session_key = data_blob(NULL, 0);
- if (!(gensec_security->want_features
- & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SESSION_KEY))) {
- return NT_STATUS_OK;
- }
-
- if (user_session_key)
- dump_data_pw("USER session key:\n", user_session_key->data, user_session_key->length);
-
- if (lm_session_key)
- dump_data_pw("LM first-8:\n", lm_session_key->data, lm_session_key->length);
+ dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length);
+ dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
/* Handle the different session key derivation for NTLM2 */
if (state->doing_ntlm2) {
- if (user_session_key && user_session_key->data && user_session_key->length == 16) {
- session_key = data_blob_talloc(ntlmssp_state, NULL, 16);
- hmac_md5(user_session_key->data, state->session_nonce,
+ if (user_session_key.data && user_session_key.length == 16) {
+ session_key = data_blob_talloc(ntlmssp_state,
+ NULL, 16);
+ hmac_md5(user_session_key.data, state->session_nonce,
sizeof(state->session_nonce), session_key.data);
DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
-
+
} else {
DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n"));
session_key = data_blob_null;
@@ -440,10 +425,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
/* Ensure we can never get here on NTLMv2 */
&& (ntlmssp_state->nt_resp.length == 0 || ntlmssp_state->nt_resp.length == 24)) {
- if (lm_session_key && lm_session_key->data && lm_session_key->length >= 8) {
+ if (lm_session_key.data && lm_session_key.length >= 8) {
if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) {
- session_key = data_blob_talloc(ntlmssp_state, NULL, 16);
- SMBsesskeygen_lm_sess_key(lm_session_key->data, ntlmssp_state->lm_resp.data,
+ session_key = data_blob_talloc(ntlmssp_state,
+ NULL, 16);
+ if (session_key.data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ SMBsesskeygen_lm_sess_key(lm_session_key.data, ntlmssp_state->lm_resp.data,
session_key.data);
DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
} else {
@@ -456,7 +445,6 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
SMBsesskeygen_lm_sess_key(zeros, zeros,
session_key.data);
DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
- dump_data_pw("LM session key:\n", session_key.data, session_key.length);
}
dump_data_pw("LM session key:\n", session_key.data,
session_key.length);
@@ -468,17 +456,17 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
session_key = data_blob_null;
}
- } else if (user_session_key && user_session_key->data) {
- session_key = data_blob_talloc(ntlmssp_state, user_session_key->data, user_session_key->length);
+ } else if (user_session_key.data) {
+ session_key = user_session_key;
DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
/* LM Key not selected */
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
- } else if (lm_session_key && lm_session_key->data) {
+ } else if (lm_session_key.data) {
/* Very weird to have LM key, but no user session key, but anyway.. */
- session_key = data_blob_talloc(ntlmssp_state, lm_session_key->data, lm_session_key->length);
+ session_key = lm_session_key;
DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n"));
dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
@@ -487,7 +475,7 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
} else {
DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n"));
- session_key = data_blob(NULL, 0);
+ session_key = data_blob_null;
/* LM Key not selected */
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
@@ -525,11 +513,8 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
ntlmssp_state->session_key = session_key;
}
- if ((gensec_security->want_features & GENSEC_FEATURE_SIGN)
- || (gensec_security->want_features & GENSEC_FEATURE_SEAL)) {
+ if (ntlmssp_state->session_key.length) {
nt_status = ntlmssp_sign_init(ntlmssp_state);
- } else {
- nt_status = NT_STATUS_OK;
}
ntlmssp_state->expected_state = NTLMSSP_DONE;
@@ -548,14 +533,10 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
* @return Errors or NT_STATUS_OK if authentication sucessful
*/
-NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security,
+NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
{
- struct gensec_ntlmssp_context *gensec_ntlmssp =
- talloc_get_type_abort(gensec_security->private_data,
- struct gensec_ntlmssp_context);
- struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
struct ntlmssp_server_auth_state *state;
NTSTATUS nt_status;
@@ -589,7 +570,11 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security,
return nt_status;
}
- nt_status = ntlmssp_server_postauth(gensec_security, state);
+ /* When we get more async in the auth code behind
+ ntlmssp_state->check_password, the ntlmssp_server_postpath
+ can be done in a callback */
+
+ nt_status = ntlmssp_server_postauth(ntlmssp_state, state);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(state);
return nt_status;
@@ -600,6 +585,48 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security,
}
/**
+ * Next state function for the Negotiate packet (GENSEC wrapper)
+ *
+ * @param gensec_security GENSEC state
+ * @param out_mem_ctx Memory context for *out
+ * @param in The request, as a DATA_BLOB. reply.data must be NULL
+ * @param out The reply, as an allocated DATA_BLOB, caller to free.
+ * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
+ */
+
+NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security,
+ TALLOC_CTX *out_mem_ctx,
+ const DATA_BLOB request, DATA_BLOB *reply)
+{
+ struct gensec_ntlmssp_context *gensec_ntlmssp =
+ talloc_get_type_abort(gensec_security->private_data,
+ struct gensec_ntlmssp_context);
+ struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
+ return ntlmssp_server_negotiate(ntlmssp_state, out_mem_ctx, request, reply);
+}
+
+/**
+ * Next state function for the Authenticate packet (GENSEC wrapper)
+ *
+ * @param gensec_security GENSEC state
+ * @param out_mem_ctx Memory context for *out
+ * @param in The request, as a DATA_BLOB. reply.data must be NULL
+ * @param out The reply, as an allocated DATA_BLOB, caller to free.
+ * @return Errors or NT_STATUS_OK if authentication sucessful
+ */
+
+NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security,
+ TALLOC_CTX *out_mem_ctx,
+ const DATA_BLOB in, DATA_BLOB *out)
+{
+ struct gensec_ntlmssp_context *gensec_ntlmssp =
+ talloc_get_type_abort(gensec_security->private_data,
+ struct gensec_ntlmssp_context);
+ struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
+ return ntlmssp_server_auth(ntlmssp_state, out_mem_ctx, in, out);
+};
+
+/**
* Return the challenge as determined by the authentication subsystem
* @return an 8 byte random challenge
*/
--
Samba Shared Repository
More information about the samba-cvs
mailing list