auth/common: add support for auth4_ctx->check_ntlm_password_send/recv()

Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
author: Stefan Metzmacher <metze@samba.org> 2017-06-16 17:18:17 +0200
committer: Andreas Schneider <asn@cryptomilk.org> 2017-08-07 15:20:03 +0200
commit: e8264d9678dff1cf56f7ac97d8a1a59b9532b6b8 (patch)
tree: 8c61041d4550982fc4f9d7efa4d4dcfc7b0d7831 /auth
parent: 7d43aecb5002902486a6c57ff14a1dcbd64b0f40 (diff)
download: samba-e8264d9678dff1cf56f7ac97d8a1a59b9532b6b8.tar.gz
2 files changed, 75 insertions, 0 deletions
diff --git a/auth/common_auth.h b/auth/common_auth.h
index 507971794f3..3de227ee354 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -131,6 +131,16 @@ struct auth4_context {
 					uint8_t *pauthoritative,
 					void **server_returned_info,
 					DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
+	struct tevent_req *(*check_ntlm_password_send)(TALLOC_CTX *mem_ctx,
+					struct tevent_context *ev,
+					struct auth4_context *auth_ctx,
+					const struct auth_usersupplied_info *user_info);
+	NTSTATUS (*check_ntlm_password_recv)(struct tevent_req *req,
+					TALLOC_CTX *mem_ctx,
+					uint8_t *pauthoritative,
+					void **server_returned_info,
+					DATA_BLOB *nt_session_key,
+					DATA_BLOB *lm_session_key);
 
 	NTSTATUS (*get_ntlm_challenge)(struct auth4_context *auth_ctx, uint8_t chal[8]);
 
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 4990f77f66f..417352bf259 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -296,6 +296,9 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
 }
 
 struct ntlmssp_server_auth_state {
+	struct gensec_security *gensec_security;
+	struct gensec_ntlmssp_context *gensec_ntlmssp;
+	DATA_BLOB in;
 	struct auth_usersupplied_info *user_info;
 	DATA_BLOB user_session_key;
 	DATA_BLOB lm_session_key;
@@ -310,6 +313,7 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
 				       struct gensec_ntlmssp_context *gensec_ntlmssp,
 				       struct ntlmssp_server_auth_state *state,
 				       const DATA_BLOB request);
+static void ntlmssp_server_auth_done(struct tevent_req *subreq);
 static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
 					struct gensec_ntlmssp_context *gensec_ntlmssp,
 					struct ntlmssp_server_auth_state *state,
@@ -334,6 +338,9 @@ struct tevent_req *ntlmssp_server_auth_send(TALLOC_CTX *mem_ctx,
 	if (req == NULL) {
 		return NULL;
 	}
+	state->gensec_security = gensec_security;
+	state->gensec_ntlmssp = gensec_ntlmssp;
+	state->in = in;
 
 	status = ntlmssp_server_preauth(gensec_security,
 					gensec_ntlmssp,
@@ -342,6 +349,21 @@ struct tevent_req *ntlmssp_server_auth_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
+	if (auth_context->check_ntlm_password_send != NULL) {
+		struct tevent_req *subreq = NULL;
+
+		subreq = auth_context->check_ntlm_password_send(state, ev,
+						auth_context,
+						state->user_info);
+		if (tevent_req_nomem(subreq, req)) {
+			return tevent_req_post(req, ev);
+		}
+		tevent_req_set_callback(subreq,
+					ntlmssp_server_auth_done,
+					req);
+		return req;
+	}
+
 	if (auth_context->check_ntlm_password == NULL) {
 		tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
 		return tevent_req_post(req, ev);
@@ -794,6 +816,49 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
 	return NT_STATUS_OK;
 }
 
+static void ntlmssp_server_auth_done(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct ntlmssp_server_auth_state *state =
+		tevent_req_data(req,
+		struct ntlmssp_server_auth_state);
+	struct gensec_security *gensec_security = state->gensec_security;
+	struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp;
+	struct auth4_context *auth_context = gensec_security->auth_context;
+	uint8_t authoritative = 0;
+	NTSTATUS status;
+
+	status = auth_context->check_ntlm_password_recv(subreq,
+						gensec_ntlmssp,
+						&authoritative,
+						&gensec_ntlmssp->server_returned_info,
+						&state->user_session_key,
+						&state->lm_session_key);
+	TALLOC_FREE(subreq);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_INFO("Checking NTLMSSP password for %s\\%s failed: %s\n",
+			 state->user_info->client.domain_name,
+			 state->user_info->client.account_name,
+			 nt_errstr(status));
+	}
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+	talloc_steal(state, state->user_session_key.data);
+	talloc_steal(state, state->lm_session_key.data);
+
+	status = ntlmssp_server_postauth(state->gensec_security,
+					 state->gensec_ntlmssp,
+					 state, state->in);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+
+	tevent_req_done(req);
+}
+
 /**
  * Next state function for the Authenticate packet
  * (after authentication - figures out the session keys etc)
author	Stefan Metzmacher <metze@samba.org>	2017-06-16 17:18:17 +0200
committer	Andreas Schneider <asn@cryptomilk.org>	2017-08-07 15:20:03 +0200
commit	e8264d9678dff1cf56f7ac97d8a1a59b9532b6b8 (patch)
tree	8c61041d4550982fc4f9d7efa4d4dcfc7b0d7831 /auth
parent	7d43aecb5002902486a6c57ff14a1dcbd64b0f40 (diff)
download	samba-e8264d9678dff1cf56f7ac97d8a1a59b9532b6b8.tar.gz