auth: Remove .get_challenge (only used for security=server)

With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionlity, we would
downgrade to just NTLM.

Now that security=server has been removed, we have no such module.

This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.

Andrew Bartlett

auth/common_auth.h

@@ -82,8 +82,6 @@ struct auth4_context {
 		/* Who set this up in the first place? */
 		const char *set_by;
 
-		bool may_be_modified;
-
 		DATA_BLOB data;
 	} challenge;
 
@@ -113,8 +111,6 @@ struct auth4_context {
 
 	NTSTATUS (*get_ntlm_challenge)(struct auth4_context *auth_ctx, uint8_t chal[8]);
 
-	bool (*challenge_may_be_modified)(struct auth4_context *auth_ctx);
-
 	NTSTATUS (*set_ntlm_challenge)(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by);
 
 	NTSTATUS (*generate_session_info)(struct auth4_context *auth_context,

auth/ntlmssp/ntlmssp_server.c

@@ -131,13 +131,6 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 
-	/* Check if we may set the challenge */
-	if (auth_context->challenge_may_be_modified) {
-		if (!auth_context->challenge_may_be_modified(auth_context)) {
-			ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
-		}
-	}
-
 	/* The flags we send back are not just the negotiated flags,
 	 * they are also 'what is in this packet'.  Therfore, we
 	 * operate on 'chal_flags' from here on

source3/auth/auth.c

@@ -81,9 +81,8 @@ static struct auth_init_function_entry *auth_find_backend_entry(const char *name
 NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
 				 uint8_t chal[8])
 {
-	DATA_BLOB challenge = data_blob_null;
-	const char *challenge_set_by = NULL;
-	auth_methods *auth_method;
+	uchar tmp[8];
+
 
 	if (auth_context->challenge.length) {
 		DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge by module %s (normal)\n", 
@@ -92,52 +91,11 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
 		return NT_STATUS_OK;
 	}
 
-	auth_context->challenge_may_be_modified = False;
-
-	for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) {
-		if (auth_method->get_chal == NULL) {
-			DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name));
-			continue;
-		}
-
-		DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name));
-		if (challenge_set_by != NULL) {
-			DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authentication method %s has already specified a challenge.  Challenge by %s ignored.\n", 
-				  challenge_set_by, auth_method->name));
-			continue;
-		}
-
-		challenge = auth_method->get_chal(auth_context, &auth_method->private_data,
-						  auth_context);
-		if (!challenge.length) {
-			DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n", 
-				  auth_method->name));
-		} else {
-			DEBUG(5, ("auth_get_challenge: successfully got challenge from module %s\n", auth_method->name));
-			auth_context->challenge = challenge;
-			challenge_set_by = auth_method->name;
-			auth_context->challenge_set_method = auth_method;
-		}
-	}
-
-	if (!challenge_set_by) {
-		uchar tmp[8];
-
-		generate_random_buffer(tmp, sizeof(tmp));
-		auth_context->challenge = data_blob_talloc(auth_context,
-							   tmp, sizeof(tmp));
-
-		challenge_set_by = "random";
-		auth_context->challenge_may_be_modified = True;
-	} 
-
-	DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by));
-	DEBUG(5, ("challenge is: \n"));
-	dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
-
-	SMB_ASSERT(auth_context->challenge.length == 8);
+	generate_random_buffer(tmp, sizeof(tmp));
+	auth_context->challenge = data_blob_talloc(auth_context,
+						   tmp, sizeof(tmp));
 
-	auth_context->challenge_set_by=challenge_set_by;
+	auth_context->challenge_set_by = "random";
 
 	memcpy(chal, auth_context->challenge.data, 8);
 	return NT_STATUS_OK;

source3/auth/auth_builtin.c

@@ -128,67 +128,12 @@ static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, co
 	return NT_STATUS_OK;
 }
 
-/** 
- * Return a 'fixed' challenge instead of a variable one.
- *
- * The idea of this function is to make packet snifs consistant
- * with a fixed challenge, so as to aid debugging.
- *
- * This module is of no value to end-users.
- *
- * This module does not actually authenticate the user, but
- * just pretenteds to need a specified challenge.  
- * This module removes *all* security from the challenge-response system
- *
- * @return NT_STATUS_UNSUCCESSFUL
- **/
-
-static NTSTATUS check_fixed_challenge_security(const struct auth_context *auth_context,
-					       void *my_private_data, 
-					       TALLOC_CTX *mem_ctx,
-					       const struct auth_usersupplied_info *user_info,
-					       struct auth_serversupplied_info **server_info)
-{
-	return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-/****************************************************************************
- Get the challenge out of a password server.
-****************************************************************************/
-
-static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_context,
-					  void **my_private_data, 
-					  TALLOC_CTX *mem_ctx)
-{
-	const char *challenge = "I am a teapot";   
-	return data_blob(challenge, 8);
-}
-
-
-/** Module initialisation function */
-
-static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) 
-{
-	struct auth_methods *result;
-
-	result = talloc_zero(auth_context, struct auth_methods);
-	if (result == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-	result->auth = check_fixed_challenge_security;
-	result->get_chal = auth_get_fixed_challenge;
-	result->name = "fixed_challenge";
-
-	*auth_method = result;
-	return NT_STATUS_OK;
-}
 #endif /* DEVELOPER */
 
 NTSTATUS auth_builtin_init(void)
 {
 	smb_register_auth(AUTH_INTERFACE_VERSION, "guest", auth_init_guest);
 #ifdef DEVELOPER
-	smb_register_auth(AUTH_INTERFACE_VERSION, "fixed_challenge", auth_init_fixed_challenge);
 	smb_register_auth(AUTH_INTERFACE_VERSION, "name_to_ntstatus", auth_init_name_to_ntstatus);
 #endif
 	return NT_STATUS_OK;

source3/auth/auth_generic.c

@@ -165,7 +165,6 @@ static struct auth4_context *make_auth4_context_s3(TALLOC_CTX *mem_ctx, struct a
 	auth4_context->generate_session_info = auth3_generate_session_info;
 	auth4_context->get_ntlm_challenge = auth3_get_challenge;
 	auth4_context->set_ntlm_challenge = auth3_set_challenge;
-	auth4_context->challenge_may_be_modified = auth3_may_set_challenge;
 	auth4_context->check_ntlm_password = auth3_check_password;
 	auth4_context->private_data = talloc_steal(auth4_context, auth_context);
 	return auth4_context;

source3/auth/auth_ntlmssp.c

@@ -63,18 +63,6 @@ NTSTATUS auth3_get_challenge(struct auth4_context *auth4_context,
 	return NT_STATUS_OK;
 }
 
-/**
- * Some authentication methods 'fix' the challenge, so we may not be able to set it
- *
- * @return If the effective challenge used by the auth subsystem may be modified
- */
-bool auth3_may_set_challenge(struct auth4_context *auth4_context)
-{
-	struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
-								  struct auth_context);
-	return auth_context->challenge_may_be_modified;
-}
-
 /**
  * NTLM2 authentication modifies the effective challenge, 
  * @param challenge The new challenge value

source3/include/auth.h

@@ -78,9 +78,6 @@ struct auth_context {
 	/* Who set this up in the first place? */ 
 	const char *challenge_set_by; 
 
-	bool challenge_may_be_modified;
-
-	struct auth_methods *challenge_set_method; 
 	/* What order are the various methods in?   Try to stop it changing under us */ 
 	struct auth_methods *auth_method_list;	
 
@@ -99,14 +96,6 @@ typedef struct auth_methods
 			 const struct auth_usersupplied_info *user_info, 
 			 struct auth_serversupplied_info **server_info);
 
-	/* If you are using this interface, then you are probably
-	 * getting something wrong.  This interface is only for
-	 * security=server, and makes a number of compromises to allow
-	 * that.  It is not compatible with being a PDC.  */
-	DATA_BLOB (*get_chal)(const struct auth_context *auth_context,
-			      void **my_private_data, 
-			      TALLOC_CTX *mem_ctx);
-
 	/* Optional methods allowing this module to provide a way to get a gensec context and an auth4_context */
 	prepare_gensec_fn prepare_gensec;
 	make_auth4_context_fn make_auth4_context;

source3/utils/ntlm_auth.c

@@ -866,8 +866,6 @@ static NTSTATUS ntlm_auth_get_challenge(struct auth4_context *auth_ctx,
 		auth_ctx->challenge.data		= data_blob_talloc(auth_ctx, chal, 8);
 		NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data);
 		auth_ctx->challenge.set_by		= "random";
-
-		auth_ctx->challenge.may_be_modified	= true;
 	}
 
 	DEBUG(10,("auth_get_challenge: challenge set by %s\n",
@@ -876,16 +874,6 @@ static NTSTATUS ntlm_auth_get_challenge(struct auth4_context *auth_ctx,
 	return NT_STATUS_OK;
 }
 
-/**
- * Some authentication methods 'fix' the challenge, so we may not be able to set it
- *
- * @return If the effective challenge used by the auth subsystem may be modified
- */
-static bool ntlm_auth_may_set_challenge(struct auth4_context *auth_ctx)
-{
-	return auth_ctx->challenge.may_be_modified;
-}
-
 /**
  * NTLM2 authentication modifies the effective challenge, 
  * @param challenge The new challenge value
@@ -1055,7 +1043,6 @@ static struct auth4_context *make_auth4_context_ntlm_auth(TALLOC_CTX *mem_ctx, b
 	auth4_context->generate_session_info_pac = ntlm_auth_generate_session_info_pac;
 	auth4_context->get_ntlm_challenge = ntlm_auth_get_challenge;
 	auth4_context->set_ntlm_challenge = ntlm_auth_set_challenge;
-	auth4_context->challenge_may_be_modified = ntlm_auth_may_set_challenge;
 	if (local_pw) {
 		auth4_context->check_ntlm_password = local_pw_check;
 	} else {

source4/auth/auth.h

@@ -55,13 +55,6 @@ struct smb_krb5_context;
 struct auth_operations {
 	const char *name;
 
-	/* If you are using this interface, then you are probably
-	 * getting something wrong.  This interface is only for
-	 * security=server, and makes a number of compromises to allow
-	 * that.  It is not compatible with being a PDC.  */
-
-	NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, uint8_t chal[8]);
-
 	/* Given the user supplied info, check if this backend want to handle the password checking */
 
 	NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,

source4/auth/ntlm/auth.c

@@ -54,22 +54,12 @@ _PUBLIC_ NTSTATUS auth_context_set_challenge(struct auth4_context *auth_ctx, con
 	return NT_STATUS_OK;
 }
 
-/***************************************************************************
- Set a fixed challenge
-***************************************************************************/
-_PUBLIC_ bool auth_challenge_may_be_modified(struct auth4_context *auth_ctx)
-{
-	return auth_ctx->challenge.may_be_modified;
-}
-
 /****************************************************************************
  Try to get a challenge out of the various authentication modules.
  Returns a const char of length 8 bytes.
 ****************************************************************************/
 _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t chal[8])
 {
-	NTSTATUS nt_status;
-	struct auth_method_context *method;
 
 	if (auth_ctx->challenge.data.length == 8) {
 		DEBUG(5, ("auth_get_challenge: returning previous challenge by module %s (normal)\n", 
@@ -78,29 +68,12 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha
 		return NT_STATUS_OK;
 	}
 
-	for (method = auth_ctx->methods; method; method = method->next) {
-		nt_status = method->ops->get_challenge(method, auth_ctx, chal);
-		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
-			continue;
-		}
-
-		NT_STATUS_NOT_OK_RETURN(nt_status);
-
-		auth_ctx->challenge.data	= data_blob_talloc(auth_ctx, chal, 8);
-		NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data);
-		auth_ctx->challenge.set_by	= method->ops->name;
-
-		break;
-	}
-
 	if (!auth_ctx->challenge.set_by) {
 		generate_random_buffer(chal, 8);
 
 		auth_ctx->challenge.data		= data_blob_talloc(auth_ctx, chal, 8);
 		NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data);
 		auth_ctx->challenge.set_by		= "random";
-
-		auth_ctx->challenge.may_be_modified	= true;
 	}
 
 	DEBUG(10,("auth_get_challenge: challenge set by %s\n",
@@ -574,8 +547,6 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 
 	ctx = talloc_zero(mem_ctx, struct auth4_context);
 	NT_STATUS_HAVE_NO_MEMORY(ctx);
-	ctx->challenge.set_by		= NULL;
-	ctx->challenge.may_be_modified	= false;
 	ctx->challenge.data		= data_blob(NULL, 0);
 	ctx->methods			= NULL;
 	ctx->event_ctx			= ev;
@@ -608,7 +579,6 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 	ctx->check_ntlm_password = auth_check_password_wrapper;
 	ctx->get_ntlm_challenge = auth_get_challenge;
 	ctx->set_ntlm_challenge = auth_context_set_challenge;
-	ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
 	ctx->generate_session_info = auth_generate_session_info_wrapper;
 	ctx->generate_session_info_pac = auth_generate_session_info_pac;
 

source4/auth/ntlm/auth_anonymous.c

@@ -61,7 +61,6 @@ static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
 
 static const struct auth_operations anonymous_auth_ops = {
 	.name		= "anonymous",
-	.get_challenge	= auth_get_challenge_not_implemented,
 	.want_check	= anonymous_want_check,
 	.check_password	= anonymous_check_password
 };