From: Samuel Cabrero <scabrero@samba.org>
Date: Tue, 15 Jun 2021 12:06:27 +0000 (+0200)
Subject: s3:winbind: Pass the challenge to winbind_dual_SamLogon() as a data blob
X-Git-Tag: talloc-2.3.4~309
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d900e93931e18fb86252b9eef96b236f5a39cf61;p=thirdparty%2Fsamba.git

s3:winbind: Pass the challenge to winbind_dual_SamLogon() as a data blob

Next commits will covert the winbindd_dual_pam_auth_crap() function to a
local RPC call handler receiving the challenge as a DATA_BLOB in the 'r'
struct.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 50dae9d7f3e..f446f0c8724 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -644,7 +644,7 @@ NTSTATUS rpccli_netlogon_network_logon(
 	const char *domain,
 	const char *workstation,
 	const uint64_t logon_id,
-	const uint8_t chal[8],
+	DATA_BLOB chal,
 	DATA_BLOB lm_response,
 	DATA_BLOB nt_response,
 	enum netr_LogonInfoClass logon_type,
@@ -715,7 +715,12 @@ NTSTATUS rpccli_netlogon_network_logon(
 	network_info->identity_info.account_name.string		= username;
 	network_info->identity_info.workstation.string		= workstation_name_slash;
 
-	memcpy(network_info->challenge, chal, 8);
+	if (chal.length != 8) {
+		DBG_WARNING("Invalid challenge length %zd\n", chal.length);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	memcpy(network_info->challenge, chal.data, chal.length);
 	network_info->nt = nt;
 	network_info->lm = lm;
 
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index 362321f312f..464492520fb 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -83,7 +83,7 @@ NTSTATUS rpccli_netlogon_network_logon(
 	const char *domain,
 	const char *workstation,
 	const uint64_t logon_id,
-	const uint8_t chal[8],
+	DATA_BLOB chal,
 	DATA_BLOB lm_response,
 	DATA_BLOB nt_response,
 	enum netr_LogonInfoClass logon_type,
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index a59ecafe695..ae2bd77c8a6 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -941,9 +941,8 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
 	struct winbindd_domain *domain;
 	NTSTATUS status;
 	struct netr_IdentityInfo *identity_info = NULL;
-	const uint8_t chal_zero[8] = {0, };
-	const uint8_t *challenge = chal_zero;
 	DATA_BLOB lm_response, nt_response;
+	DATA_BLOB challenge = data_blob_null;
 	uint32_t flags = 0;
 	uint16_t validation_level;
 	union netr_Validation *validation = NULL;
@@ -981,7 +980,7 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
 		interactive = true;
 		identity_info = &r->in.logon.password->identity_info;
 
-		challenge = chal_zero;
+		challenge = data_blob_null;
 		lm_response = data_blob_talloc(p->mem_ctx,
 					r->in.logon.password->lmpassword.hash,
 					sizeof(r->in.logon.password->lmpassword.hash));
@@ -999,7 +998,9 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
 		interactive = false;
 		identity_info = &r->in.logon.network->identity_info;
 
-		challenge = r->in.logon.network->challenge;
+		challenge = data_blob_talloc(p->mem_ctx,
+					r->in.logon.network->challenge,
+					8);
 		lm_response = data_blob_talloc(p->mem_ctx,
 					r->in.logon.network->lm.data,
 					r->in.logon.network->lm.length);
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 78bc6c932f3..0a11f440a72 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1653,7 +1653,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 					    const char *workstation,
 					    const uint64_t logon_id,
 					    bool plaintext_given,
-					    const uint8_t chal[8],
+					    DATA_BLOB chal,
 					    DATA_BLOB lm_response,
 					    DATA_BLOB nt_response,
 					    bool interactive,
@@ -2093,7 +2093,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(
 					     lp_netbios_name(),
 					     logon_id,
 					     true, /* plaintext_given */
-					     NULL,
+					     data_blob_null,
 					     data_blob_null, data_blob_null,
 					     true, /* interactive */
 					     &authoritative,
@@ -2672,7 +2672,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 			       const uint64_t logon_id,
 			       const char* client_name,
 			       const int client_pid,
-			       const uint8_t chal[8],
+			       DATA_BLOB chal_blob,
 			       DATA_BLOB lm_response,
 			       DATA_BLOB nt_response,
 			       const struct tsocket_address *remote,
@@ -2697,8 +2697,6 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 	 * we need to check against domain->name.
 	 */
 	if (!skip_sam && strequal(domain->name, get_global_sam_name())) {
-		DATA_BLOB chal_blob = data_blob_const(
-			chal, 8);
 		struct netr_SamInfo3 *info3 = NULL;
 
 		result = winbindd_dual_auth_passdb(
@@ -2745,7 +2743,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 					     workstation, /* We carefully set this above so use it... */
 					     logon_id,
 					     false, /* plaintext_given */
-					     chal,
+					     chal_blob,
 					     lm_response,
 					     nt_response,
 					     interactive,
@@ -2851,6 +2849,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 	uint16_t validation_level = UINT16_MAX;
 	union netr_Validation *validation = NULL;
 	DATA_BLOB lm_resp = { 0 }, nt_resp = { 0 };
+	DATA_BLOB chal = data_blob_null;
 	const struct timeval start_time = timeval_current();
 	const struct tsocket_address *remote = NULL;
 	const struct tsocket_address *local = NULL;
@@ -2896,6 +2895,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 					   state->request->data.auth_crap.nt_resp,
 					   state->request->data.auth_crap.nt_resp_len);
 	}
+	chal = data_blob_const(state->request->data.auth_crap.chal, 8);
 
 	result = winbind_dual_SamLogon(domain,
 				       state->mem_ctx,
@@ -2908,7 +2908,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 				       logon_id,
 				       state->request->client_name,
 				       state->request->pid,
-				       state->request->data.auth_crap.chal,
+				       chal,
 				       lm_resp,
 				       nt_resp,
 				       remote,
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 0edd6dd1d70..1393adec163 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -463,7 +463,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 			       const uint64_t logon_id,
 			       const char *client_name,
 			       const int pid,
-			       const uint8_t chal[8],
+			       DATA_BLOB chal,
 			       DATA_BLOB lm_response,
 			       DATA_BLOB nt_response,
 			       const struct tsocket_address *remote,