Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

ntlmssp.c@ 815

Visit:

Last change on this file since 815 was 1, checked in by Paul Smedley, 18 years ago
Initial code import
File size: 37.9 KB

Line
1	/*
2	Unix SMB/Netbios implementation.
3	Version 3.0
4	handle NLTMSSP, server side
5
6	Copyright (C) Andrew Tridgell 2001
7	Copyright (C) Andrew Bartlett 2001-2003
8	Copyright (C) Andrew Bartlett 2005 (Updated from gensec).
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 2 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program; if not, write to the Free Software
22	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23	*/
24
25	#include "includes.h"
26
27	static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
28	DATA_BLOB reply, DATA_BLOB *next_request);
29	static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
30	const DATA_BLOB in, DATA_BLOB *out);
31	static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
32	const DATA_BLOB reply, DATA_BLOB *next_request);
33	static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
34	const DATA_BLOB request, DATA_BLOB *reply);
35
36	/**
37	* Callbacks for NTLMSSP - for both client and server operating modes
38	*
39	*/
40
41	static const struct ntlmssp_callbacks {
42	enum NTLMSSP_ROLE role;
43	enum NTLM_MESSAGE_TYPE ntlmssp_command;
44	NTSTATUS (fn)(struct ntlmssp_state ntlmssp_state,
45	DATA_BLOB in, DATA_BLOB *out);
46	} ntlmssp_callbacks[] = {
47	{NTLMSSP_CLIENT, NTLMSSP_INITIAL, ntlmssp_client_initial},
48	{NTLMSSP_SERVER, NTLMSSP_NEGOTIATE, ntlmssp_server_negotiate},
49	{NTLMSSP_CLIENT, NTLMSSP_CHALLENGE, ntlmssp_client_challenge},
50	{NTLMSSP_SERVER, NTLMSSP_AUTH, ntlmssp_server_auth},
51	{NTLMSSP_CLIENT, NTLMSSP_UNKNOWN, NULL},
52	{NTLMSSP_SERVER, NTLMSSP_UNKNOWN, NULL}
53	};
54
55
56	/**
57	* Print out the NTLMSSP flags for debugging
58	* @param neg_flags The flags from the packet
59	*/
60
61	void debug_ntlmssp_flags(uint32 neg_flags)
62	{
63	DEBUG(3,("Got NTLMSSP neg_flags=0x%08x\n", neg_flags));
64
65	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE)
66	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_UNICODE\n"));
67	if (neg_flags & NTLMSSP_NEGOTIATE_OEM)
68	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM\n"));
69	if (neg_flags & NTLMSSP_REQUEST_TARGET)
70	DEBUGADD(4, (" NTLMSSP_REQUEST_TARGET\n"));
71	if (neg_flags & NTLMSSP_NEGOTIATE_SIGN)
72	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SIGN\n"));
73	if (neg_flags & NTLMSSP_NEGOTIATE_SEAL)
74	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SEAL\n"));
75	if (neg_flags & NTLMSSP_NEGOTIATE_DATAGRAM_STYLE)
76	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_DATAGRAM_STYLE\n"));
77	if (neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
78	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_LM_KEY\n"));
79	if (neg_flags & NTLMSSP_NEGOTIATE_NETWARE)
80	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NETWARE\n"));
81	if (neg_flags & NTLMSSP_NEGOTIATE_NTLM)
82	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM\n"));
83	if (neg_flags & NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED)
84	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED\n"));
85	if (neg_flags & NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED)
86	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED\n"));
87	if (neg_flags & NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL)
88	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL\n"));
89	if (neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
90	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_ALWAYS_SIGN\n"));
91	if (neg_flags & NTLMSSP_CHAL_ACCEPT_RESPONSE)
92	DEBUGADD(4, (" NTLMSSP_CHAL_ACCEPT_RESPONSE\n"));
93	if (neg_flags & NTLMSSP_CHAL_NON_NT_SESSION_KEY)
94	DEBUGADD(4, (" NTLMSSP_CHAL_NON_NT_SESSION_KEY\n"));
95	if (neg_flags & NTLMSSP_NEGOTIATE_NTLM2)
96	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM2\n"));
97	if (neg_flags & NTLMSSP_CHAL_TARGET_INFO)
98	DEBUGADD(4, (" NTLMSSP_CHAL_TARGET_INFO\n"));
99	if (neg_flags & NTLMSSP_NEGOTIATE_128)
100	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_128\n"));
101	if (neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)
102	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_KEY_EXCH\n"));
103	if (neg_flags & NTLMSSP_NEGOTIATE_56)
104	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_56\n"));
105	}
106
107	/**
108	* Default challenge generation code.
109	*
110	*/
111
112	static const uint8 get_challenge(const struct ntlmssp_state ntlmssp_state)
113	{
114	static uchar chal[8];
115	generate_random_buffer(chal, sizeof(chal));
116
117	return chal;
118	}
119
120	/**
121	* Default 'we can set the challenge to anything we like' implementation
122	*
123	*/
124
125	static BOOL may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
126	{
127	return True;
128	}
129
130	/**
131	* Default 'we can set the challenge to anything we like' implementation
132	*
133	* Does not actually do anything, as the value is always in the structure anyway.
134	*
135	*/
136
137	static NTSTATUS set_challenge(struct ntlmssp_state ntlmssp_state, DATA_BLOB challenge)
138	{
139	SMB_ASSERT(challenge->length == 8);
140	return NT_STATUS_OK;
141	}
142
143	/**
144	* Set a username on an NTLMSSP context - ensures it is talloc()ed
145	*
146	*/
147
148	NTSTATUS ntlmssp_set_username(NTLMSSP_STATE ntlmssp_state, const char user)
149	{
150	ntlmssp_state->user = talloc_strdup(ntlmssp_state->mem_ctx, user ? user : "" );
151	if (!ntlmssp_state->user) {
152	return NT_STATUS_NO_MEMORY;
153	}
154	return NT_STATUS_OK;
155	}
156
157	/**
158	* Store NT and LM hashes on an NTLMSSP context - ensures they are talloc()ed
159	*
160	*/
161	NTSTATUS ntlmssp_set_hashes(NTLMSSP_STATE *ntlmssp_state,
162	const unsigned char lm_hash[16],
163	const unsigned char nt_hash[16])
164	{
165	ntlmssp_state->lm_hash = (unsigned char *)
166	TALLOC_MEMDUP(ntlmssp_state->mem_ctx, lm_hash, 16);
167	ntlmssp_state->nt_hash = (unsigned char *)
168	TALLOC_MEMDUP(ntlmssp_state->mem_ctx, nt_hash, 16);
169	if (!ntlmssp_state->lm_hash \|\| !ntlmssp_state->nt_hash) {
170	TALLOC_FREE(ntlmssp_state->lm_hash);
171	TALLOC_FREE(ntlmssp_state->nt_hash);
172	return NT_STATUS_NO_MEMORY;
173	}
174	return NT_STATUS_OK;
175	}
176
177	/**
178	* Converts a password to the hashes on an NTLMSSP context.
179	*
180	*/
181	NTSTATUS ntlmssp_set_password(NTLMSSP_STATE ntlmssp_state, const char password)
182	{
183	if (!password) {
184	ntlmssp_state->lm_hash = NULL;
185	ntlmssp_state->nt_hash = NULL;
186	} else {
187	unsigned char lm_hash[16];
188	unsigned char nt_hash[16];
189
190	E_deshash(password, lm_hash);
191	E_md4hash(password, nt_hash);
192	return ntlmssp_set_hashes(ntlmssp_state, lm_hash, nt_hash);
193	}
194	return NT_STATUS_OK;
195	}
196
197	/**
198	* Set a domain on an NTLMSSP context - ensures it is talloc()ed
199	*
200	*/
201	NTSTATUS ntlmssp_set_domain(NTLMSSP_STATE ntlmssp_state, const char domain)
202	{
203	ntlmssp_state->domain = talloc_strdup(ntlmssp_state->mem_ctx, domain ? domain : "" );
204	if (!ntlmssp_state->domain) {
205	return NT_STATUS_NO_MEMORY;
206	}
207	return NT_STATUS_OK;
208	}
209
210	/**
211	* Set a workstation on an NTLMSSP context - ensures it is talloc()ed
212	*
213	*/
214	NTSTATUS ntlmssp_set_workstation(NTLMSSP_STATE ntlmssp_state, const char workstation)
215	{
216	ntlmssp_state->workstation = talloc_strdup(ntlmssp_state->mem_ctx, workstation);
217	if (!ntlmssp_state->workstation) {
218	return NT_STATUS_NO_MEMORY;
219	}
220	return NT_STATUS_OK;
221	}
222
223	/**
224	* Store a DATA_BLOB containing an NTLMSSP response, for use later.
225	* This copies the data blob
226	*/
227
228	NTSTATUS ntlmssp_store_response(NTLMSSP_STATE *ntlmssp_state,
229	DATA_BLOB response)
230	{
231	ntlmssp_state->stored_response = data_blob_talloc(ntlmssp_state->mem_ctx,
232	response.data, response.length);
233	return NT_STATUS_OK;
234	}
235
236	/**
237	* Request features for the NTLMSSP negotiation
238	*
239	* @param ntlmssp_state NTLMSSP state
240	* @param feature_list List of space seperated features requested from NTLMSSP.
241	*/
242	void ntlmssp_want_feature_list(NTLMSSP_STATE ntlmssp_state, char feature_list)
243	{
244	/*
245	* We need to set this to allow a later SetPassword
246	* via the SAMR pipe to succeed. Strange.... We could
247	* also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
248	*/
249	if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
250	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
251	}
252	if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
253	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
254	}
255	if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
256	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SEAL;
257	}
258	}
259
260	/**
261	* Request a feature for the NTLMSSP negotiation
262	*
263	* @param ntlmssp_state NTLMSSP state
264	* @param feature Bit flag specifying the requested feature
265	*/
266	void ntlmssp_want_feature(NTLMSSP_STATE *ntlmssp_state, uint32 feature)
267	{
268	/* As per JRA's comment above */
269	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
270	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
271	}
272	if (feature & NTLMSSP_FEATURE_SIGN) {
273	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
274	}
275	if (feature & NTLMSSP_FEATURE_SEAL) {
276	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SEAL;
277	}
278	}
279
280	/**
281	* Next state function for the NTLMSSP state machine
282	*
283	* @param ntlmssp_state NTLMSSP State
284	* @param in The packet in from the NTLMSSP partner, as a DATA_BLOB
285	* @param out The reply, as an allocated DATA_BLOB, caller to free.
286	* @return Errors, NT_STATUS_MORE_PROCESSING_REQUIRED or NT_STATUS_OK.
287	*/
288
289	NTSTATUS ntlmssp_update(NTLMSSP_STATE *ntlmssp_state,
290	const DATA_BLOB in, DATA_BLOB *out)
291	{
292	DATA_BLOB input;
293	uint32 ntlmssp_command;
294	int i;
295
296	if (ntlmssp_state->expected_state == NTLMSSP_DONE) {
297	/* Called update after negotiations finished. */
298	DEBUG(1, ("Called NTLMSSP after state machine was 'done'\n"));
299	return NT_STATUS_INVALID_PARAMETER;
300	}
301
302	*out = data_blob(NULL, 0);
303
304	if (!in.length && ntlmssp_state->stored_response.length) {
305	input = ntlmssp_state->stored_response;
306
307	/* we only want to read the stored response once - overwrite it */
308	ntlmssp_state->stored_response = data_blob(NULL, 0);
309	} else {
310	input = in;
311	}
312
313	if (!input.length) {
314	switch (ntlmssp_state->role) {
315	case NTLMSSP_CLIENT:
316	ntlmssp_command = NTLMSSP_INITIAL;
317	break;
318	case NTLMSSP_SERVER:
319	/* 'datagram' mode - no neg packet */
320	ntlmssp_command = NTLMSSP_NEGOTIATE;
321	break;
322	}
323	} else {
324	if (!msrpc_parse(&input, "Cd",
325	"NTLMSSP",
326	&ntlmssp_command)) {
327	DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n"));
328	dump_data(2, (const char *)input.data, input.length);
329	return NT_STATUS_INVALID_PARAMETER;
330	}
331	}
332
333	if (ntlmssp_command != ntlmssp_state->expected_state) {
334	DEBUG(1, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command, ntlmssp_state->expected_state));
335	return NT_STATUS_INVALID_PARAMETER;
336	}
337
338	for (i=0; ntlmssp_callbacks[i].fn; i++) {
339	if (ntlmssp_callbacks[i].role == ntlmssp_state->role
340	&& ntlmssp_callbacks[i].ntlmssp_command == ntlmssp_command) {
341	return ntlmssp_callbacks[i].fn(ntlmssp_state, input, out);
342	}
343	}
344
345	DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command %u\n",
346	ntlmssp_state->role, ntlmssp_command));
347
348	return NT_STATUS_INVALID_PARAMETER;
349	}
350
351	/**
352	* End an NTLMSSP state machine
353	*
354	* @param ntlmssp_state NTLMSSP State, free()ed by this function
355	*/
356
357	void ntlmssp_end(NTLMSSP_STATE **ntlmssp_state)
358	{
359	TALLOC_CTX mem_ctx = (ntlmssp_state)->mem_ctx;
360
361	(*ntlmssp_state)->ref_count--;
362
363	if ((*ntlmssp_state)->ref_count == 0) {
364	data_blob_free(&(*ntlmssp_state)->chal);
365	data_blob_free(&(*ntlmssp_state)->lm_resp);
366	data_blob_free(&(*ntlmssp_state)->nt_resp);
367
368	talloc_destroy(mem_ctx);
369	}
370
371	*ntlmssp_state = NULL;
372	return;
373	}
374
375	/**
376	* Determine correct target name flags for reply, given server role
377	* and negotiated flags
378	*
379	* @param ntlmssp_state NTLMSSP State
380	* @param neg_flags The flags from the packet
381	* @param chal_flags The flags to be set in the reply packet
382	* @return The 'target name' string.
383	*/
384
385	static const char ntlmssp_target_name(struct ntlmssp_state ntlmssp_state,
386	uint32 neg_flags, uint32 *chal_flags)
387	{
388	if (neg_flags & NTLMSSP_REQUEST_TARGET) {
389	*chal_flags \|= NTLMSSP_CHAL_TARGET_INFO;
390	*chal_flags \|= NTLMSSP_REQUEST_TARGET;
391	if (ntlmssp_state->server_role == ROLE_STANDALONE) {
392	*chal_flags \|= NTLMSSP_TARGET_TYPE_SERVER;
393	return ntlmssp_state->get_global_myname();
394	} else {
395	*chal_flags \|= NTLMSSP_TARGET_TYPE_DOMAIN;
396	return ntlmssp_state->get_domain();
397	};
398	} else {
399	return "";
400	}
401	}
402
403	static void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
404	uint32 neg_flags, BOOL allow_lm) {
405	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
406	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_UNICODE;
407	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
408	ntlmssp_state->unicode = True;
409	} else {
410	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
411	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_OEM;
412	ntlmssp_state->unicode = False;
413	}
414
415	if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
416	/* other end forcing us to use LM */
417	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_LM_KEY;
418	ntlmssp_state->use_ntlmv2 = False;
419	} else {
420	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
421	}
422
423	if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
424	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
425	}
426
427	if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
428	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
429	}
430
431	if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
432	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
433	}
434
435	if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
436	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
437	}
438
439	if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
440	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
441	}
442
443	if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
444	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
445	}
446
447	if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
448	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
449	}
450
451	/* Woop Woop - unknown flag for Windows compatibility...
452	What does this really do ? JRA. */
453	if (!(neg_flags & NTLMSSP_UNKNOWN_02000000)) {
454	ntlmssp_state->neg_flags &= ~NTLMSSP_UNKNOWN_02000000;
455	}
456
457	if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
458	ntlmssp_state->neg_flags \|= NTLMSSP_REQUEST_TARGET;
459	}
460	}
461
462	/**
463	Weaken NTLMSSP keys to cope with down-level clients and servers.
464
465	We probably should have some parameters to control this, but as
466	it only occours for LM_KEY connections, and this is controlled
467	by the client lanman auth/lanman auth parameters, it isn't too bad.
468	*/
469
470	DATA_BLOB ntlmssp_weaken_keys(NTLMSSP_STATE ntlmssp_state, TALLOC_CTX mem_ctx)
471	{
472	DATA_BLOB weakened_key = data_blob_talloc(mem_ctx,
473	ntlmssp_state->session_key.data,
474	ntlmssp_state->session_key.length);
475
476	/* Nothing to weaken. We certainly don't want to 'extend' the length... */
477	if (weakened_key.length < 16) {
478	/* perhaps there was no key? */
479	return weakened_key;
480	}
481
482	/* Key weakening not performed on the master key for NTLM2
483	and does not occour for NTLM1. Therefore we only need
484	to do this for the LM_KEY.
485	*/
486
487	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
488	/* LM key doesn't support 128 bit crypto, so this is
489	* the best we can do. If you negotiate 128 bit, but
490	* not 56, you end up with 40 bit... */
491	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
492	weakened_key.data[7] = 0xa0;
493	} else { /* forty bits */
494	weakened_key.data[5] = 0xe5;
495	weakened_key.data[6] = 0x38;
496	weakened_key.data[7] = 0xb0;
497	}
498	weakened_key.length = 8;
499	}
500	return weakened_key;
501	}
502
503	/**
504	* Next state function for the Negotiate packet
505	*
506	* @param ntlmssp_state NTLMSSP State
507	* @param request The request, as a DATA_BLOB
508	* @param request The reply, as an allocated DATA_BLOB, caller to free.
509	* @return Errors or MORE_PROCESSING_REQUIRED if a reply is sent.
510	*/
511
512	static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
513	const DATA_BLOB request, DATA_BLOB *reply)
514	{
515	DATA_BLOB struct_blob;
516	fstring dnsname, dnsdomname;
517	uint32 neg_flags = 0;
518	uint32 ntlmssp_command, chal_flags;
519	const uint8 *cryptkey;
520	const char *target_name;
521
522	/* parse the NTLMSSP packet */
523	#if 0
524	file_save("ntlmssp_negotiate.dat", request.data, request.length);
525	#endif
526
527	if (request.length) {
528	if ((request.length < 16) \|\| !msrpc_parse(&request, "Cdd",
529	"NTLMSSP",
530	&ntlmssp_command,
531	&neg_flags)) {
532	DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP Negotiate of length %u\n",
533	(unsigned int)request.length));
534	dump_data(2, (const char *)request.data, request.length);
535	return NT_STATUS_INVALID_PARAMETER;
536	}
537	debug_ntlmssp_flags(neg_flags);
538	}
539
540	ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, lp_lanman_auth());
541
542	/* Ask our caller what challenge they would like in the packet */
543	cryptkey = ntlmssp_state->get_challenge(ntlmssp_state);
544
545	/* Check if we may set the challenge */
546	if (!ntlmssp_state->may_set_challenge(ntlmssp_state)) {
547	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
548	}
549
550	/* The flags we send back are not just the negotiated flags,
551	* they are also 'what is in this packet'. Therfore, we
552	* operate on 'chal_flags' from here on
553	*/
554
555	chal_flags = ntlmssp_state->neg_flags;
556
557	/* get the right name to fill in as 'target' */
558	target_name = ntlmssp_target_name(ntlmssp_state,
559	neg_flags, &chal_flags);
560	if (target_name == NULL)
561	return NT_STATUS_INVALID_PARAMETER;
562
563	ntlmssp_state->chal = data_blob_talloc(ntlmssp_state->mem_ctx, cryptkey, 8);
564	ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state->mem_ctx, cryptkey, 8);
565
566
567	/* This should be a 'netbios domain -> DNS domain' mapping */
568	dnsdomname[0] = '\0';
569	get_mydnsdomname(dnsdomname);
570	strlower_m(dnsdomname);
571
572	dnsname[0] = '\0';
573	get_mydnsfullname(dnsname);
574
575	/* This creates the 'blob' of names that appears at the end of the packet */
576	if (chal_flags & NTLMSSP_CHAL_TARGET_INFO)
577	{
578	msrpc_gen(&struct_blob, "aaaaa",
579	NTLMSSP_NAME_TYPE_DOMAIN, target_name,
580	NTLMSSP_NAME_TYPE_SERVER, ntlmssp_state->get_global_myname(),
581	NTLMSSP_NAME_TYPE_DOMAIN_DNS, dnsdomname,
582	NTLMSSP_NAME_TYPE_SERVER_DNS, dnsname,
583	0, "");
584	} else {
585	struct_blob = data_blob(NULL, 0);
586	}
587
588	{
589	/* Marshel the packet in the right format, be it unicode or ASCII */
590	const char *gen_string;
591	if (ntlmssp_state->unicode) {
592	gen_string = "CdUdbddB";
593	} else {
594	gen_string = "CdAdbddB";
595	}
596
597	msrpc_gen(reply, gen_string,
598	"NTLMSSP",
599	NTLMSSP_CHALLENGE,
600	target_name,
601	chal_flags,
602	cryptkey, 8,
603	0, 0,
604	struct_blob.data, struct_blob.length);
605	}
606
607	data_blob_free(&struct_blob);
608
609	ntlmssp_state->expected_state = NTLMSSP_AUTH;
610
611	return NT_STATUS_MORE_PROCESSING_REQUIRED;
612	}
613
614	/**
615	* Next state function for the Authenticate packet
616	*
617	* @param ntlmssp_state NTLMSSP State
618	* @param request The request, as a DATA_BLOB
619	* @param request The reply, as an allocated DATA_BLOB, caller to free.
620	* @return Errors or NT_STATUS_OK.
621	*/
622
623	static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
624	const DATA_BLOB request, DATA_BLOB *reply)
625	{
626	DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
627	DATA_BLOB user_session_key = data_blob(NULL, 0);
628	DATA_BLOB lm_session_key = data_blob(NULL, 0);
629	DATA_BLOB session_key = data_blob(NULL, 0);
630	uint32 ntlmssp_command, auth_flags;
631	NTSTATUS nt_status = NT_STATUS_OK;
632
633	/* used by NTLM2 */
634	BOOL doing_ntlm2 = False;
635
636	uchar session_nonce[16];
637	uchar session_nonce_hash[16];
638
639	const char *parse_string;
640	char *domain = NULL;
641	char *user = NULL;
642	char *workstation = NULL;
643
644	/* parse the NTLMSSP packet */
645	*reply = data_blob(NULL, 0);
646
647	#if 0
648	file_save("ntlmssp_auth.dat", request.data, request.length);
649	#endif
650
651	if (ntlmssp_state->unicode) {
652	parse_string = "CdBBUUUBd";
653	} else {
654	parse_string = "CdBBAAABd";
655	}
656
657	data_blob_free(&ntlmssp_state->lm_resp);
658	data_blob_free(&ntlmssp_state->nt_resp);
659
660	ntlmssp_state->user = NULL;
661	ntlmssp_state->domain = NULL;
662	ntlmssp_state->workstation = NULL;
663
664	/* now the NTLMSSP encoded auth hashes */
665	if (!msrpc_parse(&request, parse_string,
666	"NTLMSSP",
667	&ntlmssp_command,
668	&ntlmssp_state->lm_resp,
669	&ntlmssp_state->nt_resp,
670	&domain,
671	&user,
672	&workstation,
673	&encrypted_session_key,
674	&auth_flags)) {
675	SAFE_FREE(domain);
676	SAFE_FREE(user);
677	SAFE_FREE(workstation);
678	data_blob_free(&encrypted_session_key);
679	auth_flags = 0;
680
681	/* Try again with a shorter string (Win9X truncates this packet) */
682	if (ntlmssp_state->unicode) {
683	parse_string = "CdBBUUU";
684	} else {
685	parse_string = "CdBBAAA";
686	}
687
688	/* now the NTLMSSP encoded auth hashes */
689	if (!msrpc_parse(&request, parse_string,
690	"NTLMSSP",
691	&ntlmssp_command,
692	&ntlmssp_state->lm_resp,
693	&ntlmssp_state->nt_resp,
694	&domain,
695	&user,
696	&workstation)) {
697	DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP (tried both formats):\n"));
698	dump_data(2, (const char *)request.data, request.length);
699	SAFE_FREE(domain);
700	SAFE_FREE(user);
701	SAFE_FREE(workstation);
702
703	return NT_STATUS_INVALID_PARAMETER;
704	}
705	}
706
707	if (auth_flags)
708	ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, lp_lanman_auth());
709
710	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, domain))) {
711	SAFE_FREE(domain);
712	SAFE_FREE(user);
713	SAFE_FREE(workstation);
714	data_blob_free(&encrypted_session_key);
715	return nt_status;
716	}
717
718	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, user))) {
719	SAFE_FREE(domain);
720	SAFE_FREE(user);
721	SAFE_FREE(workstation);
722	data_blob_free(&encrypted_session_key);
723	return nt_status;
724	}
725
726	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_workstation(ntlmssp_state, workstation))) {
727	SAFE_FREE(domain);
728	SAFE_FREE(user);
729	SAFE_FREE(workstation);
730	data_blob_free(&encrypted_session_key);
731	return nt_status;
732	}
733
734	SAFE_FREE(domain);
735	SAFE_FREE(user);
736	SAFE_FREE(workstation);
737
738	DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n",
739	ntlmssp_state->user, ntlmssp_state->domain, ntlmssp_state->workstation, (unsigned long)ntlmssp_state->lm_resp.length, (unsigned long)ntlmssp_state->nt_resp.length));
740
741	#if 0
742	file_save("nthash1.dat", &ntlmssp_state->nt_resp.data, &ntlmssp_state->nt_resp.length);
743	file_save("lmhash1.dat", &ntlmssp_state->lm_resp.data, &ntlmssp_state->lm_resp.length);
744	#endif
745
746	/* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a
747	client challenge
748
749	However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful.
750	*/
751	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
752	if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) {
753	struct MD5Context md5_session_nonce_ctx;
754	SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8);
755
756	doing_ntlm2 = True;
757
758	memcpy(session_nonce, ntlmssp_state->internal_chal.data, 8);
759	memcpy(&session_nonce[8], ntlmssp_state->lm_resp.data, 8);
760
761	MD5Init(&md5_session_nonce_ctx);
762	MD5Update(&md5_session_nonce_ctx, session_nonce, 16);
763	MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
764
765	ntlmssp_state->chal = data_blob_talloc(ntlmssp_state->mem_ctx, session_nonce_hash, 8);
766
767	/* LM response is no longer useful */
768	data_blob_free(&ntlmssp_state->lm_resp);
769
770	/* We changed the effective challenge - set it */
771	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->set_challenge(ntlmssp_state, &ntlmssp_state->chal))) {
772	data_blob_free(&encrypted_session_key);
773	return nt_status;
774	}
775
776	/* LM Key is incompatible. */
777	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
778	}
779	}
780
781	/*
782	* Note we don't check here for NTLMv2 auth settings. If NTLMv2 auth
783	* is required (by "ntlm auth = no" and "lm auth = no" being set in the
784	* smb.conf file) and no NTLMv2 response was sent then the password check
785	* will fail here. JRA.
786	*/
787
788	/* Finally, actually ask if the password is OK */
789
790	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->check_password(ntlmssp_state,
791	&user_session_key, &lm_session_key))) {
792	data_blob_free(&encrypted_session_key);
793	return nt_status;
794	}
795
796	dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length);
797	dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
798
799	/* Handle the different session key derivation for NTLM2 */
800	if (doing_ntlm2) {
801	if (user_session_key.data && user_session_key.length == 16) {
802	session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
803	hmac_md5(user_session_key.data, session_nonce,
804	sizeof(session_nonce), session_key.data);
805	DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
806	dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
807
808	} else {
809	DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n"));
810	session_key = data_blob(NULL, 0);
811	}
812	} else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
813	if (lm_session_key.data && lm_session_key.length >= 8) {
814	if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) {
815	session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
816	if (session_key.data == NULL) {
817	return NT_STATUS_NO_MEMORY;
818	}
819	SMBsesskeygen_lm_sess_key(lm_session_key.data, ntlmssp_state->lm_resp.data,
820	session_key.data);
821	DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
822	} else {
823	static const uint8 zeros[24] = { 0, };
824	session_key = data_blob_talloc(
825	ntlmssp_state->mem_ctx, NULL, 16);
826	if (session_key.data == NULL) {
827	return NT_STATUS_NO_MEMORY;
828	}
829	SMBsesskeygen_lm_sess_key(
830	lm_session_key.data, zeros,
831	session_key.data);
832	}
833	dump_data_pw("LM session key:\n", session_key.data,
834	session_key.length);
835	} else {
836	DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n"));
837	session_key = data_blob(NULL, 0);
838	}
839	} else if (user_session_key.data) {
840	session_key = user_session_key;
841	DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
842	dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
843	} else if (lm_session_key.data) {
844	session_key = lm_session_key;
845	DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n"));
846	dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
847	} else {
848	DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n"));
849	session_key = data_blob(NULL, 0);
850	}
851
852	/* With KEY_EXCH, the client supplies the proposed session key,
853	but encrypts it with the long-term key */
854	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
855	if (!encrypted_session_key.data \|\| encrypted_session_key.length != 16) {
856	data_blob_free(&encrypted_session_key);
857	DEBUG(1, ("Client-supplied KEY_EXCH session key was of invalid length (%u)!\n",
858	(unsigned int)encrypted_session_key.length));
859	return NT_STATUS_INVALID_PARAMETER;
860	} else if (!session_key.data \|\| session_key.length != 16) {
861	DEBUG(5, ("server session key is invalid (len == %u), cannot do KEY_EXCH!\n",
862	(unsigned int)session_key.length));
863	ntlmssp_state->session_key = session_key;
864	} else {
865	dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
866	SamOEMhash(encrypted_session_key.data,
867	session_key.data,
868	encrypted_session_key.length);
869	ntlmssp_state->session_key = data_blob_talloc(ntlmssp_state->mem_ctx,
870	encrypted_session_key.data,
871	encrypted_session_key.length);
872	dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data,
873	encrypted_session_key.length);
874	}
875	} else {
876	ntlmssp_state->session_key = session_key;
877	}
878
879	if (!NT_STATUS_IS_OK(nt_status)) {
880	ntlmssp_state->session_key = data_blob(NULL, 0);
881	} else if (ntlmssp_state->session_key.length) {
882	nt_status = ntlmssp_sign_init(ntlmssp_state);
883	}
884
885	data_blob_free(&encrypted_session_key);
886
887	/* Only one authentication allowed per server state. */
888	ntlmssp_state->expected_state = NTLMSSP_DONE;
889
890	return nt_status;
891	}
892
893	/**
894	* Create an NTLMSSP state machine
895	*
896	* @param ntlmssp_state NTLMSSP State, allocated by this function
897	*/
898
899	NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
900	{
901	TALLOC_CTX *mem_ctx;
902
903	mem_ctx = talloc_init("NTLMSSP context");
904
905	*ntlmssp_state = TALLOC_ZERO_P(mem_ctx, NTLMSSP_STATE);
906	if (!*ntlmssp_state) {
907	DEBUG(0,("ntlmssp_server_start: talloc failed!\n"));
908	talloc_destroy(mem_ctx);
909	return NT_STATUS_NO_MEMORY;
910	}
911
912	(*ntlmssp_state)->role = NTLMSSP_SERVER;
913
914	(*ntlmssp_state)->mem_ctx = mem_ctx;
915	(*ntlmssp_state)->get_challenge = get_challenge;
916	(*ntlmssp_state)->set_challenge = set_challenge;
917	(*ntlmssp_state)->may_set_challenge = may_set_challenge;
918
919	(*ntlmssp_state)->get_global_myname = global_myname;
920	(*ntlmssp_state)->get_domain = lp_workgroup;
921	(ntlmssp_state)->server_role = ROLE_DOMAIN_MEMBER; / a good default */
922
923	(*ntlmssp_state)->expected_state = NTLMSSP_NEGOTIATE;
924
925	(*ntlmssp_state)->ref_count = 1;
926
927	(*ntlmssp_state)->neg_flags =
928	NTLMSSP_NEGOTIATE_128 \|
929	NTLMSSP_NEGOTIATE_56 \|
930	NTLMSSP_UNKNOWN_02000000 \|
931	NTLMSSP_NEGOTIATE_ALWAYS_SIGN \|
932	NTLMSSP_NEGOTIATE_NTLM \|
933	NTLMSSP_NEGOTIATE_NTLM2 \|
934	NTLMSSP_NEGOTIATE_KEY_EXCH \|
935	NTLMSSP_NEGOTIATE_SIGN \|
936	NTLMSSP_NEGOTIATE_SEAL;
937
938	return NT_STATUS_OK;
939	}
940
941	/*********************************************************************
942	Client side NTLMSSP
943	*********************************************************************/
944
945	/**
946	* Next state function for the Initial packet
947	*
948	* @param ntlmssp_state NTLMSSP State
949	* @param request The request, as a DATA_BLOB. reply.data must be NULL
950	* @param request The reply, as an allocated DATA_BLOB, caller to free.
951	* @return Errors or NT_STATUS_OK.
952	*/
953
954	static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
955	DATA_BLOB reply, DATA_BLOB *next_request)
956	{
957	if (ntlmssp_state->unicode) {
958	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_UNICODE;
959	} else {
960	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_OEM;
961	}
962
963	if (ntlmssp_state->use_ntlmv2) {
964	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_NTLM2;
965	}
966
967	/* generate the ntlmssp negotiate packet */
968	msrpc_gen(next_request, "CddAA",
969	"NTLMSSP",
970	NTLMSSP_NEGOTIATE,
971	ntlmssp_state->neg_flags,
972	ntlmssp_state->get_domain(),
973	ntlmssp_state->get_global_myname());
974
975	ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
976
977	return NT_STATUS_MORE_PROCESSING_REQUIRED;
978	}
979
980	/**
981	* Next state function for the Challenge Packet. Generate an auth packet.
982	*
983	* @param ntlmssp_state NTLMSSP State
984	* @param request The request, as a DATA_BLOB. reply.data must be NULL
985	* @param request The reply, as an allocated DATA_BLOB, caller to free.
986	* @return Errors or NT_STATUS_OK.
987	*/
988
989	static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
990	const DATA_BLOB reply, DATA_BLOB *next_request)
991	{
992	uint32 chal_flags, ntlmssp_command, unkn1, unkn2;
993	DATA_BLOB server_domain_blob;
994	DATA_BLOB challenge_blob;
995	DATA_BLOB struct_blob = data_blob(NULL, 0);
996	char *server_domain;
997	const char *chal_parse_string;
998	const char *auth_gen_string;
999	DATA_BLOB lm_response = data_blob(NULL, 0);
1000	DATA_BLOB nt_response = data_blob(NULL, 0);
1001	DATA_BLOB session_key = data_blob(NULL, 0);
1002	DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
1003	NTSTATUS nt_status = NT_STATUS_OK;
1004
1005	if (!msrpc_parse(&reply, "CdBd",
1006	"NTLMSSP",
1007	&ntlmssp_command,
1008	&server_domain_blob,
1009	&chal_flags)) {
1010	DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
1011	dump_data(2, (const char *)reply.data, reply.length);
1012
1013	return NT_STATUS_INVALID_PARAMETER;
1014	}
1015
1016	data_blob_free(&server_domain_blob);
1017
1018	DEBUG(3, ("Got challenge flags:\n"));
1019	debug_ntlmssp_flags(chal_flags);
1020
1021	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
1022
1023	if (ntlmssp_state->unicode) {
1024	if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) {
1025	chal_parse_string = "CdUdbddB";
1026	} else {
1027	chal_parse_string = "CdUdbdd";
1028	}
1029	auth_gen_string = "CdBBUUUBd";
1030	} else {
1031	if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) {
1032	chal_parse_string = "CdAdbddB";
1033	} else {
1034	chal_parse_string = "CdAdbdd";
1035	}
1036
1037	auth_gen_string = "CdBBAAABd";
1038	}
1039
1040	DEBUG(3, ("NTLMSSP: Set final flags:\n"));
1041	debug_ntlmssp_flags(ntlmssp_state->neg_flags);
1042
1043	if (!msrpc_parse(&reply, chal_parse_string,
1044	"NTLMSSP",
1045	&ntlmssp_command,
1046	&server_domain,
1047	&chal_flags,
1048	&challenge_blob, 8,
1049	&unkn1, &unkn2,
1050	&struct_blob)) {
1051	DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
1052	dump_data(2, (const char *)reply.data, reply.length);
1053	return NT_STATUS_INVALID_PARAMETER;
1054	}
1055
1056	ntlmssp_state->server_domain = talloc_strdup(ntlmssp_state->mem_ctx,
1057	server_domain);
1058
1059	SAFE_FREE(server_domain);
1060	if (challenge_blob.length != 8) {
1061	data_blob_free(&struct_blob);
1062	return NT_STATUS_INVALID_PARAMETER;
1063	}
1064
1065	if (!ntlmssp_state->nt_hash \|\| !ntlmssp_state->lm_hash) {
1066	static const uchar zeros[16] = { 0, };
1067	/* do nothing - blobs are zero length */
1068
1069	/* session key is all zeros */
1070	session_key = data_blob_talloc(ntlmssp_state->mem_ctx, zeros, 16);
1071
1072	/* not doing NLTM2 without a password */
1073	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
1074	} else if (ntlmssp_state->use_ntlmv2) {
1075
1076	if (!struct_blob.length) {
1077	/* be lazy, match win2k - we can't do NTLMv2 without it */
1078	DEBUG(1, ("Server did not provide 'target information', required for NTLMv2\n"));
1079	return NT_STATUS_INVALID_PARAMETER;
1080	}
1081
1082	/* TODO: if the remote server is standalone, then we should replace 'domain'
1083	with the server name as supplied above */
1084
1085	if (!SMBNTLMv2encrypt_hash(ntlmssp_state->user,
1086	ntlmssp_state->domain,
1087	ntlmssp_state->nt_hash, &challenge_blob,
1088	&struct_blob,
1089	&lm_response, &nt_response, &session_key)) {
1090	data_blob_free(&challenge_blob);
1091	data_blob_free(&struct_blob);
1092	return NT_STATUS_NO_MEMORY;
1093	}
1094	} else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
1095	struct MD5Context md5_session_nonce_ctx;
1096	uchar session_nonce[16];
1097	uchar session_nonce_hash[16];
1098	uchar user_session_key[16];
1099
1100	lm_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
1101	generate_random_buffer(lm_response.data, 8);
1102	memset(lm_response.data+8, 0, 16);
1103
1104	memcpy(session_nonce, challenge_blob.data, 8);
1105	memcpy(&session_nonce[8], lm_response.data, 8);
1106
1107	MD5Init(&md5_session_nonce_ctx);
1108	MD5Update(&md5_session_nonce_ctx, challenge_blob.data, 8);
1109	MD5Update(&md5_session_nonce_ctx, lm_response.data, 8);
1110	MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
1111
1112	DEBUG(5, ("NTLMSSP challenge set by NTLM2\n"));
1113	DEBUG(5, ("challenge is: \n"));
1114	dump_data(5, (const char *)session_nonce_hash, 8);
1115
1116	nt_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
1117	SMBNTencrypt_hash(ntlmssp_state->nt_hash,
1118	session_nonce_hash,
1119	nt_response.data);
1120
1121	session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
1122
1123	SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, NULL, user_session_key);
1124	hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data);
1125	dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
1126	} else {
1127	/* lanman auth is insecure, it may be disabled */
1128	if (lp_client_lanman_auth()) {
1129	lm_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
1130	SMBencrypt_hash(ntlmssp_state->lm_hash,challenge_blob.data,
1131	lm_response.data);
1132	}
1133
1134	nt_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
1135	SMBNTencrypt_hash(ntlmssp_state->nt_hash,challenge_blob.data,
1136	nt_response.data);
1137
1138	session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
1139	if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
1140	&& lp_client_lanman_auth()) {
1141	SMBsesskeygen_lm_sess_key(ntlmssp_state->lm_hash, lm_response.data,
1142	session_key.data);
1143	dump_data_pw("LM session key\n", session_key.data, session_key.length);
1144	} else {
1145	SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, NULL, session_key.data);
1146	dump_data_pw("NT session key:\n", session_key.data, session_key.length);
1147	}
1148	}
1149	data_blob_free(&struct_blob);
1150
1151	/* Key exchange encryptes a new client-generated session key with
1152	the password-derived key */
1153	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
1154	/* Make up a new session key */
1155	uint8 client_session_key[16];
1156	generate_random_buffer(client_session_key, sizeof(client_session_key));
1157
1158	/* Encrypt the new session key with the old one */
1159	encrypted_session_key = data_blob(client_session_key, sizeof(client_session_key));
1160	dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
1161	SamOEMhash(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
1162	dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
1163
1164	/* Mark the new session key as the 'real' session key */
1165	data_blob_free(&session_key);
1166	session_key = data_blob_talloc(ntlmssp_state->mem_ctx, client_session_key, sizeof(client_session_key));
1167	}
1168
1169	/* this generates the actual auth packet */
1170	if (!msrpc_gen(next_request, auth_gen_string,
1171	"NTLMSSP",
1172	NTLMSSP_AUTH,
1173	lm_response.data, lm_response.length,
1174	nt_response.data, nt_response.length,
1175	ntlmssp_state->domain,
1176	ntlmssp_state->user,
1177	ntlmssp_state->get_global_myname(),
1178	encrypted_session_key.data, encrypted_session_key.length,
1179	ntlmssp_state->neg_flags)) {
1180
1181	return NT_STATUS_NO_MEMORY;
1182	}
1183
1184	data_blob_free(&encrypted_session_key);
1185
1186	data_blob_free(&ntlmssp_state->chal);
1187
1188	ntlmssp_state->session_key = session_key;
1189
1190	ntlmssp_state->chal = challenge_blob;
1191	ntlmssp_state->lm_resp = lm_response;
1192	ntlmssp_state->nt_resp = nt_response;
1193
1194	ntlmssp_state->expected_state = NTLMSSP_DONE;
1195
1196	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) {
1197	DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status)));
1198	}
1199
1200	return nt_status;
1201	}
1202
1203	NTSTATUS ntlmssp_client_start(NTLMSSP_STATE **ntlmssp_state)
1204	{
1205	TALLOC_CTX *mem_ctx;
1206
1207	mem_ctx = talloc_init("NTLMSSP Client context");
1208
1209	*ntlmssp_state = TALLOC_ZERO_P(mem_ctx, NTLMSSP_STATE);
1210	if (!*ntlmssp_state) {
1211	DEBUG(0,("ntlmssp_client_start: talloc failed!\n"));
1212	talloc_destroy(mem_ctx);
1213	return NT_STATUS_NO_MEMORY;
1214	}
1215
1216	(*ntlmssp_state)->role = NTLMSSP_CLIENT;
1217
1218	(*ntlmssp_state)->mem_ctx = mem_ctx;
1219
1220	(*ntlmssp_state)->get_global_myname = global_myname;
1221	(*ntlmssp_state)->get_domain = lp_workgroup;
1222
1223	(*ntlmssp_state)->unicode = True;
1224
1225	(*ntlmssp_state)->use_ntlmv2 = lp_client_ntlmv2_auth();
1226
1227	(*ntlmssp_state)->expected_state = NTLMSSP_INITIAL;
1228
1229	(*ntlmssp_state)->ref_count = 1;
1230
1231	(*ntlmssp_state)->neg_flags =
1232	NTLMSSP_NEGOTIATE_128 \|
1233	NTLMSSP_NEGOTIATE_ALWAYS_SIGN \|
1234	NTLMSSP_NEGOTIATE_NTLM \|
1235	NTLMSSP_NEGOTIATE_NTLM2 \|
1236	NTLMSSP_NEGOTIATE_KEY_EXCH \|
1237	NTLMSSP_REQUEST_TARGET;
1238
1239	return NT_STATUS_OK;
1240	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: branches/samba-3.0/source/libsmb/ntlmssp.c@ 815

Download in other formats: