Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.2.x/source/libsmb/ntlmssp.c

Visit:

Last change on this file was 133, checked in by Paul Smedley, 17 years ago
Update trunk to 3.2.0pre3
File size: 37.8 KB

Line
1	/*
2	Unix SMB/Netbios implementation.
3	Version 3.0
4	handle NLTMSSP, server side
5
6	Copyright (C) Andrew Tridgell 2001
7	Copyright (C) Andrew Bartlett 2001-2003
8	Copyright (C) Andrew Bartlett 2005 (Updated from gensec).
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22	*/
23
24	#include "includes.h"
25
26	static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
27	DATA_BLOB reply, DATA_BLOB *next_request);
28	static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
29	const DATA_BLOB in, DATA_BLOB *out);
30	static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
31	const DATA_BLOB reply, DATA_BLOB *next_request);
32	static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
33	const DATA_BLOB request, DATA_BLOB *reply);
34
35	/**
36	* Callbacks for NTLMSSP - for both client and server operating modes
37	*
38	*/
39
40	static const struct ntlmssp_callbacks {
41	enum NTLMSSP_ROLE role;
42	enum NTLM_MESSAGE_TYPE ntlmssp_command;
43	NTSTATUS (fn)(struct ntlmssp_state ntlmssp_state,
44	DATA_BLOB in, DATA_BLOB *out);
45	} ntlmssp_callbacks[] = {
46	{NTLMSSP_CLIENT, NTLMSSP_INITIAL, ntlmssp_client_initial},
47	{NTLMSSP_SERVER, NTLMSSP_NEGOTIATE, ntlmssp_server_negotiate},
48	{NTLMSSP_CLIENT, NTLMSSP_CHALLENGE, ntlmssp_client_challenge},
49	{NTLMSSP_SERVER, NTLMSSP_AUTH, ntlmssp_server_auth},
50	{NTLMSSP_CLIENT, NTLMSSP_UNKNOWN, NULL},
51	{NTLMSSP_SERVER, NTLMSSP_UNKNOWN, NULL}
52	};
53
54
55	/**
56	* Print out the NTLMSSP flags for debugging
57	* @param neg_flags The flags from the packet
58	*/
59
60	void debug_ntlmssp_flags(uint32 neg_flags)
61	{
62	DEBUG(3,("Got NTLMSSP neg_flags=0x%08x\n", neg_flags));
63
64	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE)
65	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_UNICODE\n"));
66	if (neg_flags & NTLMSSP_NEGOTIATE_OEM)
67	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM\n"));
68	if (neg_flags & NTLMSSP_REQUEST_TARGET)
69	DEBUGADD(4, (" NTLMSSP_REQUEST_TARGET\n"));
70	if (neg_flags & NTLMSSP_NEGOTIATE_SIGN)
71	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SIGN\n"));
72	if (neg_flags & NTLMSSP_NEGOTIATE_SEAL)
73	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SEAL\n"));
74	if (neg_flags & NTLMSSP_NEGOTIATE_DATAGRAM_STYLE)
75	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_DATAGRAM_STYLE\n"));
76	if (neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
77	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_LM_KEY\n"));
78	if (neg_flags & NTLMSSP_NEGOTIATE_NETWARE)
79	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NETWARE\n"));
80	if (neg_flags & NTLMSSP_NEGOTIATE_NTLM)
81	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM\n"));
82	if (neg_flags & NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED)
83	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED\n"));
84	if (neg_flags & NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED)
85	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED\n"));
86	if (neg_flags & NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL)
87	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL\n"));
88	if (neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
89	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_ALWAYS_SIGN\n"));
90	if (neg_flags & NTLMSSP_CHAL_ACCEPT_RESPONSE)
91	DEBUGADD(4, (" NTLMSSP_CHAL_ACCEPT_RESPONSE\n"));
92	if (neg_flags & NTLMSSP_CHAL_NON_NT_SESSION_KEY)
93	DEBUGADD(4, (" NTLMSSP_CHAL_NON_NT_SESSION_KEY\n"));
94	if (neg_flags & NTLMSSP_NEGOTIATE_NTLM2)
95	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM2\n"));
96	if (neg_flags & NTLMSSP_CHAL_TARGET_INFO)
97	DEBUGADD(4, (" NTLMSSP_CHAL_TARGET_INFO\n"));
98	if (neg_flags & NTLMSSP_NEGOTIATE_128)
99	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_128\n"));
100	if (neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)
101	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_KEY_EXCH\n"));
102	if (neg_flags & NTLMSSP_NEGOTIATE_56)
103	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_56\n"));
104	}
105
106	/**
107	* Default challenge generation code.
108	*
109	*/
110
111	static const uint8 get_challenge(const struct ntlmssp_state ntlmssp_state)
112	{
113	static uchar chal[8];
114	generate_random_buffer(chal, sizeof(chal));
115
116	return chal;
117	}
118
119	/**
120	* Default 'we can set the challenge to anything we like' implementation
121	*
122	*/
123
124	static bool may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
125	{
126	return True;
127	}
128
129	/**
130	* Default 'we can set the challenge to anything we like' implementation
131	*
132	* Does not actually do anything, as the value is always in the structure anyway.
133	*
134	*/
135
136	static NTSTATUS set_challenge(struct ntlmssp_state ntlmssp_state, DATA_BLOB challenge)
137	{
138	SMB_ASSERT(challenge->length == 8);
139	return NT_STATUS_OK;
140	}
141
142	/**
143	* Set a username on an NTLMSSP context - ensures it is talloc()ed
144	*
145	*/
146
147	NTSTATUS ntlmssp_set_username(NTLMSSP_STATE ntlmssp_state, const char user)
148	{
149	ntlmssp_state->user = talloc_strdup(ntlmssp_state->mem_ctx, user ? user : "" );
150	if (!ntlmssp_state->user) {
151	return NT_STATUS_NO_MEMORY;
152	}
153	return NT_STATUS_OK;
154	}
155
156	/**
157	* Store NT and LM hashes on an NTLMSSP context - ensures they are talloc()ed
158	*
159	*/
160	NTSTATUS ntlmssp_set_hashes(NTLMSSP_STATE *ntlmssp_state,
161	const unsigned char lm_hash[16],
162	const unsigned char nt_hash[16])
163	{
164	ntlmssp_state->lm_hash = (unsigned char *)
165	TALLOC_MEMDUP(ntlmssp_state->mem_ctx, lm_hash, 16);
166	ntlmssp_state->nt_hash = (unsigned char *)
167	TALLOC_MEMDUP(ntlmssp_state->mem_ctx, nt_hash, 16);
168	if (!ntlmssp_state->lm_hash \|\| !ntlmssp_state->nt_hash) {
169	TALLOC_FREE(ntlmssp_state->lm_hash);
170	TALLOC_FREE(ntlmssp_state->nt_hash);
171	return NT_STATUS_NO_MEMORY;
172	}
173	return NT_STATUS_OK;
174	}
175
176	/**
177	* Converts a password to the hashes on an NTLMSSP context.
178	*
179	*/
180	NTSTATUS ntlmssp_set_password(NTLMSSP_STATE ntlmssp_state, const char password)
181	{
182	if (!password) {
183	ntlmssp_state->lm_hash = NULL;
184	ntlmssp_state->nt_hash = NULL;
185	} else {
186	unsigned char lm_hash[16];
187	unsigned char nt_hash[16];
188
189	E_deshash(password, lm_hash);
190	E_md4hash(password, nt_hash);
191	return ntlmssp_set_hashes(ntlmssp_state, lm_hash, nt_hash);
192	}
193	return NT_STATUS_OK;
194	}
195
196	/**
197	* Set a domain on an NTLMSSP context - ensures it is talloc()ed
198	*
199	*/
200	NTSTATUS ntlmssp_set_domain(NTLMSSP_STATE ntlmssp_state, const char domain)
201	{
202	ntlmssp_state->domain = talloc_strdup(ntlmssp_state->mem_ctx, domain ? domain : "" );
203	if (!ntlmssp_state->domain) {
204	return NT_STATUS_NO_MEMORY;
205	}
206	return NT_STATUS_OK;
207	}
208
209	/**
210	* Set a workstation on an NTLMSSP context - ensures it is talloc()ed
211	*
212	*/
213	NTSTATUS ntlmssp_set_workstation(NTLMSSP_STATE ntlmssp_state, const char workstation)
214	{
215	ntlmssp_state->workstation = talloc_strdup(ntlmssp_state->mem_ctx, workstation);
216	if (!ntlmssp_state->workstation) {
217	return NT_STATUS_NO_MEMORY;
218	}
219	return NT_STATUS_OK;
220	}
221
222	/**
223	* Store a DATA_BLOB containing an NTLMSSP response, for use later.
224	* This copies the data blob
225	*/
226
227	NTSTATUS ntlmssp_store_response(NTLMSSP_STATE *ntlmssp_state,
228	DATA_BLOB response)
229	{
230	ntlmssp_state->stored_response = data_blob_talloc(ntlmssp_state->mem_ctx,
231	response.data, response.length);
232	return NT_STATUS_OK;
233	}
234
235	/**
236	* Request features for the NTLMSSP negotiation
237	*
238	* @param ntlmssp_state NTLMSSP state
239	* @param feature_list List of space seperated features requested from NTLMSSP.
240	*/
241	void ntlmssp_want_feature_list(NTLMSSP_STATE ntlmssp_state, char feature_list)
242	{
243	/*
244	* We need to set this to allow a later SetPassword
245	* via the SAMR pipe to succeed. Strange.... We could
246	* also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
247	*/
248	if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
249	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
250	}
251	if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
252	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
253	}
254	if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
255	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SEAL;
256	}
257	}
258
259	/**
260	* Request a feature for the NTLMSSP negotiation
261	*
262	* @param ntlmssp_state NTLMSSP state
263	* @param feature Bit flag specifying the requested feature
264	*/
265	void ntlmssp_want_feature(NTLMSSP_STATE *ntlmssp_state, uint32 feature)
266	{
267	/* As per JRA's comment above */
268	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
269	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
270	}
271	if (feature & NTLMSSP_FEATURE_SIGN) {
272	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
273	}
274	if (feature & NTLMSSP_FEATURE_SEAL) {
275	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SEAL;
276	}
277	}
278
279	/**
280	* Next state function for the NTLMSSP state machine
281	*
282	* @param ntlmssp_state NTLMSSP State
283	* @param in The packet in from the NTLMSSP partner, as a DATA_BLOB
284	* @param out The reply, as an allocated DATA_BLOB, caller to free.
285	* @return Errors, NT_STATUS_MORE_PROCESSING_REQUIRED or NT_STATUS_OK.
286	*/
287
288	NTSTATUS ntlmssp_update(NTLMSSP_STATE *ntlmssp_state,
289	const DATA_BLOB in, DATA_BLOB *out)
290	{
291	DATA_BLOB input;
292	uint32 ntlmssp_command;
293	int i;
294
295	if (ntlmssp_state->expected_state == NTLMSSP_DONE) {
296	/* Called update after negotiations finished. */
297	DEBUG(1, ("Called NTLMSSP after state machine was 'done'\n"));
298	return NT_STATUS_INVALID_PARAMETER;
299	}
300
301	*out = data_blob_null;
302
303	if (!in.length && ntlmssp_state->stored_response.length) {
304	input = ntlmssp_state->stored_response;
305
306	/* we only want to read the stored response once - overwrite it */
307	ntlmssp_state->stored_response = data_blob_null;
308	} else {
309	input = in;
310	}
311
312	if (!input.length) {
313	switch (ntlmssp_state->role) {
314	case NTLMSSP_CLIENT:
315	ntlmssp_command = NTLMSSP_INITIAL;
316	break;
317	case NTLMSSP_SERVER:
318	/* 'datagram' mode - no neg packet */
319	ntlmssp_command = NTLMSSP_NEGOTIATE;
320	break;
321	}
322	} else {
323	if (!msrpc_parse(&input, "Cd",
324	"NTLMSSP",
325	&ntlmssp_command)) {
326	DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n"));
327	dump_data(2, input.data, input.length);
328	return NT_STATUS_INVALID_PARAMETER;
329	}
330	}
331
332	if (ntlmssp_command != ntlmssp_state->expected_state) {
333	DEBUG(1, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command, ntlmssp_state->expected_state));
334	return NT_STATUS_INVALID_PARAMETER;
335	}
336
337	for (i=0; ntlmssp_callbacks[i].fn; i++) {
338	if (ntlmssp_callbacks[i].role == ntlmssp_state->role
339	&& ntlmssp_callbacks[i].ntlmssp_command == ntlmssp_command) {
340	return ntlmssp_callbacks[i].fn(ntlmssp_state, input, out);
341	}
342	}
343
344	DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command %u\n",
345	ntlmssp_state->role, ntlmssp_command));
346
347	return NT_STATUS_INVALID_PARAMETER;
348	}
349
350	/**
351	* End an NTLMSSP state machine
352	*
353	* @param ntlmssp_state NTLMSSP State, free()ed by this function
354	*/
355
356	void ntlmssp_end(NTLMSSP_STATE **ntlmssp_state)
357	{
358	TALLOC_CTX mem_ctx = (ntlmssp_state)->mem_ctx;
359
360	(*ntlmssp_state)->ref_count--;
361
362	if ((*ntlmssp_state)->ref_count == 0) {
363	data_blob_free(&(*ntlmssp_state)->chal);
364	data_blob_free(&(*ntlmssp_state)->lm_resp);
365	data_blob_free(&(*ntlmssp_state)->nt_resp);
366
367	talloc_destroy(mem_ctx);
368	}
369
370	*ntlmssp_state = NULL;
371	return;
372	}
373
374	/**
375	* Determine correct target name flags for reply, given server role
376	* and negotiated flags
377	*
378	* @param ntlmssp_state NTLMSSP State
379	* @param neg_flags The flags from the packet
380	* @param chal_flags The flags to be set in the reply packet
381	* @return The 'target name' string.
382	*/
383
384	static const char ntlmssp_target_name(struct ntlmssp_state ntlmssp_state,
385	uint32 neg_flags, uint32 *chal_flags)
386	{
387	if (neg_flags & NTLMSSP_REQUEST_TARGET) {
388	*chal_flags \|= NTLMSSP_CHAL_TARGET_INFO;
389	*chal_flags \|= NTLMSSP_REQUEST_TARGET;
390	if (ntlmssp_state->server_role == ROLE_STANDALONE) {
391	*chal_flags \|= NTLMSSP_TARGET_TYPE_SERVER;
392	return ntlmssp_state->get_global_myname();
393	} else {
394	*chal_flags \|= NTLMSSP_TARGET_TYPE_DOMAIN;
395	return ntlmssp_state->get_domain();
396	};
397	} else {
398	return "";
399	}
400	}
401
402	static void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
403	uint32 neg_flags, bool allow_lm) {
404	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
405	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_UNICODE;
406	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
407	ntlmssp_state->unicode = True;
408	} else {
409	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
410	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_OEM;
411	ntlmssp_state->unicode = False;
412	}
413
414	if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
415	/* other end forcing us to use LM */
416	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_LM_KEY;
417	ntlmssp_state->use_ntlmv2 = False;
418	} else {
419	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
420	}
421
422	if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
423	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
424	}
425
426	if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
427	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
428	}
429
430	if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
431	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
432	}
433
434	if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
435	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
436	}
437
438	if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
439	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
440	}
441
442	if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
443	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
444	}
445
446	if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
447	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
448	}
449
450	/* Woop Woop - unknown flag for Windows compatibility...
451	What does this really do ? JRA. */
452	if (!(neg_flags & NTLMSSP_UNKNOWN_02000000)) {
453	ntlmssp_state->neg_flags &= ~NTLMSSP_UNKNOWN_02000000;
454	}
455
456	if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
457	ntlmssp_state->neg_flags \|= NTLMSSP_REQUEST_TARGET;
458	}
459	}
460
461	/**
462	Weaken NTLMSSP keys to cope with down-level clients and servers.
463
464	We probably should have some parameters to control this, but as
465	it only occours for LM_KEY connections, and this is controlled
466	by the client lanman auth/lanman auth parameters, it isn't too bad.
467	*/
468
469	DATA_BLOB ntlmssp_weaken_keys(NTLMSSP_STATE ntlmssp_state, TALLOC_CTX mem_ctx)
470	{
471	DATA_BLOB weakened_key = data_blob_talloc(mem_ctx,
472	ntlmssp_state->session_key.data,
473	ntlmssp_state->session_key.length);
474
475	/* Nothing to weaken. We certainly don't want to 'extend' the length... */
476	if (weakened_key.length < 16) {
477	/* perhaps there was no key? */
478	return weakened_key;
479	}
480
481	/* Key weakening not performed on the master key for NTLM2
482	and does not occour for NTLM1. Therefore we only need
483	to do this for the LM_KEY.
484	*/
485
486	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
487	/* LM key doesn't support 128 bit crypto, so this is
488	* the best we can do. If you negotiate 128 bit, but
489	* not 56, you end up with 40 bit... */
490	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
491	weakened_key.data[7] = 0xa0;
492	} else { /* forty bits */
493	weakened_key.data[5] = 0xe5;
494	weakened_key.data[6] = 0x38;
495	weakened_key.data[7] = 0xb0;
496	}
497	weakened_key.length = 8;
498	}
499	return weakened_key;
500	}
501
502	/**
503	* Next state function for the Negotiate packet
504	*
505	* @param ntlmssp_state NTLMSSP State
506	* @param request The request, as a DATA_BLOB
507	* @param request The reply, as an allocated DATA_BLOB, caller to free.
508	* @return Errors or MORE_PROCESSING_REQUIRED if a reply is sent.
509	*/
510
511	static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
512	const DATA_BLOB request, DATA_BLOB *reply)
513	{
514	DATA_BLOB struct_blob;
515	const char *dnsname;
516	char *dnsdomname = NULL;
517	uint32 neg_flags = 0;
518	uint32 ntlmssp_command, chal_flags;
519	const uint8 *cryptkey;
520	const char *target_name;
521
522	/* parse the NTLMSSP packet */
523	#if 0
524	file_save("ntlmssp_negotiate.dat", request.data, request.length);
525	#endif
526
527	if (request.length) {
528	if ((request.length < 16) \|\| !msrpc_parse(&request, "Cdd",
529	"NTLMSSP",
530	&ntlmssp_command,
531	&neg_flags)) {
532	DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP Negotiate of length %u\n",
533	(unsigned int)request.length));
534	dump_data(2, request.data, request.length);
535	return NT_STATUS_INVALID_PARAMETER;
536	}
537	debug_ntlmssp_flags(neg_flags);
538	}
539
540	ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, lp_lanman_auth());
541
542	/* Ask our caller what challenge they would like in the packet */
543	cryptkey = ntlmssp_state->get_challenge(ntlmssp_state);
544
545	/* Check if we may set the challenge */
546	if (!ntlmssp_state->may_set_challenge(ntlmssp_state)) {
547	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
548	}
549
550	/* The flags we send back are not just the negotiated flags,
551	* they are also 'what is in this packet'. Therfore, we
552	* operate on 'chal_flags' from here on
553	*/
554
555	chal_flags = ntlmssp_state->neg_flags;
556
557	/* get the right name to fill in as 'target' */
558	target_name = ntlmssp_target_name(ntlmssp_state,
559	neg_flags, &chal_flags);
560	if (target_name == NULL)
561	return NT_STATUS_INVALID_PARAMETER;
562
563	ntlmssp_state->chal = data_blob_talloc(ntlmssp_state->mem_ctx, cryptkey, 8);
564	ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state->mem_ctx, cryptkey, 8);
565
566	/* This should be a 'netbios domain -> DNS domain' mapping */
567	dnsdomname = get_mydnsdomname(ntlmssp_state->mem_ctx);
568	if (!dnsdomname) {
569	dnsdomname = talloc_strdup(ntlmssp_state->mem_ctx, "");
570	}
571	if (!dnsdomname) {
572	return NT_STATUS_NO_MEMORY;
573	}
574	strlower_m(dnsdomname);
575
576	dnsname = get_mydnsfullname();
577	if (!dnsname) {
578	dnsname = "";
579	}
580
581	/* This creates the 'blob' of names that appears at the end of the packet */
582	if (chal_flags & NTLMSSP_CHAL_TARGET_INFO)
583	{
584	msrpc_gen(&struct_blob, "aaaaa",
585	NTLMSSP_NAME_TYPE_DOMAIN, target_name,
586	NTLMSSP_NAME_TYPE_SERVER, ntlmssp_state->get_global_myname(),
587	NTLMSSP_NAME_TYPE_DOMAIN_DNS, dnsdomname,
588	NTLMSSP_NAME_TYPE_SERVER_DNS, dnsname,
589	0, "");
590	} else {
591	struct_blob = data_blob_null;
592	}
593
594	{
595	/* Marshel the packet in the right format, be it unicode or ASCII */
596	const char *gen_string;
597	if (ntlmssp_state->unicode) {
598	gen_string = "CdUdbddB";
599	} else {
600	gen_string = "CdAdbddB";
601	}
602
603	msrpc_gen(reply, gen_string,
604	"NTLMSSP",
605	NTLMSSP_CHALLENGE,
606	target_name,
607	chal_flags,
608	cryptkey, 8,
609	0, 0,
610	struct_blob.data, struct_blob.length);
611	}
612
613	data_blob_free(&struct_blob);
614
615	ntlmssp_state->expected_state = NTLMSSP_AUTH;
616
617	return NT_STATUS_MORE_PROCESSING_REQUIRED;
618	}
619
620	/**
621	* Next state function for the Authenticate packet
622	*
623	* @param ntlmssp_state NTLMSSP State
624	* @param request The request, as a DATA_BLOB
625	* @param request The reply, as an allocated DATA_BLOB, caller to free.
626	* @return Errors or NT_STATUS_OK.
627	*/
628
629	static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
630	const DATA_BLOB request, DATA_BLOB *reply)
631	{
632	DATA_BLOB encrypted_session_key = data_blob_null;
633	DATA_BLOB user_session_key = data_blob_null;
634	DATA_BLOB lm_session_key = data_blob_null;
635	DATA_BLOB session_key = data_blob_null;
636	uint32 ntlmssp_command, auth_flags;
637	NTSTATUS nt_status = NT_STATUS_OK;
638
639	/* used by NTLM2 */
640	bool doing_ntlm2 = False;
641
642	uchar session_nonce[16];
643	uchar session_nonce_hash[16];
644
645	const char *parse_string;
646	char *domain = NULL;
647	char *user = NULL;
648	char *workstation = NULL;
649
650	/* parse the NTLMSSP packet */
651	*reply = data_blob_null;
652
653	#if 0
654	file_save("ntlmssp_auth.dat", request.data, request.length);
655	#endif
656
657	if (ntlmssp_state->unicode) {
658	parse_string = "CdBBUUUBd";
659	} else {
660	parse_string = "CdBBAAABd";
661	}
662
663	data_blob_free(&ntlmssp_state->lm_resp);
664	data_blob_free(&ntlmssp_state->nt_resp);
665
666	ntlmssp_state->user = NULL;
667	ntlmssp_state->domain = NULL;
668	ntlmssp_state->workstation = NULL;
669
670	/* now the NTLMSSP encoded auth hashes */
671	if (!msrpc_parse(&request, parse_string,
672	"NTLMSSP",
673	&ntlmssp_command,
674	&ntlmssp_state->lm_resp,
675	&ntlmssp_state->nt_resp,
676	&domain,
677	&user,
678	&workstation,
679	&encrypted_session_key,
680	&auth_flags)) {
681	SAFE_FREE(domain);
682	SAFE_FREE(user);
683	SAFE_FREE(workstation);
684	data_blob_free(&encrypted_session_key);
685	auth_flags = 0;
686
687	/* Try again with a shorter string (Win9X truncates this packet) */
688	if (ntlmssp_state->unicode) {
689	parse_string = "CdBBUUU";
690	} else {
691	parse_string = "CdBBAAA";
692	}
693
694	/* now the NTLMSSP encoded auth hashes */
695	if (!msrpc_parse(&request, parse_string,
696	"NTLMSSP",
697	&ntlmssp_command,
698	&ntlmssp_state->lm_resp,
699	&ntlmssp_state->nt_resp,
700	&domain,
701	&user,
702	&workstation)) {
703	DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP (tried both formats):\n"));
704	dump_data(2, request.data, request.length);
705	SAFE_FREE(domain);
706	SAFE_FREE(user);
707	SAFE_FREE(workstation);
708
709	return NT_STATUS_INVALID_PARAMETER;
710	}
711	}
712
713	if (auth_flags)
714	ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, lp_lanman_auth());
715
716	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, domain))) {
717	SAFE_FREE(domain);
718	SAFE_FREE(user);
719	SAFE_FREE(workstation);
720	data_blob_free(&encrypted_session_key);
721	return nt_status;
722	}
723
724	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, user))) {
725	SAFE_FREE(domain);
726	SAFE_FREE(user);
727	SAFE_FREE(workstation);
728	data_blob_free(&encrypted_session_key);
729	return nt_status;
730	}
731
732	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_workstation(ntlmssp_state, workstation))) {
733	SAFE_FREE(domain);
734	SAFE_FREE(user);
735	SAFE_FREE(workstation);
736	data_blob_free(&encrypted_session_key);
737	return nt_status;
738	}
739
740	SAFE_FREE(domain);
741	SAFE_FREE(user);
742	SAFE_FREE(workstation);
743
744	DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n",
745	ntlmssp_state->user, ntlmssp_state->domain, ntlmssp_state->workstation, (unsigned long)ntlmssp_state->lm_resp.length, (unsigned long)ntlmssp_state->nt_resp.length));
746
747	#if 0
748	file_save("nthash1.dat", &ntlmssp_state->nt_resp.data, &ntlmssp_state->nt_resp.length);
749	file_save("lmhash1.dat", &ntlmssp_state->lm_resp.data, &ntlmssp_state->lm_resp.length);
750	#endif
751
752	/* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a
753	client challenge
754
755	However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful.
756	*/
757	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
758	if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) {
759	struct MD5Context md5_session_nonce_ctx;
760	SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8);
761
762	doing_ntlm2 = True;
763
764	memcpy(session_nonce, ntlmssp_state->internal_chal.data, 8);
765	memcpy(&session_nonce[8], ntlmssp_state->lm_resp.data, 8);
766
767	MD5Init(&md5_session_nonce_ctx);
768	MD5Update(&md5_session_nonce_ctx, session_nonce, 16);
769	MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
770
771	ntlmssp_state->chal = data_blob_talloc(ntlmssp_state->mem_ctx, session_nonce_hash, 8);
772
773	/* LM response is no longer useful */
774	data_blob_free(&ntlmssp_state->lm_resp);
775
776	/* We changed the effective challenge - set it */
777	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->set_challenge(ntlmssp_state, &ntlmssp_state->chal))) {
778	data_blob_free(&encrypted_session_key);
779	return nt_status;
780	}
781
782	/* LM Key is incompatible. */
783	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
784	}
785	}
786
787	/*
788	* Note we don't check here for NTLMv2 auth settings. If NTLMv2 auth
789	* is required (by "ntlm auth = no" and "lm auth = no" being set in the
790	* smb.conf file) and no NTLMv2 response was sent then the password check
791	* will fail here. JRA.
792	*/
793
794	/* Finally, actually ask if the password is OK */
795
796	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->check_password(ntlmssp_state,
797	&user_session_key, &lm_session_key))) {
798	data_blob_free(&encrypted_session_key);
799	return nt_status;
800	}
801
802	dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length);
803	dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
804
805	/* Handle the different session key derivation for NTLM2 */
806	if (doing_ntlm2) {
807	if (user_session_key.data && user_session_key.length == 16) {
808	session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
809	hmac_md5(user_session_key.data, session_nonce,
810	sizeof(session_nonce), session_key.data);
811	DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
812	dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
813
814	} else {
815	DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n"));
816	session_key = data_blob_null;
817	}
818	} else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
819	if (lm_session_key.data && lm_session_key.length >= 8) {
820	if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) {
821	session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
822	if (session_key.data == NULL) {
823	return NT_STATUS_NO_MEMORY;
824	}
825	SMBsesskeygen_lm_sess_key(lm_session_key.data, ntlmssp_state->lm_resp.data,
826	session_key.data);
827	DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
828	} else {
829	uint8 zeros[24];
830	ZERO_STRUCT(zeros);
831	session_key = data_blob_talloc(
832	ntlmssp_state->mem_ctx, NULL, 16);
833	if (session_key.data == NULL) {
834	return NT_STATUS_NO_MEMORY;
835	}
836	SMBsesskeygen_lm_sess_key(
837	lm_session_key.data, zeros,
838	session_key.data);
839	}
840	dump_data_pw("LM session key:\n", session_key.data,
841	session_key.length);
842	} else {
843	DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n"));
844	session_key = data_blob_null;
845	}
846	} else if (user_session_key.data) {
847	session_key = user_session_key;
848	DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
849	dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
850	} else if (lm_session_key.data) {
851	session_key = lm_session_key;
852	DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n"));
853	dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
854	} else {
855	DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n"));
856	session_key = data_blob_null;
857	}
858
859	/* With KEY_EXCH, the client supplies the proposed session key,
860	but encrypts it with the long-term key */
861	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
862	if (!encrypted_session_key.data \|\| encrypted_session_key.length != 16) {
863	data_blob_free(&encrypted_session_key);
864	DEBUG(1, ("Client-supplied KEY_EXCH session key was of invalid length (%u)!\n",
865	(unsigned int)encrypted_session_key.length));
866	return NT_STATUS_INVALID_PARAMETER;
867	} else if (!session_key.data \|\| session_key.length != 16) {
868	DEBUG(5, ("server session key is invalid (len == %u), cannot do KEY_EXCH!\n",
869	(unsigned int)session_key.length));
870	ntlmssp_state->session_key = session_key;
871	} else {
872	dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
873	SamOEMhash(encrypted_session_key.data,
874	session_key.data,
875	encrypted_session_key.length);
876	ntlmssp_state->session_key = data_blob_talloc(ntlmssp_state->mem_ctx,
877	encrypted_session_key.data,
878	encrypted_session_key.length);
879	dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data,
880	encrypted_session_key.length);
881	}
882	} else {
883	ntlmssp_state->session_key = session_key;
884	}
885
886	if (!NT_STATUS_IS_OK(nt_status)) {
887	ntlmssp_state->session_key = data_blob_null;
888	} else if (ntlmssp_state->session_key.length) {
889	nt_status = ntlmssp_sign_init(ntlmssp_state);
890	}
891
892	data_blob_free(&encrypted_session_key);
893
894	/* Only one authentication allowed per server state. */
895	ntlmssp_state->expected_state = NTLMSSP_DONE;
896
897	return nt_status;
898	}
899
900	/**
901	* Create an NTLMSSP state machine
902	*
903	* @param ntlmssp_state NTLMSSP State, allocated by this function
904	*/
905
906	NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
907	{
908	TALLOC_CTX *mem_ctx;
909
910	mem_ctx = talloc_init("NTLMSSP context");
911
912	*ntlmssp_state = TALLOC_ZERO_P(mem_ctx, NTLMSSP_STATE);
913	if (!*ntlmssp_state) {
914	DEBUG(0,("ntlmssp_server_start: talloc failed!\n"));
915	talloc_destroy(mem_ctx);
916	return NT_STATUS_NO_MEMORY;
917	}
918
919	(*ntlmssp_state)->role = NTLMSSP_SERVER;
920
921	(*ntlmssp_state)->mem_ctx = mem_ctx;
922	(*ntlmssp_state)->get_challenge = get_challenge;
923	(*ntlmssp_state)->set_challenge = set_challenge;
924	(*ntlmssp_state)->may_set_challenge = may_set_challenge;
925
926	(*ntlmssp_state)->get_global_myname = global_myname;
927	(*ntlmssp_state)->get_domain = lp_workgroup;
928	(ntlmssp_state)->server_role = ROLE_DOMAIN_MEMBER; / a good default */
929
930	(*ntlmssp_state)->expected_state = NTLMSSP_NEGOTIATE;
931
932	(*ntlmssp_state)->ref_count = 1;
933
934	(*ntlmssp_state)->neg_flags =
935	NTLMSSP_NEGOTIATE_128 \|
936	NTLMSSP_NEGOTIATE_56 \|
937	NTLMSSP_UNKNOWN_02000000 \|
938	NTLMSSP_NEGOTIATE_ALWAYS_SIGN \|
939	NTLMSSP_NEGOTIATE_NTLM \|
940	NTLMSSP_NEGOTIATE_NTLM2 \|
941	NTLMSSP_NEGOTIATE_KEY_EXCH \|
942	NTLMSSP_NEGOTIATE_SIGN \|
943	NTLMSSP_NEGOTIATE_SEAL;
944
945	return NT_STATUS_OK;
946	}
947
948	/*********************************************************************
949	Client side NTLMSSP
950	*********************************************************************/
951
952	/**
953	* Next state function for the Initial packet
954	*
955	* @param ntlmssp_state NTLMSSP State
956	* @param request The request, as a DATA_BLOB. reply.data must be NULL
957	* @param request The reply, as an allocated DATA_BLOB, caller to free.
958	* @return Errors or NT_STATUS_OK.
959	*/
960
961	static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
962	DATA_BLOB reply, DATA_BLOB *next_request)
963	{
964	if (ntlmssp_state->unicode) {
965	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_UNICODE;
966	} else {
967	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_OEM;
968	}
969
970	if (ntlmssp_state->use_ntlmv2) {
971	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_NTLM2;
972	}
973
974	/* generate the ntlmssp negotiate packet */
975	msrpc_gen(next_request, "CddAA",
976	"NTLMSSP",
977	NTLMSSP_NEGOTIATE,
978	ntlmssp_state->neg_flags,
979	ntlmssp_state->get_domain(),
980	ntlmssp_state->get_global_myname());
981
982	ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
983
984	return NT_STATUS_MORE_PROCESSING_REQUIRED;
985	}
986
987	/**
988	* Next state function for the Challenge Packet. Generate an auth packet.
989	*
990	* @param ntlmssp_state NTLMSSP State
991	* @param request The request, as a DATA_BLOB. reply.data must be NULL
992	* @param request The reply, as an allocated DATA_BLOB, caller to free.
993	* @return Errors or NT_STATUS_OK.
994	*/
995
996	static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
997	const DATA_BLOB reply, DATA_BLOB *next_request)
998	{
999	uint32 chal_flags, ntlmssp_command, unkn1, unkn2;
1000	DATA_BLOB server_domain_blob;
1001	DATA_BLOB challenge_blob;
1002	DATA_BLOB struct_blob = data_blob_null;
1003	char *server_domain;
1004	const char *chal_parse_string;
1005	const char *auth_gen_string;
1006	DATA_BLOB lm_response = data_blob_null;
1007	DATA_BLOB nt_response = data_blob_null;
1008	DATA_BLOB session_key = data_blob_null;
1009	DATA_BLOB encrypted_session_key = data_blob_null;
1010	NTSTATUS nt_status = NT_STATUS_OK;
1011
1012	if (!msrpc_parse(&reply, "CdBd",
1013	"NTLMSSP",
1014	&ntlmssp_command,
1015	&server_domain_blob,
1016	&chal_flags)) {
1017	DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
1018	dump_data(2, reply.data, reply.length);
1019
1020	return NT_STATUS_INVALID_PARAMETER;
1021	}
1022
1023	data_blob_free(&server_domain_blob);
1024
1025	DEBUG(3, ("Got challenge flags:\n"));
1026	debug_ntlmssp_flags(chal_flags);
1027
1028	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
1029
1030	if (ntlmssp_state->unicode) {
1031	if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) {
1032	chal_parse_string = "CdUdbddB";
1033	} else {
1034	chal_parse_string = "CdUdbdd";
1035	}
1036	auth_gen_string = "CdBBUUUBd";
1037	} else {
1038	if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) {
1039	chal_parse_string = "CdAdbddB";
1040	} else {
1041	chal_parse_string = "CdAdbdd";
1042	}
1043
1044	auth_gen_string = "CdBBAAABd";
1045	}
1046
1047	DEBUG(3, ("NTLMSSP: Set final flags:\n"));
1048	debug_ntlmssp_flags(ntlmssp_state->neg_flags);
1049
1050	if (!msrpc_parse(&reply, chal_parse_string,
1051	"NTLMSSP",
1052	&ntlmssp_command,
1053	&server_domain,
1054	&chal_flags,
1055	&challenge_blob, 8,
1056	&unkn1, &unkn2,
1057	&struct_blob)) {
1058	DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
1059	dump_data(2, reply.data, reply.length);
1060	return NT_STATUS_INVALID_PARAMETER;
1061	}
1062
1063	ntlmssp_state->server_domain = talloc_strdup(ntlmssp_state->mem_ctx,
1064	server_domain);
1065
1066	SAFE_FREE(server_domain);
1067	if (challenge_blob.length != 8) {
1068	data_blob_free(&struct_blob);
1069	return NT_STATUS_INVALID_PARAMETER;
1070	}
1071
1072	if (!ntlmssp_state->nt_hash \|\| !ntlmssp_state->lm_hash) {
1073	uchar zeros[16];
1074	/* do nothing - blobs are zero length */
1075
1076	ZERO_STRUCT(zeros);
1077
1078	/* session key is all zeros */
1079	session_key = data_blob_talloc(ntlmssp_state->mem_ctx, zeros, 16);
1080
1081	/* not doing NLTM2 without a password */
1082	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
1083	} else if (ntlmssp_state->use_ntlmv2) {
1084
1085	if (!struct_blob.length) {
1086	/* be lazy, match win2k - we can't do NTLMv2 without it */
1087	DEBUG(1, ("Server did not provide 'target information', required for NTLMv2\n"));
1088	return NT_STATUS_INVALID_PARAMETER;
1089	}
1090
1091	/* TODO: if the remote server is standalone, then we should replace 'domain'
1092	with the server name as supplied above */
1093
1094	if (!SMBNTLMv2encrypt_hash(ntlmssp_state->user,
1095	ntlmssp_state->domain,
1096	ntlmssp_state->nt_hash, &challenge_blob,
1097	&struct_blob,
1098	&lm_response, &nt_response, &session_key)) {
1099	data_blob_free(&challenge_blob);
1100	data_blob_free(&struct_blob);
1101	return NT_STATUS_NO_MEMORY;
1102	}
1103	} else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
1104	struct MD5Context md5_session_nonce_ctx;
1105	uchar session_nonce[16];
1106	uchar session_nonce_hash[16];
1107	uchar user_session_key[16];
1108
1109	lm_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
1110	generate_random_buffer(lm_response.data, 8);
1111	memset(lm_response.data+8, 0, 16);
1112
1113	memcpy(session_nonce, challenge_blob.data, 8);
1114	memcpy(&session_nonce[8], lm_response.data, 8);
1115
1116	MD5Init(&md5_session_nonce_ctx);
1117	MD5Update(&md5_session_nonce_ctx, challenge_blob.data, 8);
1118	MD5Update(&md5_session_nonce_ctx, lm_response.data, 8);
1119	MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
1120
1121	DEBUG(5, ("NTLMSSP challenge set by NTLM2\n"));
1122	DEBUG(5, ("challenge is: \n"));
1123	dump_data(5, session_nonce_hash, 8);
1124
1125	nt_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
1126	SMBNTencrypt_hash(ntlmssp_state->nt_hash,
1127	session_nonce_hash,
1128	nt_response.data);
1129
1130	session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
1131
1132	SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, NULL, user_session_key);
1133	hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data);
1134	dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
1135	} else {
1136	/* lanman auth is insecure, it may be disabled */
1137	if (lp_client_lanman_auth()) {
1138	lm_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
1139	SMBencrypt_hash(ntlmssp_state->lm_hash,challenge_blob.data,
1140	lm_response.data);
1141	}
1142
1143	nt_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
1144	SMBNTencrypt_hash(ntlmssp_state->nt_hash,challenge_blob.data,
1145	nt_response.data);
1146
1147	session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
1148	if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
1149	&& lp_client_lanman_auth()) {
1150	SMBsesskeygen_lm_sess_key(ntlmssp_state->lm_hash, lm_response.data,
1151	session_key.data);
1152	dump_data_pw("LM session key\n", session_key.data, session_key.length);
1153	} else {
1154	SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, NULL, session_key.data);
1155	dump_data_pw("NT session key:\n", session_key.data, session_key.length);
1156	}
1157	}
1158	data_blob_free(&struct_blob);
1159
1160	/* Key exchange encryptes a new client-generated session key with
1161	the password-derived key */
1162	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
1163	/* Make up a new session key */
1164	uint8 client_session_key[16];
1165	generate_random_buffer(client_session_key, sizeof(client_session_key));
1166
1167	/* Encrypt the new session key with the old one */
1168	encrypted_session_key = data_blob(client_session_key, sizeof(client_session_key));
1169	dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
1170	SamOEMhash(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
1171	dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
1172
1173	/* Mark the new session key as the 'real' session key */
1174	data_blob_free(&session_key);
1175	session_key = data_blob_talloc(ntlmssp_state->mem_ctx, client_session_key, sizeof(client_session_key));
1176	}
1177
1178	/* this generates the actual auth packet */
1179	if (!msrpc_gen(next_request, auth_gen_string,
1180	"NTLMSSP",
1181	NTLMSSP_AUTH,
1182	lm_response.data, lm_response.length,
1183	nt_response.data, nt_response.length,
1184	ntlmssp_state->domain,
1185	ntlmssp_state->user,
1186	ntlmssp_state->get_global_myname(),
1187	encrypted_session_key.data, encrypted_session_key.length,
1188	ntlmssp_state->neg_flags)) {
1189
1190	return NT_STATUS_NO_MEMORY;
1191	}
1192
1193	data_blob_free(&encrypted_session_key);
1194
1195	data_blob_free(&ntlmssp_state->chal);
1196
1197	ntlmssp_state->session_key = session_key;
1198
1199	ntlmssp_state->chal = challenge_blob;
1200	ntlmssp_state->lm_resp = lm_response;
1201	ntlmssp_state->nt_resp = nt_response;
1202
1203	ntlmssp_state->expected_state = NTLMSSP_DONE;
1204
1205	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) {
1206	DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status)));
1207	}
1208
1209	return nt_status;
1210	}
1211
1212	NTSTATUS ntlmssp_client_start(NTLMSSP_STATE **ntlmssp_state)
1213	{
1214	TALLOC_CTX *mem_ctx;
1215
1216	mem_ctx = talloc_init("NTLMSSP Client context");
1217
1218	*ntlmssp_state = TALLOC_ZERO_P(mem_ctx, NTLMSSP_STATE);
1219	if (!*ntlmssp_state) {
1220	DEBUG(0,("ntlmssp_client_start: talloc failed!\n"));
1221	talloc_destroy(mem_ctx);
1222	return NT_STATUS_NO_MEMORY;
1223	}
1224
1225	(*ntlmssp_state)->role = NTLMSSP_CLIENT;
1226
1227	(*ntlmssp_state)->mem_ctx = mem_ctx;
1228
1229	(*ntlmssp_state)->get_global_myname = global_myname;
1230	(*ntlmssp_state)->get_domain = lp_workgroup;
1231
1232	(*ntlmssp_state)->unicode = True;
1233
1234	(*ntlmssp_state)->use_ntlmv2 = lp_client_ntlmv2_auth();
1235
1236	(*ntlmssp_state)->expected_state = NTLMSSP_INITIAL;
1237
1238	(*ntlmssp_state)->ref_count = 1;
1239
1240	(*ntlmssp_state)->neg_flags =
1241	NTLMSSP_NEGOTIATE_128 \|
1242	NTLMSSP_NEGOTIATE_ALWAYS_SIGN \|
1243	NTLMSSP_NEGOTIATE_NTLM \|
1244	NTLMSSP_NEGOTIATE_NTLM2 \|
1245	NTLMSSP_NEGOTIATE_KEY_EXCH \|
1246	NTLMSSP_REQUEST_TARGET;
1247
1248	return NT_STATUS_OK;
1249	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: