source: branches/samba-3.5.x/libcli/auth/credentials.c@ 1025

Last change on this file since 1025 was 590, checked in by Herwig Bauernfeind, 14 years ago

Samba 3.5: Update trunk to 3.5.6

File size: 15.2 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3
4 code to manipulate domain credentials
5
6 Copyright (C) Andrew Tridgell 1997-2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21*/
22
23#include "includes.h"
24#include "system/time.h"
25#include "../lib/crypto/crypto.h"
26#include "libcli/auth/libcli_auth.h"
27#include "../libcli/security/dom_sid.h"
28
29static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds,
30 const struct netr_Credential *in,
31 struct netr_Credential *out)
32{
33 des_crypt112(out->data, in->data, creds->session_key, 1);
34}
35
36/*
37 initialise the credentials state for old-style 64 bit session keys
38
39 this call is made after the netr_ServerReqChallenge call
40*/
41static void netlogon_creds_init_64bit(struct netlogon_creds_CredentialState *creds,
42 const struct netr_Credential *client_challenge,
43 const struct netr_Credential *server_challenge,
44 const struct samr_Password *machine_password)
45{
46 uint32_t sum[2];
47 uint8_t sum2[8];
48
49 sum[0] = IVAL(client_challenge->data, 0) + IVAL(server_challenge->data, 0);
50 sum[1] = IVAL(client_challenge->data, 4) + IVAL(server_challenge->data, 4);
51
52 SIVAL(sum2,0,sum[0]);
53 SIVAL(sum2,4,sum[1]);
54
55 ZERO_STRUCT(creds->session_key);
56
57 des_crypt128(creds->session_key, sum2, machine_password->hash);
58}
59
60/*
61 initialise the credentials state for ADS-style 128 bit session keys
62
63 this call is made after the netr_ServerReqChallenge call
64*/
65static void netlogon_creds_init_128bit(struct netlogon_creds_CredentialState *creds,
66 const struct netr_Credential *client_challenge,
67 const struct netr_Credential *server_challenge,
68 const struct samr_Password *machine_password)
69{
70 unsigned char zero[4], tmp[16];
71 HMACMD5Context ctx;
72 struct MD5Context md5;
73
74 ZERO_STRUCT(creds->session_key);
75
76 memset(zero, 0, sizeof(zero));
77
78 hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx);
79 MD5Init(&md5);
80 MD5Update(&md5, zero, sizeof(zero));
81 MD5Update(&md5, client_challenge->data, 8);
82 MD5Update(&md5, server_challenge->data, 8);
83 MD5Final(tmp, &md5);
84 hmac_md5_update(tmp, sizeof(tmp), &ctx);
85 hmac_md5_final(creds->session_key, &ctx);
86}
87
88static void netlogon_creds_first_step(struct netlogon_creds_CredentialState *creds,
89 const struct netr_Credential *client_challenge,
90 const struct netr_Credential *server_challenge)
91{
92 netlogon_creds_step_crypt(creds, client_challenge, &creds->client);
93
94 netlogon_creds_step_crypt(creds, server_challenge, &creds->server);
95
96 creds->seed = creds->client;
97}
98
99/*
100 step the credentials to the next element in the chain, updating the
101 current client and server credentials and the seed
102*/
103static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds)
104{
105 struct netr_Credential time_cred;
106
107 DEBUG(5,("\tseed %08x:%08x\n",
108 IVAL(creds->seed.data, 0), IVAL(creds->seed.data, 4)));
109
110 SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence);
111 SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4));
112
113 DEBUG(5,("\tseed+time %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
114
115 netlogon_creds_step_crypt(creds, &time_cred, &creds->client);
116
117 DEBUG(5,("\tCLIENT %08x:%08x\n",
118 IVAL(creds->client.data, 0), IVAL(creds->client.data, 4)));
119
120 SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence + 1);
121 SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4));
122
123 DEBUG(5,("\tseed+time+1 %08x:%08x\n",
124 IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
125
126 netlogon_creds_step_crypt(creds, &time_cred, &creds->server);
127
128 DEBUG(5,("\tSERVER %08x:%08x\n",
129 IVAL(creds->server.data, 0), IVAL(creds->server.data, 4)));
130
131 creds->seed = time_cred;
132}
133
134
135/*
136 DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key
137*/
138void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key)
139{
140 struct netr_LMSessionKey tmp;
141 des_crypt56(tmp.key, key->key, creds->session_key, 1);
142 *key = tmp;
143}
144
145/*
146 DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key
147*/
148void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key)
149{
150 struct netr_LMSessionKey tmp;
151 des_crypt56(tmp.key, key->key, creds->session_key, 0);
152 *key = tmp;
153}
154
155/*
156 DES encrypt a 16 byte password buffer using the session key
157*/
158void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass)
159{
160 struct samr_Password tmp;
161 des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 1);
162 *pass = tmp;
163}
164
165/*
166 DES decrypt a 16 byte password buffer using the session key
167*/
168void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass)
169{
170 struct samr_Password tmp;
171 des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 0);
172 *pass = tmp;
173}
174
175/*
176 ARCFOUR encrypt/decrypt a password buffer using the session key
177*/
178void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
179{
180 DATA_BLOB session_key = data_blob(creds->session_key, 16);
181
182 arcfour_crypt_blob(data, len, &session_key);
183
184 data_blob_free(&session_key);
185}
186
187/*****************************************************************
188The above functions are common to the client and server interface
189next comes the client specific functions
190******************************************************************/
191
192/*
193 initialise the credentials chain and return the first client
194 credentials
195*/
196
197struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *mem_ctx,
198 const char *client_account,
199 const char *client_computer_name,
200 const struct netr_Credential *client_challenge,
201 const struct netr_Credential *server_challenge,
202 const struct samr_Password *machine_password,
203 struct netr_Credential *initial_credential,
204 uint32_t negotiate_flags)
205{
206 struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
207
208 if (!creds) {
209 return NULL;
210 }
211
212 creds->sequence = time(NULL);
213 creds->negotiate_flags = negotiate_flags;
214
215 creds->computer_name = talloc_strdup(creds, client_computer_name);
216 if (!creds->computer_name) {
217 talloc_free(creds);
218 return NULL;
219 }
220 creds->account_name = talloc_strdup(creds, client_account);
221 if (!creds->account_name) {
222 talloc_free(creds);
223 return NULL;
224 }
225
226 dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data));
227 dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
228 dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
229
230 if (negotiate_flags & NETLOGON_NEG_128BIT) {
231 netlogon_creds_init_128bit(creds, client_challenge, server_challenge, machine_password);
232 } else {
233 netlogon_creds_init_64bit(creds, client_challenge, server_challenge, machine_password);
234 }
235
236 netlogon_creds_first_step(creds, client_challenge, server_challenge);
237
238 dump_data_pw("Session key", creds->session_key, 16);
239 dump_data_pw("Credential ", creds->client.data, 8);
240
241 *initial_credential = creds->client;
242 return creds;
243}
244
245/*
246 initialise the credentials structure with only a session key. The caller better know what they are doing!
247 */
248
249struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TALLOC_CTX *mem_ctx,
250 const uint8_t session_key[16])
251{
252 struct netlogon_creds_CredentialState *creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
253
254 if (!creds) {
255 return NULL;
256 }
257
258 memcpy(creds->session_key, session_key, 16);
259
260 return creds;
261}
262
263/*
264 step the credentials to the next element in the chain, updating the
265 current client and server credentials and the seed
266
267 produce the next authenticator in the sequence ready to send to
268 the server
269*/
270void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
271 struct netr_Authenticator *next)
272{
273 creds->sequence += 2;
274 netlogon_creds_step(creds);
275
276 next->cred = creds->client;
277 next->timestamp = creds->sequence;
278}
279
280/*
281 check that a credentials reply from a server is correct
282*/
283bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
284 const struct netr_Credential *received_credentials)
285{
286 if (!received_credentials ||
287 memcmp(received_credentials->data, creds->server.data, 8) != 0) {
288 DEBUG(2,("credentials check failed\n"));
289 return false;
290 }
291 return true;
292}
293
294
295/*****************************************************************
296The above functions are common to the client and server interface
297next comes the server specific functions
298******************************************************************/
299
300/*
301 check that a credentials reply from a server is correct
302*/
303static bool netlogon_creds_server_check_internal(const struct netlogon_creds_CredentialState *creds,
304 const struct netr_Credential *received_credentials)
305{
306 if (memcmp(received_credentials->data, creds->client.data, 8) != 0) {
307 DEBUG(2,("credentials check failed\n"));
308 dump_data_pw("client creds", creds->client.data, 8);
309 dump_data_pw("calc creds", received_credentials->data, 8);
310 return false;
311 }
312 return true;
313}
314
315/*
316 initialise the credentials chain and return the first server
317 credentials
318*/
319struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *mem_ctx,
320 const char *client_account,
321 const char *client_computer_name,
322 uint16_t secure_channel_type,
323 const struct netr_Credential *client_challenge,
324 const struct netr_Credential *server_challenge,
325 const struct samr_Password *machine_password,
326 struct netr_Credential *credentials_in,
327 struct netr_Credential *credentials_out,
328 uint32_t negotiate_flags)
329{
330
331 struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
332
333 if (!creds) {
334 return NULL;
335 }
336
337 creds->negotiate_flags = negotiate_flags;
338 creds->secure_channel_type = secure_channel_type;
339
340 creds->computer_name = talloc_strdup(creds, client_computer_name);
341 if (!creds->computer_name) {
342 talloc_free(creds);
343 return NULL;
344 }
345 creds->account_name = talloc_strdup(creds, client_account);
346 if (!creds->account_name) {
347 talloc_free(creds);
348 return NULL;
349 }
350
351 if (negotiate_flags & NETLOGON_NEG_128BIT) {
352 netlogon_creds_init_128bit(creds, client_challenge, server_challenge,
353 machine_password);
354 } else {
355 netlogon_creds_init_64bit(creds, client_challenge, server_challenge,
356 machine_password);
357 }
358
359 netlogon_creds_first_step(creds, client_challenge, server_challenge);
360
361 /* And before we leak information about the machine account
362 * password, check that they got the first go right */
363 if (!netlogon_creds_server_check_internal(creds, credentials_in)) {
364 talloc_free(creds);
365 return NULL;
366 }
367
368 *credentials_out = creds->server;
369
370 return creds;
371}
372
373NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
374 struct netr_Authenticator *received_authenticator,
375 struct netr_Authenticator *return_authenticator)
376{
377 if (!received_authenticator || !return_authenticator) {
378 return NT_STATUS_INVALID_PARAMETER;
379 }
380
381 if (!creds) {
382 return NT_STATUS_ACCESS_DENIED;
383 }
384
385 /* TODO: this may allow the a replay attack on a non-signed
386 connection. Should we check that this is increasing? */
387 creds->sequence = received_authenticator->timestamp;
388 netlogon_creds_step(creds);
389 if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
390 return_authenticator->cred = creds->server;
391 return_authenticator->timestamp = creds->sequence;
392 return NT_STATUS_OK;
393 } else {
394 ZERO_STRUCTP(return_authenticator);
395 return NT_STATUS_ACCESS_DENIED;
396 }
397}
398
399void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds,
400 uint16_t validation_level,
401 union netr_Validation *validation)
402{
403 static const char zeros[16];
404
405 struct netr_SamBaseInfo *base = NULL;
406 switch (validation_level) {
407 case 2:
408 if (validation->sam2) {
409 base = &validation->sam2->base;
410 }
411 break;
412 case 3:
413 if (validation->sam3) {
414 base = &validation->sam3->base;
415 }
416 break;
417 case 6:
418 if (validation->sam6) {
419 base = &validation->sam6->base;
420 }
421 break;
422 default:
423 /* If we can't find it, we can't very well decrypt it */
424 return;
425 }
426
427 if (!base) {
428 return;
429 }
430
431 /* find and decyrpt the session keys, return in parameters above */
432 if (validation_level == 6) {
433 /* they aren't encrypted! */
434 } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
435 if (memcmp(base->key.key, zeros,
436 sizeof(base->key.key)) != 0) {
437 netlogon_creds_arcfour_crypt(creds,
438 base->key.key,
439 sizeof(base->key.key));
440 }
441
442 if (memcmp(base->LMSessKey.key, zeros,
443 sizeof(base->LMSessKey.key)) != 0) {
444 netlogon_creds_arcfour_crypt(creds,
445 base->LMSessKey.key,
446 sizeof(base->LMSessKey.key));
447 }
448 } else {
449 if (memcmp(base->LMSessKey.key, zeros,
450 sizeof(base->LMSessKey.key)) != 0) {
451 netlogon_creds_des_decrypt_LMKey(creds,
452 &base->LMSessKey);
453 }
454 }
455}
456
457/*
458 copy a netlogon_creds_CredentialState struct
459*/
460
461struct netlogon_creds_CredentialState *netlogon_creds_copy(TALLOC_CTX *mem_ctx,
462 struct netlogon_creds_CredentialState *creds_in)
463{
464 struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
465
466 if (!creds) {
467 return NULL;
468 }
469
470 creds->sequence = creds_in->sequence;
471 creds->negotiate_flags = creds_in->negotiate_flags;
472 creds->secure_channel_type = creds_in->secure_channel_type;
473
474 creds->computer_name = talloc_strdup(creds, creds_in->computer_name);
475 if (!creds->computer_name) {
476 talloc_free(creds);
477 return NULL;
478 }
479 creds->account_name = talloc_strdup(creds, creds_in->account_name);
480 if (!creds->account_name) {
481 talloc_free(creds);
482 return NULL;
483 }
484
485 if (creds_in->sid) {
486 creds->sid = dom_sid_dup(creds, creds_in->sid);
487 if (!creds->sid) {
488 talloc_free(creds);
489 return NULL;
490 }
491 }
492
493 memcpy(creds->session_key, creds_in->session_key, sizeof(creds->session_key));
494 memcpy(creds->seed.data, creds_in->seed.data, sizeof(creds->seed.data));
495 memcpy(creds->client.data, creds_in->client.data, sizeof(creds->client.data));
496 memcpy(creds->server.data, creds_in->server.data, sizeof(creds->server.data));
497
498 return creds;
499}
Note: See TracBrowser for help on using the repository browser.