Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.5.x/source3/libsmb/ntlmssp.c@ 850

Visit:

Last change on this file since 850 was 414, checked in by Herwig Bauernfeind, 15 years ago
Samba 3.5.0: Initial import
File size: 39.7 KB

Line
1	/*
2	Unix SMB/Netbios implementation.
3	Version 3.0
4	handle NLTMSSP, server side
5
6	Copyright (C) Andrew Tridgell 2001
7	Copyright (C) Andrew Bartlett 2001-2003
8	Copyright (C) Andrew Bartlett 2005 (Updated from gensec).
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22	*/
23
24	#include "includes.h"
25	#include "../libcli/auth/libcli_auth.h"
26	#include "../librpc/gen_ndr/ndr_ntlmssp.h"
27	#include "libsmb/ntlmssp_ndr.h"
28
29	static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
30	DATA_BLOB reply, DATA_BLOB *next_request);
31	static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
32	const DATA_BLOB in, DATA_BLOB *out);
33	static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
34	const DATA_BLOB reply, DATA_BLOB *next_request);
35	static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
36	const DATA_BLOB request, DATA_BLOB *reply);
37
38	/**
39	* Callbacks for NTLMSSP - for both client and server operating modes
40	*
41	*/
42
43	static const struct ntlmssp_callbacks {
44	enum NTLMSSP_ROLE role;
45	enum NTLM_MESSAGE_TYPE ntlmssp_command;
46	NTSTATUS (fn)(struct ntlmssp_state ntlmssp_state,
47	DATA_BLOB in, DATA_BLOB *out);
48	} ntlmssp_callbacks[] = {
49	{NTLMSSP_CLIENT, NTLMSSP_INITIAL, ntlmssp_client_initial},
50	{NTLMSSP_SERVER, NTLMSSP_NEGOTIATE, ntlmssp_server_negotiate},
51	{NTLMSSP_CLIENT, NTLMSSP_CHALLENGE, ntlmssp_client_challenge},
52	{NTLMSSP_SERVER, NTLMSSP_AUTH, ntlmssp_server_auth},
53	{NTLMSSP_CLIENT, NTLMSSP_UNKNOWN, NULL},
54	{NTLMSSP_SERVER, NTLMSSP_UNKNOWN, NULL}
55	};
56
57
58	/**
59	* Print out the NTLMSSP flags for debugging
60	* @param neg_flags The flags from the packet
61	*/
62
63	void debug_ntlmssp_flags(uint32 neg_flags)
64	{
65	DEBUG(3,("Got NTLMSSP neg_flags=0x%08x\n", neg_flags));
66
67	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE)
68	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_UNICODE\n"));
69	if (neg_flags & NTLMSSP_NEGOTIATE_OEM)
70	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM\n"));
71	if (neg_flags & NTLMSSP_REQUEST_TARGET)
72	DEBUGADD(4, (" NTLMSSP_REQUEST_TARGET\n"));
73	if (neg_flags & NTLMSSP_NEGOTIATE_SIGN)
74	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SIGN\n"));
75	if (neg_flags & NTLMSSP_NEGOTIATE_SEAL)
76	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SEAL\n"));
77	if (neg_flags & NTLMSSP_NEGOTIATE_DATAGRAM)
78	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_DATAGRAM\n"));
79	if (neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
80	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_LM_KEY\n"));
81	if (neg_flags & NTLMSSP_NEGOTIATE_NETWARE)
82	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NETWARE\n"));
83	if (neg_flags & NTLMSSP_NEGOTIATE_NTLM)
84	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM\n"));
85	if (neg_flags & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED)
86	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED\n"));
87	if (neg_flags & NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED)
88	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED\n"));
89	if (neg_flags & NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL)
90	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL\n"));
91	if (neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
92	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_ALWAYS_SIGN\n"));
93	if (neg_flags & NTLMSSP_REQUEST_NON_NT_SESSION_KEY)
94	DEBUGADD(4, (" NTLMSSP_REQUEST_NON_NT_SESSION_KEY\n"));
95	if (neg_flags & NTLMSSP_NEGOTIATE_NTLM2)
96	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM2\n"));
97	if (neg_flags & NTLMSSP_NEGOTIATE_TARGET_INFO)
98	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_TARGET_INFO\n"));
99	if (neg_flags & NTLMSSP_NEGOTIATE_VERSION)
100	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_VERSION\n"));
101	if (neg_flags & NTLMSSP_NEGOTIATE_128)
102	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_128\n"));
103	if (neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)
104	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_KEY_EXCH\n"));
105	if (neg_flags & NTLMSSP_NEGOTIATE_56)
106	DEBUGADD(4, (" NTLMSSP_NEGOTIATE_56\n"));
107	}
108
109	/**
110	* Default challenge generation code.
111	*
112	*/
113
114	static void get_challenge(const struct ntlmssp_state *ntlmssp_state,
115	uint8_t chal[8])
116	{
117	generate_random_buffer(chal, 8);
118	}
119
120	/**
121	* Default 'we can set the challenge to anything we like' implementation
122	*
123	*/
124
125	static bool may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
126	{
127	return True;
128	}
129
130	/**
131	* Default 'we can set the challenge to anything we like' implementation
132	*
133	* Does not actually do anything, as the value is always in the structure anyway.
134	*
135	*/
136
137	static NTSTATUS set_challenge(struct ntlmssp_state ntlmssp_state, DATA_BLOB challenge)
138	{
139	SMB_ASSERT(challenge->length == 8);
140	return NT_STATUS_OK;
141	}
142
143	/**
144	* Set a username on an NTLMSSP context - ensures it is talloc()ed
145	*
146	*/
147
148	NTSTATUS ntlmssp_set_username(NTLMSSP_STATE ntlmssp_state, const char user)
149	{
150	ntlmssp_state->user = talloc_strdup(ntlmssp_state, user ? user : "" );
151	if (!ntlmssp_state->user) {
152	return NT_STATUS_NO_MEMORY;
153	}
154	return NT_STATUS_OK;
155	}
156
157	/**
158	* Store NT and LM hashes on an NTLMSSP context - ensures they are talloc()ed
159	*
160	*/
161	NTSTATUS ntlmssp_set_hashes(NTLMSSP_STATE *ntlmssp_state,
162	const unsigned char lm_hash[16],
163	const unsigned char nt_hash[16])
164	{
165	ntlmssp_state->lm_hash = (unsigned char *)
166	TALLOC_MEMDUP(ntlmssp_state, lm_hash, 16);
167	ntlmssp_state->nt_hash = (unsigned char *)
168	TALLOC_MEMDUP(ntlmssp_state, nt_hash, 16);
169	if (!ntlmssp_state->lm_hash \|\| !ntlmssp_state->nt_hash) {
170	TALLOC_FREE(ntlmssp_state->lm_hash);
171	TALLOC_FREE(ntlmssp_state->nt_hash);
172	return NT_STATUS_NO_MEMORY;
173	}
174	return NT_STATUS_OK;
175	}
176
177	/**
178	* Converts a password to the hashes on an NTLMSSP context.
179	*
180	*/
181	NTSTATUS ntlmssp_set_password(NTLMSSP_STATE ntlmssp_state, const char password)
182	{
183	if (!password) {
184	ntlmssp_state->lm_hash = NULL;
185	ntlmssp_state->nt_hash = NULL;
186	} else {
187	unsigned char lm_hash[16];
188	unsigned char nt_hash[16];
189
190	E_deshash(password, lm_hash);
191	E_md4hash(password, nt_hash);
192	return ntlmssp_set_hashes(ntlmssp_state, lm_hash, nt_hash);
193	}
194	return NT_STATUS_OK;
195	}
196
197	/**
198	* Set a domain on an NTLMSSP context - ensures it is talloc()ed
199	*
200	*/
201	NTSTATUS ntlmssp_set_domain(NTLMSSP_STATE ntlmssp_state, const char domain)
202	{
203	ntlmssp_state->domain = talloc_strdup(ntlmssp_state,
204	domain ? domain : "" );
205	if (!ntlmssp_state->domain) {
206	return NT_STATUS_NO_MEMORY;
207	}
208	return NT_STATUS_OK;
209	}
210
211	/**
212	* Set a workstation on an NTLMSSP context - ensures it is talloc()ed
213	*
214	*/
215	NTSTATUS ntlmssp_set_workstation(NTLMSSP_STATE ntlmssp_state, const char workstation)
216	{
217	ntlmssp_state->workstation = talloc_strdup(ntlmssp_state, workstation);
218	if (!ntlmssp_state->workstation) {
219	return NT_STATUS_NO_MEMORY;
220	}
221	return NT_STATUS_OK;
222	}
223
224	/**
225	* Store a DATA_BLOB containing an NTLMSSP response, for use later.
226	* This copies the data blob
227	*/
228
229	NTSTATUS ntlmssp_store_response(NTLMSSP_STATE *ntlmssp_state,
230	DATA_BLOB response)
231	{
232	ntlmssp_state->stored_response = data_blob_talloc(ntlmssp_state,
233	response.data,
234	response.length);
235	return NT_STATUS_OK;
236	}
237
238	/**
239	* Request features for the NTLMSSP negotiation
240	*
241	* @param ntlmssp_state NTLMSSP state
242	* @param feature_list List of space seperated features requested from NTLMSSP.
243	*/
244	void ntlmssp_want_feature_list(NTLMSSP_STATE ntlmssp_state, char feature_list)
245	{
246	/*
247	* We need to set this to allow a later SetPassword
248	* via the SAMR pipe to succeed. Strange.... We could
249	* also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
250	*/
251	if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
252	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
253	}
254	if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
255	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
256	}
257	if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
258	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SEAL;
259	}
260	if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
261	ntlmssp_state->use_ccache = true;
262	}
263	}
264
265	/**
266	* Request a feature for the NTLMSSP negotiation
267	*
268	* @param ntlmssp_state NTLMSSP state
269	* @param feature Bit flag specifying the requested feature
270	*/
271	void ntlmssp_want_feature(NTLMSSP_STATE *ntlmssp_state, uint32 feature)
272	{
273	/* As per JRA's comment above */
274	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
275	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
276	}
277	if (feature & NTLMSSP_FEATURE_SIGN) {
278	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
279	}
280	if (feature & NTLMSSP_FEATURE_SEAL) {
281	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SEAL;
282	}
283	if (feature & NTLMSSP_FEATURE_CCACHE) {
284	ntlmssp_state->use_ccache = true;
285	}
286	}
287
288	/**
289	* Next state function for the NTLMSSP state machine
290	*
291	* @param ntlmssp_state NTLMSSP State
292	* @param in The packet in from the NTLMSSP partner, as a DATA_BLOB
293	* @param out The reply, as an allocated DATA_BLOB, caller to free.
294	* @return Errors, NT_STATUS_MORE_PROCESSING_REQUIRED or NT_STATUS_OK.
295	*/
296
297	NTSTATUS ntlmssp_update(NTLMSSP_STATE *ntlmssp_state,
298	const DATA_BLOB in, DATA_BLOB *out)
299	{
300	DATA_BLOB input;
301	uint32 ntlmssp_command;
302	int i;
303
304	if (ntlmssp_state->expected_state == NTLMSSP_DONE) {
305	/* Called update after negotiations finished. */
306	DEBUG(1, ("Called NTLMSSP after state machine was 'done'\n"));
307	return NT_STATUS_INVALID_PARAMETER;
308	}
309
310	*out = data_blob_null;
311
312	if (!in.length && ntlmssp_state->stored_response.length) {
313	input = ntlmssp_state->stored_response;
314
315	/* we only want to read the stored response once - overwrite it */
316	ntlmssp_state->stored_response = data_blob_null;
317	} else {
318	input = in;
319	}
320
321	if (!input.length) {
322	switch (ntlmssp_state->role) {
323	case NTLMSSP_CLIENT:
324	ntlmssp_command = NTLMSSP_INITIAL;
325	break;
326	case NTLMSSP_SERVER:
327	/* 'datagram' mode - no neg packet */
328	ntlmssp_command = NTLMSSP_NEGOTIATE;
329	break;
330	}
331	} else {
332	if (!msrpc_parse(ntlmssp_state, &input, "Cd",
333	"NTLMSSP",
334	&ntlmssp_command)) {
335	DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n"));
336	dump_data(2, input.data, input.length);
337	return NT_STATUS_INVALID_PARAMETER;
338	}
339	}
340
341	if (ntlmssp_command != ntlmssp_state->expected_state) {
342	DEBUG(1, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command, ntlmssp_state->expected_state));
343	return NT_STATUS_INVALID_PARAMETER;
344	}
345
346	for (i=0; ntlmssp_callbacks[i].fn; i++) {
347	if (ntlmssp_callbacks[i].role == ntlmssp_state->role
348	&& ntlmssp_callbacks[i].ntlmssp_command == ntlmssp_command) {
349	return ntlmssp_callbacks[i].fn(ntlmssp_state, input, out);
350	}
351	}
352
353	DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command %u\n",
354	ntlmssp_state->role, ntlmssp_command));
355
356	return NT_STATUS_INVALID_PARAMETER;
357	}
358
359	/**
360	* End an NTLMSSP state machine
361	*
362	* @param ntlmssp_state NTLMSSP State, free()ed by this function
363	*/
364
365	void ntlmssp_end(NTLMSSP_STATE **ntlmssp_state)
366	{
367	(*ntlmssp_state)->ref_count--;
368
369	if ((*ntlmssp_state)->ref_count == 0) {
370	data_blob_free(&(*ntlmssp_state)->chal);
371	data_blob_free(&(*ntlmssp_state)->lm_resp);
372	data_blob_free(&(*ntlmssp_state)->nt_resp);
373	TALLOC_FREE(*ntlmssp_state);
374	}
375
376	*ntlmssp_state = NULL;
377	return;
378	}
379
380	/**
381	* Determine correct target name flags for reply, given server role
382	* and negotiated flags
383	*
384	* @param ntlmssp_state NTLMSSP State
385	* @param neg_flags The flags from the packet
386	* @param chal_flags The flags to be set in the reply packet
387	* @return The 'target name' string.
388	*/
389
390	static const char ntlmssp_target_name(struct ntlmssp_state ntlmssp_state,
391	uint32 neg_flags, uint32 *chal_flags)
392	{
393	if (neg_flags & NTLMSSP_REQUEST_TARGET) {
394	*chal_flags \|= NTLMSSP_NEGOTIATE_TARGET_INFO;
395	*chal_flags \|= NTLMSSP_REQUEST_TARGET;
396	if (ntlmssp_state->server_role == ROLE_STANDALONE) {
397	*chal_flags \|= NTLMSSP_TARGET_TYPE_SERVER;
398	return ntlmssp_state->get_global_myname();
399	} else {
400	*chal_flags \|= NTLMSSP_TARGET_TYPE_DOMAIN;
401	return ntlmssp_state->get_domain();
402	};
403	} else {
404	return "";
405	}
406	}
407
408	static void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
409	uint32 neg_flags, bool allow_lm) {
410	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
411	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_UNICODE;
412	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
413	ntlmssp_state->unicode = True;
414	} else {
415	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
416	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_OEM;
417	ntlmssp_state->unicode = False;
418	}
419
420	if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
421	/* other end forcing us to use LM */
422	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_LM_KEY;
423	ntlmssp_state->use_ntlmv2 = False;
424	} else {
425	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
426	}
427
428	if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
429	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
430	}
431
432	if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
433	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
434	}
435
436	if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
437	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
438	}
439
440	if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
441	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
442	}
443
444	if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
445	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
446	}
447
448	if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
449	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
450	}
451
452	if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
453	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
454	}
455
456	/* Woop Woop - unknown flag for Windows compatibility...
457	What does this really do ? JRA. */
458	if (!(neg_flags & NTLMSSP_NEGOTIATE_VERSION)) {
459	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_VERSION;
460	}
461
462	if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
463	ntlmssp_state->neg_flags \|= NTLMSSP_REQUEST_TARGET;
464	}
465	}
466
467	/**
468	Weaken NTLMSSP keys to cope with down-level clients and servers.
469
470	We probably should have some parameters to control this, but as
471	it only occours for LM_KEY connections, and this is controlled
472	by the client lanman auth/lanman auth parameters, it isn't too bad.
473	*/
474
475	DATA_BLOB ntlmssp_weaken_keys(NTLMSSP_STATE ntlmssp_state, TALLOC_CTX mem_ctx)
476	{
477	DATA_BLOB weakened_key = data_blob_talloc(mem_ctx,
478	ntlmssp_state->session_key.data,
479	ntlmssp_state->session_key.length);
480
481	/* Nothing to weaken. We certainly don't want to 'extend' the length... */
482	if (weakened_key.length < 16) {
483	/* perhaps there was no key? */
484	return weakened_key;
485	}
486
487	/* Key weakening not performed on the master key for NTLM2
488	and does not occour for NTLM1. Therefore we only need
489	to do this for the LM_KEY.
490	*/
491
492	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
493	/* LM key doesn't support 128 bit crypto, so this is
494	* the best we can do. If you negotiate 128 bit, but
495	* not 56, you end up with 40 bit... */
496	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
497	weakened_key.data[7] = 0xa0;
498	} else { /* forty bits */
499	weakened_key.data[5] = 0xe5;
500	weakened_key.data[6] = 0x38;
501	weakened_key.data[7] = 0xb0;
502	}
503	weakened_key.length = 8;
504	}
505	return weakened_key;
506	}
507
508	/**
509	* Next state function for the Negotiate packet
510	*
511	* @param ntlmssp_state NTLMSSP State
512	* @param request The request, as a DATA_BLOB
513	* @param request The reply, as an allocated DATA_BLOB, caller to free.
514	* @return Errors or MORE_PROCESSING_REQUIRED if a reply is sent.
515	*/
516
517	static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
518	const DATA_BLOB request, DATA_BLOB *reply)
519	{
520	DATA_BLOB struct_blob;
521	const char *dnsname;
522	char *dnsdomname = NULL;
523	uint32 neg_flags = 0;
524	uint32 ntlmssp_command, chal_flags;
525	uint8_t cryptkey[8];
526	const char *target_name;
527	struct NEGOTIATE_MESSAGE negotiate;
528	struct CHALLENGE_MESSAGE challenge;
529
530	/* parse the NTLMSSP packet */
531	#if 0
532	file_save("ntlmssp_negotiate.dat", request.data, request.length);
533	#endif
534
535	if (request.length) {
536	if ((request.length < 16) \|\| !msrpc_parse(ntlmssp_state, &request, "Cdd",
537	"NTLMSSP",
538	&ntlmssp_command,
539	&neg_flags)) {
540	DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP Negotiate of length %u\n",
541	(unsigned int)request.length));
542	dump_data(2, request.data, request.length);
543	return NT_STATUS_INVALID_PARAMETER;
544	}
545	debug_ntlmssp_flags(neg_flags);
546
547	if (DEBUGLEVEL >= 10) {
548	if (NT_STATUS_IS_OK(ntlmssp_pull_NEGOTIATE_MESSAGE(&request,
549	ntlmssp_state,
550	NULL,
551	&negotiate)))
552	{
553	NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE, &negotiate);
554	}
555	}
556	}
557
558	ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, lp_lanman_auth());
559
560	/* Ask our caller what challenge they would like in the packet */
561	ntlmssp_state->get_challenge(ntlmssp_state, cryptkey);
562
563	/* Check if we may set the challenge */
564	if (!ntlmssp_state->may_set_challenge(ntlmssp_state)) {
565	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
566	}
567
568	/* The flags we send back are not just the negotiated flags,
569	* they are also 'what is in this packet'. Therfore, we
570	* operate on 'chal_flags' from here on
571	*/
572
573	chal_flags = ntlmssp_state->neg_flags;
574
575	/* get the right name to fill in as 'target' */
576	target_name = ntlmssp_target_name(ntlmssp_state,
577	neg_flags, &chal_flags);
578	if (target_name == NULL)
579	return NT_STATUS_INVALID_PARAMETER;
580
581	ntlmssp_state->chal = data_blob_talloc(ntlmssp_state, cryptkey, 8);
582	ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state,
583	cryptkey, 8);
584
585	/* This should be a 'netbios domain -> DNS domain' mapping */
586	dnsdomname = get_mydnsdomname(ntlmssp_state);
587	if (!dnsdomname) {
588	dnsdomname = talloc_strdup(ntlmssp_state, "");
589	}
590	if (!dnsdomname) {
591	return NT_STATUS_NO_MEMORY;
592	}
593	strlower_m(dnsdomname);
594
595	dnsname = get_mydnsfullname();
596	if (!dnsname) {
597	dnsname = "";
598	}
599
600	/* This creates the 'blob' of names that appears at the end of the packet */
601	if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO)
602	{
603	msrpc_gen(ntlmssp_state, &struct_blob, "aaaaa",
604	MsvAvNbDomainName, target_name,
605	MsvAvNbComputerName, ntlmssp_state->get_global_myname(),
606	MsvAvDnsDomainName, dnsdomname,
607	MsvAvDnsComputerName, dnsname,
608	MsvAvEOL, "");
609	} else {
610	struct_blob = data_blob_null;
611	}
612
613	{
614	/* Marshel the packet in the right format, be it unicode or ASCII */
615	const char *gen_string;
616	if (ntlmssp_state->unicode) {
617	gen_string = "CdUdbddB";
618	} else {
619	gen_string = "CdAdbddB";
620	}
621
622	msrpc_gen(ntlmssp_state, reply, gen_string,
623	"NTLMSSP",
624	NTLMSSP_CHALLENGE,
625	target_name,
626	chal_flags,
627	cryptkey, 8,
628	0, 0,
629	struct_blob.data, struct_blob.length);
630
631	if (DEBUGLEVEL >= 10) {
632	if (NT_STATUS_IS_OK(ntlmssp_pull_CHALLENGE_MESSAGE(reply,
633	ntlmssp_state,
634	NULL,
635	&challenge)))
636	{
637	NDR_PRINT_DEBUG(CHALLENGE_MESSAGE, &challenge);
638	}
639	}
640	}
641
642	data_blob_free(&struct_blob);
643
644	ntlmssp_state->expected_state = NTLMSSP_AUTH;
645
646	return NT_STATUS_MORE_PROCESSING_REQUIRED;
647	}
648
649	/**
650	* Next state function for the Authenticate packet
651	*
652	* @param ntlmssp_state NTLMSSP State
653	* @param request The request, as a DATA_BLOB
654	* @param request The reply, as an allocated DATA_BLOB, caller to free.
655	* @return Errors or NT_STATUS_OK.
656	*/
657
658	static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
659	const DATA_BLOB request, DATA_BLOB *reply)
660	{
661	DATA_BLOB encrypted_session_key = data_blob_null;
662	DATA_BLOB user_session_key = data_blob_null;
663	DATA_BLOB lm_session_key = data_blob_null;
664	DATA_BLOB session_key = data_blob_null;
665	uint32 ntlmssp_command, auth_flags;
666	NTSTATUS nt_status = NT_STATUS_OK;
667	struct AUTHENTICATE_MESSAGE authenticate;
668
669	/* used by NTLM2 */
670	bool doing_ntlm2 = False;
671
672	uchar session_nonce[16];
673	uchar session_nonce_hash[16];
674
675	const char *parse_string;
676
677	/* parse the NTLMSSP packet */
678	*reply = data_blob_null;
679
680	#if 0
681	file_save("ntlmssp_auth.dat", request.data, request.length);
682	#endif
683
684	if (ntlmssp_state->unicode) {
685	parse_string = "CdBBUUUBd";
686	} else {
687	parse_string = "CdBBAAABd";
688	}
689
690	data_blob_free(&ntlmssp_state->lm_resp);
691	data_blob_free(&ntlmssp_state->nt_resp);
692
693	ntlmssp_state->user = NULL;
694	ntlmssp_state->domain = NULL;
695	ntlmssp_state->workstation = NULL;
696
697	/* now the NTLMSSP encoded auth hashes */
698	if (!msrpc_parse(ntlmssp_state, &request, parse_string,
699	"NTLMSSP",
700	&ntlmssp_command,
701	&ntlmssp_state->lm_resp,
702	&ntlmssp_state->nt_resp,
703	&ntlmssp_state->domain,
704	&ntlmssp_state->user,
705	&ntlmssp_state->workstation,
706	&encrypted_session_key,
707	&auth_flags)) {
708	auth_flags = 0;
709
710	/* Try again with a shorter string (Win9X truncates this packet) */
711	if (ntlmssp_state->unicode) {
712	parse_string = "CdBBUUU";
713	} else {
714	parse_string = "CdBBAAA";
715	}
716
717	/* now the NTLMSSP encoded auth hashes */
718	if (!msrpc_parse(ntlmssp_state, &request, parse_string,
719	"NTLMSSP",
720	&ntlmssp_command,
721	&ntlmssp_state->lm_resp,
722	&ntlmssp_state->nt_resp,
723	&ntlmssp_state->domain,
724	&ntlmssp_state->user,
725	&ntlmssp_state->workstation)) {
726	DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP (tried both formats):\n"));
727	dump_data(2, request.data, request.length);
728
729	return NT_STATUS_INVALID_PARAMETER;
730	}
731	}
732
733	if (auth_flags)
734	ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, lp_lanman_auth());
735
736	if (DEBUGLEVEL >= 10) {
737	if (NT_STATUS_IS_OK(ntlmssp_pull_AUTHENTICATE_MESSAGE(&request,
738	ntlmssp_state,
739	NULL,
740	&authenticate)))
741	{
742	NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE, &authenticate);
743	}
744	}
745
746	DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n",
747	ntlmssp_state->user, ntlmssp_state->domain, ntlmssp_state->workstation, (unsigned long)ntlmssp_state->lm_resp.length, (unsigned long)ntlmssp_state->nt_resp.length));
748
749	#if 0
750	file_save("nthash1.dat", &ntlmssp_state->nt_resp.data, &ntlmssp_state->nt_resp.length);
751	file_save("lmhash1.dat", &ntlmssp_state->lm_resp.data, &ntlmssp_state->lm_resp.length);
752	#endif
753
754	/* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a
755	client challenge
756
757	However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful.
758	*/
759	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
760	if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) {
761	struct MD5Context md5_session_nonce_ctx;
762	SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8);
763
764	doing_ntlm2 = True;
765
766	memcpy(session_nonce, ntlmssp_state->internal_chal.data, 8);
767	memcpy(&session_nonce[8], ntlmssp_state->lm_resp.data, 8);
768
769	MD5Init(&md5_session_nonce_ctx);
770	MD5Update(&md5_session_nonce_ctx, session_nonce, 16);
771	MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
772
773	ntlmssp_state->chal = data_blob_talloc(
774	ntlmssp_state, session_nonce_hash, 8);
775
776	/* LM response is no longer useful */
777	data_blob_free(&ntlmssp_state->lm_resp);
778
779	/* We changed the effective challenge - set it */
780	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->set_challenge(ntlmssp_state, &ntlmssp_state->chal))) {
781	data_blob_free(&encrypted_session_key);
782	return nt_status;
783	}
784
785	/* LM Key is incompatible. */
786	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
787	}
788	}
789
790	/*
791	* Note we don't check here for NTLMv2 auth settings. If NTLMv2 auth
792	* is required (by "ntlm auth = no" and "lm auth = no" being set in the
793	* smb.conf file) and no NTLMv2 response was sent then the password check
794	* will fail here. JRA.
795	*/
796
797	/* Finally, actually ask if the password is OK */
798
799	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->check_password(ntlmssp_state,
800	&user_session_key, &lm_session_key))) {
801	data_blob_free(&encrypted_session_key);
802	return nt_status;
803	}
804
805	dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length);
806	dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
807
808	/* Handle the different session key derivation for NTLM2 */
809	if (doing_ntlm2) {
810	if (user_session_key.data && user_session_key.length == 16) {
811	session_key = data_blob_talloc(ntlmssp_state,
812	NULL, 16);
813	hmac_md5(user_session_key.data, session_nonce,
814	sizeof(session_nonce), session_key.data);
815	DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
816	dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
817
818	} else {
819	DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n"));
820	session_key = data_blob_null;
821	}
822	} else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
823	if (lm_session_key.data && lm_session_key.length >= 8) {
824	if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) {
825	session_key = data_blob_talloc(ntlmssp_state,
826	NULL, 16);
827	if (session_key.data == NULL) {
828	return NT_STATUS_NO_MEMORY;
829	}
830	SMBsesskeygen_lm_sess_key(lm_session_key.data, ntlmssp_state->lm_resp.data,
831	session_key.data);
832	DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
833	} else {
834	uint8 zeros[24];
835	ZERO_STRUCT(zeros);
836	session_key = data_blob_talloc(
837	ntlmssp_state, NULL, 16);
838	if (session_key.data == NULL) {
839	return NT_STATUS_NO_MEMORY;
840	}
841	SMBsesskeygen_lm_sess_key(
842	lm_session_key.data, zeros,
843	session_key.data);
844	}
845	dump_data_pw("LM session key:\n", session_key.data,
846	session_key.length);
847	} else {
848	DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n"));
849	session_key = data_blob_null;
850	}
851	} else if (user_session_key.data) {
852	session_key = user_session_key;
853	DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
854	dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
855	} else if (lm_session_key.data) {
856	session_key = lm_session_key;
857	DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n"));
858	dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
859	} else {
860	DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n"));
861	session_key = data_blob_null;
862	}
863
864	/* With KEY_EXCH, the client supplies the proposed session key,
865	but encrypts it with the long-term key */
866	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
867	if (!encrypted_session_key.data \|\| encrypted_session_key.length != 16) {
868	data_blob_free(&encrypted_session_key);
869	DEBUG(1, ("Client-supplied KEY_EXCH session key was of invalid length (%u)!\n",
870	(unsigned int)encrypted_session_key.length));
871	return NT_STATUS_INVALID_PARAMETER;
872	} else if (!session_key.data \|\| session_key.length != 16) {
873	DEBUG(5, ("server session key is invalid (len == %u), cannot do KEY_EXCH!\n",
874	(unsigned int)session_key.length));
875	ntlmssp_state->session_key = session_key;
876	} else {
877	dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
878	arcfour_crypt_blob(encrypted_session_key.data,
879	encrypted_session_key.length,
880	&session_key);
881	ntlmssp_state->session_key = data_blob_talloc(
882	ntlmssp_state, encrypted_session_key.data,
883	encrypted_session_key.length);
884	dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data,
885	encrypted_session_key.length);
886	}
887	} else {
888	ntlmssp_state->session_key = session_key;
889	}
890
891	if (!NT_STATUS_IS_OK(nt_status)) {
892	ntlmssp_state->session_key = data_blob_null;
893	} else if (ntlmssp_state->session_key.length) {
894	nt_status = ntlmssp_sign_init(ntlmssp_state);
895	}
896
897	data_blob_free(&encrypted_session_key);
898
899	/* Only one authentication allowed per server state. */
900	ntlmssp_state->expected_state = NTLMSSP_DONE;
901
902	return nt_status;
903	}
904
905	/**
906	* Create an NTLMSSP state machine
907	*
908	* @param ntlmssp_state NTLMSSP State, allocated by this function
909	*/
910
911	NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
912	{
913	*ntlmssp_state = TALLOC_ZERO_P(NULL, NTLMSSP_STATE);
914	if (!*ntlmssp_state) {
915	DEBUG(0,("ntlmssp_server_start: talloc failed!\n"));
916	talloc_destroy(*ntlmssp_state);
917	return NT_STATUS_NO_MEMORY;
918	}
919
920	(*ntlmssp_state)->role = NTLMSSP_SERVER;
921
922	(*ntlmssp_state)->get_challenge = get_challenge;
923	(*ntlmssp_state)->set_challenge = set_challenge;
924	(*ntlmssp_state)->may_set_challenge = may_set_challenge;
925
926	(*ntlmssp_state)->get_global_myname = global_myname;
927	(*ntlmssp_state)->get_domain = lp_workgroup;
928	(ntlmssp_state)->server_role = ROLE_DOMAIN_MEMBER; / a good default */
929
930	(*ntlmssp_state)->expected_state = NTLMSSP_NEGOTIATE;
931
932	(*ntlmssp_state)->ref_count = 1;
933
934	(*ntlmssp_state)->neg_flags =
935	NTLMSSP_NEGOTIATE_128 \|
936	NTLMSSP_NEGOTIATE_56 \|
937	NTLMSSP_NEGOTIATE_VERSION \|
938	NTLMSSP_NEGOTIATE_ALWAYS_SIGN \|
939	NTLMSSP_NEGOTIATE_NTLM \|
940	NTLMSSP_NEGOTIATE_NTLM2 \|
941	NTLMSSP_NEGOTIATE_KEY_EXCH \|
942	NTLMSSP_NEGOTIATE_SIGN \|
943	NTLMSSP_NEGOTIATE_SEAL;
944
945	return NT_STATUS_OK;
946	}
947
948	/*********************************************************************
949	Client side NTLMSSP
950	*********************************************************************/
951
952	/**
953	* Next state function for the Initial packet
954	*
955	* @param ntlmssp_state NTLMSSP State
956	* @param request The request, as a DATA_BLOB. reply.data must be NULL
957	* @param request The reply, as an allocated DATA_BLOB, caller to free.
958	* @return Errors or NT_STATUS_OK.
959	*/
960
961	static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
962	DATA_BLOB reply, DATA_BLOB *next_request)
963	{
964	struct NEGOTIATE_MESSAGE negotiate;
965
966	if (ntlmssp_state->unicode) {
967	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_UNICODE;
968	} else {
969	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_OEM;
970	}
971
972	if (ntlmssp_state->use_ntlmv2) {
973	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_NTLM2;
974	}
975
976	/* generate the ntlmssp negotiate packet */
977	msrpc_gen(ntlmssp_state, next_request, "CddAA",
978	"NTLMSSP",
979	NTLMSSP_NEGOTIATE,
980	ntlmssp_state->neg_flags,
981	ntlmssp_state->get_domain(),
982	ntlmssp_state->get_global_myname());
983
984	if (DEBUGLEVEL >= 10) {
985	if (NT_STATUS_IS_OK(ntlmssp_pull_NEGOTIATE_MESSAGE(next_request,
986	ntlmssp_state,
987	NULL,
988	&negotiate)))
989	{
990	NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE, &negotiate);
991	}
992	}
993
994	ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
995
996	return NT_STATUS_MORE_PROCESSING_REQUIRED;
997	}
998
999	/**
1000	* Next state function for the Challenge Packet. Generate an auth packet.
1001	*
1002	* @param ntlmssp_state NTLMSSP State
1003	* @param request The request, as a DATA_BLOB. reply.data must be NULL
1004	* @param request The reply, as an allocated DATA_BLOB, caller to free.
1005	* @return Errors or NT_STATUS_OK.
1006	*/
1007
1008	static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
1009	const DATA_BLOB reply, DATA_BLOB *next_request)
1010	{
1011	uint32 chal_flags, ntlmssp_command, unkn1, unkn2;
1012	DATA_BLOB server_domain_blob;
1013	DATA_BLOB challenge_blob;
1014	DATA_BLOB struct_blob = data_blob_null;
1015	char *server_domain;
1016	const char *chal_parse_string;
1017	const char *auth_gen_string;
1018	DATA_BLOB lm_response = data_blob_null;
1019	DATA_BLOB nt_response = data_blob_null;
1020	DATA_BLOB session_key = data_blob_null;
1021	DATA_BLOB encrypted_session_key = data_blob_null;
1022	NTSTATUS nt_status = NT_STATUS_OK;
1023	struct CHALLENGE_MESSAGE challenge;
1024	struct AUTHENTICATE_MESSAGE authenticate;
1025
1026	if (ntlmssp_state->use_ccache) {
1027	struct wbcCredentialCacheParams params;
1028	struct wbcCredentialCacheInfo *info = NULL;
1029	struct wbcAuthErrorInfo *error = NULL;
1030	struct wbcNamedBlob auth_blob;
1031	struct wbcBlob *wbc_next = NULL;
1032	struct wbcBlob *wbc_session_key = NULL;
1033	wbcErr wbc_status;
1034	int i;
1035
1036	params.account_name = ntlmssp_state->user;
1037	params.domain_name = ntlmssp_state->domain;
1038	params.level = WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP;
1039
1040	auth_blob.name = "challenge_blob";
1041	auth_blob.flags = 0;
1042	auth_blob.blob.data = reply.data;
1043	auth_blob.blob.length = reply.length;
1044	params.num_blobs = 1;
1045	params.blobs = &auth_blob;
1046
1047	wbc_status = wbcCredentialCache(&params, &info, &error);
1048	if (error != NULL) {
1049	wbcFreeMemory(error);
1050	}
1051	if (!WBC_ERROR_IS_OK(wbc_status)) {
1052	goto noccache;
1053	}
1054
1055	for (i=0; i<info->num_blobs; i++) {
1056	if (strequal(info->blobs[i].name, "auth_blob")) {
1057	wbc_next = &info->blobs[i].blob;
1058	}
1059	if (strequal(info->blobs[i].name, "session_key")) {
1060	wbc_session_key = &info->blobs[i].blob;
1061	}
1062	}
1063	if ((wbc_next == NULL) \|\| (wbc_session_key == NULL)) {
1064	wbcFreeMemory(info);
1065	goto noccache;
1066	}
1067
1068	*next_request = data_blob(wbc_next->data, wbc_next->length);
1069	ntlmssp_state->session_key = data_blob(
1070	wbc_session_key->data, wbc_session_key->length);
1071
1072	wbcFreeMemory(info);
1073	goto done;
1074	}
1075
1076	noccache:
1077
1078	if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
1079	"NTLMSSP",
1080	&ntlmssp_command,
1081	&server_domain_blob,
1082	&chal_flags)) {
1083	DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
1084	dump_data(2, reply.data, reply.length);
1085
1086	return NT_STATUS_INVALID_PARAMETER;
1087	}
1088
1089	if (DEBUGLEVEL >= 10) {
1090	if (NT_STATUS_IS_OK(ntlmssp_pull_CHALLENGE_MESSAGE(&reply,
1091	ntlmssp_state,
1092	NULL,
1093	&challenge)))
1094	{
1095	NDR_PRINT_DEBUG(CHALLENGE_MESSAGE, &challenge);
1096	}
1097	}
1098
1099	data_blob_free(&server_domain_blob);
1100
1101	DEBUG(3, ("Got challenge flags:\n"));
1102	debug_ntlmssp_flags(chal_flags);
1103
1104	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
1105
1106	if (ntlmssp_state->unicode) {
1107	if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
1108	chal_parse_string = "CdUdbddB";
1109	} else {
1110	chal_parse_string = "CdUdbdd";
1111	}
1112	auth_gen_string = "CdBBUUUBd";
1113	} else {
1114	if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
1115	chal_parse_string = "CdAdbddB";
1116	} else {
1117	chal_parse_string = "CdAdbdd";
1118	}
1119
1120	auth_gen_string = "CdBBAAABd";
1121	}
1122
1123	DEBUG(3, ("NTLMSSP: Set final flags:\n"));
1124	debug_ntlmssp_flags(ntlmssp_state->neg_flags);
1125
1126	if (!msrpc_parse(ntlmssp_state, &reply, chal_parse_string,
1127	"NTLMSSP",
1128	&ntlmssp_command,
1129	&server_domain,
1130	&chal_flags,
1131	&challenge_blob, 8,
1132	&unkn1, &unkn2,
1133	&struct_blob)) {
1134	DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
1135	dump_data(2, reply.data, reply.length);
1136	return NT_STATUS_INVALID_PARAMETER;
1137	}
1138
1139	ntlmssp_state->server_domain = server_domain;
1140
1141	if (challenge_blob.length != 8) {
1142	data_blob_free(&struct_blob);
1143	return NT_STATUS_INVALID_PARAMETER;
1144	}
1145
1146	if (!ntlmssp_state->nt_hash \|\| !ntlmssp_state->lm_hash) {
1147	uchar zeros[16];
1148	/* do nothing - blobs are zero length */
1149
1150	ZERO_STRUCT(zeros);
1151
1152	/* session key is all zeros */
1153	session_key = data_blob_talloc(ntlmssp_state, zeros, 16);
1154
1155	/* not doing NLTM2 without a password */
1156	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
1157	} else if (ntlmssp_state->use_ntlmv2) {
1158	if (!struct_blob.length) {
1159	/* be lazy, match win2k - we can't do NTLMv2 without it */
1160	DEBUG(1, ("Server did not provide 'target information', required for NTLMv2\n"));
1161	return NT_STATUS_INVALID_PARAMETER;
1162	}
1163
1164	/* TODO: if the remote server is standalone, then we should replace 'domain'
1165	with the server name as supplied above */
1166
1167	if (!SMBNTLMv2encrypt_hash(ntlmssp_state,
1168	ntlmssp_state->user,
1169	ntlmssp_state->domain,
1170	ntlmssp_state->nt_hash, &challenge_blob,
1171	&struct_blob,
1172	&lm_response, &nt_response, NULL,
1173	&session_key)) {
1174	data_blob_free(&challenge_blob);
1175	data_blob_free(&struct_blob);
1176	return NT_STATUS_NO_MEMORY;
1177	}
1178	} else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
1179	struct MD5Context md5_session_nonce_ctx;
1180	uchar session_nonce[16];
1181	uchar session_nonce_hash[16];
1182	uchar user_session_key[16];
1183
1184	lm_response = data_blob_talloc(ntlmssp_state, NULL, 24);
1185	generate_random_buffer(lm_response.data, 8);
1186	memset(lm_response.data+8, 0, 16);
1187
1188	memcpy(session_nonce, challenge_blob.data, 8);
1189	memcpy(&session_nonce[8], lm_response.data, 8);
1190
1191	MD5Init(&md5_session_nonce_ctx);
1192	MD5Update(&md5_session_nonce_ctx, challenge_blob.data, 8);
1193	MD5Update(&md5_session_nonce_ctx, lm_response.data, 8);
1194	MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
1195
1196	DEBUG(5, ("NTLMSSP challenge set by NTLM2\n"));
1197	DEBUG(5, ("challenge is: \n"));
1198	dump_data(5, session_nonce_hash, 8);
1199
1200	nt_response = data_blob_talloc(ntlmssp_state, NULL, 24);
1201	SMBNTencrypt_hash(ntlmssp_state->nt_hash,
1202	session_nonce_hash,
1203	nt_response.data);
1204
1205	session_key = data_blob_talloc(ntlmssp_state, NULL, 16);
1206
1207	SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, user_session_key);
1208	hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data);
1209	dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
1210	} else {
1211	/* lanman auth is insecure, it may be disabled */
1212	if (lp_client_lanman_auth()) {
1213	lm_response = data_blob_talloc(ntlmssp_state,
1214	NULL, 24);
1215	SMBencrypt_hash(ntlmssp_state->lm_hash,challenge_blob.data,
1216	lm_response.data);
1217	}
1218
1219	nt_response = data_blob_talloc(ntlmssp_state, NULL, 24);
1220	SMBNTencrypt_hash(ntlmssp_state->nt_hash,challenge_blob.data,
1221	nt_response.data);
1222
1223	session_key = data_blob_talloc(ntlmssp_state, NULL, 16);
1224	if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
1225	&& lp_client_lanman_auth()) {
1226	SMBsesskeygen_lm_sess_key(ntlmssp_state->lm_hash, lm_response.data,
1227	session_key.data);
1228	dump_data_pw("LM session key\n", session_key.data, session_key.length);
1229	} else {
1230	SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, session_key.data);
1231	dump_data_pw("NT session key:\n", session_key.data, session_key.length);
1232	}
1233	}
1234	data_blob_free(&struct_blob);
1235
1236	/* Key exchange encryptes a new client-generated session key with
1237	the password-derived key */
1238	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
1239	/* Make up a new session key */
1240	uint8 client_session_key[16];
1241	generate_random_buffer(client_session_key, sizeof(client_session_key));
1242
1243	/* Encrypt the new session key with the old one */
1244	encrypted_session_key = data_blob(client_session_key, sizeof(client_session_key));
1245	dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
1246	arcfour_crypt_blob(encrypted_session_key.data, encrypted_session_key.length, &session_key);
1247	dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
1248
1249	/* Mark the new session key as the 'real' session key */
1250	data_blob_free(&session_key);
1251	session_key = data_blob_talloc(ntlmssp_state,
1252	client_session_key,
1253	sizeof(client_session_key));
1254	}
1255
1256	/* this generates the actual auth packet */
1257	if (!msrpc_gen(ntlmssp_state, next_request, auth_gen_string,
1258	"NTLMSSP",
1259	NTLMSSP_AUTH,
1260	lm_response.data, lm_response.length,
1261	nt_response.data, nt_response.length,
1262	ntlmssp_state->domain,
1263	ntlmssp_state->user,
1264	ntlmssp_state->get_global_myname(),
1265	encrypted_session_key.data, encrypted_session_key.length,
1266	ntlmssp_state->neg_flags)) {
1267
1268	return NT_STATUS_NO_MEMORY;
1269	}
1270
1271	if (DEBUGLEVEL >= 10) {
1272	if (NT_STATUS_IS_OK(ntlmssp_pull_AUTHENTICATE_MESSAGE(next_request,
1273	ntlmssp_state,
1274	NULL,
1275	&authenticate)))
1276	{
1277	NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE, &authenticate);
1278	}
1279	}
1280
1281	data_blob_free(&encrypted_session_key);
1282
1283	data_blob_free(&ntlmssp_state->chal);
1284
1285	ntlmssp_state->session_key = session_key;
1286
1287	ntlmssp_state->chal = challenge_blob;
1288	ntlmssp_state->lm_resp = lm_response;
1289	ntlmssp_state->nt_resp = nt_response;
1290
1291	done:
1292
1293	ntlmssp_state->expected_state = NTLMSSP_DONE;
1294
1295	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) {
1296	DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status)));
1297	}
1298
1299	return nt_status;
1300	}
1301
1302	NTSTATUS ntlmssp_client_start(NTLMSSP_STATE **ntlmssp_state)
1303	{
1304	*ntlmssp_state = TALLOC_ZERO_P(NULL, NTLMSSP_STATE);
1305	if (!*ntlmssp_state) {
1306	DEBUG(0,("ntlmssp_client_start: talloc failed!\n"));
1307	talloc_destroy(*ntlmssp_state);
1308	return NT_STATUS_NO_MEMORY;
1309	}
1310
1311	(*ntlmssp_state)->role = NTLMSSP_CLIENT;
1312
1313	(*ntlmssp_state)->get_global_myname = global_myname;
1314	(*ntlmssp_state)->get_domain = lp_workgroup;
1315
1316	(*ntlmssp_state)->unicode = True;
1317
1318	(*ntlmssp_state)->use_ntlmv2 = lp_client_ntlmv2_auth();
1319
1320	(*ntlmssp_state)->expected_state = NTLMSSP_INITIAL;
1321
1322	(*ntlmssp_state)->ref_count = 1;
1323
1324	(*ntlmssp_state)->neg_flags =
1325	NTLMSSP_NEGOTIATE_128 \|
1326	NTLMSSP_NEGOTIATE_ALWAYS_SIGN \|
1327	NTLMSSP_NEGOTIATE_NTLM \|
1328	NTLMSSP_NEGOTIATE_NTLM2 \|
1329	NTLMSSP_NEGOTIATE_KEY_EXCH \|
1330	NTLMSSP_REQUEST_TARGET;
1331
1332	return NT_STATUS_OK;
1333	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: