Context Navigation

source: trunk/server/libcli/auth/credentials.c@ 707

Visit:

Last change on this file since 707 was 590, checked in by Herwig Bauernfeind, 14 years ago
Samba 3.5: Update trunk to 3.5.6
File size: 15.2 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	code to manipulate domain credentials
5
6	Copyright (C) Andrew Tridgell 1997-2003
7	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 3 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19	You should have received a copy of the GNU General Public License
20	along with this program. If not, see <http://www.gnu.org/licenses/>.
21	*/
22
23	#include "includes.h"
24	#include "system/time.h"
25	#include "../lib/crypto/crypto.h"
26	#include "libcli/auth/libcli_auth.h"
27	#include "../libcli/security/dom_sid.h"
28
29	static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds,
30	const struct netr_Credential *in,
31	struct netr_Credential *out)
32	{
33	des_crypt112(out->data, in->data, creds->session_key, 1);
34	}
35
36	/*
37	initialise the credentials state for old-style 64 bit session keys
38
39	this call is made after the netr_ServerReqChallenge call
40	*/
41	static void netlogon_creds_init_64bit(struct netlogon_creds_CredentialState *creds,
42	const struct netr_Credential *client_challenge,
43	const struct netr_Credential *server_challenge,
44	const struct samr_Password *machine_password)
45	{
46	uint32_t sum[2];
47	uint8_t sum2[8];
48
49	sum[0] = IVAL(client_challenge->data, 0) + IVAL(server_challenge->data, 0);
50	sum[1] = IVAL(client_challenge->data, 4) + IVAL(server_challenge->data, 4);
51
52	SIVAL(sum2,0,sum[0]);
53	SIVAL(sum2,4,sum[1]);
54
55	ZERO_STRUCT(creds->session_key);
56
57	des_crypt128(creds->session_key, sum2, machine_password->hash);
58	}
59
60	/*
61	initialise the credentials state for ADS-style 128 bit session keys
62
63	this call is made after the netr_ServerReqChallenge call
64	*/
65	static void netlogon_creds_init_128bit(struct netlogon_creds_CredentialState *creds,
66	const struct netr_Credential *client_challenge,
67	const struct netr_Credential *server_challenge,
68	const struct samr_Password *machine_password)
69	{
70	unsigned char zero[4], tmp[16];
71	HMACMD5Context ctx;
72	struct MD5Context md5;
73
74	ZERO_STRUCT(creds->session_key);
75
76	memset(zero, 0, sizeof(zero));
77
78	hmac_md5_init_rfc2104(machine_password->hash, sizeof(machine_password->hash), &ctx);
79	MD5Init(&md5);
80	MD5Update(&md5, zero, sizeof(zero));
81	MD5Update(&md5, client_challenge->data, 8);
82	MD5Update(&md5, server_challenge->data, 8);
83	MD5Final(tmp, &md5);
84	hmac_md5_update(tmp, sizeof(tmp), &ctx);
85	hmac_md5_final(creds->session_key, &ctx);
86	}
87
88	static void netlogon_creds_first_step(struct netlogon_creds_CredentialState *creds,
89	const struct netr_Credential *client_challenge,
90	const struct netr_Credential *server_challenge)
91	{
92	netlogon_creds_step_crypt(creds, client_challenge, &creds->client);
93
94	netlogon_creds_step_crypt(creds, server_challenge, &creds->server);
95
96	creds->seed = creds->client;
97	}
98
99	/*
100	step the credentials to the next element in the chain, updating the
101	current client and server credentials and the seed
102	*/
103	static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds)
104	{
105	struct netr_Credential time_cred;
106
107	DEBUG(5,("\tseed %08x:%08x\n",
108	IVAL(creds->seed.data, 0), IVAL(creds->seed.data, 4)));
109
110	SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence);
111	SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4));
112
113	DEBUG(5,("\tseed+time %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
114
115	netlogon_creds_step_crypt(creds, &time_cred, &creds->client);
116
117	DEBUG(5,("\tCLIENT %08x:%08x\n",
118	IVAL(creds->client.data, 0), IVAL(creds->client.data, 4)));
119
120	SIVAL(time_cred.data, 0, IVAL(creds->seed.data, 0) + creds->sequence + 1);
121	SIVAL(time_cred.data, 4, IVAL(creds->seed.data, 4));
122
123	DEBUG(5,("\tseed+time+1 %08x:%08x\n",
124	IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
125
126	netlogon_creds_step_crypt(creds, &time_cred, &creds->server);
127
128	DEBUG(5,("\tSERVER %08x:%08x\n",
129	IVAL(creds->server.data, 0), IVAL(creds->server.data, 4)));
130
131	creds->seed = time_cred;
132	}
133
134
135	/*
136	DES encrypt a 8 byte LMSessionKey buffer using the Netlogon session key
137	*/
138	void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState creds, struct netr_LMSessionKey key)
139	{
140	struct netr_LMSessionKey tmp;
141	des_crypt56(tmp.key, key->key, creds->session_key, 1);
142	*key = tmp;
143	}
144
145	/*
146	DES decrypt a 8 byte LMSessionKey buffer using the Netlogon session key
147	*/
148	void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState creds, struct netr_LMSessionKey key)
149	{
150	struct netr_LMSessionKey tmp;
151	des_crypt56(tmp.key, key->key, creds->session_key, 0);
152	*key = tmp;
153	}
154
155	/*
156	DES encrypt a 16 byte password buffer using the session key
157	*/
158	void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState creds, struct samr_Password pass)
159	{
160	struct samr_Password tmp;
161	des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 1);
162	*pass = tmp;
163	}
164
165	/*
166	DES decrypt a 16 byte password buffer using the session key
167	*/
168	void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState creds, struct samr_Password pass)
169	{
170	struct samr_Password tmp;
171	des_crypt112_16(tmp.hash, pass->hash, creds->session_key, 0);
172	*pass = tmp;
173	}
174
175	/*
176	ARCFOUR encrypt/decrypt a password buffer using the session key
177	*/
178	void netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState creds, uint8_t data, size_t len)
179	{
180	DATA_BLOB session_key = data_blob(creds->session_key, 16);
181
182	arcfour_crypt_blob(data, len, &session_key);
183
184	data_blob_free(&session_key);
185	}
186
187	/*****************************************************************
188	The above functions are common to the client and server interface
189	next comes the client specific functions
190	******************************************************************/
191
192	/*
193	initialise the credentials chain and return the first client
194	credentials
195	*/
196
197	struct netlogon_creds_CredentialState netlogon_creds_client_init(TALLOC_CTX mem_ctx,
198	const char *client_account,
199	const char *client_computer_name,
200	const struct netr_Credential *client_challenge,
201	const struct netr_Credential *server_challenge,
202	const struct samr_Password *machine_password,
203	struct netr_Credential *initial_credential,
204	uint32_t negotiate_flags)
205	{
206	struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
207
208	if (!creds) {
209	return NULL;
210	}
211
212	creds->sequence = time(NULL);
213	creds->negotiate_flags = negotiate_flags;
214
215	creds->computer_name = talloc_strdup(creds, client_computer_name);
216	if (!creds->computer_name) {
217	talloc_free(creds);
218	return NULL;
219	}
220	creds->account_name = talloc_strdup(creds, client_account);
221	if (!creds->account_name) {
222	talloc_free(creds);
223	return NULL;
224	}
225
226	dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data));
227	dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
228	dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash));
229
230	if (negotiate_flags & NETLOGON_NEG_128BIT) {
231	netlogon_creds_init_128bit(creds, client_challenge, server_challenge, machine_password);
232	} else {
233	netlogon_creds_init_64bit(creds, client_challenge, server_challenge, machine_password);
234	}
235
236	netlogon_creds_first_step(creds, client_challenge, server_challenge);
237
238	dump_data_pw("Session key", creds->session_key, 16);
239	dump_data_pw("Credential ", creds->client.data, 8);
240
241	*initial_credential = creds->client;
242	return creds;
243	}
244
245	/*
246	initialise the credentials structure with only a session key. The caller better know what they are doing!
247	*/
248
249	struct netlogon_creds_CredentialState netlogon_creds_client_init_session_key(TALLOC_CTX mem_ctx,
250	const uint8_t session_key[16])
251	{
252	struct netlogon_creds_CredentialState *creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
253
254	if (!creds) {
255	return NULL;
256	}
257
258	memcpy(creds->session_key, session_key, 16);
259
260	return creds;
261	}
262
263	/*
264	step the credentials to the next element in the chain, updating the
265	current client and server credentials and the seed
266
267	produce the next authenticator in the sequence ready to send to
268	the server
269	*/
270	void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
271	struct netr_Authenticator *next)
272	{
273	creds->sequence += 2;
274	netlogon_creds_step(creds);
275
276	next->cred = creds->client;
277	next->timestamp = creds->sequence;
278	}
279
280	/*
281	check that a credentials reply from a server is correct
282	*/
283	bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
284	const struct netr_Credential *received_credentials)
285	{
286	if (!received_credentials \|\|
287	memcmp(received_credentials->data, creds->server.data, 8) != 0) {
288	DEBUG(2,("credentials check failed\n"));
289	return false;
290	}
291	return true;
292	}
293
294
295	/*****************************************************************
296	The above functions are common to the client and server interface
297	next comes the server specific functions
298	******************************************************************/
299
300	/*
301	check that a credentials reply from a server is correct
302	*/
303	static bool netlogon_creds_server_check_internal(const struct netlogon_creds_CredentialState *creds,
304	const struct netr_Credential *received_credentials)
305	{
306	if (memcmp(received_credentials->data, creds->client.data, 8) != 0) {
307	DEBUG(2,("credentials check failed\n"));
308	dump_data_pw("client creds", creds->client.data, 8);
309	dump_data_pw("calc creds", received_credentials->data, 8);
310	return false;
311	}
312	return true;
313	}
314
315	/*
316	initialise the credentials chain and return the first server
317	credentials
318	*/
319	struct netlogon_creds_CredentialState netlogon_creds_server_init(TALLOC_CTX mem_ctx,
320	const char *client_account,
321	const char *client_computer_name,
322	uint16_t secure_channel_type,
323	const struct netr_Credential *client_challenge,
324	const struct netr_Credential *server_challenge,
325	const struct samr_Password *machine_password,
326	struct netr_Credential *credentials_in,
327	struct netr_Credential *credentials_out,
328	uint32_t negotiate_flags)
329	{
330
331	struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
332
333	if (!creds) {
334	return NULL;
335	}
336
337	creds->negotiate_flags = negotiate_flags;
338	creds->secure_channel_type = secure_channel_type;
339
340	creds->computer_name = talloc_strdup(creds, client_computer_name);
341	if (!creds->computer_name) {
342	talloc_free(creds);
343	return NULL;
344	}
345	creds->account_name = talloc_strdup(creds, client_account);
346	if (!creds->account_name) {
347	talloc_free(creds);
348	return NULL;
349	}
350
351	if (negotiate_flags & NETLOGON_NEG_128BIT) {
352	netlogon_creds_init_128bit(creds, client_challenge, server_challenge,
353	machine_password);
354	} else {
355	netlogon_creds_init_64bit(creds, client_challenge, server_challenge,
356	machine_password);
357	}
358
359	netlogon_creds_first_step(creds, client_challenge, server_challenge);
360
361	/* And before we leak information about the machine account
362	* password, check that they got the first go right */
363	if (!netlogon_creds_server_check_internal(creds, credentials_in)) {
364	talloc_free(creds);
365	return NULL;
366	}
367
368	*credentials_out = creds->server;
369
370	return creds;
371	}
372
373	NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
374	struct netr_Authenticator *received_authenticator,
375	struct netr_Authenticator *return_authenticator)
376	{
377	if (!received_authenticator \|\| !return_authenticator) {
378	return NT_STATUS_INVALID_PARAMETER;
379	}
380
381	if (!creds) {
382	return NT_STATUS_ACCESS_DENIED;
383	}
384
385	/* TODO: this may allow the a replay attack on a non-signed
386	connection. Should we check that this is increasing? */
387	creds->sequence = received_authenticator->timestamp;
388	netlogon_creds_step(creds);
389	if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
390	return_authenticator->cred = creds->server;
391	return_authenticator->timestamp = creds->sequence;
392	return NT_STATUS_OK;
393	} else {
394	ZERO_STRUCTP(return_authenticator);
395	return NT_STATUS_ACCESS_DENIED;
396	}
397	}
398
399	void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *creds,
400	uint16_t validation_level,
401	union netr_Validation *validation)
402	{
403	static const char zeros[16];
404
405	struct netr_SamBaseInfo *base = NULL;
406	switch (validation_level) {
407	case 2:
408	if (validation->sam2) {
409	base = &validation->sam2->base;
410	}
411	break;
412	case 3:
413	if (validation->sam3) {
414	base = &validation->sam3->base;
415	}
416	break;
417	case 6:
418	if (validation->sam6) {
419	base = &validation->sam6->base;
420	}
421	break;
422	default:
423	/* If we can't find it, we can't very well decrypt it */
424	return;
425	}
426
427	if (!base) {
428	return;
429	}
430
431	/* find and decyrpt the session keys, return in parameters above */
432	if (validation_level == 6) {
433	/* they aren't encrypted! */
434	} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
435	if (memcmp(base->key.key, zeros,
436	sizeof(base->key.key)) != 0) {
437	netlogon_creds_arcfour_crypt(creds,
438	base->key.key,
439	sizeof(base->key.key));
440	}
441
442	if (memcmp(base->LMSessKey.key, zeros,
443	sizeof(base->LMSessKey.key)) != 0) {
444	netlogon_creds_arcfour_crypt(creds,
445	base->LMSessKey.key,
446	sizeof(base->LMSessKey.key));
447	}
448	} else {
449	if (memcmp(base->LMSessKey.key, zeros,
450	sizeof(base->LMSessKey.key)) != 0) {
451	netlogon_creds_des_decrypt_LMKey(creds,
452	&base->LMSessKey);
453	}
454	}
455	}
456
457	/*
458	copy a netlogon_creds_CredentialState struct
459	*/
460
461	struct netlogon_creds_CredentialState netlogon_creds_copy(TALLOC_CTX mem_ctx,
462	struct netlogon_creds_CredentialState *creds_in)
463	{
464	struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
465
466	if (!creds) {
467	return NULL;
468	}
469
470	creds->sequence = creds_in->sequence;
471	creds->negotiate_flags = creds_in->negotiate_flags;
472	creds->secure_channel_type = creds_in->secure_channel_type;
473
474	creds->computer_name = talloc_strdup(creds, creds_in->computer_name);
475	if (!creds->computer_name) {
476	talloc_free(creds);
477	return NULL;
478	}
479	creds->account_name = talloc_strdup(creds, creds_in->account_name);
480	if (!creds->account_name) {
481	talloc_free(creds);
482	return NULL;
483	}
484
485	if (creds_in->sid) {
486	creds->sid = dom_sid_dup(creds, creds_in->sid);
487	if (!creds->sid) {
488	talloc_free(creds);
489	return NULL;
490	}
491	}
492
493	memcpy(creds->session_key, creds_in->session_key, sizeof(creds->session_key));
494	memcpy(creds->seed.data, creds_in->seed.data, sizeof(creds->seed.data));
495	memcpy(creds->client.data, creds_in->client.data, sizeof(creds->client.data));
496	memcpy(creds->server.data, creds_in->server.data, sizeof(creds->server.data));
497
498	return creds;
499	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: