Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

ntlmssp_server.c

Visit:

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago
Samba Server: updated trunk to 3.6.0
File size: 11.8 KB

Line
1	/*
2	Unix SMB/Netbios implementation.
3	Version 3.0
4	handle NLTMSSP, client server side parsing
5
6	Copyright (C) Andrew Tridgell 2001
7	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
8	Copyright (C) Stefan Metzmacher 2005
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22	*/
23
24	#include "includes.h"
25	#include "system/network.h"
26	#include "lib/tsocket/tsocket.h"
27	#include "auth/ntlmssp/ntlmssp.h"
28	#include "../librpc/gen_ndr/ndr_ntlmssp.h"
29	#include "../libcli/auth/ntlmssp_ndr.h"
30	#include "../libcli/auth/ntlmssp_private.h"
31	#include "../libcli/auth/libcli_auth.h"
32	#include "../lib/crypto/crypto.h"
33	#include "auth/gensec/gensec.h"
34	#include "auth/gensec/gensec_proto.h"
35	#include "auth/auth.h"
36	#include "param/param.h"
37
38	/**
39	* Next state function for the Negotiate packet (GENSEC wrapper)
40	*
41	* @param gensec_security GENSEC state
42	* @param out_mem_ctx Memory context for *out
43	* @param in The request, as a DATA_BLOB. reply.data must be NULL
44	* @param out The reply, as an allocated DATA_BLOB, caller to free.
45	* @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
46	*/
47
48	NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security,
49	TALLOC_CTX *out_mem_ctx,
50	const DATA_BLOB request, DATA_BLOB *reply)
51	{
52	struct gensec_ntlmssp_context *gensec_ntlmssp =
53	talloc_get_type_abort(gensec_security->private_data,
54	struct gensec_ntlmssp_context);
55	struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
56	return ntlmssp_server_negotiate(ntlmssp_state, out_mem_ctx, request, reply);
57	}
58
59	/**
60	* Next state function for the Authenticate packet (GENSEC wrapper)
61	*
62	* @param gensec_security GENSEC state
63	* @param out_mem_ctx Memory context for *out
64	* @param in The request, as a DATA_BLOB. reply.data must be NULL
65	* @param out The reply, as an allocated DATA_BLOB, caller to free.
66	* @return Errors or NT_STATUS_OK if authentication sucessful
67	*/
68
69	NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security,
70	TALLOC_CTX *out_mem_ctx,
71	const DATA_BLOB in, DATA_BLOB *out)
72	{
73	struct gensec_ntlmssp_context *gensec_ntlmssp =
74	talloc_get_type_abort(gensec_security->private_data,
75	struct gensec_ntlmssp_context);
76	struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
77	return ntlmssp_server_auth(ntlmssp_state, out_mem_ctx, in, out);
78	}
79
80	/**
81	* Return the challenge as determined by the authentication subsystem
82	* @return an 8 byte random challenge
83	*/
84
85	static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
86	uint8_t chal[8])
87	{
88	struct gensec_ntlmssp_context *gensec_ntlmssp =
89	talloc_get_type_abort(ntlmssp_state->callback_private,
90	struct gensec_ntlmssp_context);
91	struct auth_context *auth_context = gensec_ntlmssp->auth_context;
92	NTSTATUS status;
93
94	status = auth_context->get_challenge(auth_context, chal);
95	if (!NT_STATUS_IS_OK(status)) {
96	DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
97	nt_errstr(status)));
98	return status;
99	}
100
101	return NT_STATUS_OK;
102	}
103
104	/**
105	* Some authentication methods 'fix' the challenge, so we may not be able to set it
106	*
107	* @return If the effective challenge used by the auth subsystem may be modified
108	*/
109	static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
110	{
111	struct gensec_ntlmssp_context *gensec_ntlmssp =
112	talloc_get_type_abort(ntlmssp_state->callback_private,
113	struct gensec_ntlmssp_context);
114	struct auth_context *auth_context = gensec_ntlmssp->auth_context;
115
116	return auth_context->challenge_may_be_modified(auth_context);
117	}
118
119	/**
120	* NTLM2 authentication modifies the effective challenge,
121	* @param challenge The new challenge value
122	*/
123	static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state ntlmssp_state, DATA_BLOB challenge)
124	{
125	struct gensec_ntlmssp_context *gensec_ntlmssp =
126	talloc_get_type_abort(ntlmssp_state->callback_private,
127	struct gensec_ntlmssp_context);
128	struct auth_context *auth_context = gensec_ntlmssp->auth_context;
129	NTSTATUS nt_status;
130	const uint8_t *chal;
131
132	if (challenge->length != 8) {
133	return NT_STATUS_INVALID_PARAMETER;
134	}
135
136	chal = challenge->data;
137
138	nt_status = auth_context->set_challenge(auth_context,
139	chal,
140	"NTLMSSP callback (NTLM2)");
141
142	return nt_status;
143	}
144
145	/**
146	* Check the password on an NTLMSSP login.
147	*
148	* Return the session keys used on the connection.
149	*/
150
151	static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
152	TALLOC_CTX *mem_ctx,
153	DATA_BLOB user_session_key, DATA_BLOB lm_session_key)
154	{
155	struct gensec_ntlmssp_context *gensec_ntlmssp =
156	talloc_get_type_abort(ntlmssp_state->callback_private,
157	struct gensec_ntlmssp_context);
158	struct auth_context *auth_context = gensec_ntlmssp->auth_context;
159	NTSTATUS nt_status;
160	struct auth_usersupplied_info *user_info;
161
162	user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
163	if (!user_info) {
164	return NT_STATUS_NO_MEMORY;
165	}
166
167	user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT \| MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
168	user_info->flags = 0;
169	user_info->mapped_state = false;
170	user_info->client.account_name = ntlmssp_state->user;
171	user_info->client.domain_name = ntlmssp_state->domain;
172	user_info->workstation_name = ntlmssp_state->client.netbios_name;
173	user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security);
174
175	user_info->password_state = AUTH_PASSWORD_RESPONSE;
176	user_info->password.response.lanman = ntlmssp_state->lm_resp;
177	user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data);
178	user_info->password.response.nt = ntlmssp_state->nt_resp;
179	user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
180
181	nt_status = auth_context->check_password(auth_context,
182	gensec_ntlmssp,
183	user_info,
184	&gensec_ntlmssp->user_info_dc);
185	talloc_free(user_info);
186	NT_STATUS_NOT_OK_RETURN(nt_status);
187
188	if (gensec_ntlmssp->user_info_dc->user_session_key.length) {
189	DEBUG(10, ("Got NT session key of length %u\n",
190	(unsigned)gensec_ntlmssp->user_info_dc->user_session_key.length));
191	*user_session_key = gensec_ntlmssp->user_info_dc->user_session_key;
192	talloc_steal(mem_ctx, user_session_key->data);
193	gensec_ntlmssp->user_info_dc->user_session_key = data_blob_null;
194	}
195	if (gensec_ntlmssp->user_info_dc->lm_session_key.length) {
196	DEBUG(10, ("Got LM session key of length %u\n",
197	(unsigned)gensec_ntlmssp->user_info_dc->lm_session_key.length));
198	*lm_session_key = gensec_ntlmssp->user_info_dc->lm_session_key;
199	talloc_steal(mem_ctx, lm_session_key->data);
200	gensec_ntlmssp->user_info_dc->lm_session_key = data_blob_null;
201	}
202	return nt_status;
203	}
204
205	/**
206	* Return the credentials of a logged on user, including session keys
207	* etc.
208	*
209	* Only valid after a successful authentication
210	*
211	* May only be called once per authentication.
212	*
213	*/
214
215	NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
216	struct auth_session_info **session_info)
217	{
218	NTSTATUS nt_status;
219	struct gensec_ntlmssp_context *gensec_ntlmssp =
220	talloc_get_type_abort(gensec_security->private_data,
221	struct gensec_ntlmssp_context);
222	struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
223
224	nt_status = gensec_generate_session_info(ntlmssp_state,
225	gensec_security,
226	gensec_ntlmssp->user_info_dc,
227	session_info);
228	NT_STATUS_NOT_OK_RETURN(nt_status);
229
230	(session_info)->session_key = data_blob_talloc(session_info,
231	ntlmssp_state->session_key.data,
232	ntlmssp_state->session_key.length);
233
234	return NT_STATUS_OK;
235	}
236
237	/**
238	* Start NTLMSSP on the server side
239	*
240	*/
241	NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
242	{
243	NTSTATUS nt_status;
244	struct ntlmssp_state *ntlmssp_state;
245	struct gensec_ntlmssp_context *gensec_ntlmssp;
246
247	nt_status = gensec_ntlmssp_start(gensec_security);
248	NT_STATUS_NOT_OK_RETURN(nt_status);
249
250	gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
251	struct gensec_ntlmssp_context);
252	ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
253
254	ntlmssp_state->role = NTLMSSP_SERVER;
255
256	ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
257
258	ntlmssp_state->allow_lm_key = (lpcfg_lanman_auth(gensec_security->settings->lp_ctx)
259	&& gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "allow_lm_key", false));
260
261	ntlmssp_state->neg_flags =
262	NTLMSSP_NEGOTIATE_NTLM \| NTLMSSP_NEGOTIATE_VERSION;
263
264	ntlmssp_state->lm_resp = data_blob(NULL, 0);
265	ntlmssp_state->nt_resp = data_blob(NULL, 0);
266
267	if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) {
268	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_128;
269	}
270
271	if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) {
272	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_56;
273	}
274
275	if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) {
276	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_KEY_EXCH;
277	}
278
279	if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) {
280	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
281	}
282
283	if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) {
284	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_NTLM2;
285	}
286
287	if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
288	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
289	}
290	if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
291	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SEAL;
292	}
293
294	gensec_ntlmssp->auth_context = gensec_security->auth_context;
295
296	ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
297	ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
298	ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
299	ntlmssp_state->check_password = auth_ntlmssp_check_password;
300	if (lpcfg_server_role(gensec_security->settings->lp_ctx) == ROLE_STANDALONE) {
301	ntlmssp_state->server.is_standalone = true;
302	} else {
303	ntlmssp_state->server.is_standalone = false;
304	}
305
306	ntlmssp_state->server.netbios_name = lpcfg_netbios_name(gensec_security->settings->lp_ctx);
307
308	ntlmssp_state->server.netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx);
309
310	{
311	char dnsdomname[MAXHOSTNAMELEN], dnsname[MAXHOSTNAMELEN];
312
313	/* Find out the DNS domain name */
314	dnsdomname[0] = '\0';
315	safe_strcpy(dnsdomname, lpcfg_dnsdomain(gensec_security->settings->lp_ctx), sizeof(dnsdomname) - 1);
316
317	/* Find out the DNS host name */
318	safe_strcpy(dnsname, ntlmssp_state->server.netbios_name, sizeof(dnsname) - 1);
319	if (dnsdomname[0] != '\0') {
320	safe_strcat(dnsname, ".", sizeof(dnsname) - 1);
321	safe_strcat(dnsname, dnsdomname, sizeof(dnsname) - 1);
322	}
323	strlower_m(dnsname);
324
325	ntlmssp_state->server.dns_name = talloc_strdup(ntlmssp_state,
326	dnsname);
327	NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_name);
328
329	ntlmssp_state->server.dns_domain = talloc_strdup(ntlmssp_state,
330	dnsdomname);
331	NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_domain);
332	}
333
334	return NT_STATUS_OK;
335	}
336

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/server/source4/auth/ntlmssp/ntlmssp_server.c

Download in other formats: