Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: vendor/3.6.0/libcli/auth/ntlmssp_server.c

Visit:

Last change on this file was 740, checked in by Silvan Scherrer, 13 years ago
Samba Server: update vendor to 3.6.0
File size: 18.6 KB

Line
1	/*
2	Unix SMB/Netbios implementation.
3	Version 3.0
4	handle NTLMSSP, server side
5
6	Copyright (C) Andrew Tridgell 2001
7	Copyright (C) Andrew Bartlett 2001-2010
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 3 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19	You should have received a copy of the GNU General Public License
20	along with this program. If not, see <http://www.gnu.org/licenses/>.
21	*/
22
23	#include "includes.h"
24	#include "../libcli/auth/ntlmssp.h"
25	#include "../libcli/auth/ntlmssp_private.h"
26	#include "../librpc/gen_ndr/ndr_ntlmssp.h"
27	#include "../libcli/auth/ntlmssp_ndr.h"
28	#include "../libcli/auth/libcli_auth.h"
29	#include "../lib/crypto/crypto.h"
30
31	/**
32	* Determine correct target name flags for reply, given server role
33	* and negotiated flags
34	*
35	* @param ntlmssp_state NTLMSSP State
36	* @param neg_flags The flags from the packet
37	* @param chal_flags The flags to be set in the reply packet
38	* @return The 'target name' string.
39	*/
40
41	const char ntlmssp_target_name(struct ntlmssp_state ntlmssp_state,
42	uint32_t neg_flags, uint32_t *chal_flags)
43	{
44	if (neg_flags & NTLMSSP_REQUEST_TARGET) {
45	*chal_flags \|= NTLMSSP_NEGOTIATE_TARGET_INFO;
46	*chal_flags \|= NTLMSSP_REQUEST_TARGET;
47	if (ntlmssp_state->server.is_standalone) {
48	*chal_flags \|= NTLMSSP_TARGET_TYPE_SERVER;
49	return ntlmssp_state->server.netbios_name;
50	} else {
51	*chal_flags \|= NTLMSSP_TARGET_TYPE_DOMAIN;
52	return ntlmssp_state->server.netbios_domain;
53	};
54	} else {
55	return "";
56	}
57	}
58
59	/**
60	* Next state function for the Negotiate packet
61	*
62	* @param ntlmssp_state NTLMSSP state
63	* @param out_mem_ctx Memory context for *out
64	* @param in The request, as a DATA_BLOB. reply.data must be NULL
65	* @param out The reply, as an allocated DATA_BLOB, caller to free.
66	* @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
67	*/
68
69	NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
70	TALLOC_CTX *out_mem_ctx,
71	const DATA_BLOB request, DATA_BLOB *reply)
72	{
73	DATA_BLOB struct_blob;
74	uint32_t neg_flags = 0;
75	uint32_t ntlmssp_command, chal_flags;
76	uint8_t cryptkey[8];
77	const char *target_name;
78	NTSTATUS status;
79
80	/* parse the NTLMSSP packet */
81	#if 0
82	file_save("ntlmssp_negotiate.dat", request.data, request.length);
83	#endif
84
85	if (request.length) {
86	if ((request.length < 16) \|\| !msrpc_parse(ntlmssp_state, &request, "Cdd",
87	"NTLMSSP",
88	&ntlmssp_command,
89	&neg_flags)) {
90	DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP Negotiate of length %u\n",
91	(unsigned int)request.length));
92	dump_data(2, request.data, request.length);
93	return NT_STATUS_INVALID_PARAMETER;
94	}
95	debug_ntlmssp_flags(neg_flags);
96
97	if (DEBUGLEVEL >= 10) {
98	struct NEGOTIATE_MESSAGE *negotiate = talloc(
99	ntlmssp_state, struct NEGOTIATE_MESSAGE);
100	if (negotiate != NULL) {
101	status = ntlmssp_pull_NEGOTIATE_MESSAGE(
102	&request, negotiate, negotiate);
103	if (NT_STATUS_IS_OK(status)) {
104	NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
105	negotiate);
106	}
107	TALLOC_FREE(negotiate);
108	}
109	}
110	}
111
112	ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, ntlmssp_state->allow_lm_key);
113
114	/* Ask our caller what challenge they would like in the packet */
115	status = ntlmssp_state->get_challenge(ntlmssp_state, cryptkey);
116	if (!NT_STATUS_IS_OK(status)) {
117	DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a challenge: %s\n",
118	nt_errstr(status)));
119	return status;
120	}
121
122	/* Check if we may set the challenge */
123	if (!ntlmssp_state->may_set_challenge(ntlmssp_state)) {
124	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
125	}
126
127	/* The flags we send back are not just the negotiated flags,
128	* they are also 'what is in this packet'. Therfore, we
129	* operate on 'chal_flags' from here on
130	*/
131
132	chal_flags = ntlmssp_state->neg_flags;
133
134	/* get the right name to fill in as 'target' */
135	target_name = ntlmssp_target_name(ntlmssp_state,
136	neg_flags, &chal_flags);
137	if (target_name == NULL)
138	return NT_STATUS_INVALID_PARAMETER;
139
140	ntlmssp_state->chal = data_blob_talloc(ntlmssp_state, cryptkey, 8);
141	ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state,
142	cryptkey, 8);
143
144	/* This creates the 'blob' of names that appears at the end of the packet */
145	if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO)
146	{
147	status = msrpc_gen(ntlmssp_state, &struct_blob, "aaaaa",
148	MsvAvNbDomainName, target_name,
149	MsvAvNbComputerName, ntlmssp_state->server.netbios_name,
150	MsvAvDnsDomainName, ntlmssp_state->server.dns_domain,
151	MsvAvDnsComputerName, ntlmssp_state->server.dns_name,
152	MsvAvEOL, "");
153	if (!NT_STATUS_IS_OK(status)) {
154	return status;
155	}
156	} else {
157	struct_blob = data_blob_null;
158	}
159
160	{
161	/* Marshal the packet in the right format, be it unicode or ASCII */
162	const char *gen_string;
163	DATA_BLOB version_blob = data_blob_null;
164
165	if (chal_flags & NTLMSSP_NEGOTIATE_VERSION) {
166	enum ndr_err_code err;
167	struct ntlmssp_VERSION vers;
168
169	/* "What Windows returns" as a version number. */
170	ZERO_STRUCT(vers);
171	vers.ProductMajorVersion = NTLMSSP_WINDOWS_MAJOR_VERSION_6;
172	vers.ProductMinorVersion = NTLMSSP_WINDOWS_MINOR_VERSION_1;
173	vers.ProductBuild = 0;
174	vers.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
175
176	err = ndr_push_struct_blob(&version_blob,
177	ntlmssp_state,
178	&vers,
179	(ndr_push_flags_fn_t)ndr_push_ntlmssp_VERSION);
180
181	if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
182	data_blob_free(&struct_blob);
183	return NT_STATUS_NO_MEMORY;
184	}
185	}
186
187	if (ntlmssp_state->unicode) {
188	gen_string = "CdUdbddBb";
189	} else {
190	gen_string = "CdAdbddBb";
191	}
192
193	status = msrpc_gen(out_mem_ctx, reply, gen_string,
194	"NTLMSSP",
195	NTLMSSP_CHALLENGE,
196	target_name,
197	chal_flags,
198	cryptkey, 8,
199	0, 0,
200	struct_blob.data, struct_blob.length,
201	version_blob.data, version_blob.length);
202
203	if (!NT_STATUS_IS_OK(status)) {
204	data_blob_free(&version_blob);
205	data_blob_free(&struct_blob);
206	return status;
207	}
208
209	data_blob_free(&version_blob);
210
211	if (DEBUGLEVEL >= 10) {
212	struct CHALLENGE_MESSAGE *challenge = talloc(
213	ntlmssp_state, struct CHALLENGE_MESSAGE);
214	if (challenge != NULL) {
215	challenge->NegotiateFlags = chal_flags;
216	status = ntlmssp_pull_CHALLENGE_MESSAGE(
217	reply, challenge, challenge);
218	if (NT_STATUS_IS_OK(status)) {
219	NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
220	challenge);
221	}
222	TALLOC_FREE(challenge);
223	}
224	}
225	}
226
227	data_blob_free(&struct_blob);
228
229	ntlmssp_state->expected_state = NTLMSSP_AUTH;
230
231	return NT_STATUS_MORE_PROCESSING_REQUIRED;
232	}
233
234	struct ntlmssp_server_auth_state {
235	DATA_BLOB user_session_key;
236	DATA_BLOB lm_session_key;
237	/* internal variables used by KEY_EXCH (client-supplied user session key */
238	DATA_BLOB encrypted_session_key;
239	bool doing_ntlm2;
240	/* internal variables used by NTLM2 */
241	uint8_t session_nonce[16];
242	};
243
244	/**
245	* Next state function for the Authenticate packet
246	*
247	* @param ntlmssp_state NTLMSSP State
248	* @param request The request, as a DATA_BLOB
249	* @return Errors or NT_STATUS_OK.
250	*/
251
252	static NTSTATUS ntlmssp_server_preauth(struct ntlmssp_state *ntlmssp_state,
253	struct ntlmssp_server_auth_state *state,
254	const DATA_BLOB request)
255	{
256	uint32_t ntlmssp_command, auth_flags;
257	NTSTATUS nt_status;
258
259	uint8_t session_nonce_hash[16];
260
261	const char *parse_string;
262
263	#if 0
264	file_save("ntlmssp_auth.dat", request.data, request.length);
265	#endif
266
267	if (ntlmssp_state->unicode) {
268	parse_string = "CdBBUUUBd";
269	} else {
270	parse_string = "CdBBAAABd";
271	}
272
273	/* zero these out */
274	data_blob_free(&ntlmssp_state->session_key);
275	data_blob_free(&ntlmssp_state->lm_resp);
276	data_blob_free(&ntlmssp_state->nt_resp);
277
278	ntlmssp_state->user = NULL;
279	ntlmssp_state->domain = NULL;
280	ntlmssp_state->client.netbios_name = NULL;
281
282	/* now the NTLMSSP encoded auth hashes */
283	if (!msrpc_parse(ntlmssp_state, &request, parse_string,
284	"NTLMSSP",
285	&ntlmssp_command,
286	&ntlmssp_state->lm_resp,
287	&ntlmssp_state->nt_resp,
288	&ntlmssp_state->domain,
289	&ntlmssp_state->user,
290	&ntlmssp_state->client.netbios_name,
291	&state->encrypted_session_key,
292	&auth_flags)) {
293	DEBUG(10, ("ntlmssp_server_auth: failed to parse NTLMSSP (nonfatal):\n"));
294	dump_data(10, request.data, request.length);
295
296	/* zero this out */
297	data_blob_free(&state->encrypted_session_key);
298	auth_flags = 0;
299
300	/* Try again with a shorter string (Win9X truncates this packet) */
301	if (ntlmssp_state->unicode) {
302	parse_string = "CdBBUUU";
303	} else {
304	parse_string = "CdBBAAA";
305	}
306
307	/* now the NTLMSSP encoded auth hashes */
308	if (!msrpc_parse(ntlmssp_state, &request, parse_string,
309	"NTLMSSP",
310	&ntlmssp_command,
311	&ntlmssp_state->lm_resp,
312	&ntlmssp_state->nt_resp,
313	&ntlmssp_state->domain,
314	&ntlmssp_state->user,
315	&ntlmssp_state->client.netbios_name)) {
316	DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP (tried both formats):\n"));
317	dump_data(2, request.data, request.length);
318
319	return NT_STATUS_INVALID_PARAMETER;
320	}
321	}
322
323	talloc_steal(state, state->encrypted_session_key.data);
324
325	if (auth_flags)
326	ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, ntlmssp_state->allow_lm_key);
327
328	if (DEBUGLEVEL >= 10) {
329	struct AUTHENTICATE_MESSAGE *authenticate = talloc(
330	ntlmssp_state, struct AUTHENTICATE_MESSAGE);
331	if (authenticate != NULL) {
332	NTSTATUS status;
333	authenticate->NegotiateFlags = auth_flags;
334	status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
335	&request, authenticate, authenticate);
336	if (NT_STATUS_IS_OK(status)) {
337	NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
338	authenticate);
339	}
340	TALLOC_FREE(authenticate);
341	}
342	}
343
344	DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n",
345	ntlmssp_state->user, ntlmssp_state->domain,
346	ntlmssp_state->client.netbios_name,
347	(unsigned long)ntlmssp_state->lm_resp.length,
348	(unsigned long)ntlmssp_state->nt_resp.length));
349
350	#if 0
351	file_save("nthash1.dat", &ntlmssp_state->nt_resp.data, &ntlmssp_state->nt_resp.length);
352	file_save("lmhash1.dat", &ntlmssp_state->lm_resp.data, &ntlmssp_state->lm_resp.length);
353	#endif
354
355	/* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a
356	client challenge
357
358	However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful.
359	*/
360	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
361	if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) {
362	struct MD5Context md5_session_nonce_ctx;
363	state->doing_ntlm2 = true;
364
365	memcpy(state->session_nonce, ntlmssp_state->internal_chal.data, 8);
366	memcpy(&state->session_nonce[8], ntlmssp_state->lm_resp.data, 8);
367
368	SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8);
369
370	MD5Init(&md5_session_nonce_ctx);
371	MD5Update(&md5_session_nonce_ctx, state->session_nonce, 16);
372	MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
373
374	ntlmssp_state->chal = data_blob_talloc(
375	ntlmssp_state, session_nonce_hash, 8);
376
377	/* LM response is no longer useful */
378	data_blob_free(&ntlmssp_state->lm_resp);
379
380	/* We changed the effective challenge - set it */
381	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->set_challenge(ntlmssp_state, &ntlmssp_state->chal))) {
382	return nt_status;
383	}
384
385	/* LM Key is incompatible. */
386	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
387	}
388	}
389	return NT_STATUS_OK;
390	}
391
392	/**
393	* Next state function for the Authenticate packet
394	* (after authentication - figures out the session keys etc)
395	*
396	* @param ntlmssp_state NTLMSSP State
397	* @return Errors or NT_STATUS_OK.
398	*/
399
400	static NTSTATUS ntlmssp_server_postauth(struct ntlmssp_state *ntlmssp_state,
401	struct ntlmssp_server_auth_state *state)
402	{
403	DATA_BLOB user_session_key = state->user_session_key;
404	DATA_BLOB lm_session_key = state->lm_session_key;
405	NTSTATUS nt_status = NT_STATUS_OK;
406	DATA_BLOB session_key = data_blob(NULL, 0);
407
408	dump_data_pw("NT session key:\n", user_session_key.data, user_session_key.length);
409	dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
410
411	/* Handle the different session key derivation for NTLM2 */
412	if (state->doing_ntlm2) {
413	if (user_session_key.data && user_session_key.length == 16) {
414	session_key = data_blob_talloc(ntlmssp_state,
415	NULL, 16);
416	hmac_md5(user_session_key.data, state->session_nonce,
417	sizeof(state->session_nonce), session_key.data);
418	DEBUG(10,("ntlmssp_server_auth: Created NTLM2 session key.\n"));
419	dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
420
421	} else {
422	DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n"));
423	session_key = data_blob_null;
424	}
425	} else if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
426	/* Ensure we can never get here on NTLMv2 */
427	&& (ntlmssp_state->nt_resp.length == 0 \|\| ntlmssp_state->nt_resp.length == 24)) {
428
429	if (lm_session_key.data && lm_session_key.length >= 8) {
430	if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) {
431	session_key = data_blob_talloc(ntlmssp_state,
432	NULL, 16);
433	if (session_key.data == NULL) {
434	return NT_STATUS_NO_MEMORY;
435	}
436	SMBsesskeygen_lm_sess_key(lm_session_key.data, ntlmssp_state->lm_resp.data,
437	session_key.data);
438	DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
439	} else {
440	static const uint8_t zeros[24] = {0, };
441	session_key = data_blob_talloc(
442	ntlmssp_state, NULL, 16);
443	if (session_key.data == NULL) {
444	return NT_STATUS_NO_MEMORY;
445	}
446	SMBsesskeygen_lm_sess_key(zeros, zeros,
447	session_key.data);
448	DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
449	}
450	dump_data_pw("LM session key:\n", session_key.data,
451	session_key.length);
452	} else {
453	/* LM Key not selected */
454	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
455
456	DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n"));
457	session_key = data_blob_null;
458	}
459
460	} else if (user_session_key.data) {
461	session_key = user_session_key;
462	DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
463	dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
464
465	/* LM Key not selected */
466	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
467
468	} else if (lm_session_key.data) {
469	/* Very weird to have LM key, but no user session key, but anyway.. */
470	session_key = lm_session_key;
471	DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n"));
472	dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
473
474	/* LM Key not selected */
475	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
476
477	} else {
478	DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n"));
479	session_key = data_blob_null;
480
481	/* LM Key not selected */
482	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
483	}
484
485	/* With KEY_EXCH, the client supplies the proposed session key,
486	but encrypts it with the long-term key */
487	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
488	if (!state->encrypted_session_key.data
489	\|\| state->encrypted_session_key.length != 16) {
490	DEBUG(1, ("Client-supplied KEY_EXCH session key was of invalid length (%u)!\n",
491	(unsigned)state->encrypted_session_key.length));
492	return NT_STATUS_INVALID_PARAMETER;
493	} else if (!session_key.data \|\| session_key.length != 16) {
494	DEBUG(5, ("server session key is invalid (len == %u), cannot do KEY_EXCH!\n",
495	(unsigned int)session_key.length));
496	ntlmssp_state->session_key = session_key;
497	talloc_steal(ntlmssp_state, session_key.data);
498	} else {
499	dump_data_pw("KEY_EXCH session key (enc):\n",
500	state->encrypted_session_key.data,
501	state->encrypted_session_key.length);
502	arcfour_crypt(state->encrypted_session_key.data,
503	session_key.data,
504	state->encrypted_session_key.length);
505	ntlmssp_state->session_key = data_blob_talloc(ntlmssp_state,
506	state->encrypted_session_key.data,
507	state->encrypted_session_key.length);
508	dump_data_pw("KEY_EXCH session key:\n",
509	state->encrypted_session_key.data,
510	state->encrypted_session_key.length);
511	}
512	} else {
513	ntlmssp_state->session_key = session_key;
514	talloc_steal(ntlmssp_state, session_key.data);
515	}
516
517	if (ntlmssp_state->session_key.length) {
518	nt_status = ntlmssp_sign_init(ntlmssp_state);
519	}
520
521	ntlmssp_state->expected_state = NTLMSSP_DONE;
522
523	return nt_status;
524	}
525
526
527	/**
528	* Next state function for the Authenticate packet
529	*
530	* @param gensec_security GENSEC state
531	* @param out_mem_ctx Memory context for *out
532	* @param in The request, as a DATA_BLOB. reply.data must be NULL
533	* @param out The reply, as an allocated DATA_BLOB, caller to free.
534	* @return Errors or NT_STATUS_OK if authentication sucessful
535	*/
536
537	NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
538	TALLOC_CTX *out_mem_ctx,
539	const DATA_BLOB in, DATA_BLOB *out)
540	{
541	struct ntlmssp_server_auth_state *state;
542	NTSTATUS nt_status;
543
544	/* zero the outbound NTLMSSP packet */
545	*out = data_blob_null;
546
547	state = talloc_zero(ntlmssp_state, struct ntlmssp_server_auth_state);
548	if (state == NULL) {
549	return NT_STATUS_NO_MEMORY;
550	}
551
552	nt_status = ntlmssp_server_preauth(ntlmssp_state, state, in);
553	if (!NT_STATUS_IS_OK(nt_status)) {
554	TALLOC_FREE(state);
555	return nt_status;
556	}
557
558	/*
559	* Note we don't check here for NTLMv2 auth settings. If NTLMv2 auth
560	* is required (by "ntlm auth = no" and "lm auth = no" being set in the
561	* smb.conf file) and no NTLMv2 response was sent then the password check
562	* will fail here. JRA.
563	*/
564
565	/* Finally, actually ask if the password is OK */
566	nt_status = ntlmssp_state->check_password(ntlmssp_state,
567	state,
568	&state->user_session_key,
569	&state->lm_session_key);
570	if (!NT_STATUS_IS_OK(nt_status)) {
571	TALLOC_FREE(state);
572	return nt_status;
573	}
574
575	/* When we get more async in the auth code behind
576	ntlmssp_state->check_password, the ntlmssp_server_postpath
577	can be done in a callback */
578
579	nt_status = ntlmssp_server_postauth(ntlmssp_state, state);
580	TALLOC_FREE(state);
581	return nt_status;
582	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: