Context Navigation

source: vendor/3.6.0/source3/libsmb/ntlmssp.c

Visit:

Last change on this file was 740, checked in by Silvan Scherrer, 13 years ago
Samba Server: update vendor to 3.6.0
File size: 23.8 KB

Line
1	/*
2	Unix SMB/Netbios implementation.
3	Version 3.0
4	handle NLTMSSP, server side
5
6	Copyright (C) Andrew Tridgell 2001
7	Copyright (C) Andrew Bartlett 2001-2010
8	Copyright (C) Stefan Metzmacher 2005
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22	*/
23
24	#include "includes.h"
25	#include "../libcli/auth/ntlmssp.h"
26	#include "../libcli/auth/ntlmssp_private.h"
27	#include "../libcli/auth/libcli_auth.h"
28	#include "../librpc/gen_ndr/ndr_ntlmssp.h"
29	#include "../libcli/auth/ntlmssp_ndr.h"
30	#include "../lib/crypto/md5.h"
31	#include "../lib/crypto/arcfour.h"
32	#include "../lib/crypto/hmacmd5.h"
33	#include "../nsswitch/libwbclient/wbclient.h"
34
35	static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
36	TALLOC_CTX out_mem_ctx, / Unused at this time */
37	DATA_BLOB reply, DATA_BLOB *next_request);
38	static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
39	TALLOC_CTX out_mem_ctx, / Unused at this time */
40	const DATA_BLOB reply, DATA_BLOB *next_request);
41	/**
42	* Callbacks for NTLMSSP - for both client and server operating modes
43	*
44	*/
45
46	static const struct ntlmssp_callbacks {
47	enum ntlmssp_role role;
48	enum ntlmssp_message_type ntlmssp_command;
49	NTSTATUS (fn)(struct ntlmssp_state ntlmssp_state,
50	TALLOC_CTX *out_mem_ctx,
51	DATA_BLOB in, DATA_BLOB *out);
52	} ntlmssp_callbacks[] = {
53	{NTLMSSP_CLIENT, NTLMSSP_INITIAL, ntlmssp_client_initial},
54	{NTLMSSP_SERVER, NTLMSSP_NEGOTIATE, ntlmssp_server_negotiate},
55	{NTLMSSP_CLIENT, NTLMSSP_CHALLENGE, ntlmssp_client_challenge},
56	{NTLMSSP_SERVER, NTLMSSP_AUTH, ntlmssp_server_auth},
57	{NTLMSSP_CLIENT, NTLMSSP_UNKNOWN, NULL},
58	{NTLMSSP_SERVER, NTLMSSP_UNKNOWN, NULL}
59	};
60
61
62	/**
63	* Default challenge generation code.
64	*
65	*/
66
67	static NTSTATUS get_challenge(const struct ntlmssp_state *ntlmssp_state,
68	uint8_t chal[8])
69	{
70	generate_random_buffer(chal, 8);
71	return NT_STATUS_OK;
72	}
73
74	/**
75	* Default 'we can set the challenge to anything we like' implementation
76	*
77	*/
78
79	static bool may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
80	{
81	return True;
82	}
83
84	/**
85	* Default 'we can set the challenge to anything we like' implementation
86	*
87	* Does not actually do anything, as the value is always in the structure anyway.
88	*
89	*/
90
91	static NTSTATUS set_challenge(struct ntlmssp_state ntlmssp_state, DATA_BLOB challenge)
92	{
93	SMB_ASSERT(challenge->length == 8);
94	return NT_STATUS_OK;
95	}
96
97	/**
98	* Set a username on an NTLMSSP context - ensures it is talloc()ed
99	*
100	*/
101
102	NTSTATUS ntlmssp_set_username(struct ntlmssp_state ntlmssp_state, const char user)
103	{
104	ntlmssp_state->user = talloc_strdup(ntlmssp_state, user ? user : "" );
105	if (!ntlmssp_state->user) {
106	return NT_STATUS_NO_MEMORY;
107	}
108	return NT_STATUS_OK;
109	}
110
111	/**
112	* Store NT and LM hashes on an NTLMSSP context - ensures they are talloc()ed
113	*
114	*/
115	NTSTATUS ntlmssp_set_hashes(struct ntlmssp_state *ntlmssp_state,
116	const uint8_t lm_hash[16],
117	const uint8_t nt_hash[16])
118	{
119	ntlmssp_state->lm_hash = (uint8_t *)
120	TALLOC_MEMDUP(ntlmssp_state, lm_hash, 16);
121	ntlmssp_state->nt_hash = (uint8_t *)
122	TALLOC_MEMDUP(ntlmssp_state, nt_hash, 16);
123	if (!ntlmssp_state->lm_hash \|\| !ntlmssp_state->nt_hash) {
124	TALLOC_FREE(ntlmssp_state->lm_hash);
125	TALLOC_FREE(ntlmssp_state->nt_hash);
126	return NT_STATUS_NO_MEMORY;
127	}
128	return NT_STATUS_OK;
129	}
130
131	/**
132	* Converts a password to the hashes on an NTLMSSP context.
133	*
134	*/
135	NTSTATUS ntlmssp_set_password(struct ntlmssp_state ntlmssp_state, const char password)
136	{
137	if (!password) {
138	ntlmssp_state->lm_hash = NULL;
139	ntlmssp_state->nt_hash = NULL;
140	} else {
141	uint8_t lm_hash[16];
142	uint8_t nt_hash[16];
143
144	E_deshash(password, lm_hash);
145	E_md4hash(password, nt_hash);
146	return ntlmssp_set_hashes(ntlmssp_state, lm_hash, nt_hash);
147	}
148	return NT_STATUS_OK;
149	}
150
151	/**
152	* Set a domain on an NTLMSSP context - ensures it is talloc()ed
153	*
154	*/
155	NTSTATUS ntlmssp_set_domain(struct ntlmssp_state ntlmssp_state, const char domain)
156	{
157	ntlmssp_state->domain = talloc_strdup(ntlmssp_state,
158	domain ? domain : "" );
159	if (!ntlmssp_state->domain) {
160	return NT_STATUS_NO_MEMORY;
161	}
162	return NT_STATUS_OK;
163	}
164
165	/**
166	* Request features for the NTLMSSP negotiation
167	*
168	* @param ntlmssp_state NTLMSSP state
169	* @param feature_list List of space seperated features requested from NTLMSSP.
170	*/
171	void ntlmssp_want_feature_list(struct ntlmssp_state ntlmssp_state, char feature_list)
172	{
173	/*
174	* We need to set this to allow a later SetPassword
175	* via the SAMR pipe to succeed. Strange.... We could
176	* also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
177	*/
178	if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
179	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
180	}
181	if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
182	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
183	}
184	if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
185	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SEAL;
186	}
187	if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
188	ntlmssp_state->use_ccache = true;
189	}
190	}
191
192	/**
193	* Request a feature for the NTLMSSP negotiation
194	*
195	* @param ntlmssp_state NTLMSSP state
196	* @param feature Bit flag specifying the requested feature
197	*/
198	void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature)
199	{
200	/* As per JRA's comment above */
201	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
202	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
203	}
204	if (feature & NTLMSSP_FEATURE_SIGN) {
205	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
206	}
207	if (feature & NTLMSSP_FEATURE_SEAL) {
208	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SEAL;
209	}
210	if (feature & NTLMSSP_FEATURE_CCACHE) {
211	ntlmssp_state->use_ccache = true;
212	}
213	}
214
215	/**
216	* Next state function for the NTLMSSP state machine
217	*
218	* @param ntlmssp_state NTLMSSP State
219	* @param in The packet in from the NTLMSSP partner, as a DATA_BLOB
220	* @param out The reply, as an allocated DATA_BLOB, caller to free.
221	* @return Errors, NT_STATUS_MORE_PROCESSING_REQUIRED or NT_STATUS_OK.
222	*/
223
224	NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
225	const DATA_BLOB input, DATA_BLOB *out)
226	{
227	uint32_t ntlmssp_command;
228	int i;
229
230	if (ntlmssp_state->expected_state == NTLMSSP_DONE) {
231	/* Called update after negotiations finished. */
232	DEBUG(1, ("Called NTLMSSP after state machine was 'done'\n"));
233	return NT_STATUS_INVALID_PARAMETER;
234	}
235
236	*out = data_blob_null;
237
238	if (!input.length) {
239	switch (ntlmssp_state->role) {
240	case NTLMSSP_CLIENT:
241	ntlmssp_command = NTLMSSP_INITIAL;
242	break;
243	case NTLMSSP_SERVER:
244	/* 'datagram' mode - no neg packet */
245	ntlmssp_command = NTLMSSP_NEGOTIATE;
246	break;
247	default:
248	DEBUG(1, ("Invalid role: %d\n", ntlmssp_state->role));
249	return NT_STATUS_INVALID_PARAMETER;
250	}
251	} else {
252	if (!msrpc_parse(ntlmssp_state, &input, "Cd",
253	"NTLMSSP",
254	&ntlmssp_command)) {
255	DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n"));
256	dump_data(2, input.data, input.length);
257	return NT_STATUS_INVALID_PARAMETER;
258	}
259	}
260
261	if (ntlmssp_command != ntlmssp_state->expected_state) {
262	DEBUG(1, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command, ntlmssp_state->expected_state));
263	return NT_STATUS_INVALID_PARAMETER;
264	}
265
266	for (i=0; ntlmssp_callbacks[i].fn; i++) {
267	if (ntlmssp_callbacks[i].role == ntlmssp_state->role
268	&& ntlmssp_callbacks[i].ntlmssp_command == ntlmssp_command) {
269	return ntlmssp_callbacks[i].fn(ntlmssp_state, ntlmssp_state, input, out);
270	}
271	}
272
273	DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command %u\n",
274	ntlmssp_state->role, ntlmssp_command));
275
276	return NT_STATUS_INVALID_PARAMETER;
277	}
278
279	/**
280	* Create an NTLMSSP state machine
281	*
282	* @param ntlmssp_state NTLMSSP State, allocated by this function
283	*/
284
285	NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
286	bool is_standalone,
287	const char *netbios_name,
288	const char *netbios_domain,
289	const char *dns_name,
290	const char *dns_domain,
291	struct ntlmssp_state **_ntlmssp_state)
292	{
293	struct ntlmssp_state *ntlmssp_state;
294
295	if (!netbios_name) {
296	netbios_name = "";
297	}
298
299	if (!netbios_domain) {
300	netbios_domain = "";
301	}
302
303	if (!dns_domain) {
304	dns_domain = "";
305	}
306
307	if (!dns_name) {
308	dns_name = "";
309	}
310
311	ntlmssp_state = talloc_zero(mem_ctx, struct ntlmssp_state);
312	if (!ntlmssp_state) {
313	return NT_STATUS_NO_MEMORY;
314	}
315
316	ntlmssp_state->role = NTLMSSP_SERVER;
317
318	ntlmssp_state->get_challenge = get_challenge;
319	ntlmssp_state->set_challenge = set_challenge;
320	ntlmssp_state->may_set_challenge = may_set_challenge;
321
322	ntlmssp_state->server.is_standalone = is_standalone;
323
324	ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
325
326	ntlmssp_state->allow_lm_key = lp_lanman_auth();
327
328	ntlmssp_state->neg_flags =
329	NTLMSSP_NEGOTIATE_128 \|
330	NTLMSSP_NEGOTIATE_56 \|
331	NTLMSSP_NEGOTIATE_VERSION \|
332	NTLMSSP_NEGOTIATE_ALWAYS_SIGN \|
333	NTLMSSP_NEGOTIATE_NTLM \|
334	NTLMSSP_NEGOTIATE_NTLM2 \|
335	NTLMSSP_NEGOTIATE_KEY_EXCH \|
336	NTLMSSP_NEGOTIATE_SIGN \|
337	NTLMSSP_NEGOTIATE_SEAL;
338
339	ntlmssp_state->server.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
340	if (!ntlmssp_state->server.netbios_name) {
341	talloc_free(ntlmssp_state);
342	return NT_STATUS_NO_MEMORY;
343	}
344	ntlmssp_state->server.netbios_domain = talloc_strdup(ntlmssp_state, netbios_domain);
345	if (!ntlmssp_state->server.netbios_domain) {
346	talloc_free(ntlmssp_state);
347	return NT_STATUS_NO_MEMORY;
348	}
349	ntlmssp_state->server.dns_name = talloc_strdup(ntlmssp_state, dns_name);
350	if (!ntlmssp_state->server.dns_name) {
351	talloc_free(ntlmssp_state);
352	return NT_STATUS_NO_MEMORY;
353	}
354	ntlmssp_state->server.dns_domain = talloc_strdup(ntlmssp_state, dns_domain);
355	if (!ntlmssp_state->server.dns_domain) {
356	talloc_free(ntlmssp_state);
357	return NT_STATUS_NO_MEMORY;
358	}
359
360	*_ntlmssp_state = ntlmssp_state;
361	return NT_STATUS_OK;
362	}
363
364	/*********************************************************************
365	Client side NTLMSSP
366	*********************************************************************/
367
368	/**
369	* Next state function for the Initial packet
370	*
371	* @param ntlmssp_state NTLMSSP State
372	* @param request The request, as a DATA_BLOB. reply.data must be NULL
373	* @param request The reply, as an allocated DATA_BLOB, caller to free.
374	* @return Errors or NT_STATUS_OK.
375	*/
376
377	static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
378	TALLOC_CTX out_mem_ctx, / Unused at this time */
379	DATA_BLOB reply, DATA_BLOB *next_request)
380	{
381	NTSTATUS status;
382
383	if (ntlmssp_state->unicode) {
384	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_UNICODE;
385	} else {
386	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_OEM;
387	}
388
389	if (ntlmssp_state->use_ntlmv2) {
390	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_NTLM2;
391	}
392
393	/* generate the ntlmssp negotiate packet */
394	status = msrpc_gen(ntlmssp_state, next_request, "CddAA",
395	"NTLMSSP",
396	NTLMSSP_NEGOTIATE,
397	ntlmssp_state->neg_flags,
398	ntlmssp_state->client.netbios_domain,
399	ntlmssp_state->client.netbios_name);
400	if (!NT_STATUS_IS_OK(status)) {
401	DEBUG(0, ("ntlmssp_client_initial: failed to generate "
402	"ntlmssp negotiate packet\n"));
403	return status;
404	}
405
406	if (DEBUGLEVEL >= 10) {
407	struct NEGOTIATE_MESSAGE *negotiate = talloc(
408	talloc_tos(), struct NEGOTIATE_MESSAGE);
409	if (negotiate != NULL) {
410	status = ntlmssp_pull_NEGOTIATE_MESSAGE(
411	next_request, negotiate, negotiate);
412	if (NT_STATUS_IS_OK(status)) {
413	NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
414	negotiate);
415	}
416	TALLOC_FREE(negotiate);
417	}
418	}
419
420	ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
421
422	return NT_STATUS_MORE_PROCESSING_REQUIRED;
423	}
424
425	/**
426	* Next state function for the Challenge Packet. Generate an auth packet.
427	*
428	* @param ntlmssp_state NTLMSSP State
429	* @param request The request, as a DATA_BLOB. reply.data must be NULL
430	* @param request The reply, as an allocated DATA_BLOB, caller to free.
431	* @return Errors or NT_STATUS_OK.
432	*/
433
434	static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
435	TALLOC_CTX out_mem_ctx, / Unused at this time */
436	const DATA_BLOB reply, DATA_BLOB *next_request)
437	{
438	uint32_t chal_flags, ntlmssp_command, unkn1, unkn2;
439	DATA_BLOB server_domain_blob;
440	DATA_BLOB challenge_blob;
441	DATA_BLOB struct_blob = data_blob_null;
442	char *server_domain;
443	const char *chal_parse_string;
444	const char *auth_gen_string;
445	DATA_BLOB lm_response = data_blob_null;
446	DATA_BLOB nt_response = data_blob_null;
447	DATA_BLOB session_key = data_blob_null;
448	DATA_BLOB encrypted_session_key = data_blob_null;
449	NTSTATUS nt_status = NT_STATUS_OK;
450
451	if (ntlmssp_state->use_ccache) {
452	struct wbcCredentialCacheParams params;
453	struct wbcCredentialCacheInfo *info = NULL;
454	struct wbcAuthErrorInfo *error = NULL;
455	struct wbcNamedBlob auth_blob;
456	struct wbcBlob *wbc_next = NULL;
457	struct wbcBlob *wbc_session_key = NULL;
458	wbcErr wbc_status;
459	int i;
460
461	params.account_name = ntlmssp_state->user;
462	params.domain_name = ntlmssp_state->domain;
463	params.level = WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP;
464
465	auth_blob.name = "challenge_blob";
466	auth_blob.flags = 0;
467	auth_blob.blob.data = reply.data;
468	auth_blob.blob.length = reply.length;
469	params.num_blobs = 1;
470	params.blobs = &auth_blob;
471
472	wbc_status = wbcCredentialCache(&params, &info, &error);
473	wbcFreeMemory(error);
474	if (!WBC_ERROR_IS_OK(wbc_status)) {
475	goto noccache;
476	}
477
478	for (i=0; i<info->num_blobs; i++) {
479	if (strequal(info->blobs[i].name, "auth_blob")) {
480	wbc_next = &info->blobs[i].blob;
481	}
482	if (strequal(info->blobs[i].name, "session_key")) {
483	wbc_session_key = &info->blobs[i].blob;
484	}
485	}
486	if ((wbc_next == NULL) \|\| (wbc_session_key == NULL)) {
487	wbcFreeMemory(info);
488	goto noccache;
489	}
490
491	*next_request = data_blob(wbc_next->data, wbc_next->length);
492	ntlmssp_state->session_key = data_blob(
493	wbc_session_key->data, wbc_session_key->length);
494
495	wbcFreeMemory(info);
496	goto done;
497	}
498
499	noccache:
500
501	if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
502	"NTLMSSP",
503	&ntlmssp_command,
504	&server_domain_blob,
505	&chal_flags)) {
506	DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
507	dump_data(2, reply.data, reply.length);
508
509	return NT_STATUS_INVALID_PARAMETER;
510	}
511
512	if (DEBUGLEVEL >= 10) {
513	struct CHALLENGE_MESSAGE *challenge = talloc(
514	talloc_tos(), struct CHALLENGE_MESSAGE);
515	if (challenge != NULL) {
516	NTSTATUS status;
517	challenge->NegotiateFlags = chal_flags;
518	status = ntlmssp_pull_CHALLENGE_MESSAGE(
519	&reply, challenge, challenge);
520	if (NT_STATUS_IS_OK(status)) {
521	NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
522	challenge);
523	}
524	TALLOC_FREE(challenge);
525	}
526	}
527
528	data_blob_free(&server_domain_blob);
529
530	DEBUG(3, ("Got challenge flags:\n"));
531	debug_ntlmssp_flags(chal_flags);
532
533	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
534
535	if (ntlmssp_state->unicode) {
536	if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
537	chal_parse_string = "CdUdbddB";
538	} else {
539	chal_parse_string = "CdUdbdd";
540	}
541	auth_gen_string = "CdBBUUUBd";
542	} else {
543	if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
544	chal_parse_string = "CdAdbddB";
545	} else {
546	chal_parse_string = "CdAdbdd";
547	}
548
549	auth_gen_string = "CdBBAAABd";
550	}
551
552	DEBUG(3, ("NTLMSSP: Set final flags:\n"));
553	debug_ntlmssp_flags(ntlmssp_state->neg_flags);
554
555	if (!msrpc_parse(ntlmssp_state, &reply, chal_parse_string,
556	"NTLMSSP",
557	&ntlmssp_command,
558	&server_domain,
559	&chal_flags,
560	&challenge_blob, 8,
561	&unkn1, &unkn2,
562	&struct_blob)) {
563	DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
564	dump_data(2, reply.data, reply.length);
565	return NT_STATUS_INVALID_PARAMETER;
566	}
567
568	if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
569	ntlmssp_state->server.is_standalone = true;
570	} else {
571	ntlmssp_state->server.is_standalone = false;
572	}
573	/* TODO: parse struct_blob and fill in the rest */
574	ntlmssp_state->server.netbios_name = "";
575	ntlmssp_state->server.netbios_domain = server_domain;
576	ntlmssp_state->server.dns_name = "";
577	ntlmssp_state->server.dns_domain = "";
578
579	if (challenge_blob.length != 8) {
580	data_blob_free(&struct_blob);
581	return NT_STATUS_INVALID_PARAMETER;
582	}
583
584	if (!ntlmssp_state->nt_hash \|\| !ntlmssp_state->lm_hash) {
585	static const uint8_t zeros[16] = {0, };
586	/* do nothing - blobs are zero length */
587
588	/* session key is all zeros */
589	session_key = data_blob_talloc(ntlmssp_state, zeros, 16);
590
591	/* not doing NLTM2 without a password */
592	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
593	} else if (ntlmssp_state->use_ntlmv2) {
594	if (!struct_blob.length) {
595	/* be lazy, match win2k - we can't do NTLMv2 without it */
596	DEBUG(1, ("Server did not provide 'target information', required for NTLMv2\n"));
597	return NT_STATUS_INVALID_PARAMETER;
598	}
599
600	/* TODO: if the remote server is standalone, then we should replace 'domain'
601	with the server name as supplied above */
602
603	if (!SMBNTLMv2encrypt_hash(ntlmssp_state,
604	ntlmssp_state->user,
605	ntlmssp_state->domain,
606	ntlmssp_state->nt_hash, &challenge_blob,
607	&struct_blob,
608	&lm_response, &nt_response, NULL,
609	&session_key)) {
610	data_blob_free(&challenge_blob);
611	data_blob_free(&struct_blob);
612	return NT_STATUS_NO_MEMORY;
613	}
614	} else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
615	struct MD5Context md5_session_nonce_ctx;
616	uint8_t session_nonce[16];
617	uint8_t session_nonce_hash[16];
618	uint8_t user_session_key[16];
619
620	lm_response = data_blob_talloc(ntlmssp_state, NULL, 24);
621	generate_random_buffer(lm_response.data, 8);
622	memset(lm_response.data+8, 0, 16);
623
624	memcpy(session_nonce, challenge_blob.data, 8);
625	memcpy(&session_nonce[8], lm_response.data, 8);
626
627	MD5Init(&md5_session_nonce_ctx);
628	MD5Update(&md5_session_nonce_ctx, challenge_blob.data, 8);
629	MD5Update(&md5_session_nonce_ctx, lm_response.data, 8);
630	MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
631
632	DEBUG(5, ("NTLMSSP challenge set by NTLM2\n"));
633	DEBUG(5, ("challenge is: \n"));
634	dump_data(5, session_nonce_hash, 8);
635
636	nt_response = data_blob_talloc(ntlmssp_state, NULL, 24);
637	SMBNTencrypt_hash(ntlmssp_state->nt_hash,
638	session_nonce_hash,
639	nt_response.data);
640
641	session_key = data_blob_talloc(ntlmssp_state, NULL, 16);
642
643	SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, user_session_key);
644	hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data);
645	dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
646	} else {
647	/* lanman auth is insecure, it may be disabled */
648	if (lp_client_lanman_auth()) {
649	lm_response = data_blob_talloc(ntlmssp_state,
650	NULL, 24);
651	SMBencrypt_hash(ntlmssp_state->lm_hash,challenge_blob.data,
652	lm_response.data);
653	}
654
655	nt_response = data_blob_talloc(ntlmssp_state, NULL, 24);
656	SMBNTencrypt_hash(ntlmssp_state->nt_hash,challenge_blob.data,
657	nt_response.data);
658
659	session_key = data_blob_talloc(ntlmssp_state, NULL, 16);
660	if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
661	&& lp_client_lanman_auth()) {
662	SMBsesskeygen_lm_sess_key(ntlmssp_state->lm_hash, lm_response.data,
663	session_key.data);
664	dump_data_pw("LM session key\n", session_key.data, session_key.length);
665	} else {
666	SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, session_key.data);
667	dump_data_pw("NT session key:\n", session_key.data, session_key.length);
668	}
669	}
670	data_blob_free(&struct_blob);
671
672	/* Key exchange encryptes a new client-generated session key with
673	the password-derived key */
674	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
675	/* Make up a new session key */
676	uint8_t client_session_key[16];
677	generate_random_buffer(client_session_key, sizeof(client_session_key));
678
679	/* Encrypt the new session key with the old one */
680	encrypted_session_key = data_blob(client_session_key, sizeof(client_session_key));
681	dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
682	arcfour_crypt_blob(encrypted_session_key.data, encrypted_session_key.length, &session_key);
683	dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
684
685	/* Mark the new session key as the 'real' session key */
686	data_blob_free(&session_key);
687	session_key = data_blob_talloc(ntlmssp_state,
688	client_session_key,
689	sizeof(client_session_key));
690	}
691
692	/* this generates the actual auth packet */
693	nt_status = msrpc_gen(ntlmssp_state, next_request, auth_gen_string,
694	"NTLMSSP",
695	NTLMSSP_AUTH,
696	lm_response.data, lm_response.length,
697	nt_response.data, nt_response.length,
698	ntlmssp_state->domain,
699	ntlmssp_state->user,
700	ntlmssp_state->client.netbios_name,
701	encrypted_session_key.data, encrypted_session_key.length,
702	ntlmssp_state->neg_flags);
703
704	if (!NT_STATUS_IS_OK(nt_status)) {
705	return NT_STATUS_NO_MEMORY;
706	}
707
708	if (DEBUGLEVEL >= 10) {
709	struct AUTHENTICATE_MESSAGE *authenticate = talloc(
710	talloc_tos(), struct AUTHENTICATE_MESSAGE);
711	if (authenticate != NULL) {
712	NTSTATUS status;
713	authenticate->NegotiateFlags =
714	ntlmssp_state->neg_flags;
715	status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
716	next_request, authenticate, authenticate);
717	if (NT_STATUS_IS_OK(status)) {
718	NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
719	authenticate);
720	}
721	TALLOC_FREE(authenticate);
722	}
723	}
724
725	data_blob_free(&encrypted_session_key);
726
727	data_blob_free(&ntlmssp_state->chal);
728
729	ntlmssp_state->session_key = session_key;
730
731	ntlmssp_state->chal = challenge_blob;
732	ntlmssp_state->lm_resp = lm_response;
733	ntlmssp_state->nt_resp = nt_response;
734
735	done:
736
737	ntlmssp_state->expected_state = NTLMSSP_DONE;
738
739	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) {
740	DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status)));
741	}
742
743	return nt_status;
744	}
745
746	NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
747	const char *netbios_name,
748	const char *netbios_domain,
749	bool use_ntlmv2,
750	struct ntlmssp_state **_ntlmssp_state)
751	{
752	struct ntlmssp_state *ntlmssp_state;
753
754	if (!netbios_name) {
755	netbios_name = "";
756	}
757
758	if (!netbios_domain) {
759	netbios_domain = "";
760	}
761
762	ntlmssp_state = talloc_zero(mem_ctx, struct ntlmssp_state);
763	if (!ntlmssp_state) {
764	return NT_STATUS_NO_MEMORY;
765	}
766
767	ntlmssp_state->role = NTLMSSP_CLIENT;
768
769	ntlmssp_state->unicode = True;
770
771	ntlmssp_state->use_ntlmv2 = use_ntlmv2;
772
773	ntlmssp_state->expected_state = NTLMSSP_INITIAL;
774
775	ntlmssp_state->neg_flags =
776	NTLMSSP_NEGOTIATE_128 \|
777	NTLMSSP_NEGOTIATE_ALWAYS_SIGN \|
778	NTLMSSP_NEGOTIATE_NTLM \|
779	NTLMSSP_NEGOTIATE_NTLM2 \|
780	NTLMSSP_NEGOTIATE_KEY_EXCH \|
781	NTLMSSP_REQUEST_TARGET;
782
783	ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
784	if (!ntlmssp_state->client.netbios_name) {
785	talloc_free(ntlmssp_state);
786	return NT_STATUS_NO_MEMORY;
787	}
788	ntlmssp_state->client.netbios_domain = talloc_strdup(ntlmssp_state, netbios_domain);
789	if (!ntlmssp_state->client.netbios_domain) {
790	talloc_free(ntlmssp_state);
791	return NT_STATUS_NO_MEMORY;
792	}
793
794	*_ntlmssp_state = ntlmssp_state;
795	return NT_STATUS_OK;
796	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: