2005-04-25 09:03:50 +04:00
/*
Unix SMB / Netbios implementation .
Version 3.0
handle NLTMSSP , client server side parsing
Copyright ( C ) Andrew Tridgell 2001
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2001 - 2005
Copyright ( C ) Stefan Metzmacher 2005
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2005-04-25 09:03:50 +04:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2005-04-25 09:03:50 +04:00
*/
# include "includes.h"
# include "auth/ntlmssp/ntlmssp.h"
2008-09-24 17:30:23 +04:00
# include "../lib/crypto/crypto.h"
2009-04-16 04:17:17 +04:00
# include "../libcli/auth/libcli_auth.h"
2006-11-07 03:48:36 +03:00
# include "auth/credentials/credentials.h"
# include "auth/gensec/gensec.h"
2007-09-08 16:42:09 +04:00
# include "param/param.h"
2005-04-25 09:03:50 +04:00
/*********************************************************************
Client side NTLMSSP
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/**
* Next state function for the Initial packet
*
* @ param ntlmssp_state NTLMSSP State
* @ param out_mem_ctx The DATA_BLOB * out will be allocated on this context
2005-04-25 14:33:00 +04:00
* @ param in A NULL data blob ( input ignored )
* @ param out The initial negotiate request to the server , as an talloc ( ) ed DATA_BLOB , on out_mem_ctx
2005-04-25 09:03:50 +04:00
* @ return Errors or NT_STATUS_OK .
*/
2005-04-25 10:33:20 +04:00
NTSTATUS ntlmssp_client_initial ( struct gensec_security * gensec_security ,
2005-04-25 09:03:50 +04:00
TALLOC_CTX * out_mem_ctx ,
DATA_BLOB in , DATA_BLOB * out )
{
2007-09-07 19:08:14 +04:00
struct gensec_ntlmssp_state * gensec_ntlmssp_state = ( struct gensec_ntlmssp_state * ) gensec_security - > private_data ;
2008-07-15 09:04:06 +04:00
const char * domain = gensec_ntlmssp_state - > domain ;
const char * workstation = cli_credentials_get_workstation ( gensec_security - > credentials ) ;
/* These don't really matter in the initial packet, so don't panic if they are not set */
if ( ! domain ) {
domain = " " ;
}
if ( ! workstation ) {
workstation = " " ;
}
2005-04-25 10:33:20 +04:00
2005-04-25 14:33:00 +04:00
if ( gensec_ntlmssp_state - > unicode ) {
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_UNICODE ;
2005-04-25 09:03:50 +04:00
} else {
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_OEM ;
2005-04-25 09:03:50 +04:00
}
2005-04-25 14:33:00 +04:00
if ( gensec_ntlmssp_state - > use_ntlmv2 ) {
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_NTLM2 ;
2005-04-25 09:03:50 +04:00
}
/* generate the ntlmssp negotiate packet */
msrpc_gen ( out_mem_ctx ,
out , " CddAA " ,
" NTLMSSP " ,
NTLMSSP_NEGOTIATE ,
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > neg_flags ,
2008-07-15 09:04:06 +04:00
domain ,
workstation ) ;
2005-04-25 09:03:50 +04:00
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > expected_state = NTLMSSP_CHALLENGE ;
2005-04-25 09:03:50 +04:00
return NT_STATUS_MORE_PROCESSING_REQUIRED ;
}
/**
* Next state function for the Challenge Packet . Generate an auth packet .
*
2005-04-25 14:33:00 +04:00
* @ param gensec_security GENSEC state
* @ param out_mem_ctx Memory context for * out
* @ param in The server challnege , as a DATA_BLOB . reply . data must be NULL
* @ param out The next request ( auth packet ) to the server , as an allocated DATA_BLOB , on the out_mem_ctx context
2005-04-25 09:03:50 +04:00
* @ return Errors or NT_STATUS_OK .
*/
2005-04-25 10:33:20 +04:00
NTSTATUS ntlmssp_client_challenge ( struct gensec_security * gensec_security ,
2005-04-25 09:03:50 +04:00
TALLOC_CTX * out_mem_ctx ,
const DATA_BLOB in , DATA_BLOB * out )
{
2007-09-07 19:08:14 +04:00
struct gensec_ntlmssp_state * gensec_ntlmssp_state = ( struct gensec_ntlmssp_state * ) gensec_security - > private_data ;
2005-04-25 09:03:50 +04:00
uint32_t chal_flags , ntlmssp_command , unkn1 , unkn2 ;
DATA_BLOB server_domain_blob ;
DATA_BLOB challenge_blob ;
2005-10-14 07:57:35 +04:00
DATA_BLOB target_info = data_blob ( NULL , 0 ) ;
2005-04-25 09:03:50 +04:00
char * server_domain ;
const char * chal_parse_string ;
const char * auth_gen_string ;
DATA_BLOB lm_response = data_blob ( NULL , 0 ) ;
DATA_BLOB nt_response = data_blob ( NULL , 0 ) ;
DATA_BLOB session_key = data_blob ( NULL , 0 ) ;
DATA_BLOB lm_session_key = data_blob ( NULL , 0 ) ;
DATA_BLOB encrypted_session_key = data_blob ( NULL , 0 ) ;
NTSTATUS nt_status ;
2005-10-14 07:57:35 +04:00
int flags = 0 ;
const char * user , * domain ;
2005-04-25 09:03:50 +04:00
2005-10-14 07:57:35 +04:00
TALLOC_CTX * mem_ctx = talloc_new ( out_mem_ctx ) ;
if ( ! mem_ctx ) {
return NT_STATUS_NO_MEMORY ;
}
2005-04-25 10:33:20 +04:00
2005-10-14 07:57:35 +04:00
if ( ! msrpc_parse ( mem_ctx ,
2005-04-25 09:03:50 +04:00
& in , " CdBd " ,
" NTLMSSP " ,
& ntlmssp_command ,
& server_domain_blob ,
& chal_flags ) ) {
DEBUG ( 1 , ( " Failed to parse the NTLMSSP Challenge: (#1) \n " ) ) ;
dump_data ( 2 , in . data , in . length ) ;
2005-10-14 07:57:35 +04:00
talloc_free ( mem_ctx ) ;
2005-04-25 09:03:50 +04:00
return NT_STATUS_INVALID_PARAMETER ;
}
data_blob_free ( & server_domain_blob ) ;
DEBUG ( 3 , ( " Got challenge flags: \n " ) ) ;
debug_ntlmssp_flags ( chal_flags ) ;
2005-04-25 14:33:00 +04:00
ntlmssp_handle_neg_flags ( gensec_ntlmssp_state , chal_flags , gensec_ntlmssp_state - > allow_lm_key ) ;
2005-04-25 09:03:50 +04:00
2005-04-25 14:33:00 +04:00
if ( gensec_ntlmssp_state - > unicode ) {
2009-08-25 14:12:59 +04:00
if ( chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO ) {
2005-04-25 09:03:50 +04:00
chal_parse_string = " CdUdbddB " ;
} else {
chal_parse_string = " CdUdbdd " ;
}
auth_gen_string = " CdBBUUUBd " ;
} else {
2009-08-25 14:12:59 +04:00
if ( chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO ) {
2005-04-25 09:03:50 +04:00
chal_parse_string = " CdAdbddB " ;
} else {
chal_parse_string = " CdAdbdd " ;
}
auth_gen_string = " CdBBAAABd " ;
}
2005-10-14 07:57:35 +04:00
if ( ! msrpc_parse ( mem_ctx ,
2005-04-25 09:03:50 +04:00
& in , chal_parse_string ,
" NTLMSSP " ,
& ntlmssp_command ,
& server_domain ,
& chal_flags ,
& challenge_blob , 8 ,
& unkn1 , & unkn2 ,
2005-10-14 07:57:35 +04:00
& target_info ) ) {
2005-04-25 09:03:50 +04:00
DEBUG ( 1 , ( " Failed to parse the NTLMSSP Challenge: (#2) \n " ) ) ;
dump_data ( 2 , in . data , in . length ) ;
2005-10-14 07:57:35 +04:00
talloc_free ( mem_ctx ) ;
2005-04-25 09:03:50 +04:00
return NT_STATUS_INVALID_PARAMETER ;
}
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > server_domain = server_domain ;
2005-04-25 09:03:50 +04:00
if ( challenge_blob . length ! = 8 ) {
2005-10-14 07:57:35 +04:00
talloc_free ( mem_ctx ) ;
2005-04-25 09:03:50 +04:00
return NT_STATUS_INVALID_PARAMETER ;
}
2005-10-14 07:57:35 +04:00
cli_credentials_get_ntlm_username_domain ( gensec_security - > credentials , mem_ctx ,
2005-09-22 05:50:58 +04:00
& user , & domain ) ;
2005-04-25 10:33:20 +04:00
2005-10-14 07:57:35 +04:00
if ( gensec_ntlmssp_state - > neg_flags & NTLMSSP_NEGOTIATE_NTLM2 ) {
flags | = CLI_CRED_NTLM2 ;
}
if ( gensec_ntlmssp_state - > use_ntlmv2 ) {
flags | = CLI_CRED_NTLMv2_AUTH ;
}
if ( gensec_ntlmssp_state - > use_nt_response ) {
flags | = CLI_CRED_NTLM_AUTH ;
}
2008-11-02 04:05:48 +03:00
if ( lp_client_lanman_auth ( gensec_security - > settings - > lp_ctx ) ) {
2005-10-14 07:57:35 +04:00
flags | = CLI_CRED_LANMAN_AUTH ;
}
2005-04-25 09:03:50 +04:00
2005-10-14 07:57:35 +04:00
nt_status = cli_credentials_get_ntlm_response ( gensec_security - > credentials , mem_ctx ,
& flags , challenge_blob , target_info ,
& lm_response , & nt_response ,
& lm_session_key , & session_key ) ;
2005-04-25 09:03:50 +04:00
2005-10-14 07:57:35 +04:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
2005-04-25 09:03:50 +04:00
2005-10-14 07:57:35 +04:00
if ( ! ( flags & CLI_CRED_LANMAN_AUTH ) ) {
2006-03-25 04:00:37 +03:00
/* LM Key is still possible, just silly. Fortunetly
* we require command line options to end up here */
/* gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; */
2005-10-14 07:57:35 +04:00
}
2005-04-25 09:03:50 +04:00
2005-10-14 07:57:35 +04:00
if ( ! ( flags & CLI_CRED_NTLM2 ) ) {
/* NTLM2 is incompatible... */
gensec_ntlmssp_state - > neg_flags & = ~ NTLMSSP_NEGOTIATE_NTLM2 ;
2005-04-25 09:03:50 +04:00
}
2005-04-25 14:33:00 +04:00
if ( ( gensec_ntlmssp_state - > neg_flags & NTLMSSP_NEGOTIATE_LM_KEY )
2008-11-02 04:05:48 +03:00
& & lp_client_lanman_auth ( gensec_security - > settings - > lp_ctx ) & & lm_session_key . length = = 16 ) {
2005-10-14 07:57:35 +04:00
DATA_BLOB new_session_key = data_blob_talloc ( mem_ctx , NULL , 16 ) ;
2005-04-25 09:03:50 +04:00
if ( lm_response . length = = 24 ) {
SMBsesskeygen_lm_sess_key ( lm_session_key . data , lm_response . data ,
new_session_key . data ) ;
} else {
static const uint8_t zeros [ 24 ] ;
SMBsesskeygen_lm_sess_key ( lm_session_key . data , zeros ,
new_session_key . data ) ;
}
session_key = new_session_key ;
dump_data_pw ( " LM session key \n " , session_key . data , session_key . length ) ;
}
/* Key exchange encryptes a new client-generated session key with
the password - derived key */
2005-04-25 14:33:00 +04:00
if ( gensec_ntlmssp_state - > neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH ) {
2005-04-25 09:03:50 +04:00
/* Make up a new session key */
uint8_t client_session_key [ 16 ] ;
2007-10-16 03:27:15 +04:00
generate_secret_buffer ( client_session_key , sizeof ( client_session_key ) ) ;
2005-04-25 09:03:50 +04:00
/* Encrypt the new session key with the old one */
2005-04-25 14:33:00 +04:00
encrypted_session_key = data_blob_talloc ( gensec_ntlmssp_state ,
2005-04-25 09:03:50 +04:00
client_session_key , sizeof ( client_session_key ) ) ;
dump_data_pw ( " KEY_EXCH session key: \n " , encrypted_session_key . data , encrypted_session_key . length ) ;
arcfour_crypt ( encrypted_session_key . data , session_key . data , encrypted_session_key . length ) ;
dump_data_pw ( " KEY_EXCH session key (enc): \n " , encrypted_session_key . data , encrypted_session_key . length ) ;
/* Mark the new session key as the 'real' session key */
2005-10-14 07:57:35 +04:00
session_key = data_blob_talloc ( mem_ctx , client_session_key , sizeof ( client_session_key ) ) ;
2005-04-25 09:03:50 +04:00
}
2006-02-12 15:06:08 +03:00
DEBUG ( 3 , ( " NTLMSSP: Set final flags: \n " ) ) ;
debug_ntlmssp_flags ( gensec_ntlmssp_state - > neg_flags ) ;
2005-04-25 09:03:50 +04:00
/* this generates the actual auth packet */
2005-10-14 07:57:35 +04:00
if ( ! msrpc_gen ( mem_ctx ,
2005-04-25 09:03:50 +04:00
out , auth_gen_string ,
" NTLMSSP " ,
NTLMSSP_AUTH ,
lm_response . data , lm_response . length ,
nt_response . data , nt_response . length ,
2005-04-25 10:33:20 +04:00
domain ,
user ,
cli_credentials_get_workstation ( gensec_security - > credentials ) ,
2005-04-25 09:03:50 +04:00
encrypted_session_key . data , encrypted_session_key . length ,
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > neg_flags ) ) {
2005-10-14 07:57:35 +04:00
talloc_free ( mem_ctx ) ;
2005-04-25 09:03:50 +04:00
return NT_STATUS_NO_MEMORY ;
}
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > session_key = session_key ;
2005-10-14 07:57:35 +04:00
talloc_steal ( gensec_ntlmssp_state , session_key . data ) ;
talloc_steal ( out_mem_ctx , out - > data ) ;
2005-04-25 09:03:50 +04:00
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > chal = challenge_blob ;
gensec_ntlmssp_state - > lm_resp = lm_response ;
2005-10-14 07:57:35 +04:00
talloc_steal ( gensec_ntlmssp_state - > lm_resp . data , lm_response . data ) ;
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > nt_resp = nt_response ;
2005-10-14 07:57:35 +04:00
talloc_steal ( gensec_ntlmssp_state - > nt_resp . data , nt_response . data ) ;
2005-04-25 09:03:50 +04:00
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > expected_state = NTLMSSP_DONE ;
2005-04-25 09:03:50 +04:00
2005-08-29 08:30:22 +04:00
if ( gensec_security - > want_features & ( GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL ) ) {
2005-08-23 09:29:37 +04:00
nt_status = ntlmssp_sign_init ( gensec_ntlmssp_state ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
DEBUG ( 1 , ( " Could not setup NTLMSSP signing/sealing system (error was: %s) \n " ,
nt_errstr ( nt_status ) ) ) ;
2005-10-14 07:57:35 +04:00
talloc_free ( mem_ctx ) ;
2005-08-23 09:29:37 +04:00
return nt_status ;
}
2005-04-25 09:03:50 +04:00
}
2005-10-14 07:57:35 +04:00
talloc_free ( mem_ctx ) ;
2005-08-29 08:30:22 +04:00
return NT_STATUS_OK ;
2005-04-25 09:03:50 +04:00
}
2007-12-03 19:41:50 +03:00
NTSTATUS gensec_ntlmssp_client_start ( struct gensec_security * gensec_security )
2005-04-25 09:03:50 +04:00
{
2005-04-25 14:33:00 +04:00
struct gensec_ntlmssp_state * gensec_ntlmssp_state ;
NTSTATUS nt_status ;
2005-04-25 09:03:50 +04:00
2005-04-25 14:33:00 +04:00
nt_status = gensec_ntlmssp_start ( gensec_security ) ;
NT_STATUS_NOT_OK_RETURN ( nt_status ) ;
2007-09-07 19:08:14 +04:00
gensec_ntlmssp_state = ( struct gensec_ntlmssp_state * ) gensec_security - > private_data ;
2005-04-25 09:03:50 +04:00
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > role = NTLMSSP_CLIENT ;
2005-04-25 09:03:50 +04:00
2008-11-02 04:05:48 +03:00
gensec_ntlmssp_state - > domain = lp_workgroup ( gensec_security - > settings - > lp_ctx ) ;
2005-04-25 09:03:50 +04:00
2008-11-02 04:05:48 +03:00
gensec_ntlmssp_state - > unicode = gensec_setting_bool ( gensec_security - > settings , " ntlmssp_client " , " unicode " , true ) ;
2005-04-25 09:03:50 +04:00
2008-11-02 04:05:48 +03:00
gensec_ntlmssp_state - > use_nt_response = gensec_setting_bool ( gensec_security - > settings , " ntlmssp_client " , " send_nt_reponse " , true ) ;
2005-04-25 14:33:00 +04:00
2008-11-02 04:05:48 +03:00
gensec_ntlmssp_state - > allow_lm_key = ( lp_client_lanman_auth ( gensec_security - > settings - > lp_ctx )
& & ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_client " , " allow_lm_key " , false )
| | gensec_setting_bool ( gensec_security - > settings , " ntlmssp_client " , " lm_key " , false ) ) ) ;
2005-04-25 09:03:50 +04:00
2008-11-02 04:05:48 +03:00
gensec_ntlmssp_state - > use_ntlmv2 = lp_client_ntlmv2_auth ( gensec_security - > settings - > lp_ctx ) ;
2005-04-25 09:03:50 +04:00
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > expected_state = NTLMSSP_INITIAL ;
2005-04-25 09:03:50 +04:00
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > neg_flags =
2005-04-25 09:03:50 +04:00
NTLMSSP_NEGOTIATE_NTLM |
NTLMSSP_REQUEST_TARGET ;
2008-11-02 04:05:48 +03:00
if ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_client " , " 128bit " , true ) ) {
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_128 ;
2005-04-25 09:03:50 +04:00
}
2008-11-02 04:05:48 +03:00
if ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_client " , " 56bit " , false ) ) {
2006-02-12 15:06:08 +03:00
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_56 ;
}
2008-11-02 04:05:48 +03:00
if ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_client " , " lm_key " , false ) ) {
2006-02-12 15:06:08 +03:00
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_LM_KEY ;
}
2008-11-02 04:05:48 +03:00
if ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_client " , " keyexchange " , true ) ) {
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_KEY_EXCH ;
2005-04-25 09:03:50 +04:00
}
2008-11-02 04:05:48 +03:00
if ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_client " , " alwayssign " , true ) ) {
2006-11-20 23:58:00 +03:00
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_ALWAYS_SIGN ;
}
2008-11-02 04:05:48 +03:00
if ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_client " , " ntlm2 " , true ) ) {
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_NTLM2 ;
2005-04-25 09:03:50 +04:00
} else {
/* apparently we can't do ntlmv2 if we don't do ntlm2 */
2007-10-07 02:16:19 +04:00
gensec_ntlmssp_state - > use_ntlmv2 = false ;
2005-04-25 09:03:50 +04:00
}
if ( gensec_security - > want_features & GENSEC_FEATURE_SESSION_KEY ) {
/*
* We need to set this to allow a later SetPassword
* via the SAMR pipe to succeed . Strange . . . . We could
* also add NTLMSSP_NEGOTIATE_SEAL here . JRA .
*
* Without this , Windows will not create the master key
* that it thinks is only used for NTLMSSP signing and
* sealing . ( It is actually pulled out and used directly )
*/
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_SIGN ;
2005-04-25 09:03:50 +04:00
}
if ( gensec_security - > want_features & GENSEC_FEATURE_SIGN ) {
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_SIGN ;
2005-04-25 09:03:50 +04:00
}
if ( gensec_security - > want_features & GENSEC_FEATURE_SEAL ) {
2010-03-24 08:09:02 +03:00
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_SIGN ;
2005-04-25 14:33:00 +04:00
gensec_ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_SEAL ;
2005-04-25 09:03:50 +04:00
}
gensec_security - > private_data = gensec_ntlmssp_state ;
return NT_STATUS_OK ;
}