2009-12-24 23:47:53 +03:00
/*
2003-08-13 05:53:07 +04:00
Unix SMB / CIFS implementation .
SMB parameters and setup
Copyright ( C ) Andrew Tridgell 1992 - 1997
Copyright ( C ) Luke Kenneth Casson Leighton 1996 - 1997
Copyright ( C ) Paul Ashton 1997
2009-12-24 23:47:53 +03:00
2003-08-13 05:53:07 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2003-08-13 05:53:07 +04:00
( at your option ) any later version .
2009-12-24 23:47:53 +03:00
2003-08-13 05:53:07 +04:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2009-12-24 23:47:53 +03:00
2003-08-13 05:53:07 +04:00
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2003-08-13 05:53:07 +04:00
*/
2006-03-16 03:23:11 +03:00
# include "librpc/gen_ndr/samr.h"
2009-08-28 15:42:39 +04:00
# include "../librpc/gen_ndr/ntlmssp.h"
2005-01-10 20:28:36 +03:00
2003-08-13 05:53:07 +04:00
/* NTLMSSP mode */
2004-06-04 11:46:24 +04:00
enum ntlmssp_role
2003-08-13 05:53:07 +04:00
{
NTLMSSP_SERVER ,
NTLMSSP_CLIENT
} ;
/* NTLMSSP message types */
2004-06-04 11:46:24 +04:00
enum ntlmssp_message_type
2003-08-13 05:53:07 +04:00
{
2003-11-26 04:16:41 +03:00
NTLMSSP_INITIAL = 0 /* samba internal state */ ,
2003-08-13 05:53:07 +04:00
NTLMSSP_NEGOTIATE = 1 ,
NTLMSSP_CHALLENGE = 2 ,
NTLMSSP_AUTH = 3 ,
2004-05-25 18:06:28 +04:00
NTLMSSP_UNKNOWN = 4 ,
2009-12-24 23:47:53 +03:00
NTLMSSP_DONE = 5 /* samba final state */
2003-08-13 05:53:07 +04:00
} ;
2005-04-25 14:33:00 +04:00
struct gensec_ntlmssp_state
2003-08-13 05:53:07 +04:00
{
2006-01-09 19:20:02 +03:00
struct gensec_security * gensec_security ;
2004-06-04 11:46:24 +04:00
enum ntlmssp_role role ;
2004-05-27 08:13:58 +04:00
enum samr_Role server_role ;
2004-05-25 20:24:13 +04:00
uint32_t expected_state ;
2003-08-13 05:53:07 +04:00
2007-08-27 22:10:19 +04:00
bool unicode ;
bool use_ntlmv2 ;
bool use_nt_response ; /* Set to 'False' to debug what happens when the NT response is omited */
bool allow_lm_key ; /* The LM_KEY code is not functional at this point, and it's not
2004-05-02 16:42:01 +04:00
very secure anyway */
2004-05-25 18:06:28 +04:00
2007-08-27 22:10:19 +04:00
bool server_multiple_authentications ; /* Set to 'True' to allow squid 2.5
2004-05-25 18:06:28 +04:00
style ' challenge caching ' */
2003-08-13 05:53:07 +04:00
char * user ;
2007-09-28 05:17:46 +04:00
const char * domain ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
const char * workstation ;
2003-11-26 04:16:41 +03:00
char * server_domain ;
2003-08-13 05:53:07 +04:00
2003-11-26 04:16:41 +03:00
DATA_BLOB internal_chal ; /* Random challenge as supplied to the client for NTLM authentication */
2003-08-13 05:53:07 +04:00
2003-11-26 04:16:41 +03:00
DATA_BLOB chal ; /* Random challenge as input into the actual NTLM (or NTLM2) authentication */
2009-12-24 23:47:53 +03:00
DATA_BLOB lm_resp ;
2003-08-13 05:53:07 +04:00
DATA_BLOB nt_resp ;
DATA_BLOB session_key ;
2009-12-24 23:47:53 +03:00
2004-05-25 20:24:13 +04:00
uint32_t neg_flags ; /* the current state of negotiation with the NTLMSSP partner */
2004-05-02 12:45:00 +04:00
/* internal variables used by KEY_EXCH (client-supplied user session key */
DATA_BLOB encrypted_session_key ;
2003-08-13 05:53:07 +04:00
2003-11-26 04:16:41 +03:00
/**
2009-12-24 23:47:53 +03:00
* Callback to get the ' challenge ' used for NTLM authentication .
2003-11-26 04:16:41 +03:00
*
* @ param ntlmssp_state This structure
2004-09-12 03:05:08 +04:00
* @ return 8 bytes of challenge data , determined by the server to be the challenge for NTLM authentication
2003-11-26 04:16:41 +03:00
*
*/
2009-12-29 12:44:19 +03:00
NTSTATUS ( * get_challenge ) ( const struct gensec_ntlmssp_state * ,
uint8_t challenge [ 8 ] ) ;
2003-11-26 04:16:41 +03:00
/**
2009-12-24 23:47:53 +03:00
* Callback to find if the challenge used by NTLM authentication may be modified
2003-11-26 04:16:41 +03:00
*
* The NTLM2 authentication scheme modifies the effective challenge , but this is not compatiable with the
2009-12-24 23:47:53 +03:00
* current ' security = server ' implementation . .
2003-11-26 04:16:41 +03:00
*
* @ param ntlmssp_state This structure
* @ return Can the challenge be set to arbitary values ?
*
*/
2007-08-27 22:10:19 +04:00
bool ( * may_set_challenge ) ( const struct gensec_ntlmssp_state * ) ;
2003-11-26 04:16:41 +03:00
/**
2009-12-24 23:47:53 +03:00
* Callback to set the ' challenge ' used for NTLM authentication .
2003-11-26 04:16:41 +03:00
*
* The callback may use the void * auth_context to store state information , but the same value is always available
* from the DATA_BLOB chal on this structure .
*
* @ param ntlmssp_state This structure
2005-04-25 15:47:41 +04:00
* @ param challenge 8 bytes of data , agreed by the client and server to be the effective challenge for NTLM2 authentication
2003-11-26 04:16:41 +03:00
*
*/
2005-04-25 14:33:00 +04:00
NTSTATUS ( * set_challenge ) ( struct gensec_ntlmssp_state * , DATA_BLOB * challenge ) ;
2003-11-26 04:16:41 +03:00
/**
2009-12-24 23:47:53 +03:00
* Callback to check the user ' s password .
2003-11-26 04:16:41 +03:00
*
2009-12-24 23:47:53 +03:00
* The callback must reads the feilds of this structure for the information it needs on the user
2003-11-26 04:16:41 +03:00
* @ param ntlmssp_state This structure
* @ param nt_session_key If an NT session key is returned by the authentication process , return it here
* @ param lm_session_key If an LM session key is returned by the authentication process , return it here
*
*/
2009-12-24 23:47:53 +03:00
NTSTATUS ( * check_password ) ( struct gensec_ntlmssp_state * ,
2005-04-25 14:33:00 +04:00
DATA_BLOB * nt_session_key , DATA_BLOB * lm_session_key ) ;
2003-11-26 04:16:41 +03:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
const char * server_name ;
2003-11-26 04:16:41 +03:00
2009-12-24 23:47:53 +03:00
bool doing_ntlm2 ;
2003-08-13 05:53:07 +04:00
2005-04-25 13:23:56 +04:00
union {
/* NTLM */
struct {
uint32_t seq_num ;
struct arcfour_state * arcfour_state ;
} ntlm ;
/* NTLM2 */
struct {
uint32_t send_seq_num ;
uint32_t recv_seq_num ;
DATA_BLOB send_sign_key ;
DATA_BLOB recv_sign_key ;
struct arcfour_state * send_seal_arcfour_state ;
struct arcfour_state * recv_seal_arcfour_state ;
/* internal variables used by NTLM2 */
uint8_t session_nonce [ 16 ] ;
} ntlm2 ;
2005-05-11 23:22:22 +04:00
} crypt ;
2003-08-13 05:53:07 +04:00
2005-04-25 07:37:37 +04:00
struct auth_context * auth_context ;
struct auth_serversupplied_info * server_info ;
} ;
2007-12-03 19:41:37 +03:00
struct loadparm_context ;
2006-03-14 18:03:25 +03:00
struct auth_session_info ;
2008-04-02 06:53:27 +04:00
2006-03-07 14:07:23 +03:00
# include "auth/ntlmssp/proto.h"
